ACRONIS, INC.

DATA PRIVACY FRAMEWORK PRIVACY POLICY

Effective Date:  24 July, 2024

Last Updated:  24 July, 2024

Acronis, Inc. (Acronis or we) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

Acronis has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) regarding the Processing of Personal Information received from the European Union (EU) in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  Acronis has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) about the Processing of Personal Information received from Switzerland in reliance on the Swiss-U.S. DPF. If the terms in this Acronis Data Privacy Framework Privacy Policy (DPF Policy) and the DPF Principles (defined below) conflict, then the DPF Principles shall govern. To learn more about the Data Privacy Framework program and to view our certification, please visit https://www.dataprivacyframework.gov.

DEFINITIONS

Capitalized terms used but not otherwise defined in this DPF Policy have the following meanings:

·        Agent means any third party that collects or uses Personal Information under the instructions of, and solely for, a Controller or to which a Controller discloses Personal Information for use on the Controller's behalf. 

·        Data Subject (or you) means a natural person whose Personal Information is covered by this DPF Policy.

·        Controller means a person or organization which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information.  Acronis is a Controller as to certain Processing.

·        DPF Principles means, collectively, the EU-U.S. DPF Principles (defined above) and the Swiss-U.S. DPF Principles (defined above), as set forth by the U.S. Department of Commerce and available at https://www.dataprivacyframework.gov/EU-US-Framework.

·        DPF Program means, collectively, EU-U.S. DPF, UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

·        Personal Information means any information, including Sensitive Personal Information, relating to an identified or identifiable natural person that is received by Acronis in the U.S. from the EEA, Switzerland or UK/Gibraltar, and recorded in any form.

o   An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

·        Process, Processes or Processing means any operation or set of operations performed on Personal Information, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.

·        Sensitive Personal Information means Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying an individual’s sex life, and any Personal Information received by Acronis from a third party that the third party identifies and treats as sensitive.

WHEN THIS DPF POLICY APPLIES

This DPF Policy applies to Personal Information transferred from member countries of the European Economic Area (EEA, which is the member states of the EU plus Iceland, Liechtenstein and Norway), the United Kingdom (UK), and Switzerland to Acronis in the U.S. in reliance on the EU-U.S. DPF, UK Extension to the EU-U.S. DPF or the Swiss-U.S. DPF. 

Personal Information that Acronis Processes in compliance with the DPF Program is covered by Acronis’ other privacy-related requirements and policies (collectively, the Acronis Privacy Statement), available at https://www.acronis.com/company/privacy/.  For some of Acronis’ websites and mobile applications, if a separate privacy policy, notice or statement is linked or posted, that privacy policy, notice or statement applies.

Acronis is an Agent as to certain Processing for its customers and a Controller as to other Processing for its customers as described in the Acronis Privacy Statement.

This DPF Policy does not apply to Personal Information transferred under Standard Contractual Clauses or any approved derogation from the EU General Data Protection Regulation, the UK General Data Protection Regulation or the Swiss Federal Data Protection Act.  While the DPF Program is an authorized international transfer mechanism to enable Acronis to receive Data Subjects’ Personal Information in the U.S., Acronis’ obligations and Data Subject rights under the DPF Program are separate from those under the EU General Data Protection Regulation, the UK General Data Protection Regulation and the Swiss Federal Data Protection Act.

ACRONIS’ COMMITMENT TO THE DPF PRINCIPLES

Acronis commits to applying the DPF Principles to all Personal Information received by Acronis in the U.S. from the EEA, UK and Switzerland in reliance on the DPF Program.  Acronis’ adherence to this DPF Policy may be limited to the extent required to meet Acronis’ legal, regulatory, governmental or national security obligations.

THE DPF PRINCIPLES

The DPF Principles are: 1. Notice; 2. Choice; 3. Accountability for Onward Transfer; 4. Security; 5. Data Integrity and Purpose Limitation; 6. Access; and 7. Recourse, Enforcement and Liability.

1. Notice Principle

Acronis provides notice to Data Subjects about its Processing practices for Personal Information received by Acronis in the U.S. from the EEA, UK and Switzerland in reliance on the DPF Program through the Acronis Privacy Statement and this DPF Policy, including:

·        the types of Personal Information it collects about them

·        the purposes for which it Processes the Personal Information (see also 5. below)

·        the types of Agents and other third parties to which Acronis discloses Personal Information and the purposes for doing so (see also 3. below)

·        the rights of Data Subjects to access their Personal Information (see 6. below)

·        the choices that Acronis offers Data Subjects for limiting use and disclosure of their Personal Information (see also 2. below)

·        how Acronis’ obligations under the DPF Program are enforced, including Acronis’ designated independent dispute resolution mechanism to address complaints and provide appropriate recourse free of charge, the possibility, under certain conditions, to invoke binding arbitration (see also 7. below)

·        Acronis’ liability in cases of onward transfers to third parties (see also section 3. below)

·        how Data Subjects can contact Acronis with questions or complaints.

