This Policy applies to all Netwrix entities that process Personal Data.
“Automated Decisions” are defined as decisions about individuals that are based solely on the automated processing of data and that produce legal effects that significantly affect the individuals involved.
“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Data Subject” means an individual for whom Netwrix Processes Personal Data.
“Employee” means any current, former or prospective employee, temporary worker, intern or other non-permanent employee of Netwrix or any current or prospective subsidiary or affiliate of Netwrix.
“European Economic Area” (“EEA”) means the following countries: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Republic of Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, The Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK.
“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity and includes information that (i) relates to an identified or identifiable Customer, Employee or Supplier’s representative; (ii) can be linked to that Customer, Employee or Supplier’s representative; (iii) is transferred to Netwrix in the U.S. from the EEA or Switzerland; and (iv) is recorded in any form.
“Privacy Officer” means the individual officer designated by Netwrix as the initial point of contact for inquiries, complaints, or questions regarding privacy matters. The Privacy Officer is identified at the end of this Policy.
“Processing” is defined as any action that is performed on Personal Data, whether in whole or in part by automated means, such as collecting, modifying, using, disclosing, or deleting such data. This Policy does not cover data rendered anonymous or where pseudonyms are used that do not allow for, directly or indirectly, the identification of an individual. The use of pseudonyms involves the replacement of names or other identifiers with substitutes, so that identification of individual persons is either impossible or at least rendered considerably more difficult. This Policy shall apply again if the protections offered through anonymization no longer apply.
“Sensitive Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or concerning health or sex, and the commission or alleged commission of any offense, any proceedings for any offense committed or alleged to have been committed by the individual or the disposal of such proceedings, or the sentence of any court in such proceedings.
“Supplier” means any supplier, vendor or other third party located in the USA and/or the EEA or Switzerland that provides services or products to Netwrix.
III. APPLICATION OF EU DATA PROTECTION LAWS
This Policy is designed to provide compliance with all relevant applicable data protection laws in the EEA, and in particular the General Data Protection Regulation (“GDPR”). Netwrix will handle Personal Data in accordance with local law at the place where the Personal Data is processed.
IV. PRINCIPLES FOR PROCESSING PERSONAL DATA
Netwrix respects the privacy of Data Subjects and is committed to protecting Personal Data. Netwrix will observe the following principles when processing Personal Data:
- Data will be processed fairly and in accordance with applicable law.
- Data will be collected for specified, legitimate purposes and not processed further in ways incompatible with those purposes.
- Data will be relevant to and not excessive for the purposes for which they are collected and used. For example, data may be rendered anonymous if deemed reasonable, feasible and appropriate, depending on the nature of the data and the risks associated with the intended uses.
- Data Subjects in the EU may be asked to provide their clear and unequivocal consent for the collection, processing and transfer of their Personal Data.
- Data will be accurate and, where necessary, kept up-to-date. Reasonable steps will be taken to rectify or delete Personal Data that is inaccurate or incomplete.
- Data will be kept only as necessary for the purposes for which it was collected and processed. Those purposes are described in this Policy.
- Data will be deleted or amended following a relevant request by the Data Subject, provided such request complies with applicable law.
- Data will be processed in accordance with the Data Subject’s legal rights (as described in this Policy or as provided by law).
- Appropriate technical, physical and organizational measures will be taken to prevent unauthorized access, unlawful processing and unauthorized or accidental loss, destruction or damage to data. In case of any such violation with respect to Personal Data, Netwrix will take appropriate steps to end the violation and determine liabilities in accordance with applicable law and will cooperate with the competent authorities.
V. TYPES OF DATA PROCESSED
Netwrix does not need to collect or process individual consumer information to perform its services. However, as part of the services Netwrix provides, it may have incidental access to Personal Data.
With regard to Customer contact information, Netwrix collects and processes the following categories of Personal Data:
- First and last name
- Business email address, and
- Business telephone number
Netwrix does not need any Sensitive Personal Data and instructs its customers to avoid submitting any Sensitive Personal Data to Netwrix.
VI. WAYS OF OBTAINING PERSONAL DATA
Netwrix obtains Personal Data through various sources:
- As submitted by the customer through the services;
- Collected from publicly available databases;
- The use of third party vendors who compile databases for Netwrix’s use (Netwrix requires assurances from the third party vendor that the information was collected, processed, and transferred in compliance with applicable data protection laws and that Netwrix is permitted to make further use of the information).
VII. PURPOSES FOR PERSONAL DATA PROCESSING
Netwrix processes Personal Data for legitimate purposes related mostly to direct marketing in a business-to-business context. Netwrix does not process for purposes of marketing to individual consumers.
In addition, Netwrix may process Personal Data for business operational purposes. The foregoing limited purposes will be taken into consideration before any type of processing of Personal Data occurs.
For customer/supplier-specific Personal Data, the purposes of processing may include:
- Management of Netwrix’s relationships with its customers and suppliers
- Processing payments
- Carrying out Netwrix’s obligations under its contracts with customers and suppliers
In the event of a change of the foregoing, Netwrix will inform affected Data Subjects of new processes or applications, new purposes for which the Personal Data are to be used, and the categories of recipients of the Personal Data.
VIII. SECURITY AND CONFIDENTIALITY
Netwrix is committed to implementing and maintaining appropriate technical, physical and organizational measures to protect Personal Data against unauthorized access, unlawful processing, accidental loss or damage and unauthorized destruction.
IX. RIGHTS OF DATA SUBJECTS
Any person has the right to be provided with information as to the nature of the Personal Data stored or processed about him or her by Netwrix and may request deletion or amendments. Data Subjects may contact the Privacy Officer or email@example.com to review, update, and revise their Personal Data.
If access is denied, the Data Subject has the right to be informed about the reasons for denial. The person affected may contact any competent regulatory body or authority to resolve the issue. Netwrix will handle in a transparent and timely manner any type of complaint resolution or inquiry about Personal Data.
If any information is inaccurate or incomplete, the Data Subject may request that the data be amended. If the Data Subject demonstrates that the purpose for which the data is being processed is no longer legal or appropriate, the data will be deleted, unless applicable laws require otherwise.
In connection with the activities described under Section VII, Netwrix may transmit Personal Data outside the EEA and more specifically to: (i) Netwrix’s corporate headquarters in California, USA; or (ii) its other offices in the US. Moreover, Personal Data might be sent to the following third parties in or outside the EEA:
- Selected Third Parties: Netwrix may disclose or share Personal Data of customers or prospective customers with suppliers, or other third party vendors, but Netwrix will not sell any Personal Data without the Data Subject’s valid consent.
- Other Third Parties: Netwrix may be required to disclose certain Personal Data to other third parties: (i) as a matter of law (e.g. to tax authorities); (ii) to protect Netwrix’s legal rights; (iii) to Law Enforcement Authorities in compliance with applicable laws.
XI. AUTOMATED DECISIONS
XII. CONTACT INFORMATION
Netwrix will ensure that this Policy is observed and duly implemented. All Netwrix Employees who have access to Personal Data must comply with this Policy.
If at any time, a person believes that Personal Data relating to him or her has been Processed in violation of this Policy, he or she should report the concern to the Privacy Officer. In addition, Netwrix is happy to answer any questions related to its Processing of Personal Data.
Please contact us at firstname.lastname@example.org.