Please submit requests to exercise your privacy rights here
This Privacy Statement describes how Seagate Technology LLC or any parent, subsidiary or affiliate controlled by, under common control with, or controlling Seagate Technology LLC, including but not limited to affiliates operating under the LaCie name or brand, (collectively, “Seagate” or “we” or “us”) collects, uses, and shares information through the Seagate websites, which include but are not limited to Seagate.com, LaCie.com and their sub-domains (each a “Site”), and the Seagate services, products, software and software applications made available by us for use on or through computers and mobile devices (collectively, the “Offerings” under this Privacy Statement). Please remember that your use of our Sites and Offerings is at all times subject to the applicable Terms and Conditions that incorporate this Privacy Statement.
“Personal Information” is information that identifies you as an individual or relates to an identifiable individual. We collect information through the Sites and Offerings such as:
We collect and process these types of Personal Information to provide our services to you and as legally required. If you do not provide the information that we request, we may not be able to provide you with the full experiences of this Site and our Offerings, or may be prevented from complying with the applicable legal obligations.
Collection of Personal Information
We collect Personal Information in a variety of ways, including:
Please be aware if you disclose any Personal Information relating to other people to us or to our service providers in connection with the Site or Offerings, you represent that you have the permission to do so and to permit us to use the information in accordance with this Privacy Statement.
Use of Personal Information
We use Personal Information:
Disclosure of Personal Information
We disclose Personal Information:
Personal information may be disclosed by you, through your profile on our Site or Offerings and other information or content you may post or disclose through the Site or Offerings in a public forum, or through your social media account.
Other Uses and Disclosures
We also use and disclose your Personal Information as we believe to be necessary or appropriate:
“Other Information” is any information that does not reveal your specific identity or does not directly relate to an identifiable individual.
If we are required to treat Other Information as Personal Information under applicable law, then we may use and disclose it for the purposes for which we use and disclose Personal Information as detailed in this Policy.
Collection of Other Information
We and our service providers collect Other Information in a variety of ways, including:
Uses and Disclosures of Other Information
In some instances, we combine Other Information with Personal Information. If we do, we will treat the combined information as Personal Information as long as it is combined.
Seagate advertises on pages within our Sites and Offerings and on other websites not affiliated with Seagate. We contract with advertising service providers who serve advertising to you through the use of technologies, such as cookies and other similar technologies.
We use advertising service providers to help us determine which of our advertisements are most likely to be of interest to you. These advertising service providers may use behavioral information, such as how you navigate our Sites or Offerings, to provide relevant advertisements to you while you are using our Sites and/or Offerings.
We also contract with advertising companies to advertise our Offerings on websites not affiliated with Seagate. If you click on one of our ads, you link to the third party website that offers the advertised account or Offerings. These ads may contain cookies and other similar technologies that allow tracking of your response to our advertisements. These technologies, along with information the advertising companies collect about your online use, are used to recognize you across the devices you use, such as a mobile phone and a laptop.
If you would like more information about this practice, and to learn how to opt out of it in desktop and mobile browsers on the particular device on which you are accessing this Privacy Statement, please visit http://optout.aboutads.info/#/ and http://optout.networkadvertising.org/#/. In order for the opt-outs to work on your computer, your browser must be set to accept cookies. If you delete cookies or access the Site or Offering from a different device, you will need to opt-out again. You may download the AppChoices app at www.aboutads.info/appchoices to opt out in mobile applications. Please note that opting out of ad targeting does not opt you out from receiving general advertising.
Do Not Track
Our Offerings and Sites do not support “Do Not Track” requests at this time.
THIRD PARTY SERVICES
This Privacy Statement does not address, and we are not responsible for, the privacy, information or other practices of any third parties, including any third party operating any website or service to which the Sites or Offerings link. The inclusion of a link on the Sites or Offerings does not imply endorsement of the linked site or service by us or by our affiliates.
In addition, we are not responsible for the information collection, use, disclosure, or security policies or practices of any independent third party social media platform provider, app developer, app provider, operating system provider, wireless service provider, device manufacturer, or other organization, including with respect to any Personal Information you disclose to other organizations through or in connection with the Sites or Offerings, such as by using third-party messaging services linked or integrated through the Sites or Offerings.
We have reasonable security measures in place to protect against the loss, misuse and alteration of the information under our control. Please be advised, however, that while we strive to protect your information, we cannot guarantee or warrant the security of any information you disclose or transmit to us online and cannot be responsible for the theft, destruction, or inadvertent disclosure of your information. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Contact Us” section below.
CHOICES AND ACCESS
Your choices regarding our use and disclosure of your Personal Information
You may opt-out from:
How you can exercise your rights
If you would like to request to access, correct, update, object, restrict or delete your Personal Information, or if you would like to request to receive an electronic copy of Personal Information that you have previously provided to us for purposes of transmitting it to another company (to the extent this right to data portability is provided to you by applicable law), or if you would like to withdraw your consent where we rely on your consent for collection, use, and disclosure of your Personal Information, or to object the automatic decision making, or object to the processing of your publicly disclosed information, you may send us your request through this form. If you are a close relative of a deceased, to the extent provided under applicable law, you may request to access, correct, update, receive a copy, or delete the deceased’s information.
We will respond to your request within thirty (30) days or as soon as reasonably practicable, and in accordance with applicable law.
