Enterprise Online Privacy Statement
PRIVACY AND DATA PROTECTION AT DXC
This policy was updated on December 11, 2019, to reflect DXC’s commitment (1) for international data transfers as related to the potential withdrawal of the United Kingdom (UK) from the EU (“Brexit”) and (2) to DXC’s obligations as a service provider related to the California Consumer Privacy Act.
At DXC our commitment to privacy goes beyond the minimum legal and regulatory requirements. We strive for best-in-class data protection and privacy management, which requires a sound data privacy governance structure and an effective data privacy compliance and best practices program to ensure DXC meets ever-changing and increasingly-complex regulatory standards and all contractually agreed privacy obligations.
DXC's Global Privacy and Data Protection Office has strategic and operational responsibility for this program, which is adequately resourced and appropriately organized to ensure the policies and compliance processes, technology and physical controls and security we rely upon to govern the collection, use, storage and transfer of personal data all over the world meet statutory and regulatory requirements. Therefore, DXC's approach is to coordinate the contribution of several corporate disciplines - including ethics and compliance, legal, human resources, and information and physical security - to achieve our "best in class" data protection and privacy management objectives.
Strong board and executive management commitment to DXC's CLEAR Values and a culture of compliance with policy and the law.
- Our CLEAR Values are the distinguishing hallmarks of DXC's performance and reputation. They inform our decisions and drive personal responsibility. DXC's CLEAR Values define a culture in which the way we achieve our objectives matters as much, if not more, than our results.
DXC’s Ethics and Compliance Office (ECO)
- ECO’s Charter and responsibilities are evidenced by Board resolution, which assigns day-to-day management responsibility for DXC’s ethics and compliance program to a Chief Ethics and Compliance Officer.
- The ECO Mission: Promote throughout the global DXC Technology community a culture of performance with integrity that encourages ethical conduct, reinforces the CLEAR Values, and drives compliance with the Code of Business Conduct, internal policies, and the law.
DXC's Global Privacy and Data Protection Office (PDPO).
- Based in the European Union (EU), DXC's global PDPO is a well-resourced and qualified strategic compliance function that operates under the authority of DXC's global Ethics and Compliance Office.
- The PDPO is responsible and accountable to advise DXC's businesses on best practices in privacy compliance, and to develop policies, procedures, training, risk assessment and monitoring programs that enable DXC to provide adequate levels of personal data protection for its clients, employees and other relevant individuals in all geographies and jurisdictions the world over.
Compliance Policies, Standards, and Processes.
- A strong, globally-applicable Privacy and Data Protection Policy which reflects the Generally Accepted Privacy Principles ("GAPP") applicable to the collection, use, storage, and processing of personal data.
- Comprehensive and cohesive compliance standards, processes, and procedures, which ensure consistent privacy and data protection across all of DXC's legal entities and businesses.
Employee Training and Awareness
- DXC takes a holistic approach to ensure privacy-aware employees throughout the employment lifecycle including new-hire instructions, annual awareness briefings, targeted training for high-risk populations, and periodic awareness messaging through newsletters and PDPO bulletins.
Strong Risk Management Programs
- In light of the inherent exposures to DXC's operational and strategic goals, DXC is committed to ensuring that risk, issue, and opportunity management is a core competency, and an integral part of DXC's business operations that supports and informs reliable, quality decision making.
- The resources in both the Ethics and Compliance Office and its Privacy and Data Protection Office are integral parts of DXC's overall risk assessment program and posture, which includes internal and external audit and monitoring functions.
- With regular privacy risk assessments, the PDPO monitors emerging exposures and remediates weaknesses in an effort to constantly mature DXC's compliance capabilities.
A consistent Privacy Impact Assessment program is carried out on new and changed services, systems, and processes, aiming to disclose potential issues before they become a problem.
Formal data breach handling procedures and a robust 24/7 operated incident response center supplement regulatory and contractual notification requirements, enabling constant vigilance and readiness in case of a crisis.
Strong, Collaborative Cross-Disciplinary Partnerships
- Inclusive of key internal stakeholders, including strong collaborative ties to DXC’s information and physical security, legal, human resources, and key business unit personnel without whom strict compliance with privacy laws is not possible.
Flexible Service Delivery Model
- A strong and robust global service delivery model that is flexible enough to meet the privacy requirements of the highly sensitive, regulated, and classified data environments.
Formal Dispute Resolution Mechanism
- A one-stop point of contact for our employees and clients for any privacy-related matters regardless of the geography, business, or service. If you have specific concerns or requests, please feel free to send an email to email@example.com.
