Zayo Group, LLC Data Privacy
At Zayo, we know how important privacy is to our customers and individuals. We have created this privacy statement to explain our approach to the collection, use, and disclosure of customer and individual’s information through the use of our services, marketing efforts related to our services, or as you interact with our web page.
Article I: Context
Zayo provides telecommunications and infrastructure offerings to customers globally. As part of providing those offerings, Zayo may act as a processor. Zayo collects and stores Personal Data for purposes of providing its offerings, informing customers of additional offerings, tracking use activity on its websites, and marketing efforts related to its offerings. Articles III through VIII of this privacy statement details the specific collection, use and storage for each of Zayo’s offerings.
Article II: Definitions
CPNI – customer proprietary network information.
Data – All information of individuals that is processed.
Data Subject – the person who provides (or information is collected from) Personal Data.
Offerings — the communications and products offered by Zayo to its customers.
Personal Data or Personal Information – any information that relates to an identified or identifiable living individual. This includes, for example, information such as a name, address, telephone number, email address, and identification number.
Processing – any set of actions which is performed on personal data such as collecting, recording, organizing, structuring, storing, altering, retrieving, using, disclosing, or destroying.
California Consumer Protection Act – TITLE 1.81.5. California Consumer Privacy Act of 2018 [1798.100 – 1798.199.100]
Controller – the entity that determines the processes and means of processing.
GDPR – EU General Data Protection Regulation.
PIPEDA – Canada Personal Information Protection and Electronic Documents Act.
Processor – the entity that processes personal data on behalf of the controller.
Article III: Zayo’s Offerings; Interaction with Private Data
For Data Services and Network Infrastructure [including Dark Fiber, Wave, SONET, Ethernet]
Zayo provides infrastructure and bandwidth services that permit customers to transport data in accordance with customer contractual requirements. The Customer is responsible for ensuring the data transmitted through these services is appropriately protected and compliant with current privacy legislation. Although the information moving through Company infrastructure may include customer information, Zayo is not acting in the role of processor of customer data; Zayo does not possess any direct or administrative access to any customer content that is transmitted through our communication infrastructure. This separation is maintained through both technological and security controls implemented on our service architecture.
For Cloud Services [Object Based Storage Services]
Zayo provides and operates cloud based capabilities and infrastructure that permit storage and lifecycle management activities for customer content. Zayo only permits access by a limited number of employees to customer-stored content at the request of the authorized customer party requesting Zayo to access such content, and such access by Zayo employees is limited to certain administrative functions, such as resetting passwords to provide the authorized customer party access to customer content. Zayo requires these employees to read, understand, and acknowledge compliance with Zayo’s policy governing such access. Through the Cloud Services Offering, Zayo is acting in the role of a processor on behalf of the Customer (the controller). Zayo has prepared a Data Processor Addendum (“DPA”) in accordance with GDPR Article 28. Please make a request through your designated Zayo contact to initiate the process for executing a DPA.
For Voice Services [Including VoIP, and UCCV]
Zayo provides cloud-based voice and collaboration solutions that deliver voice and PBX features, video meetings and messaging, and contact management features through an intuitive cloud interface. Customers may access a dashboard of reports, and may subscribe to a call recording feature. To access the Customer dashboard a new user receives a system-generated password in a separate email from the application setup instructions. The user is instructed to change the password and neither the Customer administrator nor Zayo have access to user passwords. Zayo has an application management password for all applications, including our call recording solutions. Zayo only permits access by a limited number of employees , for the purpose of providing Customer assistance and troubleshooting. Access to Zayo’s highest level master portal is limited to a select few employees. Customer portals for programming phones may be accessed only by select Zayo employees upon request of the Customer. These portals are limited to phone systems and do not provide access to applications such as meetings or call recordings.
Article IV: What Personal Data is Processed by Zayo
Contact Information – Zayo receives Personal Data from Data Subjects in their role as employees of our customers. Information required by Zayo to enable communications with customers, administer customer accounts, and in accordance with contractual obligations is limited to name, business address, telephone number, job title, and email address. Zayo may also collect certain publicly available social media information to facilitate provisioning of our Offerings and communications with our customers.