In your request, please make clear relevant details, for example, what Personal Information you would like to have changed, whether you would like to have your Personal Information removed from our database, or what limitations you would like to put on our use of your Personal Information. Please do not include more Personal Information than the form requires. For your protection, we will verify your identity before processing your request. When you are a close relative of a deceased and are requesting to access, correct, update, receive a copy, or delete the deceased’s information, we may need to verify your identity and the relationship between you and the deceased.
Please note that we may retain certain and limited information about your request for recordkeeping purposes, to complete any transactions that you began prior to requesting a change or deletion, for the establishment, exercise or defense of legal claims, for our compliance with applicable laws and regulations, and/or as otherwise required by law.
We will retain your Personal Information for as long as needed or permitted in light of the purpose(s) for which it was obtained.
The criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with you and provide the Site or Offerings to you (for example, for as long as you have an account with us or keep using the Site or Offerings); (ii) whether there is a legal or business obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them); or (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations regulatory investigations, or other legal matters).
USE OF SITE AND OFFERINGS BY MINORS
This Site and our Offerings are not directed toward individuals under the age of majority in the country in which they reside. We do not knowingly collect Personal Information from individuals under 18.
JURISDICTION AND CROSS-BORDER TRANSFER
Your Personal Information may be stored and processed in any country where we have facilities or in which we engage service providers. Please be aware that, when you use the Site or Offerings, we transfer information, through the course of regular business operations, to countries outside of your country of residence, including the United States, which may have data protection rules that are different from those of your country or that may not be considered adequate by your country of residence. When we transfer your Personal Information outside your country of residence, we may put in place appropriate safeguards in accordance with our legal obligations to ensure your Personal Information is adequately protected irrespective of the country to which it is transferred. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your Personal Information.
Some countries are recognized by the European Commission as providing an adequate level of data protection according to European Economic Area (“EEA”) standards (the full list of these countries is available here). For transfers from the EEA to countries not considered adequate by the European Commission, we have put in place adequate measures, such as standard contractual clauses adopted by the European Commission to protect your Personal Information.
If you are a resident in China, we may only transfer your personal information when we have one or more legal basis, such as performance of contract, or compliance with legal obligations. For transfer from China to other countries or areas, we will take measures such as standard contractual clauses adopted by the Cyberspace Administration of China. You may also request for us to provide you information about your personal information transfers, in accordance with applicable law.
You may request a copy of these measures by contacting us as described in the “Contact Us” section below.
We ask that you not send us, and you not disclose, any sensitive Personal Information (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs (such as doctrinal or philosophical beliefs), sexual behavior, health, disability, biometrics or genetic characteristics, criminal background, personal financial account data, tracking trace data or geolocation data, data of minors under age of 14, or trade union membership) or any other information which may affect you in the same manner as prescribed by applicable law) on or through the Site or otherwise to us.
For additional information regarding specific Offerings, please select from the list below:
If you are a California resident, please find additional information regarding your rights and our collection, use, and disclosure of your Personal Information, in our California Consumer Privacy Act Notice.
UPDATES TO THIS PRIVACY STATEMENT
We may update this Privacy Statement from time to time. If so, we will post our updated Privacy Statement on our Site and/or Offerings along with a change notice on the Site and/or Offerings prior to a material change. Where applicable and required by applicable law, we may ask for your consent to any change where your consent is needed. The “Last Updated” legend at the bottom of this Privacy Statement indicates when this Privacy Statement was last revised. We may also send registered users of our Site and/or Offerings a notice that this Privacy Statement has been materially changed. We encourage you to review this Privacy Statement regularly for any changes. Any changes will become effective when we post the revised Privacy Statement on the Site and/or Offerings, and your use of the Site and/or Offerings following these changes means that you accept the revised Privacy Statement.
Seagate Technology LLC or an affiliate controlled by, under common control with, or controlling Seagate Technology LLC, including but not limited to affiliates operating under the LaCie name or brand is located at
Seagate Technology LLC
47488 Kato Road
Fremont, CA 94538
If you would like to exercise your privacy rights, please submit your request here. We will respond to your request consistent with applicable law.
If you have questions about this Privacy Statement, please contact our Data Protection Officer at email@example.com or:
Seagate Technology LLC
Attn: Legal Department – Global Privacy
47488 Kato Road
Fremont, CA 94538
If you live in Germany, you may contact our Data Protection Officer in Germany:
Dr. Sebastian Kraska
You may lodge a complaint with a supervisory authority competent for your country or region, or where an alleged infringement of applicable data protection law occurs. Please click here for contact information for such authorities in the EEA.
We will also keep prior versions of this Privacy Statement in an archive for your review here:
LAST UPDATED: November 1, 2021
Seagate Technology LLC ("Seagate") treats all personal information in accordance with Seagate’s Privacy Statement. This section applies if you are using any of our Lyve offerings, including our Lyve Management Portal collectively ("Lyve Solutions"). Please remember that your use of our Lyve Solutions and our processing of this information is at all times subject to the applicable Terms and Conditions.
INFORMATION WE COLLECT
When you use any of our Lyve Solutions, we may collect the following information in addition to the Personal Information and Other Information described in Seagate's Privacy Statement:
Identifiers including registered username, name, email address, business address, phone number (including for two factor authentication (“2FA”), where required).
Commercial information including billing information, products or services purchased.
Technical Data including browser information, IP address, device information, usage data, date and time a device accesses our servers, amount of storage utilized, or statistical information.
