Capitalized terms used but not otherwise defined in this DPF Policy have the following meanings:

• Agent means any third party that collects or uses Personal Information under the instructions of, and solely for, a Controller or to which a Controller discloses Personal Information for use on the Controller's behalf.
• Data Subject (or you) means a natural person whose Personal Information is covered by this DPF Policy.
• Controller means a person or organization which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information. Acronis is a Controller as to certain Processing.
• DPF Principles means, collectively, the EU-U.S. DPF Principles (defined above) and the Swiss-U.S. DPF Principles (defined above), as set forth by the U.S. Department of Commerce and available at https://www.dataprivacyframework.gov/EU-US-Framework.
• DPF Program means, collectively, EU-U.S. DPF, UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
• Personal Information means any information, including Sensitive Personal Information, relating to an identified or identifiable natural person that is received by Acronis in the U.S. from the EEA, Switzerland or UK/Gibraltar, and recorded in any form.

o An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

• Process, Processes or Processing means any operation or set of operations performed on Personal Information, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
• Sensitive Personal Information means Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying an individual’s sex life, and any Personal Information received by Acronis from a third party that the third party identifies and treats as sensitive.

The DPF Principles are: 1. Notice; 2. Choice; 3. Accountability for Onward Transfer; 4. Security; 5. Data Integrity and Purpose Limitation; 6. Access; and 7. Recourse, Enforcement and Liability.

1. Notice Principle
Acronis provides notice to Data Subjects about its Processing practices for Personal Information received by Acronis in the U.S. from the EEA, UK and Switzerland in reliance on the DPF Program through the Acronis Privacy Statement and this DPF Policy, including:

• the types of Personal Information it collects about them
• the purposes for which it Processes the Personal Information (see also Section 5. below)
• the types of Agents and other third parties to which Acronis discloses Personal Information and the purposes for doing so (see also Section 3. below)
• the rights of Data Subjects to access their Personal Information (see Section 6. below)
• the choices that Acronis offers Data Subjects for limiting use and disclosure of their Personal Information (see also Section 2. below)
• how Acronis’ obligations under the DPF Program are enforced, including Acronis’ designated independent dispute resolution mechanism to address complaints and provide appropriate recourse free of charge, the possibility, under certain conditions, to invoke binding arbitration (see also Section 7. below)
• Acronis’ liability in cases of onward transfers to third parties (see also Section 3. below)
• how Data Subjects can contact Acronis with questions or complaints.

Acronis is not required to apply the Notice Principle or the Choice or Accountability for Onward Transfer Principles (see Sections 2. and 3. below) to public record information (i.e., records kept by government agencies or entities at any level that are open to consultation by the public in general) or information that is already publicly available to the public at large if this information is not combined with non-public record information and, for public record information, and any conditions for consultation established by the relevant jurisdiction are respected.

2. Choice Principle

Acronis provides Data Subjects with choices about their Personal Information before Acronis uses Personal Information covered by this DPF Policy for a new purpose that is materially different from the purpose for which the Personal Information was originally collected or subsequently authorized or before disclosure to a non-Agent third party that was not already authorized.

Acronis will obtain affirmative consent (i.e., opt-in) from Data Subjects before Sensitive Personal Information is disclosed to a third party.

Acronis will obtain a Data Subject’s affirmative express consent (i.e., opt in) before Sensitive Personal Information covered by this DPF Policy is (i) disclosed to a third party (see Section 3 below); or (ii) used for a new purpose that is different from that for which the Personal Information was originally collected or subsequently authorized by the Data Subject (subject to some limitations set forth here). Under the DPF Principles, Acronis is not required to provide choice when disclosure is made to a third party that is acting as an Agent as long as Acronis enters into a written contract with the Agent (see Section 3. below).

To opt out of these uses or disclosures of Personal Information or Sensitive Personal Information, please send an email to data-protection-office@acronis.com.

Acronis may engage with a Data Subject to request sufficient information to allow Acronis to confirm the identity of the Data Subject who is making an opt-out request. Acronis may use Personal Information for certain direct marketing purposes when it is impracticable for Acronis to provide a Data Subject with an opportunity to opt out before using the Personal Information. Acronis will promptly offer the Data Subject the opportunity at the same time (and upon request at any time) to decline (at no cost) to receive any further direct marketing communications and Acronis will comply with the individual’s wishes.

