Managed Cloud Services Privacy Statement

Purpose
The purpose of this document is to articulate the policy of NTT Managed Services Americas, LLC (NTT Managed Services Americas) for handling and protecting the privacy of information acquired, accessed, or retained for business purposes or to establish and maintain provided services.

Scope
This privacy policy applies to all personal and customer information, whether in electronic, paper or verbal format, and does not apply to the data collection practices of any third parties, NTT Managed Services Americas customers, or any partners or affiliates of NTT Managed Services Americas.

NTT Managed Services Americas Privacy Statement
Protecting privacy is paramount to NTT Managed Services Americas, LLC (NTT Managed Services Americas). NTT Managed Services Americas and its United States affiliate Symmetry Corporation, NTT Managed Services Americas’ U.S. subsidiaries, and its wholly owned India subsidiary (hereinafter collectively referred to as “NTT Managed Services Americas,” “we,” “us” or “our”) comply with various laws/regulations regarding the protection of Personal Financial Information (PFI), Personal Information (PI), Personally Identifiable Information (PII) and Protected Health Information (PHI) data.

NTT Managed Services Americas maintains a privacy program in compliance with the ISO 27018 standard (Protection of PII in public clouds for PII processors) and acts in compliance with International and GDPR, Federal and applicable state privacy laws, as well as HIPAA, HITECH, Omnibus rule to safeguard the privacy of Protected Health Information (PHI). Onward transfers of customer data containing EU Personal Information rely on Standard Contractual Clauses (SCCs, aka Model Clauses). We comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. NTT Managed Services Americas, LLC and Symmetry Corporation have certified to the U.S. Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

This privacy policy outlines our general policy and practices, including the types of information we gather, how we use it and the notice and choice affected individuals have regarding our use of and their ability to correct that information. We also may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

 

Data We Collect

As a corporate entity we handle, store, and protect personnel and human resources data for the purposes of administering and carrying out the employment or personnel relationship for NTT Managed Services Americas employees and contractors. Human Resources/Personnel Data may include Personal Data/Personal Information (PI), Personal Financial Information (PFI), Personally Identifiable Information (PII), and/or Protected Health Information (PHI). Prospective NTT personnel may additionally see the Recruitment Privacy Statement located at https://services.global.ntt/en-us/legal/recruitment-privacy-statement.

We handle, store, and protect customer data, which varies according to the purposes of the business services provided to potential and current customers in support of maintaining customer relationships as well as other pertinent business contact data.

Furthermore, as a managed services provider we acquire, store, and transmit customer communications and customer operational information, which customers may regard as confidential, private, or sensitive as part of the customer service relationship. This customer classified data may or may not include Personally Identifiable Information (PII), Personal Financial Information (PFI), and/or Protected Health Information (PHI).

A Data Protection Impact Assessment (DPIA) will be used to outline the lawful basis for processing the data as it relates to the use of Human Resources/Personnel Data, Customer Contact data, Customer Communications, and Customer Operational Information.

Personal Information Collected and Methods of Collection – Customers

We collect the following minimum personal information from individuals authorized by companies, who are our customers, to access and use our services:

  • First Name
  • Last Name
  • Company Name
  • Business Email Address
  • Business Phone

In addition to the above information, we may also collect additional information from either the individual or their employer in order to facilitate communication (e.g., additional phone numbers, time zone the individual is in, etc.) and to identify and provide proof of identity (e.g., PINs, passphrases, manager’s name, etc.) for the individual.

This information is collected from either the individual themselves or provided to us by their employer.

Visitors, in accordance with the visitor policy, accessing our headquarters or data centers will have the following information collected:

  • First Name
  • Last Name
  • Country of Residency

We may also collect additional information from the individual in order to satisfy Export Controls. Regular scans for employees and ad hoc scans of visitors will be conducted to ensure they are not from a Specially Designated Embargoed Nation, a Denied Person or Debarred Party, prior to the individual entering our headquarters or data centers. This information will be collected from the individual or the employer.

During the scanning process the individual may be asked to provide additional information if the above information reveals a match to a person on a watch list such as, but not limited to, Specially Designated Embargoed Nation, Denied Persons, Debarred Parties, etc. This information includes:

  • City
  • State
  • Zip

Data collected for the scanning process will be removed after the visitor no longer actively visits our premises. Data may also be removed if the customer/visitor requests it or if we no longer have a business reason to continue the scan.