We collect this information through your use of our Lyve Solutions and through the registration of a Lyve Solutions account. Please remember that Seagate may access information collected through the Lyve Management Portal and as necessary to perform our obligations under the Lyve Solutions, such as data recovery services, but does not have access to information you choose to store in our Lyve offerings.
USE AND SHARING OF INFORMATION
We process this information as necessary for account management, and to accomplish our business purposes and provide the relevant service you are using, including for testing and applying new product or system versions, patches, updates and upgrades. In addition to our standard uses of your information, we also use this information to provide functionality to the Lyve Solutions you are using, to personalize your experience with it, and to improve your overall experience with our applications, services, and offerings.
We provide a 2FA security feature, which is activated when accessing our Lyve Management Portal, either by way of a QR code or a verification code sent via text message. If you choose to opt-in for 2FA via text message, we will send the verification code to the phone number provided by you during the sign-up process. This verification process is necessary to confirm your identity every time you log in to our Lyve Management Portal.
Seagate and our partners and licensees may collect, use, and share information for purposes of providing you the nearest Seagate authorized service center locations. We only share your information with our affiliates and our third-party service providers, subject to appropriate contractual and technical arrangements.
As appropriate under the circumstances, we engage in these activities with your consent, for our legitimate business interests, to manage our contractual relationship with you and to comply with legal obligations.
Please note that due to our role as a processor or service provider and our inability to access the information you choose to store in a Lyve Solution, we are unable to process requests from your end users or customers.
You may be able disable or limit certain features in Lyve Solutions through the settings located in a particular Lyve Solution or your account portal. You may also have certain rights over your personal information as more fully described in our Privacy Statement.
If you have questions about this Privacy Statement, please contact our Data Protection Officer at firstname.lastname@example.org or:
Seagate Technology LLC
Attn: Legal Department – Global Privacy
47488 Kato Road
Fremont, CA 94538
If you live in Germany, you may contact our Data Protection Officer in Germany:
Dr. Sebastian Kraska
Last Update Date: October 14, 2021
DATA PRIVACY AGREEMENT
The parties acknowledge and agree as follows:
Adequacy Decision. “Adequacy Decision” means a decision issued by the European Commission that a country or region or a category of recipients in such country or region is deemed to provide an “adequate” level of data protection.
Affiliate. An “Affiliate” means any entity which controls, is controlled by, or is under common control with the subject party.
Data Privacy Breach. A “Data Privacy Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, access to, acquisition of Seagate Personal Information, or any other unauthorized Processing of Seagate Personal Information.
Data Protection Laws. “Data Protection Laws” means (a) the General Data Protection Regulation 2016/679 (“GDPR”) and all applicable data protection laws and regulations of a country that is a member of the European Union (“EU”) or the European Economic Area (“EEA”) and (b) any applicable laws or regulations of any other jurisdiction governing the Processing or protection of personal data.
Data Subject. “Data Subject” is an identified or identifiable natural person about whom Seagate Personal Information may be Processed under this DPA.
Seagate Personal Information. “Seagate Personal Information” means any information that relates to an identified or identifiable natural person, which is created, owned, or provided by Seagate or for Seagate, that Supplier has access to, obtains, uses, maintains, or Processes in connection with any agreement(s) between the parties and/or their Affiliates.
Processing. “Process” or “Processing” means, without limitation, operations performed on Seagate Personal Information, whether or not by automated means, such as collecting, recording, organizing, structuring, altering, using, accessing, disclosing, disseminating, copying, transferring, storing or otherwise retaining, deleting, aligning, combining, restricting, adapting, retrieving, consulting, destroying, or disposing Seagate Personal Information.
Sensitive Information means any of the following types of Seagate Personal Information: (i) social security number, taxpayer identification number, passport number, driver’s license number or other government-issued identification number; (ii) credit or debit card details or financial account number, with or without any code or password that would permit access to the account or credit history; or (iii) information on race, religion, ethnicity, sex life or practices or sexual orientation, medical or health information, genetic or biometric information, biometric templates, political or philosophical beliefs, political party or trade union membership, background check information or judicial data such as criminal records or information on other judicial or administrative proceedings.
Standard Clauses. “Standard Clauses” means the standard contractual clauses for the transfer of personal information to Processors established in third countries which do not ensure an adequate level of data protection (Commission Decision 2010/87/EU or any successor version), with optional clauses removed.
Sub-processor. A “Sub-processor” means any third party engaged by Supplier or by any other Sub-processor who will have access to, receive, or otherwise Process any Seagate Personal Information.
Supplier Personnel. “Supplier Personnel” means any Supplier employee, contractor, Sub-processor or agent whom Supplier authorizes to Process Seagate Personal Information.
The terms “Controller,” “Processor” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
DATA SECURITY AND PROTECTION
Status of the Parties. The parties hereby acknowledge and agree that Seagate is the Controller and Supplier is the Processor with respect to the Seagate Personal Information.
Nondisclosure of Seagate Personal Information. Supplier shall not disclose Seagate Personal Information in any manner for any purpose to any third party without obtaining prior written authorization from Seagate, other than disclosures to Sub-processors in accordance with Section 2.5 below. Without limiting the foregoing, in no event may Supplier sell or otherwise disclose Seagate Personal Information to any third party for the commercial benefit of Supplier or any third party.
