Date: April 25, 2019
F5 Networks, Inc. (“F5”) has certified its compliance with the Privacy Shield principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement, and Liability (the “Principles”), with respect to F5’s Silverline, BIG-IP, BIG-IQ, and signaling delivery controller products, including as delivered via the F5 Cloud Services (the “Relevant Products”).
You can learn more about Privacy Shield at https://www.privacyshield.gov and see our Privacy Shield self-certification at https://www.privacyshield.gov/list. F5’s self-certification to the Privacy Shield is subject to the investigatory and enforcement authority of the Federal Trade Commission.
Scope. F5's Privacy Shield certification covers the Relevant Products and any personal data F5 processes related to such Relevant Products on behalf of its customers that operate in the European Economic Area and Switzerland; F5 may amend this notice at any time to add additional products and services to its certification.
Personal Data Collected. F5 provides to its customers, who are businesses and other legal entities, various maintenance and support services for the Relevant Products. In order to provide such services related to the Relevant Products (and in order to provide certain Relevant Products themselves, such as Silverline and F5 Cloud Services), F5 receives and processes certain data related to its customers’ use of our products and services, including performance data regarding specific devices, network traffic data, and related network performance data, as well as other data that customers may submit to us in order to receive support services, which may include personal data, as well as any personal data accessed, collected, created, received or otherwise processed for the limited purpose of delivering our Silverline services to customers (the “Customer Data”). F5 has no control over whether Customer Data contains any personal data. “Customer Data” does not include (i) De-identified Data, or (ii) Device Data (both defined below).
Collection and Use of personal data. F5 processes Customer Data on behalf of and under the instructions of its customers. Subject to any requirements set forth in a relevant customer’s agreement(s) with us, F5, generally, processes Customer Data as follows:
- To provide our services to customers, to provide technical support or customer service, to respond to customer inquiries, to send customer satisfaction surveys, or to otherwise communicate with customers, and for accounting and billing purposes;
- To assess and improve the quality of our products, services, and business operations;
- To satisfy tax requirements and governmental reporting requirements;
- To plan and implement potential acquisitions and mergers;
- As required by law; and
- For other purposes consented to by customers.
Marketing and Other Secondary Uses. F5 may send customer satisfaction surveys and other informational or promotional emails to F5 customers (including our specific business contacts with such customers). We may also analyze customer usage and trends in order to provide information and make recommendations to customers about products and services which may be useful to them. F5 customers may opt out of receiving surveys and promotional communications by following the opt-out instructions in such communications; customers may also opt out of such communications, as well as product and service recommendations, by emailing us at firstname.lastname@example.org. We may still send customer service- and transaction-related communications to customers, even if they have opted out of receiving customer satisfaction surveys and other promotional communications.
Sensitive Data. F5 does not wish to receive, nor does it intentionally collect, sensitive personal data from customers. We do not request sensitive personal data from customers. If we receive any customer’s Customer Data that contains sensitive personal data, we will treat it in accordance with this Notice and will only process such data on behalf of and under the instructions of that customer.
Other Data. F5 collects, uses and maintains certain data related to its business and the services it provides to customers, which is not personal data; this privacy notice does not restrict our use and processing of such data, including:
- De-identified Data. We may de-identify and aggregate certain data we collect such that the data no longer identifies or can be linked to a particular customer or an individual data subject (“De-identified Data”), subject to the terms of any applicable customer agreements. We may use this data to improve our products and services, analyze trends, publish market research, and for other marketing, research or statistical purposes, and may disclose such data to third parties.
- Device Data. F5 maintains hardware serial numbers, appliance part numbers, disk configuration, memory amount, software or firmware version, license information, and other technical information about F5 devices, controllers and related products that customers have licensed or purchased (“Device Data”) as a part of its business records (e.g., for warranty purposes, as part of its inventory and accounting records); Device Data does not include any customer traffic, network performance or related usage information. We may use and disclose Device Data as part of our business operations and related activities.
Onward Transfers to Third Parties. We generally disclose Customer Data under the following circumstances:
- Agents and Service Providers. We may disclose Customer Data to third parties who act as agents or service providers to perform tasks on behalf of and under the instructions of F5.
- Affiliates. Because F5 is a global company, personal data may be shared with other F5 Affiliates around the world, who act as processors or sub-processors of Customer Data. F5 has executed written agreements with such Affiliates that impose appropriate safeguards for the protection of Customer Data in compliance with applicable data protection laws, and such Affiliates are required to comply with the principles in this Notice and with F5’s applicable internal policies.
- Consent. F5 may also disclose personal data for other purposes or to other third parties, when a customer has consented to such disclosure; it is our customer’s responsibility to ensure that individuals have consented to such disclosures.
- Law Enforcement or National Security. In accordance with our legal obligations, we may also transfer Customer Data, subject to a lawful request, to public authorities for law enforcement or national security purposes.
- Additional Disclosures. We may also disclose Customer Data (including any personal data or sensitive data), where otherwise required by law.
We contractually require agents, service providers, and affiliates who may process personal data related to the Relevant Products to provide the same level of protections for personal data as required under the Principles. F5 currently does not transfer personal data to a third party for its own use. F5 will remain liable under the Principles if one of its third party processors processes personal data in a manner inconsistent with the Principles, if we are responsible for the event giving rise to the damage.
Accessing personal data. Under the Principles, individuals have rights to access personal data about them, and to limit use and disclosure of their personal data. F5 has committed to respect those rights, with respect to any personal data processed under this privacy notice, related to the Relevant Products. Individuals may email F5 at email@example.com to request access to personal data maintained by F5 as part of Customer Data. Since F5 processes Customer Data on behalf of its customers, we will direct such requests to the relevant F5 customer and will assist such customer as needed in responding to the individual’s request. Customers may update their account and profile information, including business contact details, by contacting their account rep or by emailing firstname.lastname@example.org.
Contacting Us, Complaints and Dispute Resolution. We encourage EU and Swiss individuals who have questions or complaints about how we process their personal data under Privacy Shield to contact us at email@example.com. We will work to resolve your issue as quickly as possible, but in any event within 45 days of receipt.
If you have an unresolved privacy or data use complaint that we have not addressed satisfactorily, please contact, free of charge, our dispute resolution provider, JAMS, at https://www.jamsadr.com/file-an-eu-us-privacy-shield-or-safe-harbor-claim.
If you are an EU or Swiss individual and unable to resolve any complaints through any of the above methods, you may be able to invoke binding arbitration through a Privacy Shield panel, in accordance with the Privacy Shield Framework at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint.