Zayo Data Privacy Statement
At Zayo, we know how important privacy is to our customers. We have created this privacy statement to explain our approach to the collection, use, and disclosure of customer information through the use of our services or as you interact with our web page. This privacy statement aligns with the requirements of the EU General Data Protection Regulation (GDPR), effective 25 May 2018 and other applicable laws.
Standard Contractual Clauses (SCC)
Pursuant to the mentioned decision of the CJEU (“Schrems 2”) invalidating the EU-U.S. Privacy Shield framework, Zayo has entered into a Standard Contractual Clause (SCC) framework (2001/497/EC, 2001/915/EC, 2001/87/EU) with its EU-based affiliated companies that describe the personal data that are transferred to the U.S. and the safeguards applied by Zayo for protecting such data. A summary of which is provided below.
Zayo as the US-based data importer is responsible as a controller for the processing of personal data it receives, under the SCC, and subsequently may transfer to a third party acting as a service provider on its behalf. In these cases, Zayo will impose contractual obligations on the third party to comply with the SCC (onward transfer). Zayo has duly considered the risks for EU personal data that it receives under such SCC and believes that the personal data are adequately protected. This is an ongoing process at this time. Zayo may update this Policy or its SCC in case that any applicable further regulatory guidance on the interpretation and implementation of the mentioned “Schrems 2” decision becomes available.
With respect to personal data received or transferred pursuant to SCC, Zayo websites and telecommunication services are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Zayo may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
EU-U.S. Privacy Shield
Zayo participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework with respect to Zayo websites and telecommunication services. Zayo is committed to subjecting all personal data from these sources received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List.
On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.
Zayo continues to participate in the EU-U.S. Privacy Shield Framework and its associated obligations while the US and EU Commission reach a final disposition.
Data – All information of individuals that is processed.
Personal data – any information that relates to an identified or identifiable living individual. This includes, for example, information such as a name, address, telephone number, email address, and identification number.
Processing – any set of actions which is performed on personal data such as collecting, recording, organizing, structuring, storing, altering, retrieving, using, disclosing, or destroying.
Controller – the entity that determines the processes and means of processing.
Processor – the entity that processes personal data on behalf of the controller.
Zayo provides direct communications infrastructure services to customers globally. As part of providing those services, Zayo may act as a controller or a processor, or neither. This privacy statement explains our position with respect to the different services Zayo provides.
For Data Services and Network Infrastructure [including Dark Fiber, Wave, SONET, Ethernet]
Zayo provides infrastructure and bandwidth services that permit customers to transport data in accordance with customer contractual requirements. The Customer is responsible for ensuring the data transmitted through these services is appropriately protected and compliant with current privacy legislation. Although customer information is moving through Company infrastructure, Zayo is NOT acting in the role of a processor of customer data. Zayo does not possess any direct or administrative access to any customer content that is transmitted through our communication infrastructure. This separation is maintained through both technological and security controls implemented on our service architecture.
For Cloud Services [Object Based Storage Services]
Zayo provides and operates cloud based capabilities and infrastructure that permit storage and lifecycle management activities for customer content. Through these services, Zayo is acting in the role of a processor on behalf of the Customer [the controller]. Zayo has prepared a Data Processor Addendum [DPA] in accordance with GDPR Article 28. Please make a request through your designated Zayo contact to initiate the process for executing a DPA.
For Zayo.com and other associated Zayo service portals
Zayo utilizes websites for the display of corporate information as well as to market and transact Zayo services. Customers and website visitors interact with various functions on these pages that may require the collection and use of personal information to complete those functions.
Zayo as a Controller
Zayo collects personal data from data subjects in order to enable communications with website visitors and customers, administer customer accounts and comply with customer contracts.
1. Categories of Personal Data Collected
Zayo utilizes a number of categories of personal data to conduct operations. The following categories are broad descriptions aligned with business operations.
Contact Information – Zayo collects data subject [customer] name, business address, telephone number, job title, email address, social media credentials.
Zayo generally collects this information directly from data subjects. In cases where contact information is provided by the customer in accordance with contractual requirements, the customer is responsible for ensuring that any personal data submitted to Zayo has been obtained in accordance with relevant data protection requirements. Where applicable, customer warrants that it has obtained any required consent from the data subject prior to providing personal data to Zayo.
Identity Information – Zayo collects government issued identity information [e.g., drivers license, passport], palm or fingerprint biometric identifiers, and CCTV video image.
Zayo collects this information directly from the data subject at each designated Zayo facility.
Network Traffic Data – Zayo collects data that is captured through system logging and data flow management systems including, but not limited to, source and destination Internet Protocol [IP] addresses and domain name, date and time indicators, and other network layer protocol header information as collected based on service capabilities.
NOTE: Although IP addresses are collected within network traffic logs, Zayo does not possess the necessary capabilities without the involvement of the impacted “customer” to identify an individual.
Website Visitor Information – Zayo collects website visitor information in the form of generic website statistics and cookies including device, operating system and browser type, country and time zone indicators and other system settings.
Website Application Information – Zayo collects contact information associated with the creation of application user credentials [eg. Tranzact, Workday recruitment, Zayo service portals, etc.].