Limitations on Processing. Supplier shall not Process or permit the Processing of Seagate Personal Information except as necessary to provide services to Seagate in accordance with any agreement(s) between the parties and/or their Affiliates or other written instructions of Seagate.
Information Security Program. Supplier will implement, maintain, monitor and, where necessary, update a comprehensive written information security program that contains appropriate administrative, technical, and physical safeguards to protect Seagate Personal Information against anticipated threats or hazards to its security, confidentiality or integrity (such as unauthorized access, collection, use, copying, modification, disposal or disclosure, unauthorized, unlawful, or accidental loss, destruction, acquisition, or damage or any other unauthorized form of Processing) (“Information Security Program”). The Information Security Program will include the measures listed in the Security Standards attached as Schedule 2.
Restrictions on Sub-processors. Supplier may disclose Seagate Personal Information to Sub-processors as necessary to perform its services for Seagate, subject to the conditions set forth in this Section 2.5. Supplier shall maintain a list of the Sub-processors to which it discloses Seagate Personal Information, and will provide this list to Seagate upon Seagate’s request. As of the Effective Date of this DPA, Supplier will provide Seagate a current list of Supplier’s Sub-processor(s). Supplier shall notify Seagate at email@example.com at least 30 business days before adding any Sub-processor to the list. If Seagate does not object to the proposed Sub-processor within 30 business days of receipt of notice, the Sub-processor is deemed to have been approved. If Seagate objects to any Sub-processor having access to Seagate Personal Information, then Supplier shall not disclose Seagate Personal Information to the Sub-processor. If at any time either party finds a Sub-processor is not providing sufficient guarantees of security appropriate to the risk associated with the Seagate Personal Information being Processed, Seagate may in its sole discretion, remove the Sub-processor from the list. In the event a Sub-Processor is objected to or removed by Seagate, Supplier will be provided a reasonable amount of time to replace the Sub-processor. If Supplier cannot provide the Services without disclosing Seagate Personal Information to the objected Sub-processor, then Seagate may terminate any applicable agreement(s) between the parties and/or their Affiliates without cost or liability owed to Supplier.
Sub-processor Compliance and Breach. Supplier’s use of Sub-processors does not reduce Supplier’s obligation to comply with this DPA or applicable Data Protection Laws. Supplier will be liable to Seagate for performance of the services, Data Privacy Breaches and breaches of this DPA and applicable Data Protection Laws by its Sub-processors to the same extent as if Supplier breached.
Obligations of Supplier Personnel and Sub-processors. Supplier shall ensure that any person or Sub-processor who has access to Seagate Personal Information is bound by written privacy and data protection terms at least as restrictive as those in this DPA. Supplier shall ensure that all privacy and data protection obligations continue after their Processing for Seagate ends. This obligation continues in perpetuity, or alternatively, at least until Supplier has certified that all Seagate Personal Information has been deleted, destroyed, and irretrievable.
Limited Access. Supplier shall limit access to Seagate Personal Information to Supplier Personnel or Sub-processors who require access for Supplier to perform its obligations under any agreement(s) between the parties and/or their Affiliates or Seagate’s written instruction, who have (a) been trained on data protection and security requirements, and (b) agreed to comply with data confidentiality requirements at least as restrictive as those required by Seagate during and after their Processing for Seagate.
Notice of Requests or Complaints. Unless prohibited by law, Supplier shall notify Seagate at firstname.lastname@example.org within 2 business days after receiving any request or complaint relating to the Processing of Seagate Personal Information, including:
requests from a Data Subject for data portability, requests to access, change, delete, or restrict, and similar requests; or
complaints or allegations that the Processing infringes on a Data Subject’s rights.
Supplier Responses. Supplier shall not respond to any request or complaint under Section 2.9 unless expressly authorized to do so by Seagate. Supplier shall cooperate with Seagate with respect to any action taken relating to any request or complaint including, without limitation, deletion requests. Supplier shall seek to implement appropriate processes (including technical and organizational measures) to assist Seagate in responding to requests or complaints, unless prohibited by law.
Requests for Disclosure. Unless prohibited by law, Supplier shall immediately notify Seagate if Supplier receives any document requesting or purporting to compel the disclosure of Seagate Personal Information (such as oral questions, interrogatories, requests for information or documents in legal proceedings, subpoenas, civil investigative demands, or other similar requests or processes; collectively, “Disclosure Requests”). If a Disclosure Request is not binding, Supplier will not respond. If a Disclosure Request is binding, Supplier shall, unless prohibited by applicable law, notify Seagate at least 48 hours before responding so that Seagate may exercise such rights as it may have to prevent or limit the disclosure. Supplier shall exercise reasonable efforts to prevent and limit any disclosure and to preserve the confidentiality of Seagate Personal Information. Supplier shall cooperate with Seagate with respect to any action taken in response to Disclosure Request, including cooperating to obtain an appropriate protective order or other assurance to protect the confidentiality of the Seagate Personal Information.
Cooperation. Supplier shall assist Seagate in meeting its obligations under Data Protection Laws regarding (a) registration and notification; (b) accountability; (c) ensuring the security of Seagate Personal Information; and (d) fulfilling privacy and data protection impact assessments and related consultations of Supervisory Authorities.
Participation in Regulatory Investigations. Supplier shall assist and support Seagate in any investigation by any Supervisory Authority to the extent the investigation relates to Seagate Personal Information Processed by Supplier or Supplier’s Sub-processor.