Website Application and Other Associated Service Portals – Zayo processes Personal Data contact information associated with the creation of application user credentials (eg. Tranzact, Workday recruitment, Zayo service portals, etc.), and collects website visitor information in the form of generic website statistics and cookies including device, operating system and browser type, country and time zone indicators and other system settings.
Marketing – Zayo utilizes websites for the display of corporate information as well as to market and transact Zayo Offerings. Customers and website visitors interact with various functions on these pages that may require the collection and use of Personal Data to complete those functions.
Opt Out – If Zayo uses your Personal Data for the purpose of sending you marketing communications, you may manage your receipt of marketing and non-transactional communications from Zayo by clicking on the “manage preference” link located on the bottom of Zayo marketing emails or by emailing firstname.lastname@example.org (“Opt Out”).
Please note that, notwithstanding the above, you will continue to receive marketing and non-transactional communications from Zayo unless you manage your receipt of such communications by clicking on the “manage preference” link.
Opting out of marketing communications does not opt you out of receiving important business communications related to your current relationships with Zayo, such as communications about the Offerings Zayo provides to your company.
Submission of Personal Data by Customer – In cases where contact information is provided by the customer in accordance with contractual requirements, the customer is responsible for ensuring that any Personal Data submitted to Zayo has been obtained in accordance with relevant data protection requirements and that, where applicable, customer has obtained any required consent from the Data Subject prior to providing Personal Data to Zayo.
Identity Information – For customers that require access to Zayo facilities, Zayo collects government issued identity information (e.g., drivers license, passport), palm or fingerprint biometric identifiers, and CCTV video image. Zayo collects this information directly from the Data Subject at each designated Zayo facility.
Network Traffic Data – Zayo collects data that is captured through system logging and data flow management systems including, but not limited to, source and destination Internet Protocol [IP] addresses and domain name, date and time indicators, and other network layer protocol header information as collected based on service capabilities. Although IP addresses are collected within network traffic logs, Zayo does not possess the necessary capabilities without the involvement of the impacted customer to identify an individual.
Article V: Why Zayo Uses Personal Data
Contract Administration – Zayo processes Personal Data contact information as necessary for the performance of Offerings pursuant to a contract between Zayo and its customer. Contact information is needed for ongoing contract administration, to provide customer notices and service announcements, to assist with service incident resolution, to install and maintain services on customer premises and to address billing and payment inquiries.
Physical Security Controls – Zayo processes identity information as necessary for the performance of a contract between Zayo and the customer. Customer contracts require that physical security controls be implemented to prevent unauthorized access to colocation facilities and customer equipment. Identity information is collected to authenticate individuals based on customer approvals.
Traffic Data – Zayo monitors and processes network traffic data consistent with its legitimate interests to support the offerings provided pursuant to a contract between Zayo and its Customer, to ensure the integrity of services and to support security incident and event management functions.
Website – Zayo processes website visitor information and contact information with our legitimate interest to offer and provide products and services, send promotional materials and marketing communications regarding programs, offers and surveys, deliver targeted online advertising, communicate with returning visitors and auto fill web based forms, respond to inquiries and to operate, evaluate and improve our business. Zayo processes website application information with our legitimate interest to create and maintain user credentials to allow authenticated user access to self-serve functions related to telecommunication services or to submit recruitment information for consideration of employment.
Article VI: Disclosure of Personal Data
Generally – Zayo may disclose Personal Data: (i) as set forth in a Data Processor Addendum between Zayo and a customer; (ii) as required by law or legal process; (iii) to law enforcement authorities or other government entities; and (iv) when Zayo believes disclosure is necessary or appropriate to prevent harm or financial loss, or in connection with an investigation of alleged fraudulent or illegal activity.
Transfers to Subprocessors – Zayo endeavors to limit data transfers wherever possible, however, Zayo does provide Personal Data, limited to name, contact information, and title, to its subprocessors to fulfill its obligations to its customers, and for administrative purposes. Where such data transfers are necessary, Zayo ensures that recipients of this data have appropriate safeguards and contractual terms in place, including Standard Contractual Clauses under GDPR where applicable. Personal Data transferred to Zayo subprocessors are stored on infrastructure located in the United States.