Personal information is any information that personally identifies an individual or from which an individual could be identified. This may include a name, address, telephone number, email address and other private personal attributes.
DXC collects, uses, stores and transfers (collectively “processes”) personal information to manage its relationship with its customers, employees, business partners and other third parties (“covered individuals”) and better serve covered individuals by personalizing their experience and interaction with DXC. Such processing is done in compliance with applicable laws, including appropriate notice and consent, along with required filings with data protection authorities, where required.
DXC may collect and process personal information through a variety of means, including, as examples, access to DXC sites or services, or other ordering channels, employment processes, during conversations or correspondence with DXC representatives, through purchase of goods or services or in the course of an online application.
Fulfilling your Transaction Request
If we receive any requests related to, for example, a product or service, a callback, or specific marketing materials, we will use your personal information to fulfill your request. In this context, we may share information with others, for instance, DXC's group companies and business partners, involved in fulfillment. In connection with a transaction, we may also contact you as part of our customer satisfaction surveys or for market research purposes subject to applicable laws and regulations.
Personalizing your Experience on our Web Sites
We may use information we collect about you to provide you with a personalized experience on our Web sites, such as providing you with content in which you may be interested and making navigation on our sites easier.
The information you provide to DXC, as well as the information we have lawfully collected about you indirectly, may be used by DXC for marketing purposes. We will offer you the opportunity to opt-in to DXC using your information in this way. You may at any time choose not to receive marketing materials from us by following the unsubscribe instructions included in each e-mail you may receive, or by contacting DXC directly at firstname.lastname@example.org, or by visiting the DXC Preference Center.
Some of our offerings may be co-branded, that is sponsored by both DXC and third parties, such as DXC Alliance Partners. If you sign up for these offerings, be aware that your information may also be collected by and shared with those third parties. We encourage you to familiarize yourself with their privacy policies to gain an understanding of the manner in which they will handle information about you. If you would like to review, rectify or request deletion of any Personal Information we have about you, you can submit a request by emailing DXC’s privacy office at email@example.com.
In connection with a job application or inquiry, whether advertised on a DXC Web site or otherwise, you may provide us with information about yourself, such as a resume. We may use this information throughout DXC and its group companies in order to address your inquiry or consider you for employment purposes.
Monitoring or Recording of Calls, Chats and Other Interactions
Certain online transactions may involve you calling us or us calling you. They may also involve online chats. Please be aware that it is DXC's general practice to monitor and in some cases record such interactions for staff training or quality assurance purposes or to retain evidence of a particular transaction or interaction.
Mobile Applications and Use of Information in the Social Computing Environment
DXC makes available mobile applications for download from various mobile application marketplaces. DXC also provides social computing tools on some of its websites to enable collaboration among members who have registered to use them. These include forums, wikis, blogs and other social media platforms.
When downloading and using these applications or registering to use these social computing tools, you may be asked to provide certain personal information. These applications and tools may also include supplemental privacy statements with specific information about collection and handling practices. We encourage you to read those supplemental statements to understand how the tools and applications may process your data.
Protect the Rights and Property
We may also use or share your information to protect the rights or property of DXC, our business partners, suppliers, clients, or others when we have reasonable grounds to believe that such rights or property have been or could be affected. In addition, we reserve the right to disclose your personal information as required by law and when we believe that disclosure is necessary to protect our rights, or the rights of others, or to comply with a judicial proceeding, court order, law enforcement or legal process.
DXC will not sell, rent or lease your personal information to others.
As a global organization with business processes, management structures and technical systems that cross borders, DXC may share information about you within DXC and transfer it to countries in the world where we do business in connection with the uses identified above and in accordance with this Privacy Statement. Our Privacy Statement and our internal policies and practices are designed to provide a globally consistent level of protection for personal information all over the world. Even in countries whose laws provide for less protection for your information, DXC will still handle and protect your information in the manner described in this Privacy Statement.
DXC retains service providers, suppliers, and other alliance partners located in various countries to manage or support its business operations, provide professional services, deliver customer services and solutions, and otherwise process information on DXC's behalf. It is DXC's practice to require such service providers, suppliers and alliance partners to handle personal data and other confidential information in a manner consistent with DXC's policies.
Circumstances may arise where, whether for strategic or other business reasons, DXC decides to sell, buy, merge or otherwise reorganize businesses in some countries. Such a transaction may involve the disclosure of personal information to prospective or actual purchasers, or the receipt of such information from sellers. It is DXC’s practice to seek appropriate protection for information in these types of transactions.
Please be aware that in certain circumstances, personal information may be subject to disclosure to government agencies pursuant to judicial proceeding, court order, law enforcement or legal process. We may also share your information to protect the rights or property of DXC, our business partners, suppliers or clients, and others when we have reasonable grounds to believe that such rights or property have been or could be affected.
Registration is not required to gain access to DXC websites. However, if you choose to receive certain services, specific material and information, a subscription is required on certain DXC websites.
In this regard, DXC may collect personal information from you including your name, phone number, email address, or other information you choose to provide at various times, for example, when you complete an online form or request or participate in an online community.
You can make or change your choices about receiving either subscription or general communications at the data collection point, within your account preference settings or by using other methods, which are listed in this Privacy Statement. You may opt-out at any time using the links at the bottom of any email or via the DXC Preference Center.
Please note, this option does not apply to communications primarily for the purpose of administering business relationships, including contracts, support, or other administrative and transactional notices where the primary purpose of these communications is not promotional in nature.
DXC recognizes and respects the varying national laws and obligations and their impact on cross-border data transfers. When transferring personal information outside of the country of collection for the purposes identified above, DXC will do so in compliance with applicable law.
In the development of DXC’s privacy policies and standards, we respect and take into account the major privacy and data protection principles and frameworks around the world and any amendments applied thereto from time-to-time, including the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 1988, the APEC Privacy Framework, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and the Australian Privacy Principles under the Privacy Act 1988.
EU Personal Data Transfers
For personal data originating from a European Union (EU) member state, DXC uses a variety of lawful data transfer mechanisms for this purpose, including EU Standard Contractual Clauses.
DXC has an intragroup agreement on the transfer and processing of personal data within the DXC group worldwide which has the EU Standard Contractual Clauses incorporated. This agreement allows DXC to ensure that personal data, including data originating from the EU, which is transferred cross-border and processed by other DXC group companies, including those located outside the EU, is adequately protected in accordance with applicable data protection law.
Companies like DXC Technology who are regulated by and therefore subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission are given the opportunity to offer their clients and partners an alternative and efficient way to legally share personal information originating from within the EU or Switzerland. Consistent with this, DXC, and all other U.S. based DXC entities and affiliates as listed below (‘covered DXC entities’), comply with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. DXC, for itself and on behalf of the covered DXC entities, has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Enterprise Online Privacy Statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern. Further details are provided below. To learn more about the Privacy Shield Framework, and to view DXC's certification, please visit: http://www.privacyshield.gov.
DXC U.S. based entities covered under Privacy Shield
All U.S. subsidiaries with the DXC Technology brand.
Enforcement, Independent Recourse Mechanism and Liability
DXC is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
In compliance with the Privacy Shield Principles, DXC, for itself and on behalf of the covered DXC entities, commits to resolve complaints about its collection or use of personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact DXC’s Privacy and Data Protection Office at:
DXC, for itself and on behalf of the covered DXC entities, has further committed to cooperate with EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs for more information or to file a complaint. The services of EU DPAs are provided at no cost to you.
In the context of an onward transfer, DXC, and any of the covered DXC entities, has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. DXC, and any of the covered DXC entities, shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the respective Privacy Shield organization proves that it is not responsible for the event giving rise to the damage.
For the avoidance of doubt, DXC, or any of the covered DXC entities, is not liable under the Privacy Shield Principles when, on behalf of another organization, DXC, or any of the covered DXC entities, merely transmits, routes, switches, or caches information. As is the case with the EU Directive itself, the Privacy Shield does not create secondary liability. To the extent that DXC, or any of the covered DXC entities, is acting as a mere conduit for data transmitted by third parties and does not determine the purposes and means of processing those personal data, it would not be liable.
Disclosure of Personal Data
Detailed information about the type or identity of third parties to which DXC discloses personal information, and the purposes for which it does so, can be found in the Sections “Use of Personal Information” and “Sharing of Personal Data” as outlined further above in this Enterprise Online Privacy Statement. Please note that DXC may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Transfer of Personal Data from the United Kingdom to the U.S. post ‘Brexit’
The European Council and the United Kingdom (UK) have agreed to extend the period for withdrawal of the UK from the European Union (EU) beyond March 29, 2019. During the extension period, the UK will remain a Member State of the EU; as a Member State, EU law will remain applicable to and in the UK, therefore transfers of personal data from the UK to the U.S. made under the Privacy Shield will remain legal until the date the UK and the EU implement the withdrawal (“Applicable Withdrawal Date”).