Notice of Potential Violations or Inability to Comply. Supplier shall immediately notify Seagate if:
Supplier has reason to believe that any instructions from Seagate regarding Processing of Seagate Personal Information would violate applicable law;
Supplier has reason to believe that it is unable to comply with any of its obligations under this DPA or Data Protection Laws and it cannot cure this inability to comply within a reasonable timeframe; or
Supplier becomes aware of any circumstances or changes in applicable law that are likely to prevent it from fulfilling its obligations under this DPA.
Suspension or Adjustments for Compliance. Seagate may suspend Supplier’s or Sub-processors’ Processing of Seagate Personal Information to prevent potential violations of or noncompliance with applicable law, this DPA, or any applicable agreement(s) between the parties and/or their Affiliates related to privacy or data protection. Supplier shall cooperate with Seagate to adjust the Processing to remedy any potential violation or noncompliance. If adjustment is not possible, Seagate may terminate any applicable agreement(s) between the parties and/or their Affiliates, without cost or liability owed to Supplier.
European Economic Area Standard Clauses. If Supplier transfers Personal Information received from within the EEA to a recipient outside the EEA that is not covered by an Adequacy Decision, then Supplier shall enter into Standard Clauses. Supplier shall ensure that any Sub-processors also execute the Standard Clauses, where applicable.
Other Jurisdiction Provisions. Where applicable, Supplier shall comply with the Requirements for Specific Jurisdictions, attached as Schedule 1.
COMPLIANCE AND ACCOUNTABILITY
Compliance. Supplier shall ensure that Supplier’s and Sub-processors’ Processing of Seagate Personal Information complies with all applicable laws, self-regulatory frameworks, and contract requirements applicable to Supplier and Sub-processor. Supplier shall annually review Supplier’s and Sub-processors’ practices to ensure they comply with this DPA and with all applicable laws. Supplier shall cooperate, at its own expense, with Seagate’s requests that Supplier demonstrate compliance with the data protection and security terms referenced in this DPA.
Records of Processing Activities. Supplier will maintain an up-to-date record of the details of the Supplier’s representative and data protection officer, categories of Processing activities performed, information regarding cross-border data transfer, a general description of the security measures implemented in respect of the Processed data, the name, contact and Processing details of each Sub-processor of Seagate Personal Information, and, where applicable, any Sub-processors’ representative and data protection officer. Upon request, Supplier will provide an historical and current copy of this record to Seagate.
Audit. Supplier shall make available to Seagate, on written request, all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including onsite inspections, by Seagate or an independent third-party auditor mandated by Seagate in relation to the Processing of Seagate Personal Information. Any such independent third-party auditor shall be required to enter into a non-disclosure agreement with the parties. Supplier shall remedy any non-compliance within a reasonable amount of time. If remediation is not possible, Seagate may terminate any applicable agreement(s) between the parties and/or their Affiliates, without cost or liability owed to Supplier.
SUPPLIER RESPONSIBILITIES AFTER A DATA PRIVACY BREACH
Notification of Data Privacy Breach. Supplier shall notify Seagate in writing of a known or suspected Data Privacy Breach immediately, and in any event within 24 hours after first learning of the potential Data Privacy Breach, and shall immediately:
notify Seagate at email@example.com of the Data Privacy Breach;
investigate or provide required assistance in the investigation of the Data Privacy Breach;
provide Seagate with detailed information about the Data Privacy Breach, including but not limited to the categories, location, and approximate number of Data Subjects concerned and the categories, location, and approximate number of Seagate Personal Information records, and continue to provide Seagate promptly with additional information about the Data Privacy Breach as it becomes available;
take all commercially reasonable steps to mitigate the effects of the Data Privacy Breach, or assist Seagate in doing so; and
implement a remediation plan, subject to Seagate’s approval, and monitor the resolution of Data Privacy Breaches and vulnerabilities related to Seagate Personal Information to ensure that appropriate corrective action is taken on a timely basis.
Containment and Remedy. Supplier shall immediately contain and remedy any Data Privacy Breach and prevent any further Data Privacy Breach; and Supplier shall take all actions necessary to comply with applicable Data Protection Laws and industry standards to contain and remedy the Data Privacy Breach.
Communications. Supplier shall not issue any communications related to a Data Privacy Breach, in any manner that would identify, or is reasonably likely to identify or reveal the identity of, Seagate, without Seagate’s prior approval.
Preservation of Evidence. Supplier shall maintain an incident response plan. Following discovery of a Data Privacy Breach, Supplier shall preserve evidence related to the Data Privacy Breach and maintain a clear chain of command according to Supplier’s incident response plan.
Cooperation. Supplier shall cooperate with Seagate in any litigation, investigation, or other action Seagate requires to protect Seagate’s rights relating to the use, disclosure, protection, and maintenance of Seagate Personal Information. Supplier further agrees to provide reasonable assistance and cooperation requested by Seagate and/or Seagate’s designated representatives, in the furtherance of any correction, remediation, or investigation of any Data Privacy Breach and/or the mitigation of any potential damage, including any notification that Seagate may determine appropriate to send to affected Data Subjects, regulators or third parties, and/or the provision of any credit reporting service that Seagate deems appropriate to provide to affected Data Subjects. Supplier will be responsible for Seagate’s reasonable expenses related to a Supplier Data Privacy Breach, including but not limited to investigation, remediation, and notification.
