Data Privacy Framework Notice

Last Updated: September 15, 2023

Advisory:

On 10 July 2023, the European Commission approved the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) as a valid transfer mechanism to comply with EU data protection requirements when transferring personal data from the European Economic Area to the United States. The decision concluded that the US ensures an adequate level of protection for personal information that is transferred from the EU to US companies as part of the Data Privacy Framework Program.

On 17 July 2023, the Swiss-US Data Privacy Framework (“Swiss-U.S. DPF”)  entered into effect and may be relied upon once recognized by the Swiss Federal Administration.  Likewise, on 17 July 2023, the UK Extension to the EU-U.S. Data Privacy Framework (“UK Extension”) became effective and can be relied upon on the date that the adequacy regulations implementing the data bridge for the UK Extension enter into force.

The EU-U.S. DPF, UK Extension, and Swiss-U.S. DPF (collectively, the “DPF”) amends the privacy principles that Red Hat adhered to as part of the EU-US and Swiss-US Privacy Shield Framework as the EU-U.S. Data Privacy Framework Principles and the Swiss-U.S. Data Privacy Framework Principles (“Principles”). Red Hat activities certified as part of the EU-US Privacy Shield Framework remain certified under the DPF.

Introduction

Red Hat, Inc. and its U.S. controlled subsidiary Red Hat Professional Consulting, Inc. (collectively, "Red Hat”, “we”, “our" or "us") respect your privacy. This Data Privacy Framework Notice ("Notice") describes our standards and procedures for handling Personal Information transferred from the European Economic Area ("EEA"), the United Kingdom (and Gibraltar) and Switzerland to the U.S. in accordance with Red Hat’s obligations under the DPF.

For the purpose of this Notice, "Personal Information" means any data relating to an identified or identifiable individual, including, for example, name, address, telephone number and e-mail address, and "processing" means any operation performed on Personal Information, such as, for example, collection, use, management, consultation or disclosure. This Notice supplements our Red Hat Privacy Statement. Unless specifically defined in this Notice, the terms in this Notice have the same meaning as in our Privacy Statement.

Certification to the DPF Program

Red Hat complies with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce.  Red Hat has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles with regard to the processing of Personal Information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension.  Red Hat has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of Personal Information received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this Notice and the Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

How We Obtain Personal Information

We obtain and process Personal Information from the EEA, the United Kingdom and Switzerland in different capacities:

• As a data controller, we collect and process EEA, the United Kingdom and Swiss Personal Information directly from individuals, either via our publicly available websites, including www.redhat.com, or in connection with our customer, partner, and vendor relationships.
   
• As an agent (as that term is used in the Principles), we obtain and process EEA, the United Kingdom and Swiss Personal Information on behalf of and under the instructions of our customers in connection with Red Hat-branded cloud or hosted service offerings ("Online Services"). In that context, customers are the data controllers or agents and the roles and responsibilities of the parties for the processing of Personal Information are defined in our agreements with customers.

Red Hat commits to comply with the Principles with respect to all Personal Information received from the EEA, the United Kingdom and Switzerland in reliance on the DPF.

Data Privacy Framework Principles

1. Notice. Red Hat’s Privacy Statement in combination with this Notice describes our privacy practices with respect to Personal Information received from the EEA, the United Kingdom and Switzerland in reliance on the DPF.
    
2. Choice. When providing our Online Services, our customers choose the types of Personal Information we process and the purposes of the processing. Accordingly, our customers are responsible for providing notice to individuals. In the event Personal Information is (i) to be used for a purpose that is materially different from the purposes for which the Personal Information was originally collected or subsequently authorized, or (ii) transferred to a third party acting as a data controller, individuals will be given, where practical and appropriate, an opportunity to opt out of having their Personal Information so used or transferred where it involves non-sensitive information. Where such use or transfer involves sensitive information, individuals must opt-in before such use or transfer.
    
3. Data Integrity and Purpose Limitation. Any Personal Information we receive may be used by Red Hat for the purposes indicated in our Red Hat Privacy Statement or as otherwise notified to you. We will not process Personal Information in a way that is incompatible with these purposes unless subsequently authorized by you.
    

   We take reasonable steps to limit the collection and usage of Personal Information to that which is relevant for the purposes for which it was collected, and to ensure that such Personal Information is reliable, accurate, complete and current. Individuals are encouraged to keep their Personal Information with Red Hat up to date and may contact Red Hat as indicated below or in the Red Hat Privacy Statement to request that their Personal Information be updated or corrected.

   We will retain your Personal Information in an identifiable form only for the period necessary to fulfill the purposes outlined in the Red Hat Privacy Statement, unless a longer retention period is required or permitted by law or by the Principles. We will adhere to the Principles for as long as we retain the Personal Information collected under the DPF.

   When providing our Online Services, we process and retain Personal Information as necessary to provide our services as permitted in our agreement with customers, or as required or permitted under applicable law.

4. Accountability for Onward Transfer of Personal Information. Red Hat may transfer Personal Information for the purposes described in the Red Hat Privacy Statement to a third party acting as a data controller or as an agent. If we intend to disclose Personal Data to a third party acting as a data controller or as an agent we will comply with, and protect, Personal Information as provided in the Accountability for Onward Transfer Principle. When providing our Online Services we disclose Personal Information as provided in our agreement with customers.
    

   We remain responsible for the processing of Personal Information received under the DPF and subsequently transferred to a third party acting as an agent if the agent processes such Personal Information in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage.

5. Security. Red Hat takes reasonable and appropriate precautions, taking into account the risks involved in the processing and the nature of the Personal Information, to help protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
    
6. Access. Where appropriate, individuals have reasonable access to their Personal Information and may request corrections, deletions, or additions where the Personal Information is inaccurate or has been processed in violation of the Principles. We may limit or deny access to Personal Information where providing such access is unreasonably burdensome or expensive under the circumstances, or as otherwise permitted by the Principles. You may request access to your Personal Information by contacting us as described below.
    

   When providing our Online Services, we only process and disclose the Personal Information as specified in our agreements with customers. Our customer controls how Personal Information is disclosed to us and processed, and how it can be modified. Accordingly, if you want to request access, or to limit use or disclosure of your Personal Information, please contact the company to which you submitted your Personal Information and that uses our Online Services. If you contact us with the name of our customer to which you provided your Personal Information, we will refer your request to that customer and support them in responding to your request.

7. Recourse, Enforcement and Liability. Red Hat has established procedures to periodically verify implementation of and compliance with the Principles. Red Hat conducts an annual self-assessment of its practices regarding Personal Information intended to verify that the assertions Red Hat makes about its practices are true and that such practices have been implemented as represented.

   In compliance with the DPF, Red Hat commits to resolve DPF Principles-related complaints about our collection and use of your Personal Information.  EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of Personal Information received in reliance on the DPF should first contact Red Hat at: privacy@redhat.com or through one of our other contact methods described below.

   In compliance with the DPF, Red Hat commits to refer unresolved complaints concerning our handling of Personal Information received in reliance on the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF to TRUSTe, an alternative dispute resolution provider based in the United States.  If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint.  These dispute resolution services are provided at no cost to you.  

   For residual complaints not fully or partially resolved by other means, you may be able to invoke binding arbitration as detailed in the Principles available here.

   Red Hat is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”).

Amendment. This Notice may be amended consistent with the requirements of the DPF. When we update this Notice, we will also revise the "Last Updated" date at the top of this document.

Questions or complaints. If you have any questions, concerns or complaint regarding our privacy practices, or if you’d like to exercise your choices or rights, you can contact us:

• By email at privacy@redhat.com
• by mailing to Red Hat, Inc., Attn: Legal, 100 E. Davie Street, Raleigh, NC 27601, USA