Acronis is not required to apply the Notice Principle or the Choice or Accountability for Onward Transfer Principles (see 2. and 3. below) to public record information (i.e., records kept by government agencies or entities at any level that are open to consultation by the public in general) or information that is already publicly available to the public at large if this information is not combined with non-public record information and, for public record information, any conditions for consultation established by the relevant jurisdiction are respected.

2. Choice Principle

Acronis provides Data Subjects with choices about their Personal Information before Acronis uses Personal Information covered by this DPF Policy for a new purpose that is materially different from the purpose for which the Personal Information was originally collected or subsequently authorized or before disclosure to a non-Agent third party that was not already authorized.

Acronis will obtain affirmative consent (i.e., opt-in) from Data Subjects before Sensitive Personal Information is disclosed to a third party.  

Acronis will obtain the Data Subject’s affirmative express consent (i.e., opt in) before Sensitive Personal Information covered by this DPF Policy is (i) disclosed to a third party or (ii) used for a new purpose that is different from that for which the Personal Information was originally collected or subsequently authorized by the Data Subject (subject to some limitations set forth here).  Under the DPF Principles, Acronis is not required to provide choice when disclosure is made to a third party that is acting as an Agent if Acronis enters into a written contract with the Agent (see 3. below). 

To opt out of these uses or disclosures of Personal Information or Sensitive Personal Information, please send an email to data-protection-office@acronis.com.

Acronis may engage with a Data Subject to request sufficient information to allow Acronis to confirm the identity of the Data Subject making an opt-out request.  Acronis may use Personal Information for certain direct marketing purposes when it is impracticable for Acronis to provide a Data Subject with an opportunity to opt out before using the Personal Information. Acronis will promptly offer the Data Subject the opportunity at the same time (and upon request at any time) to decline (at no cost) to receive any further direct marketing communications and Acronis complies with the individual’s wishes.

3. Accountability for Onward Transfer Principle

Acronis offers Data Subjects the opportunity to choose (i.e., opt out) whether their Personal Information is (i) disclosed to a third party or (ii) used for a purpose that is materially different from the purpose(s) for which the Personal Information was originally collected or subsequently authorized. 

Transfers to Controllers: Acronis will transfer Personal Information covered by this DPF Policy to a third party acting as a Controller consistent with the relevant Acronis Privacy Policies provided to each affected Data Subject and the Data Subject’s consent given to Acronis. 

Acronis will make these transfers only if the Controller has agreed in a written contract that it will (i) Process the Personal Information for limited and specified purposes consistent with the consent provided by the Data Subjects, (ii) provide at least the same level of protection as is required by the DPF Principles and notify us if it makes a determination that it cannot do so; and (iii) cease Processing of the Personal Information or take other reasonable and appropriate steps to remediate the Processing if it makes such a determination.

Acronis will take reasonable and appropriate steps to prevent, stop or remediate the Processing if Acronis becomes aware that a Controller is Processing Personal Information covered by this DPF Policy contrary to the DPF Principles. 

Transfers to Agents: Acronis will transfer to each Agent only the Personal Information needed for the Agent to provide the services or products as Acronis has instructed. 

Acronis will require that each Agent:

·        Process the Personal Information only for limited and specified purposes as instructed by Acronis;

·        Provide at least the same level of privacy protection as is required by the DPF Principles;

·        Take reasonable and appropriate steps to ensure that the Agent effectively Processes the Personal Information transferred in a manner compliant with Acronis’ obligations under the DPF Principles; and

·        Notify Acronis if the Agent determines that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles.

Upon receiving notification from an Agent that the Agent can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles, Acronis will take reasonable and appropriate steps to stop and remediate the unauthorized Processing.  Acronis also provides summaries of the relevant privacy provisions of its contracts with Agents to the Department of Commerce upon request.

In certain situations, Acronis may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. 

Acronis remains liable under the DPF Principles if an Agent Processes Personal Information covered by this DPF Policy in a manner inconsistent with the DPF Principles unless Acronis proves that Acronis is not responsible for the event giving rise to the damages.