RETURN AND SECURE DELETION OF SEAGATE PERSONAL INFORMATION
Data Integrity. Supplier shall comply with all Seagate instructions to maintain data integrity, including (a) disposing of Seagate Personal Information that is maintained by Supplier but that is no longer necessary to provide Services; (b) ensuring that any Seagate Personal Information created by Supplier on Seagate’s behalf is accurate and kept up to date; and (c) upon Seagate’s request, allow Seagate to access any Seagate Personal Information, all in accordance with applicable laws.
Return and Deletion of Seagate Personal Information. Upon the earlier of (a) request by Seagate or (b) the expiration or earlier termination of the agreement(s) between the parties and/or their Affiliates related to the Processing of Seagate Personal Information, at Seagate’s direction, Supplier shall, and shall direct its Sub-processors to, export the Seagate Personal Information or provide Seagate, or its third party designee, with the ability to export all Seagate Personal Information in a machine readable and interoperable format determined by Seagate. Supplier shall maintain the Seagate Personal Information for as long as Seagate determines is reasonably necessary to allow Seagate to fully access and export the Seagate Personal Information, at no cost to Seagate. Each party shall identify a contact person to migrate the Seagate Personal Information and shall work promptly, diligently, and in good faith to facilitate a timely transfer. Within 90 days after Seagate (a) confirms that Seagate Personal Information was received and migrated correctly, or (b) informs Supplier of its election to not migrate the Seagate Personal Information, Supplier and Sub-processors shall securely destroy all Seagate Personal Information, delink Seagate’s workspace identifiers, and overwrite with new data or otherwise destroy the Seagate Personal Information through an approved sanitization method.
Destruction of Seagate Personal Information. If Supplier disposes of any paper, electronic or other record containing Seagate Personal Information, Supplier will do so by taking all reasonable steps (based on the sensitivity of the Seagate Personal Information) to destroy Seagate Personal Information by: (a) shredding; (b) permanently erasing and deleting; (c) degaussing; or (d) otherwise modifying the Seagate Personal Information in such records to make it unreadable, unreconstructable and indecipherable. If Supplier decommissions or otherwise retires a hard drive that contains a copy of Seagate Personal Information then Supplier shall securely shred or destroy the drive rendering the Seagate Personal Information unreadable and destroyed in accordance with NIST 800-88, revision 1. Supplier shall certify in writing that the drive has been shredded or destroyed and that that the Seagate Personal Information cannot be read, retrieved, or otherwise reconstructed.
Notice of Any Retention. If Supplier has a legal obligation to retain Seagate Personal Information beyond the period otherwise permitted by this DPA, Supplier shall notify Seagate in writing of its obligation, shall not further Process the Seagate Personal Information beyond retaining such information to fulfill Supplier’s legal obligation, and shall return or destroy the Seagate Personal Information as soon as possible after the legally-required retention period ends. This DPA will remain in effect until Supplier has ceased to have custody or control of or access to any Seagate Personal Information.
Documentation. Supplier shall document its retention and disposal of Seagate Personal Information pursuant to this DPA. Upon Seagate’s request, Supplier shall provide documentation of retention and a written certification that Seagate Personal Information has been securely destroyed in accordance with this DPA.
Term. This DPA will remain in effect until (i) there is no other active agreement(s) between the parties and (ii) Supplier has ceased to have custody or control of or access to any Seagate Personal Information.
Order of Precedence. In case of discrepancies between this DPA and any agreement(s) between the parties and/or their Affiliates, the provisions of this DPA will prevail except for any discrepancies involving Schedule 2 (Security Standards), in which case the other agreement(s) will prevail. This DPA shall not limit or restrict, but shall only be deemed to supplement the Standard Clauses.
Updates. The parties will reasonably cooperate to update this DPA by mutual written agreement as needed to ensure compliance with applicable laws and regulations.
Third Party Beneficiaries. Seagate’s Affiliates are intended third-party beneficiaries of this DPA; and may enforce the terms of this DPA as if each was a signatory to this DPA. Seagate also may enforce the provisions of this DPA on behalf of its Affiliates, instead of its Affiliates separately bringing a cause of action against Supplier.
Disclosure of DPA to Supervisory Authority. Seagate may provide a summary or a copy of this DPA to any Supervisory Authority.
Severance. If any provision in this DPA is ineffective or void, this will not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the purpose of the ineffective or void provision. In case a necessary provision is missing, the parties shall add an appropriate one in good faith.
Counterparts.This DPA may be signed by electronic signature, and such electronic signature shall be treated as an original, including for evidentiary purposes. This DPA may be signed in two or more counterparts, none of which needs to contain the signatures of both of the parties, and each of which will be deemed to be an original, and all of which taken together will constitute one and the same instrument.
Interpretation. The headings in this DPA are for reference only and will not affect the interpretation of this agreement.
DATA PRIVACY REQUIREMENTS FOR SPECIFIC JURISDICTIONS
The following requirements apply to the jurisdictions specified:
Applicability. The provisions of this Section 1 apply where (a) Supplier receives or accesses Seagate Personal Information from a Seagate Affiliate located in Australia; or (b) Seagate notifies Supplier that Seagate Personal Information is subject to these requirements.
Membership of a Professional or Trade Association. The term "Sensitive Information" also includes Personal Information about an individual’s membership of a professional or trade association.
Australian Privacy Principles. The Supplier must comply with any applicable obligations under the Privacy Act 1988 (Cth), including the Australian Privacy Principles, when dealing with Seagate Personal Information or otherwise providing the services pursuant to this DPA.
Note of use or disclosure for enforcement purposes. If Supplier uses or discloses Personal Information for one or more enforcement activities conducted by, or on behalf of, an enforcement body, Supplier shall keep a written record of the use and disclosure and promptly provide a copy of the record to Seagate, unless prohibited by law.
Australian government related identifiers. Where the Personal Information includes Australian government related identifiers Supplier (a) shall not adopt the Australian government related identifier for an individual as its own identifier of the individual unless expressly directed to do so by Seagate; and (b) shall not use or disclose the Australian government related identifier except where reasonably necessary to verify the identity of the individual, or otherwise where directed to do so by Seagate.
Collection of Personal Information. Where Seagate’s instructions to Supplier require Supplier to collect personal information on Seagate’s behalf, Supplier must (a) seek instructions from Seagate regarding (i) any information that must be provided to the Data Subject in connection with the collection of the Data Subject’s personal information; and (ii) any opt-in consents required for direct marketing purposes; and (b) not collect any Sensitive Information or without the Data Subject’s consent.
Supplier Agreements with the Australian Government. If Seagate is a contracted service provider to an Australian government entity at federal, state or territory level, and to the extent Seagate is bound to comply with additional data protection obligations by virtue of an agreement with the relevant government entity, Seagate will impose equivalent obligations upon Supplier, as required under applicable Australian law. Seagate and Supplier agree to enter into additional agreements, if needed, to reflect those obligations.
Applicability. The provisions of this Section 2 apply to Seagate Personal Information Supplier receives or accesses from a Seagate Affiliate located in Japan.
Supplier Personnel. Supplier will be responsible for supervising its Supplier Personnel in their compliance with the DPA.
Employment Management Measures. Supplier shall protect Seagate Personal Information relating to employment management as provided by Ministry of Health, Labor and Welfare (“MHLW”) Employment Management Guidelines.
Personal Information Learned Through Employment. Supplier shall ensure that its employees do not divulge or misappropriate the Seagate Personal Information learned through their employment.
Consent before Transfer or Disclosure. Supplier shall obtain prior written consent from Seagate before disclosing or transferring social security and tax numbers to any third party (including any Affiliate) that is not a party to the DPA, including any Sub-processors.
Return or Destroy after Purpose Achieved. Supplier shall stop Processing and return or destroy Seagate Personal Information in its possession when it has achieved the purpose for which it was collected.
Backup Purposes. Supplier shall not copy or reproduce Seagate Personal Information except for backup purposes.
Applicability. The provisions of this Section 3 apply to Seagate Personal Information Supplier receives or accesses from a Seagate Affiliate located in South Korea.
Limited Access. Supplier shall limit access to Personal Information to Supplier Personnel who reasonably require such access for the purposes of the Processing.
Required Safeguards. Supplier shall establish and maintain safeguards including:
internal procedures for secure handling of Personal Information;
technical safeguards such as firewalls, anti-virus and anti-malware software;
physical access restrictions, such as locks;
measures to prevent alteration or falsification of access logs or records of Processing;
measures to securely store and transmit Personal Information, such as encryption of Personal Information where required by the Personal Information Protection Act (PIPA), the Enforcement Regulations of PIPA, the Act on Promotion of Information and Communications Network Utilization and Protection of Information (PICNU), the Enforcement Regulations of PICNU (“PICNU Regulations”), the Utilization and Protection of Credit Information Act (UPCIA) or other Korean law, as applicable.
Encryption of Peculiar Identification Data. Supplier shall encrypt resident registration numbers, driver’s license numbers, and passport numbers when:
transmitted through an information or communications network;
stored on portable storage media or peripherals;
stored on any external computer network, or in a demilitarized zone, or on any personal computer or mobile device; or
stored on Supplier’s internal network if Supplier’s systems fail to meet Seagate-specified risk criteria.
Encryption of Password and Biometric Data. Supplier shall encrypt all passwords and biometric data stored in any form.
Information before Disclosure. Before disclosing or transferring Seagate Personal Information to a third party data processor, Supplier shall inform Seagate reasonably in advance. Upon Seagate’s request, Supplier will provide the following information: (a) the Processing activities to be subcontracted; (b) the identity of the third party data processor; and (c) any changes to (a) or (b).
Training. Supplier will participate in any training that Seagate may elect to provide to Supplier to safeguard against Seagate Personal Information being stolen, leaked, altered, or damaged during the course of Processing such Seagate Personal Information.
Applicability. The provisions of this Section 4 apply to Seagate Personal Information Supplier receives or accesses from a Seagate Affiliate located in Taiwan.
Sub-Processors. Notwithstanding Section 2.4 of the DPA, Supplier will not disclose or transfer Seagate Personal Information to, or allow access to Seagate Personal Information to any Sub-processor without Seagate’s express written consent.
Limited Processing Time. Supplier shall Process the Seagate Personal Information only for the period of time necessary to achieve the purposes of Processing, unless the parties have agreed on a different duration.
Preserve Access Records. Supplier shall preserve access records for as long as necessary to ensure they are periodically reviewed for instances of unauthorized access.
This Schedule represents the minimum security measures that will be taken by Supplier. If any agreement(s) between the parties requires Supplier to have a higher level or more extensive security measures, Supplier will abide by those terms. Supplier must maintain and enforce various policies, standards and processes designed to secure Seagate Personal Information and other data per industry standards, for example NIST Cyber Security Framework and ISO 27001 or 27002, to which Supplier employees are provided access.