3. Accountability for Onward Transfer Principle

Acronis offers Data Subjects the opportunity to choose (“opt out”) whether their Personal Information is (i) disclosed to a third party or (ii) used for a purpose that is materially different from the purpose(s) for which the Personal Information was originally collected or subsequently authorized.

Transfers to Controllers: Acronis will transfer Personal Information covered by this DPF Policy to a third party acting as a Controller consistent with the relevant Acronis Privacy Statement and other notices provided to each affected Data Subject, when required by law and within the scope of the Data Subject’s consent given to Acronis.

Acronis transfers Personal Information to Acronis affiliates (acting as Controllers) that Process Personal Information for purposes consistent with this DPF Policy or as notified at the time of collection. For example, Acronis may share contact information of event attendees with affiliates to maintain accurate marketing data. Access to Personal Information is restricted and granted on a need-to-know basis. Transfers of Personal Information to affiliates are subject to appropriate intracompany agreements, policies and security safeguards.

Acronis transfers Personal Information, and in some cases receives Personal Information, on a Controller to Controller basis:

• pursuant to certain contracts with managed service providers, distributors and other business customers (Business Customers);
• to resellers and other third parties that promote, resell, distribute and/or ‘white-label’ the Acronis products and services.
• when Business Customers choose to integrate third-party services with their deployment of certain Acronis Products and Services.

Acronis transfers Personal Information to its lawyers, accountants, insurers, and other professional advisers acting as Controllers as needed for them to provide their professional advice.

Acronis will make these transfers only if a Controller has agreed in a written contract that it will (i) Process the Personal Information for limited and specified purposes consistent with the consent provided by the Data Subjects, (ii) provide at least the same level of protection as is required by the DPF Principles and notify us if it makes a determination that it cannot do so; and (iii) cease Processing of the Personal Information or take other reasonable and appropriate steps to remediate the Processing if it makes such a determination.

Acronis also may transfer Personal Information in connection with a merger, sale, acquisition, divestiture, restructuring, reorganization, dissolution, bankruptcy or other change of ownership or control by Acronis or any affiliate. Acronis will use contractual and other controls to help ensure that the terms of this DPF Policy apply to the Personal Information after the transaction or that Data Subjects receive advance notice of changes to how their Personal Information is handled.

Acronis will take reasonable and appropriate steps to prevent, stop or remediate the Processing if Acronis becomes aware that a Controller is Processing Personal Information covered by this DPF Policy contrary to the DPF Principles.

Transfers to Agents: Acronis transfers Personal Information to Agents to enable Agents to perform services for Acronis, such as customer service; data analytics; business intelligence; machine learning and artificial intelligence systems; ecommerce operations, surveys and research; cybersecurity testing; and advertising and marketing services that may supplement Personal Information.

Acronis offers certain Business Customers access to a chatbot powered generative artificial intelligence (GenAI) technology. The Acronis chatbot is data search tool that uses an interactive, conversational format. The Acronis chatbot collects data (some of which may be Personal Information). The provider of the GenAI technology that powers the Acronis chatbot has contractually committed to not use data received in connection with the Acronis chatbot for training its GenAI model but does filter Acronis’s business data submitted through automated content classifiers and safety tools. The classifications created are metadata about business data received via the Acronis chatbot but do not contain any of the business data itself. Acronis’s business data is only subject to human review as needed to resolve incidents or as required by law. Acronis’s current list of Agents (also known as Subprocessors) is available here.

Acronis also transfers Personal Information to third parties (i) when necessary to protect legal rights of Acronis, Data Subjects, Agents, Business Customers or other interested parties; (ii) if disclosure would mitigate Acronis’s liability in an actual or threatened lawsuit; (iii) to pursue available remedies or limit damages; (iv) to enforce our agreements; and (v) to respond to an emergency.

Acronis will require that each Agent:

• Process the Personal Information only for limited and specified purposes as instructed by Acronis;
• Provide at least the same level of privacy protection as is required by the DPF Principles;
• Take reasonable and appropriate steps to ensure that the Agent effectively Processes the Personal Information transferred in a manner compliant with Acronis’ obligations under the DPF Principles; and
• Notify Acronis if the Agent determines that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles.
  
  Upon receiving notification from an Agent that the Agent can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles, Acronis will take reasonable and appropriate steps to stop and remediate the unauthorized Processing. Acronis also provides summaries of the relevant privacy provisions of its contracts with Agents to the Department of Commerce upon request.