4. Security Principle

Acronis takes reasonable and appropriate measures to protect Personal Information covered by this DPF Policy from loss, misuse and unauthorized access, disclosure, alteration, and destruction, considering the risks involved in the Processing and the nature of the Personal Information.

5. Data Integrity and Purpose Limitation Principle

Acronis limits its collection of Personal Information to information that is relevant for the purposes of Processing. Acronis does not Process Personal Information in a way that is incompatible with the purposes for which it was collected or subsequently authorized by the Data Subject.

Acronis takes reasonable steps to ensure that such Personal Information is reliable for its intended use, accurate, complete, and current. Acronis takes reasonable and appropriate measures to comply with the requirement under the DPF Program to retain Personal Information in identifiable form only for as long as it serves a purpose of Processing. Specifically, Acronis will retain Personal Information in accordance with Acronis’ legitimate business purposes and legal obligations, unless a longer retention period is required or permitted by law. 

Acronis will adhere to the DPF Principles for as long as it retains Personal Information covered by this DPF Policy.

6. Access Principle

Data Subjects whose Personal Information is covered by this DPF Policy have the right (i) to obtain from Acronis confirmation of whether or not Acronis is Processing Personal Information relating to them and to access that Personal Information and (ii) to correct, amend, or delete their Personal Information if it is inaccurate or if Acronis Processes it in violation of the DPF Principles - except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, when the rights of persons other than the Data Subject would be violated or when disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security, national defense or public security. 

Acronis will make good-faith, reasonable and practical efforts to comply with requests, so long as our doing so would be consistent with applicable law and/or Acronis’ contractual requirements.   

Acronis may engage with a Data Subject to request sufficient information to allow Acronis to confirm the Data Subject’s identity or if an access request is vague or broad in scope or to better understand the motivation for the request and to locate responsive information.  Acronis also may inquire about how the Data Subject interacted with Acronis or about the nature of the Personal Information or its use that is the subject of the request. Acronis may deny or limit access to the extent that granting full access would reveal Acronis’ own proprietary or confidential commercial information, such as the confidential commercial information of another that is subject to a contractual obligation of confidentiality.  Acronis may set reasonable limits on the number of times within a given period that access requests from a particular Data Subject will be met.  

To make a data access request, Data Subjects may contact Acronis at data-protection-office@acronis.com.

Acronis will respond to access requests within a reasonable time.

7. Recourse, Enforcement, and Liability

The Federal Trade Commission (FTC) has jurisdiction over Acronis’ compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Acronis commits to resolve complaints about our collection or use of Personal Information transferred to the U.S. pursuant to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.  

EU, UK and Swiss individuals with inquiries or complaints should first contact Acronis by email to data-protection-office@acronis.com.

Acronis has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, JAMS. To open a DPF-related dispute resolution case with JAMS, please visit https://www.jamsadr.com/DPF-Dispute-Resolution. You are not responsible for any fee associated with using JAMS to resolve a dispute with Acronis under the DPF Program.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may be able to invoke binding arbitration for some residual claims not resolved by other redress mechanisms.

See https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction for information. (Note that Paragraph C of Annex I of the DPF Principles (https://www.dataprivacyframework.gov/framework-article/C%E2%80%93Pre-Arbitration-Requirements) explains the Pre-Arbitration Requirements.)

* * * * *

Acronis agrees to periodically review and verify its compliance with the DPF Principles and to remedy any issues arising out of Acronis’ failure to comply with the DPF Principles. Acronis acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of DPF participants.

All Acronis personnel who have access in the U.S. to Personal Information covered by this DPF Policy are responsible for ensuring that Personal Information Processing complies with this DPF Policy.  Acronis personnel are also responsible for ensuring that Agents or other unaffiliated third parties that Process Personal Information subject to this DPF Policy comply with this DPF Policy and Process Personal Information in accordance with the DPF Principles, including contracts required by the DPF Program.

CHANGES TO THIS DATA PRIVACY FRAMEWORK POLICY

This DPF Policy may be amended from time to time consistent with the requirements of the DPF. When we make changes to this DPF Policy, we will revise the “Last Updated” date at the beginning of this DPF Policy.   We will also take appropriate measures to inform you in advance of changes we feel are significant so that you have an opportunity to review the revised DPF Policy before it is effective.  If your consent is required by the DPF Principles, we will obtain your consent.  We encourage you to regularly check this DPF Policy to ensure you are aware of the updated version.

QUESTIONS?

Acronis is committed to protecting the privacy of your Personal Information. If you have any questions or comments about this DPF Policy, please contact data-protection-office@acronis.com.