After the Applicable Withdrawal Date, an organization that has publicly committed to comply with Privacy Shield with regard to personal data received from the UK and that has committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK in reliance on Privacy Shield.
In order for DXC (US) to receive personal data from the UK post Applicable Withdrawal Date in reliance on the EU-U.S. Privacy Shield Framework, the following Privacy Shield commitments shall apply and be adopted by DXC as of the Applicable Withdrawal Date.
DXC complies with the EU-U.S. Privacy Shield Framework (“Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom to the United States in reliance on Privacy Shield. DXC has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this Statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit: http://www.privacyshield.gov
DXC is committed to the lawful treatment and confidential handling of sensitive information, including personal information about California residents, and has adopted a set of global information management policies including privacy and data protection, security, system access, information classification, and other relevant policies governing the collection, use, disclosure, transfer, retention, and deletion of information.
DXC as a “Service Provider” (as defined in the CCPA) confirms that it will process personal information which it retains, uses, or discloses in connection with its performance under any contract: (1) only on behalf of and for the benefit of the “Business” (as defined in the CCPA) from which it has received the personal information; (2) only in accordance with the contract and Business’s prior written instructions, if any; unless (3) as otherwise required by the CCPA. DXC confirms that it will not process personal information for any purpose other than for the specific purpose of performing the services specified in the contract.
Security is a high priority for DXC and to protect the personal data and other confidential information and maintain its accuracy and integrity we have implemented appropriate administrative, technical and physical safeguards to prevent unauthorized access, use or disclosure. We require the same high standard of information security and information management of any third parties we share your data with.
We will retain personal information only for as long as legally required or permitted and in accordance with DXC records and information management policies. We respect your right to privacy and upon your request DXC will no longer use your personal information unless required to provide you services or as necessary to comply with DXC’s legal obligations, resolve complaints and disputes, and enforce our agreements.
DXC has implemented technology, management processes and policies aimed at maintaining data accuracy. According to applicable laws, DXC provides individuals with reasonable access to personal information that they provided to DXC and the reasonable ability to review and correct the data or ask for anonymization, blockage, or deletion, as applicable. To protect your privacy and security when submitting an access request, we will take reasonable steps to verify your identity, such as requiring a password and user ID, passport number and/or other unique personal identifiers before granting access to your data. To submit your access request, please contact the DXC Global Privacy and Data Protection Office at firstname.lastname@example.org.
DXC is committed to resolving any complaints you may have in relation to your privacy and DXC's collection and use of your personal information. Please send any privacy-related complaints or requests, including requests for access to information, to email@example.com.
EU/Swiss individuals may also reach out to their national privacy authorities and ask for their support. DXC is committed to coordinating and collaborating with foreign regulators, including EU member state privacy authorities.
This site is intended for adult use only. DXC does not knowingly collect information from children as defined by local law, and does not target its websites, social computing tools or mobile applications to children under these ages. We encourage parents and guardians to take an active role in their children’s online and mobile activities and interests and ask that minors not submit any personal information.
Please note that the web site is constantly being updated and this list will change over time. If you have any additional questions about the use of a particular cookie please do not hesitate to email firstname.lastname@example.org.
We may also provide social media features that enable you to share information with your social networks and to interact with DXC and its group companies on various social media sites. Your use of these features may result in the collection or sharing of information about you, depending on the feature. We encourage you to review the privacy policies and settings on the social media sites with which you interact to make sure you understand the information that may be collected, used, and shared by those sites.
We will post a notice for 30 days at the top of this page notifying users when this Privacy Statement is updated or modified in a material way. If we are going to use your personal information in a manner different from that stated at the time of collection, we will notify you, and you will have, subject to legal and/or contractual provisions, a choice as to whether or not we can use your personal information in such a way.
We value your opinion. If you have any comments or questions about this Privacy Statement, DXC's handling of your personal information, or a possible breach of your privacy, you can send an email to the DXC Global Privacy and Data Protection Office at email@example.com.
Individuals living inside the EU and Switzerland seeking further information, guidance and advice may also contact their local privacy authorities.
We will treat your requests or complaints confidentially. Our representative will contact you within a reasonable time after receipt of your complaint to address your concerns and outline options regarding how they may be resolved. We will aim to ensure that your complaint is resolved in a timely and appropriate manner.