Zayo collects this information directly from data subjects using application interfaces and provides privacy notices related to each applications purpose and use of personal information collected. Current applications support service administration/transactions, recruitment and facility access.
2. Purposes and Legal Bases for Processing Personal Data
Zayo processes contact information as necessary for the performance of a contract between Zayo and the Customer. Contact information is needed for ongoing contract administration, to provide customer notices and service announcements, to assist with service incident resolution, to install and maintain services on customer premises and to address billing and payment inquiries.
Zayo processes identity information as necessary for the performance of a contract between Zayo and the Customer. Customer contracts require that physical security controls be implemented to prevent unauthorized access to colocation facilities and customer equipment. Identity information is collected to authenticate individuals based on customer approvals.
Zayo processes network traffic data consistent with its legitimate interests to ensure the integrity of services and to support security incident and event management functions.
Zayo processes website visitor information and contact information with our legitimate interest to offer and provide products and services, send promotional materials and marketing communications regarding programs, offers and surveys, deliver targeted online advertising, communicate with returning visitors and auto fill web based forms, respond to inquiries and to operate, evaluate and improve our business.
Zayo processes website application information with our legitimate interest to create and maintain user credentials to allow authenticated user access to self-serve functions related to telecommunication services or to submit recruitment information for consideration of employment.
3. Categories of Recipients of Personal Data
Zayo shares personal data with several categories of recipients.
Contact information may be used/accessed by Zayo employees including client services, sales, network/service operations staff and both Zayo and 3rd party operations personnel.
Identity information may be used/accessed by Zayo facility operation employees and 3rd party facility and security services providers at designated facilities.
Network traffic data may be used/accessed by designated Zayo network administrators/platform managers and Zayo Security Operations Centre [SOC] staff.
Website visitor information is used/accessed by authorized Zayo marketing and sales representatives and contracted 3rd party digital marketing and advertising partners [including Google Analytics, Google Adwords and Adtaxi].
Website application information is used/accessed by designated subject matter experts related to service order processing and recruitment, Zayo application administrators and designated help desk resources assigned to support application operations.
General note of disclosure:
Zayo may disclose information about you (i) as required by law or legal process, (ii) to law enforcement authorities or other government entities, and (iii) when we believe disclosure is necessary or appropriate to prevent harm or financial loss, or in connection with an investigation of alleged fraudulent or illegal activity.
4. Data Transfers
Zayo endeavours to limit data transfers wherever possible. Where data transfers are necessary, Zayo ensures that recipients of this data have appropriate safeguards in place. With respect to the personal data categories described above, Zayo executes necessary data transfers on the following legal bases:
Contact information and website application information is managed within Salesforce and Workday on infrastructure located in the United States. This data transfer is necessary for the performance of a contract between Zayo and the Customer.
Identity information does not require data transfer. All data is maintained locally within the jurisdiction where it is collected and used.
Network traffic data is managed within our network operation and security events management tools within the United States. Website visitor information is managed within our hosted website platform within the United States. Data is transferred using the SCC Framework, in accordance with the European Commission’s adequacy decision.
5. Data Retention
Zayo maintains a corporate records retention policy and schedule. Specific retentions based on data categories are outlined below. However, various data elements when included within corporate documents will be governed by corporate and legal requirements.
Zayo retains contact information and website application information for as long as the Customer maintains an active account and for 7 years after account termination in order to comply with legal and financial reporting obligations. In other cases, when information is no longer required in support of a defined purpose, it will be deleted.
Zayo retains identity information for the duration of valid access to designated facilities. CCTV images are kept up to 30 days after which they are deleted.
Zayo retains network traffic data for 90 days, then archived for 1 year before being deleted.
Zayo retains website visitor information related to generic website statistics for the life of the website in an archive. Web cookie information is retained in alignment with cookie expiration dates.
6. Data Subject Rights
You have the right to:
- Request further details on the processing of your personal data;
- Request a copy of the personal data that you have provided to us;
- Correct or remove any inaccurate personal data we hold; and
- Object to any processing based on legitimate interests grounds, unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights;
To update, correct, or remove personal data or to object to the processing of your information related to website visit or web application support, please contact us at firstname.lastname@example.org or through “support” options on portals or applications.
NOTE: Where contact information has been provided by your employer [our Customer], direct your request to your employer for corrective action. Due to the nature of personal data use, Zayo reserves the right to verify any corrections with customer contract authorities prior to making any changes.
For all other inquiries, please contact us, in writing, at email@example.com or write to the physical address listed below. In your request, please clearly articulate the nature of the concern/request as specifically as possible. Prior to release of any information, we may be required to ask for additional information from you in order to verify your identity before disclosure.
If you consider that privacy requests have not been addressed adequately by Zayo or the processing of Personal Data infringes the GDPR, you have the right to lodge a complaint with the office of the Data Protection Commissioner or Supervisory Authority in the country where you reside.
7. Organization Details and Contact Information
Zayo Group LLC
1805 29th Street, Suite 2050,
Boulder Colorado, USA, 80301
International House, 1 St Katharine’s Way, London E1W 1UN
Overschiestraat 65, 1062 XD, Amsterdam
Privacy Office :
Director, Global Privacy
Revision date: September 28, 2020