Information Security Policies and Standards. Supplier must implement security requirements for staff and all subcontractors, suppliers, or agents who have access to Seagate Personal Information that are designed to:
Prevent unauthorized persons from gaining access to Seagate Personal Information processing systems (physical access control);
Prevent Seagate Personal Information processing systems being used without authorization (logical access control);
Ensure that persons entitled to use a Seagate Personal Information processing system can only gain access to such Seagate Personal Information as they are entitled to access in accordance with their approved access rights and that, in the course of processing or use and after storage Seagate Personal Information cannot be read, copied, modified or deleted without authorization (data access control);
Ensure that Seagate Personal Information cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Seagate Personal Information by means of data transmission facilities can be established and verified (data transfer control);
Ensure the establishment of an audit trail to document whether and by whom Seagate Personal Information have been entered into, modified in, transferred or removed from Seagate Personal Information processing (entry control);
Ensure that Seagate Personal Information is processed solely in accordance with the instructions (control of instructions);
Ensure that Seagate Personal Information is protected against accidental destruction or loss (availability control); and
Ensure that Seagate Personal Information collected for different purposes can be processed separately (separation control).
Supplier will conduct periodic risk assessments and review and, as appropriate, revise its information security practices at least annually or whenever there is a material change in Supplier’s business practices that may reasonably affect the security, confidentiality or integrity of Seagate Personal Information, provided that Supplier will not modify its information security practices in a manner that will weaken or compromise the confidentiality, availability or integrity of Seagate Personal Information.
Physical Security. Supplier must maintain commercially reasonable security systems at all Supplier sites at which an information system that uses or houses Seagate Personal Information is located. Supplier reasonably restricts access to such Seagate Personal Information appropriately.
When media are to be disposed of or reused, procedures must be implemented to prevent any subsequent retrieval of any Seagate Personal Information stored on them before they are withdrawn from the inventory. When media are to leave the premises at which the files are located as a result of maintenance operations, procedures must be implemented to prevent undue retrieval of Seagate Personal Information stored on them.
Supplier must implement security policies and procedures to classify Sensitive Information assets, clarify security responsibilities and promote awareness for employees.
All Seagate Personal Information security incidents must be managed in accordance with appropriate incident response procedures.
Supplier must encrypt, using industry-standard encryption tools, all Sensitive Information in transit and at rest.
Network Security. Supplier must maintain network security using commercially available equipment and industry-standard techniques, including firewalls, intrusion detection and prevention systems, access control lists and routing protocols.
Supplier must maintain appropriate access controls, including, but not limited to, restricting access to Seagate Personal Information to the minimum number of Supplier Personnel who require such access.
Only authorized staff may grant, modify or revoke access to an information system that uses or houses Seagate Personal Information. Supplier must maintain proper access records, which will be presented to Seagate upon Seagate’s request.
User administration procedures must define user roles and their privileges and how access is granted, changed and terminated; address appropriate segregation of duties and define the logging/monitoring requirements and mechanisms.
All employees of Supplier must be assigned unique user-IDs.
Access rights must be implemented adhering to the “least privilege” approach.
Supplier must implement commercially reasonable physical and electronic security to create and protect passwords.
Virus and Malware Controls. Supplier must install and maintain the latest anti-virus and malware protection software on the system and have in place scheduled malware monitoring and system scanning to protect Seagate Personal Information from anticipated threats or hazards and protect against unauthorized access to or use of Seagate Personal Information.
Personnel. Prior to providing access to Seagate Personal Information to Supplier Personnel, Supplier must require Supplier Personnel to comply with Supplier’s information security program. Supplier must implement a security awareness program to train personnel about their security obligations. This program will include training about data classification obligations; physical security controls; security practices; and security incident reporting. Supplier will have clearly defined roles and responsibilities for the employees. Screening will be implemented before employment with terms and conditions of employment applied appropriately. Supplier employees must strictly follow established security policies and procedures. A disciplinary process must be applied if employees commit a Data Privacy Breach.
Business Continuity. Supplier implements appropriate back-up and disaster recovery and business resumption plans. Supplier reviews both business continuity plan and risk assessment regularly. Business continuity plans are being tested and updated regularly to ensure that they are up to date and effective.
Primary Security Manager. Supplier must notify Seagate of its designated primary security manager. The security manager will be responsible for managing and coordinating the performance of Supplier’s obligations set forth in Supplier’s information security program and in this DPA.
Audit. Seagate reserves the right to audit Supplier commitments as stated in this Schedule 2, in accordance with section 4.4 “Audit” of this DPA.
Breach. If it is determined Supplier is in breach of this DPA, Supplier must remediate any such breach without undue delay and in any event within 30 calendar days. Any known or suspected Data Privacy Breach shall be governed by section 5. “Supplier Responsibilities After a Data Privacy Breach” of this DPA.
The Data Privacy Agreement is effective from August 11, 2020, onward.
For agreement completed from November 20, 2019, to August 10, 2020, please see the PDF attached here. Data Privacy Agreement August 10, 2020
For agreements completed from March 31, 2019, to November 19, 2019, please see the PDF attached here. Data Protection Requirements November 20, 2019
For agreements completed prior to March 31, 2019, please see the PDF attached here. Data Protection Requirements March 31, 2019