Last Updated: September 17, 2020
On 16 July 2020, the Court of Justice of the European Union issued a judgment declaring as invalid the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Economic Area to the United States. Also, on 08 September 2020, the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland issued an opinion concluding that the Swiss-U.S. Privacy Shield Framework does not provide an adequate level of protection for data transfers from Switzerland to the United States pursuant to Switzerland’s Federal Act on Data Protection (FADP).
Please note that EU Standard Contractual Clauses (SCCs) remain a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Economic Area and the United Kingdom and Switzerland to the United States.
Red Hat, Inc. and its U.S. controlled subsidiaries (collectively, "Red Hat”, “we”, “our" or "us") respect your privacy. This Privacy Shield Notice ("Notice") describes our standards and procedures for handling Personal Information transferred from the European Economic Area ("EEA") and Switzerland to the U.S. in accordance with Red Hat’s obligations under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
Red Hat has subscribed to and will adhere to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks by adopting and implementing the Privacy Shield Principles ("Principles"). More information about the Privacy Shield can be found at www.privacyshield.gov. Our Privacy Shield certification can be found at www.privacyshield.gov/list.
For the purpose of this Notice, "Personal Information" means any data relating to an identified or identifiable individual, including, for example, name, address, telephone number and e-mail address, and "processing" means any operation performed on Personal Information, such as, for example, collection, use, management, consultation or disclosure. This Notice supplements our Red Hat Privacy Statement. Unless specifically defined in this Notice, the terms in this Notice have the same meaning as in our Privacy Statement. In case of conflict between this Notice and the Principles, the Principles will govern.
How We Obtain Personal Information
We obtain and process Personal Information from the EEA and Switzerland in different capacities:
- As a data controller, we collect and process EEA and Swiss Personal Information directly from individuals, either via our publicly available websites, including www.redhat.com, or in connection with our customer, partner, and vendor relationships.
- As an agent (as that term is used in the Principles), we obtain and process EEA and Swiss Personal Information on behalf of and under the instructions of our customers in connection with cloud services Red Hat provides ("Cloud Services"), such as Personal Information stored by customers using our OpenShift Online offering. In that context, customers are the data controllers or agents and the roles and responsibilities of the parties for the processing of Personal Information are defined in our agreements with customers.
Red Hat commits to comply with the Principles with respect to all Personal Information received from the EEA and Switzerland in reliance on the Privacy Shield.
Privacy Shield Principles
- Notice Red Hat’s Privacy Statement in combination with this Notice describes our privacy practices with respect to Personal Information received from the EEA and Switzerland in reliance on the Privacy Shield.
- Choice When providing our Cloud Services, our customers choose the types of Personal Information we process and the purposes of the processing. Accordingly, our customers are responsible for providing notice to individuals. In the event Personal Information is (i) to be used for a purpose that is materially different from the purposes for which the Personal Information was originally collected or subsequently authorized, or (ii) transferred to a third party acting as a data controller, individuals will be given, where practical and appropriate, an opportunity to opt out of having their Personal Information so used or transferred where it involves non-sensitive information. Where such use or transfer involves sensitive information, individuals must opt-in before such use or transfer.
- Data Integrity and Purpose Limitation Any Personal Information we receive may be used by Red Hat for the purposes indicated in our Red Hat Privacy Statement or as otherwise notified to you. We will not process Personal Information in a way that is incompatible with these purposes unless subsequently authorized by you.
We take reasonable steps to limit the collection and usage of Personal Information to that which is relevant for the purposes for which it was collected, and to ensure that such Personal Information is reliable, accurate, complete and current. Individuals are encouraged to keep their Personal Information with Red Hat up to date and may contact Red Hat as indicated below or in the Red Hat Privacy Statement to request that their Personal Information be updated or corrected.
We will retain your Personal Information in an identifiable form only for the period necessary to fulfill the purposes outlined in the Red Hat Privacy Statement, unless a longer retention period is required or permitted by law or by the Principles. We will adhere to the Principles for as long as we retain the Personal Information collected under the Privacy Shield.
When providing our Cloud Services, we process and retain Personal Information as necessary to provide our services as permitted in our agreement with customers, or as required or permitted under applicable law.
- Accountability for Onward Transfer of Personal Information Red Hat may transfer Personal Information for the purposes described in the Red Hat Privacy Statement to a third party acting as a data controller or as an agent. If we intend to disclose Personal Data to a third party acting as a data controller or as an agent we will comply with, and protect, Personal Information as provided in the Accountability for Onward Transfer Principle. When providing our Cloud Services we disclose Personal Information as provided in our agreement with customers.
We remain responsible for the processing of Personal Information received under the Privacy Shield and subsequently transferred to a third party acting as an agent if the agent processes such Personal Information in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage.
- Security Red Hat takes reasonable and appropriate precautions, taking into account the risks involved in the processing and the nature of the Personal Information, to help protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
- Access Where appropriate, individuals have reasonable access to their Personal Information and may request corrections, deletions, or additions where the Personal Information is inaccurate or has been processed in violation of the Principles. We may limit or deny access to Personal Information where providing such access is unreasonably burdensome or expensive under the circumstances, or as otherwise permitted by the Principles. You may request access to your Personal Information by contacting us as described below.
When providing our Cloud Services, we only process and disclose the Personal Information as specified in our agreements with customers. Our customer controls how Personal Information is disclosed to us and processed, and how it can be modified. Accordingly, if you want to request access, or to limit use or disclosure of your Personal Information, please contact the company to which you submitted your Personal Information and that uses our Cloud Services. If you contact us with the name of our customer to which you provided your Personal Information, we will refer your request to that customer and support them in responding to your request.
- Recourse, Enforcement and Liability Red Hat has established procedures to periodically verify implementation of and compliance with the Principles. Red Hat conducts an annual self-assessment of its practices regarding Personal Information intended to verify that the assertions Red Hat makes about its practices are true and that such practices have been implemented as represented.
In case of disputes, individuals are able to seek resolution of their questions or complaints regarding the processing of their Personal Information in accordance with the Principles. If an individual feels that Red Hat is not abiding by this Notice or is not in compliance with the Principles, he or she should first contact Red Hat at the contact information provided below.
If an issue cannot be resolved through Red Hat’s internal dispute resolution mechanism, you may submit a complaint to JAMS, which provides, at no cost to you, an independent third-party dispute resolution option based in the U.S. To contact JAMS and/or learn more about the company’s dispute resolution services, including instructions for submitting a complaint, please visit here. For residual complaints not fully or partially resolved by other means, you may be able to invoke binding arbitration as detailed in the Principles available here.
Red Hat is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”).
Amendment This Notice may be amended consistent with the requirements of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. When we update this Notice, we will also revise the "Last Updated" date at the top of this document.
Questions or complaints. If you have any questions, concerns or complaint regarding our privacy practices, or if you’d like to exercise your choices or rights, you can contact us: