Zayo Data Privacy Statement
At Zayo, we know how important privacy is to our customers. We have created this privacy statement to explain our approach to the collection, use, and disclosure of customer information through the use of our services or as you interact with our web page. This privacy statement aligns with the transparency requirements of the EU General Data Protection Regulation (GDPR), effective 25 May 2018.
EU-U.S. Privacy Shield
Zayo participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework with respect to Zayo web sites and telecommunication services. Zayo is committed to subjecting all personal data from these sources received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List.
Zayo is responsible for the processing of personal data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Zayo complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Zayo web sites and telecommunication services are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Zayo may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://www.jamsadr.com/eu-us-privacy-shield
Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Data subjects – people whose information is processed.
Personal data – any information that relates to an identified or identifiable living individual. This includes, for example, information such as name, address, telephone number, email address, and identification number.
Processing – any set of actions which is performed on personal data such as collecting, recording, organizing, structuring, storing, altering, retrieving, using, disclosing, or destroying.
Controller – the entity that determines the processes and means of processing.
Processor – the entity that processes personal data on behalf of the controller.
Zayo provides direct communications infrastructure services to customers globally. As part of providing those services, Zayo may act as a controller or a processor, or neither. This privacy statement explains our position with respect to the different services Zayo provides.
For Data Services and Network Infrastructure [including Dark Fibre, Wave, SONET, Ethernet]:
Zayo provides infrastructure and bandwidth services that permit customers to transport data in accordance with customer contractual requirements. The Customer is responsible for ensuring the data transmitted through these services is appropriately protected and compliant with current privacy legislation. Although customer information is moving through Company infrastructure, Zayo is NOT acting in the role of a processor of customer data. Zayo does not possess any direct or administrative access to any customer content that is transmitted through our communication infrastructure. This separation is maintained through both technological and security controls implemented on our service architecture.
For Cloud Services [Object Based Storage Services]:
Zayo provides and operates cloud based capabilities and infrastructure that permit storage and lifecycle management activities for customer content. Through these services, Zayo is acting in the role of a processor on behalf of the Customer [the controller]. Zayo has prepared a Data Processor Addendum [DPA] in accordance with GDPR Article 28. Please make a request through your designated Zayo contact to initiate the process for executing a DPA.
For Zayo.com and other associated Zayo service portals:
Zayo utilizes websites for the display of corporate information as well as to market and transact Zayo services. Customers and web site visitors interact with various functions on these pages that may require the collection and use of personal information to complete those functions.
Zayo as a Controller:
Zayo collects personal data from data subjects in order to enable communications with web site visitors and customers, administer customer accounts and comply with customer contracts.
Categories of Personal Data Collected
Zayo utilizes a number of categories of personal information to conduct operations. The following categories are broad descriptions aligned with business operations.
Contact Information – Zayo collects data subject [customer] name, business address, telephone number, job title, email address, social media credentials.
Zayo generally collects this information directly from data subjects. In cases where contact information is provided by the customer in accordance with contractual requirements, the customer is responsible for ensuring that any personal data submitted to Zayo has been obtained in accordance with relevant data protection requirements. Where applicable, customer warrants that it has obtained any required consent from the data subject prior to providing personal data to Zayo.
Identity Information – Zayo collects government issued identity information [e.g., drivers license, passport], palm or fingerprint biometric identifiers, and CCTV video image.
Zayo collects this information directly from the data subject at each designated Zayo facility.
Network Traffic Data – Zayo collects data that is captured through system logging and data flow management systems including, but not limited to, source and destination Internet Protocol [IP] addresses and domain name, date and time indicators, and other network layer protocol header information as collected based on service capabilities. NOTE: Although IP addresses are collected within network traffic logs, Zayo does not possess the necessary capabilities without the involvement of the impacted “customer” to identify an individual.
Website Visitor Information – Zayo collects website visitor information in the form of generic website statistics and cookies including device, operating system and browser type, country and time zone indicators and other system settings.
Website Application Information – Zayo collects contact information associated with the creation of application user credentials [eg. Tranzact, Workday recruitment, Zayo service portals, etc.].
Zayo collects this information directly from data subjects using application interfaces and provides privacy notices related to each applications purpose and use of personal information collected. Current applications support service administration/transactions, recruitment and facility access.
Purposes and Legal Bases for Processing Personal Data
Zayo processes contact information as necessary for the performance of a contract between Zayo and the Customer. Contact information is needed for ongoing contract administration, to provide customer notices and service announcements, to assist with service incident resolution, to install and maintain services on customer premises and to address billing and payment inquiries.
Zayo processes identity information as necessary for the performance of a contract between Zayo and the Customer. Customer contracts require that physical security controls be implemented to prevent unauthorized access to colocation facilities and customer equipment. Identity information is collected to authenticate individuals based on customer approvals.
Zayo processes network traffic data consistent with its legitimate interests to ensure the integrity of services and to support security incident and event management functions.
Zayo processes website visitor information and contact information with our legitimate interest to offer and provide products and services, send promotional materials and marketing communications regarding programs, offers and surveys, deliver targeted online advertising, communicate with returning visitors and auto fill web based forms, respond to inquiries and to operate, evaluate and improve our business.
Zayo processes website application information with our legitimate interest to create and maintain user credentials to allow authenticated user access to self-serve functions related to telecommunication services or to submit recruitment information for consideration of employment.
Categories of Recipients of Personal Data
Zayo shares personal data with several categories of recipients.
Contact information may be used/accessed by Zayo employees including client services, sales, network/service operations staff and both Zayo and 3rd party operations personnel.
Identity information may be used/accessed by Zayo facility operation employees and 3rd party facility and security services providers at designated facilities.
Network traffic data may be used/accessed by designated Zayo network administrators/platform managers and Zayo Security Operations Centre [SOC] staff.
Website visitor information is used/accessed by authorized Zayo marketing and sales representatives and contracted 3rd party digital marketing and advertising partners [including Google Analytics, Google Adwords and Adtaxi].
Website application information is used/accessed by designated subject matter experts related to service order processing and recruitment, Zayo application administrators and designated help desk resources assigned to support application operations.
General note of disclosure:
Zayo may disclose information about you (i) as required by law or legal process, (ii) to law enforcement authorities or other government entities, and (iii) when we believe disclosure is necessary or appropriate to prevent harm or financial loss, or in connection with an investigation of alleged fraudulent or illegal activity.
Zayo endeavours to limit data transfers wherever possible. Where data transfers are necessary, Zayo ensures that recipients of this data have appropriate safeguards in place. With respect to the personal data categories described above, Zayo executes necessary data transfers on the following legal bases:
Contact information and website application information is managed within Salesforce and Workday on infrastructure located in the United States. This data transfer is necessary for the performance of a contract between Zayo and the Customer.
Identity information does not require data transfer. All data is maintained locally within the jurisdiction where it is collected and used.
Network traffic data is managed within our network operation and security events management tools within the United States. Website visitor information is managed within our hosted website platform within the United States. Data is transferred using the EU-U.S. Privacy Shield Framework, in accordance with the European Commission’s adequacy decision.
Zayo maintains a corporate records retention policy and schedule. Specific retentions based on data categories are outlined below. However, various data elements when included within corporate documents will be governed by corporate and legal requirements.
Zayo retains contact information and website application information for as long as the Customer maintains an active account and for 7 years after account termination in order to comply with legal and financial reporting obligations. In other cases, when information is no longer required in support of a defined purpose, it will be deleted.
Zayo retains identity information for the duration of valid access to designated facilities. CCTV images are kept up to 30 days after which they are deleted.
Zayo retains network traffic data for 90 days, then archived for 1 year before being deleted.
Zayo retains website visitor information related to generic website statistics for the life of the website in an archive. Web cookie information is retained in alignment with cookie expiration dates.
Data Subject Rights
You have the right to:
- Request further details on the processing of your personal data;
- Request a copy of the personal data that you have provided to us;
- Correct or remove any inaccurate personal data we hold; and
- Object to any processing based on legitimate interests grounds, unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights;
To update, correct, or remove personal data or to object to the processing of your information related to web site visit or web application support, please contact us at firstname.lastname@example.org or through “support” options on portals or applications.
NOTE: Where contact information has been provided by your employer [our Customer], direct your request to your employer for corrective action. Due to the nature of personal data use, Zayo reserves the right to verify any corrections with customer contract authorities prior to making any changes.
For all other inquiries, please contact us, in writing, at email@example.com. In your request, please clearly articulate the nature of the concern/request as specifically as possible. Prior to release of any information, we may be required to ask for additional information from you in order to verify your identity before disclosure.
If you consider that privacy requests have not been addressed adequately by Zayo or the processing of Personal Data infringes the GDPR, you have the right to lodge a complaint with the office of the Data Protection Commissioner or Supervisory Authority in the country where you reside.
Organization Details and Contact Information
Zayo Group LLC
1805 29th Street, Suite 2050,
Boulder Colorado, USA, 80301
Harmsworth House, 13-15 Bouverie Street , London, EC4Y 8DP
19-21 rue Poissonnière, Paris 75002, France.
Privacy Office :
Director, Global Privacy
Revision date: April 26, 2019