Types of Personal Information that may be Collected and Methods of Collection – Vendors, Contractors, and Suppliers

We collect the following minimum personal information from individuals who are not our employees but require a badge for unescorted access to our offices and data centers (e.g. customers, contractors, vendors, suppliers, etc.) via Non-Employee Access Forms:

  • First Name, Last Name, Middle Initial
  • Company Name
  • Phone
  • E-mail
  • Government Issued ID
  • Company Name
  • Company Address
  • Company City, State, and Zip Code
  • Supervisor or Human Resources Contact
  • Supervisor’s Phone
  • Supervisor’s E-mail

In addition to the above information, we may also collect additional information from either the individual or their employer in order to facilitate communication (e.g., additional phone numbers, time zone the individual is in, etc.) and to identify and provide proof of identity (e.g., PINs, passphrases, manager’s name, etc.) for the individual. To comply with Export Controls, we may retain the information outlined in the above section to facilitate regular scans for vendors, contractors, and suppliers.

Children’s Information

We will not knowingly market to, collect, or store any personal information from individuals under the age of 18.

Use of Audio, Video, Image, and Teleconference Recording

During the course of business, we may create and retain digital recordings or images for specific use cases such as phone calls to the service desk, images for entrance to an office or data center, video recordings of people in the offices or data centers, and teleconference meetings. We create recordings of audio and/or visual information during these events for business purposes of quality assurance, record-keeping/documentation, protection of assets, incident prevention, and/or security/legal/contractual obligations. Recordings shall only be retained for as long as required for business use. Data subjects are informed of audio recording in the automated greeting for calls to the service desk. Data subjects are notified of video surveillance and recording through signs posted at the entrances to our offices and data centers. Data subjects are notified of teleconference meeting recordings through a flashing “recording in progress” icon, audio announcements, system announcements, or meeting invite messages.

Personal information will be:

  • Used only for the purposes identified at collection or in the notice and only if the individual has provided implicit or explicit consent unless a law or regulation specifically requires otherwise.
  • Retained for no longer than necessary to fulfill the stated purposes, or for a period specifically required by law or regulation.
  • Disposed of in a manner that prevents loss, theft, misuse, or unauthorized access.

We acknowledge that individuals have the right to access the personal information that we collect and maintain about them. An individual who seeks access, or who seeks to correct, amend, or delete data under the right to erasure, should direct their query to s24.privacynotice@global.ntt. If requested to remove data, we will respond within 30 days.

Choice and Consent

We shall offer individuals the opportunity to choose (to opt-in or opt-out) whether their Personal Information is (1) retained for the purpose of a potential or existing business relationship, (2) to be disclosed to a third party, or (3) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For Sensitive Personal Information, we will give individuals the opportunity to affirmatively or explicitly (opt-out) consent to the use of their information or the disclosure of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. We shall treat Sensitive Personal Information received from an individual the same as the individual would treat it. The consequence of not providing consent is the inability of the requester to access certain information and a lack of exchange of appropriate services between us and the requester, which is also subject to terms of any existing agreements between the parties. If there are any additional consequences for refusing to provide personal information or of denying or withdrawing consent to use personal information, individuals will be informed of this when the personal information is collected. An individual who seeks to exercise their rights of choice and consent should direct their query to s24.privacynotice@global.ntt.

Onward Transfers/Disclosures to Third Parties

Personal information collected by us shall be disclosed to third parties only for the purposes described in the notice, and for which the individual has provided implicit or explicit consent, unless a law or regulation specifically requires or allows otherwise. We shall ensure that any third party vendor/sub-contractor we have procured for which Personal Information scoped to the European Union may be disclosed enter into legal agreements subject to appropriate safeguards (SCCs). Third parties who have legal agreements with us shall protect personal information in a manner consistent with the relevant aspects of our privacy policies or other specific instructions or requirements and are subject to law providing the same level of privacy protection as is required by SCCs. We shall take remedial action in response to misuse of personal information by a third-party vendor/sub-contractor to whom we have disclosed such information. Prior to disclosing Personal Information to a third party for purposes other than which it was originally collected or subsequently authorized by the individual, we shall notify the individual of such disclosure and allow the individual the choice (opt-out) of such disclosure. In cases of onward transfer to third parties (vendors/sub-contractors) of data of EU, UK, and Swiss individuals received pursuant to EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, Swiss-U.S. DPF, and/or SCCs, NTT Managed Services Americas is liable unless NTT Managed Services Americas proves that it is not responsible for an event giving rise to potential damage.

Law Enforcement and National Security Requests

We also may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. To date, we have never been requested by the U.S. government to provide access to any Personal Information under the Foreign Intelligence Surveillance Act (FISA) or otherwise.

Data Security

We shall take reasonable steps to protect the Information from loss, misuse and unauthorized access, disclosure, alteration, and destruction. We have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the Information from loss, misuse, unauthorized access or disclosure, alteration, or destruction. Further, we require that employees keep customer information confidential. We caution our customers that no medium of communication, especially the Internet, is entirely secure. Accordingly, we cannot guarantee the security of information on or transmitted via the Internet and we are not responsible for loss, corruption or unauthorized acquisition and use of personal information, or for any damages resulting from such loss, corruption, unauthorized acquisition or unauthorized use.

Data Integrity

Individuals are responsible for providing us with accurate and complete personal information and for contacting us if any correction of such information is required. We shall only process Personal Information in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, we shall take reasonable steps to ensure that Personal Information is collected and maintained so that it is accurate, complete, current, and reliable for its intended use.

ACCESS TO PERSONAL INFORMATION (PI, PII, (e)PHI)

Transparent Personal Information, Time Frame, and Cost

We shall, upon request, allow an individual access to their Personal Information for data that we have collected. Personal information will be provided to the individual in a concise, transparent, intelligible, and easily accessible form, in a reasonable timeframe, and at a reasonable cost, if any. Requests for Personal Information that is controlled by a customer will be routed to the appropriate customer privacy representative. We will assist customers with such requests pursuant to the Master Service Agreement (MSA) or Statement of Work (SOW).

Updating, Correcting, Amending, or Deleting Personal Information

We shall, upon request, allow data subjects to update, correct, amend or delete personal information held and controlled by us, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated. If practical and economically feasible to do so, we shall provide such updated or corrected information to third parties that previously were provided with the individual’s personal information.

We cannot process direct requests from data subjects to update, correct, amend, or delete personal information controlled by our customers. Such requests will be routed to the appropriate customer privacy representative. Handling of such requests and communication with data subjects where personal information is controlled by our customers is the responsibility of each customer. We will assist customers with such requests pursuant to the MSA or SOW.

Identity Confirmation

We shall authenticate the identity of individuals who request access to their personal information before they are given access to that information.

Denial of Access

We shall inform individuals, in writing, of the reason a request for access to their personal information was denied, the source of the entity’s legal right to deny such access, if applicable, and the individual’s right, if any, to challenge such denial, as specifically permitted or required by law or regulation.

Statement of Disagreement

We shall inform individuals, in writing, about the reason a request for correction of personal information was denied, and how they may appeal.

Enforcement/Monitoring

We use self-assessment and monitoring to assure compliance with this privacy policy and periodically verify that the policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented, accessible, and in conformity with the Principles. We encourage interested persons to raise any concerns using the contact information provided and we will investigate and attempt to resolve any complaints or disputes regarding use and disclosure of Personal Information in accordance with the Principles.

If a complaint or dispute cannot be resolved through our internal process, we agree to dispute resolution using an independent resource mechanism as a third-party resolution provider.

NTT Managed Services Americas, LLC is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

EU-U.S., UK Extension to EU-U.S., and Swiss-U.S. Data Privacy Frameworks

NTT Managed Services Americas complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. NTT Managed Services Americas, LLC and Symmetry Corporation have certified to the U.S. Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. NTT Managed Services Americas, LLC and Symmetry Corporation have certified to the U.S. Department of Commerce that they adhere to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Dispute resolution

If a complaint or dispute cannot be resolved through our internal process, we agree to dispute resolution using (an independent resource mechanism) as a third-party resolution provider. Individuals with complaints regarding this privacy policy should first contact NTT Managed Services Americas at:

NTT Managed Services Americas

Attn: Devin Iler, Security Governance and Privacy Manager
4000 Town Center, Suite 200
Southfield, MI 48075
Email: s24.privacynotice@global.ntt 
Webform: Click here to access our privacy rights webform

In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), we commit to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF, the UK extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. EU, UK, and Swiss individuals with inquiries or complaints should first contact NTT Managed Services Americas, LLC at:

NTT Managed Services Americas

4000 Town Center, Suite 200
Southfield, MI 48075
s24.privacynotice@global.ntt
Phone: +1-888-914-9661 Access code: 111342
Webform: Click here to access our privacy rights webform

NTT Managed Services Americas has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf.

Human Resources Data Complaints

If your complaint involves human resources data transferred to the United States from the European Union, the United Kingdom, or Switzerland in the context of the employment relationship, and we do not address it satisfactorily, we commit to cooperate with the panel established by the EU data protection authorities (DPA Panel), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable, and to comply with the advice given by the DPA Panel, ICO, or FDPIC, as applicable, with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Contact details for the EU data protection authorities can be found at https://edpb.europa.eu/about-edpb/board/members_en. Complaints related to human resources data should not be addressed to the BBB NATIONAL PROGRAMS.

Amendments

This privacy policy may be amended from time to time consistent with the requirements of the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), and/or changes to privacy laws and regulations. If we modify our Privacy Statement, we will post the revised version here, with an updated revision date. You agree to visit this page periodically to be aware of and review any such revisions. If we make material changes to our Privacy Statement, we may also notify you by other means prior to the changes taking effect, such as by posting a notice on our websites or sending you a notification. By continuing to use our website after such revisions are in effect, you accept and agree to abide by the revisions. Information is subject to other policies.

 

Effective Date: 10 October 2023