This notice was updated on September 11, 2020
Magento has subscribed to the Privacy Shield program, which covers both the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, and, therefore, Magento has certified that it adheres to the EU-U.S. Privacy Shield Principles and the Swiss-U.S. Privacy Shield Principles, both of which include Supplemental Principles (collectively, the “EU-U.S. and Swiss-U.S. Privacy Shield Principles”) for Personal Information covered by the Policy. In light of the recent Schrems II decision by the European Court of Justice on July 16, 2020, however, Magento no longer relies on its Privacy Shield certification as a means to lawfully transfer personal data from EEA countries to the United States, although we remain committed to the Privacy Shield Principles when processing personal data.
More information about the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield, including the list of certified organizations, can be found at https://www.privacyshield.gov.
Personal Information that is transferred to Magento from the EEA and Switzerland falls into two categories: 1) Personal Information regarding personnel from Magento’s customers in the EEA and Switzerland, such as name, email address, and telephone number; and 2) Personal Information from customers’ end users in the EEA and Switzerland that Magento processes on behalf of its customers, such as end user name, address, and transaction information. In the case of the latter category, Magento acts as a data processor and processes such information only under the instructions of its customers. This information is controlled by Magento’s customers in the EEA and Switzerland.
Because the requirements of the Privacy Shield program vary depending on whether Magento is acting as a processor on behalf of its customers or as a data controller, meaning that Magento makes independent decisions about how that information will be used, Magento’s policies and practices are described separately below.
Magento Acting As A Data Processor on Behalf of its Customers
When Magento acts as a processor on behalf of its customers, the following policies apply to all data processing operations concerning Personal Information that has been transferred from the EEA and Switzerland to the United States.
Use of Personal Information
Magento will process the Personal Information only for the purposes requested by the customer.
Access and Correction
Magento will assist the controller (the customer) in responding to individuals exercising their rights under the Principles.
Agents and Service Providers
Magento will not transfer Personal Information to third parties except where permitted or required by the customer and then in accordance with the EU-U.S. and Swiss-U.S. Privacy Shield Principles.
Notice & Choice
Because the Personal Information is under the control of Magento’s customers, appropriate notice and choice to the individual are provided by Magento’s customers. As the data processor, Magento typically does not have a direct relationship with the customers’ end users.
Magento Acting As A Data Controller
Magento may receive Personal Information from customers in the EEA and Switzerland regarding its employees.
Use of Personal Information
Any Personal Information sent to us may be used by Magento and its agents for the following purposes: communications, fulfilling transactions, analytics, and marketing. If we intend to use your information for a purpose that is materially different from these purposes or if we intend to disclose it to a third party (a non-agent) not previously identified, we will notify you and offer you the opportunity to opt out of such uses and/or disclosures where it involves non-sensitive information or opt in where sensitive information is involved.
Disclosures to Affiliates and Third Parties
Your Personal Information may be disclosed:
- To third parties, to permit them to send you marketing communications, consistent with your choices.
- To a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings).
Disclosures to Agents and Service Providers
We sometimes contract with other companies and individuals to perform functions or services on our behalf such as website hosting, data analysis, payment processing, order fulfillment, information technology and related infrastructure provision, customer service, email delivery, auditing and other services. They may have access to Personal Information needed to perform their functions but are restricted from using the Personal Information for purposes other than providing services for us or to us. Magento requires that its agents and service providers that have access to Personal Information received from the EEA and Switzerland provide the same level of protection as required by the EU-U.S. and Swiss-U.S. Privacy Shield Principles.
We are responsible for ensuring that our agents, service providers and other third parties to whom we disclose your Personal Information process the information in a manner consistent with our obligations under the EU-U.S. and Swiss-U.S. Privacy Shield Principles.
We use reasonable physical, electronic, and administrative safeguards to protect your Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Information and the risks involved in processing that information.
Data Integrity and Purpose Limitation
We limit the collection and use of Personal Information to the information that is relevant for the purposes of processing and will not process Personal Information in a way that is incompatible with the purposes for which the information has been collected or subsequently authorized by you. We take reasonable steps to ensure the Personal Information is reliable for its intended use, accurate, complete, and current to the extent necessary for the purposes for which we use the Personal Information.
Access to Personal Data
You can ask to access, review and correct Personal Information that we maintain about you by sending a written request to firstname.lastname@example.org.
Enforcement and Dispute Resolution
If you have any questions or concerns, please write to us at the address listed below. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information in accordance with the EU-U.S. and Swiss-U.S. Privacy Shield Principles.
In the event we are unable to resolve your complaints or disputes, you may contact ANA (https://thedma.org/resources/consumer-resources/privacyshield-consumers/), an alternative dispute resolution provider located in the United States, for more information or to file a complaint. ANA will investigate and assist you free of charge in resolving your complaint.
Magento US is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
Disclosures Required By Law
We may need to disclose Personal Information in response to lawful requests by public authorities for law enforcement or national security reasons or when such action is necessary to comply with a judicial proceeding or court order, or when otherwise required by law.
345 Park Avenue, San Jose, CA 95110-2704
Magento Commerce International Limited
21 Charlemont Place, Dublin D02 WV10, Ireland
This policy may be changed from time to time, consistent with the requirements of the Privacy Shield program. You can determine when this Policy was last revised by referring to the “LAST UPDATED” legend at the top of this page. Any changes to our Policy will become effective upon our posting of the revised Policy on the Site.