Article VII: Retention of Personal Data
Generally – Zayo maintains a corporate records retention policy and schedule. Specific retentions based on data categories are outlined below. However, various data elements when included within corporate documents will be governed by corporate and legal requirements.
Retention of Personal Data – Zayo retains Personal Data contact information and website application information for as long as the Customer maintains an active account and for 7 years after account termination in order to comply with legal and financial reporting obligations. In some cases, such as when required by law or rule, Zayo will keep Personal Data contact information for longer periods (e.g., E-Rate retention requirements). For all other cases, when Personal Data contact information is no longer required in support of a defined purpose, it will be deleted.
Retention of Images and Video Recordings – Zayo retains identity information for the duration of valid access to designated facilities. CCTV images are kept up to 30 days after which they are deleted.
Retention of Network Traffic – Zayo retains network traffic data for 90 days, then archived for 1 year before being deleted.
Retention of Website Information – Zayo retains website visitor information related to generic website statistics for the life of the website in an archive. Web cookie information is retained in alignment with cookie expiration dates.
Article VIII: Your Rights as a Data Subject
- You have the right to:
- The right to access your personal information
- The right to rectify any inaccurate personal information
- The right to the erasure of your personal information
- The right to restrict the processing of your personal information
- The right to data portability
- The right to object to the processing of your personal information
- The right to opt out of the sale of your personal information (under CCPA)
- The right to not be discriminated against for exercising your privacy rights (under CCPA)
To update, correct, or remove personal data or to object to the processing of your information related to website visit or web application support, please contact us at email@example.com or through “support” options on portals or applications.
NOTE: Where contact information has been provided by your employer (our customer), direct your request to your employer for corrective action. Due to the nature of Personal Data use, Zayo reserves the right to verify any corrections with customer contract authorities prior to making any changes.
For all other inquiries, please contact us, in writing, at firstname.lastname@example.org or write to the physical address listed below. In your request, please clearly articulate the nature of the concern/request as specifically as possible. Prior to release of any information, we may be required to ask for additional information from you in order to verify your identity before disclosure.
If you consider that privacy requests have not been addressed adequately by Zayo or the processing of Personal Data infringes GDPR, you have the right to lodge a complaint with the office of the Data Protection Commissioner or Supervisory Authority in the country where you reside.
Article IX: Organization Details and Contact Information
Zayo Group LLC
1805 29th Street, Suite 2050,
Boulder Colorado, USA, 80301
International House,1 St Katharine’s Way, London E1W 1UN
Overschiestraat 65, 1062 XD, Amsterdam
Privacy Office :
Chief Privacy Officer
Revision date: May 1, 2023
Article X: Applicable Law
GDPR applies to any Personal Data collected from a Data Subject and requires Zayo to have certain safeguards and process in place to ensure, among other things, that Personal Data is processed for a legitimate purpose, lawfully and transparently, collected for a specific purpose and not used in a manner inconsistent with that purpose, and appropriate safeguards are in place to ensure Personal Data is not processed in a manner that is unauthorized or unlawful. To the extent applicable, Zayo performs Offerings in compliance with Article 49(1) of the GDPR.
CCPA provides California consumers certain rights concerning how, when, and why businesses collect personal information. Zayo does not resell any Personal Data. If Zayo resells Personal Data in the future, this privacy statement will be amended accordingly.
CPNI relates to the quantity, technical configuration, type, destination, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier solely by virtue of the customer-carrier-relationship; and information contained in all the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier. Zayo has a CPNI policy that details how Zayo treats CPNI, and when employees or representatives may access and use CPNI. All employees or representatives of Zayo receive mandatory annual CPNI training, including, without limitation, training with respect to when they are and are not authorized to access and use CPNI.
Failure by any of our employees to comply with Zayo’s policies concerning CPNI is subject to disciplinary actions which may, depending upon the severity of the failure, result in termination of employment.
Other Applicable Laws Zayo also monitors and establishes other compliance measures for laws pertaining to privacy other than those set out in this Policy. Concerning such laws, Zayo conducts annual training for applicable employees, and requires employees to attest they have completed such training.