In certain situations, Acronis may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, or as required in judicial proceedings, court orders or legal processes.

Acronis remains liable under the DPF Principles if an Agent Processes Personal Information covered by this DPF Policy in a manner inconsistent with the DPF Principles unless Acronis proves that Acronis is not responsible for the event giving rise to the damages.

As described in the Acronis Cookie Notice, certain advertising partners set cookies and other data collection technology on Acronis’ websites that collect Personal Information when a Data Subject has opted in through the Acronis Privacy Preference Center.

4. Security Principle

Acronis takes reasonable and appropriate measures to protect Personal Information covered by this DPF Policy from loss, misuse and unauthorized access, disclosure, alteration, and destruction, considering the risks involved in the Processing and the nature of the Personal Information.

5. Data Integrity and Purpose Limitation Principle

Acronis limits its collection of Personal Information to information that is relevant for the purposes of Processing. Acronis does not Process Personal Information in a way that is incompatible with the purposes for which it was collected or subsequently authorized by the Data Subject.

Acronis takes reasonable steps to ensure that such Personal Information is reliable for its intended use, accurate, complete, and current. Acronis takes reasonable and appropriate measures to comply with the requirement under the DPF Program to retain Personal Information in identifiable form only for as long as it serves a purpose of Processing. Specifically, Acronis will retain Personal Information in accordance with Acronis’ legitimate business purposes and legal obligations, unless a longer retention period is required or permitted by law.

Acronis will adhere to the DPF Principles for as long as it retains Personal Information covered by this DPF Policy.

6. Access Principle

Data Subjects whose Personal Information is covered by this DPF Policy have the right (i) to obtain from Acronis confirmation of whether or not Acronis is Processing Personal Information relating to them and to access that Personal Information and (ii) to correct, amend, or delete their Personal Information if it is inaccurate or if Acronis Processes it in violation of the DPF Principles - except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, when the rights of persons other than the Data Subject would be violated or when disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security, national defense or public security.

Acronis will make good-faith, reasonable and practical efforts to comply with requests, so long as our doing so would be consistent with applicable law and/or Acronis’ contractual requirements.

Acronis may engage with a Data Subject to request sufficient information to allow Acronis to confirm the Data Subject’s identity or if an access request is vague or broad in scope or to better understand the motivation for the request and to locate responsive information. Acronis also may inquire about how the Data Subject interacted with Acronis or about the nature of the Personal Information or its use that is the subject of the request. Acronis may deny or limit access to the extent that granting full access would reveal Acronis’ own proprietary or confidential commercial information, such as the confidential commercial information of another that is subject to a contractual obligation of confidentiality. Acronis may set reasonable limits on the number of times within a given period that access requests from a particular Data Subject will be met.

To make a data access request, Data Subjects may contact Acronis at data-protection-office@acronis.com.

Acronis will respond to access requests within a reasonable time.

7. Recourse, Enforcement, and Liability

The Federal Trade Commission (FTC) has jurisdiction over Acronis’ compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Acronis commits to resolve complaints about our collection or use of Personal Information transferred to the U.S. pursuant to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

EU, UK and Swiss individuals with inquiries or complaints should first contact Acronis by email to data-protection-office@acronis.com.

Acronis has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, JAMS. To open a DPF-related dispute resolution case with JAMS, please visit https://www.jamsadr.com/DPF-Dispute-Resolution. You are not responsible for any fee associated with using JAMS to resolve a dispute with Acronis under the DPF Program.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may be able to invoke binding arbitration for some residual claims not resolved by other redress mechanisms.

Please visit https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction for information. (Note that Paragraph C of Annex I of the DPF Principles (https://www.dataprivacyframework.gov/framework-article/C%E2%80%93Pre-Arbitration-Requirements) explains the Pre-Arbitration Requirements.)

* * * * *

Acronis agrees to periodically review and verify its compliance with the DPF Principles and to remedy any issues arising out of Acronis’ failure to comply with the DPF Principles. Acronis acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of DPF participants.

All Acronis personnel who have access in the U.S. to Personal Information covered by this DPF Policy are responsible for ensuring that Personal Information Processing complies with this DPF Policy. Acronis personnel are also responsible for ensuring that Agents or other unaffiliated third parties that Process Personal Information subject to this DPF Policy comply with this DPF Policy and Process Personal Information in accordance with the DPF Principles, including contracts required by the DPF Program.