MRI’s Role as a Service Provider to its Customers and Prospective Customers
MRI is a leading provider of hosted and non-hosted enterprise real estate management software and services. Through its MRI SaaS solution, MRI offers maintenance, support and other services to its customers to store, manage, and configure their and their affiliates’ and/or customers’ real estate management data. MRI provides its MRI SaaS solution to customers located in the EU, the EEA or Switzerland by hosting these solutions in MRI’s data centers located in the United States (US) or remotely from either the EU or the US. MRI provides product development services, maintenance and support, solution engineering services, professional technical services and product technical support services (collectively, the “Services”) to its hosted and non-hosted customers and prospective customers in the EU, the EEA and Switzerland through employees who may be located in the US or the EU, or who may be present at the customer’s or prospective customer’s site in the EU, the EEA or Switzerland.
Customers using the MRI SaaS solution are responsible for managing the data that they store at MRI’s data centers. These responsibilities include determining the types of information that are stored, how that information will be used, to whom it will be disclosed, and for what purposes. Similarly, MRI’s hosted or non-hosted customers and prospective customers who share data with MRI in connection with any of its Services are responsible for deciding which categories of data will be shared and for what purposes except as otherwise contracted by the Customer and MRI. When MRI processes data received from a customer or prospective customer (“Customer Data”), whether for its MRI SaaS solution or in connection with its provision of the Services, MRI does so only pursuant to the customer’s or prospective customer’s instructions, prior authorization or written agreement with MRI.
The Customer’s and Prospective Customer’s Responsibilities with Respect to its Personal Data
MRI’s customers and prospective customers may choose to include Personal Data among the Customer Data stored at MRI’s data centers in the United States or shared with MRI in connection with its provision of Services in either the US or the EU. “Personal Data,” for purposes of this Policy, means any individually identifiable information about a natural person or any information from which an individual reasonably could be identified.
Before processing any information on behalf of its customers or prospective customers located in the EU, the EEA or Switzerland, MRI will enter into a written agreement with the customer or prospective customer responsible for the Personal Data in compliance with applicable data protection law. Under this agreement, the customer or prospective customer agrees to comply with all applicable data protection laws. MRI processes only the Personal Data that its customers or prospective customers have chosen to share with the Company. MRI has no direct or contractual relationship with the subject of this Personal Data (the “Data Subject”). As a result, when Customer Data includes Personal Data, the customer is solely responsible for satisfying all legal obligations owed directly to the Data Subject under applicable data protection laws.
MRI’s Compliance with the Safe Harbor Principles
While MRI employees located in the EU have responsibilities for providing services for MRI’s SaaS solutions customers and prospective customers and also for providing Services to other customers and prospective customers, MRI employees located at the Company’s headquarters and elsewhere in the US also provide Services and maintenance and support for MRI’s SaaS solution and other customers and prospective customers. To provide such Services and maintenance and support, MRI may be required to transfer Customer Data, including Personal Data, to the United States.
Without the customer’s or prospective customer’s prior authorization, transfers will consist exclusively of remote access to Personal Data physically in the EU, EEA, or Switzerland and/or transfer of Personal and/or Client Data by MRI employees located in the U.S. (either (i) at MRI’s data centers in the US, in the case of an MRI SaaS solution customer or prospective customer; or (ii) at the customer’s or prospective customer’s own data center in the case of Services provided by MRI). MRI will not physically transfer any Personal Data stored in the EU, the EEA or Switzerland to the US without the customer’s or prospective customer’s prior consent.
MRI will apply the following Safe Harbor Principles to Personal Data transferred to the US, whether physically or by remote access:
MRI will not disclose Personal Data, except as otherwise contractually committed, to a third party, except for subcontractors and third-party agents, who assist MRI in providing MRI’s SaaS solution or other Services to its customers and prospective customers.
MRI will disclose Personal Data to a subcontractor or third-party agent only after informing the customer or prospective customer and obtaining the customer’s or prospective customer’s prior authorization for the disclosure. Before transferring Personal Data to a subcontractor or third-party agent, MRI will obtain assurances from the recipient that it will safeguard Personal Data in a manner consistent with this Policy. If MRI learns that a recipient is using or disclosing Personal Data in a manner contrary to this Policy, MRI will take reasonable steps to prevent such use or disclosure.
MRI also may disclose Personal Data as required by law, for example, in response to a court order or subpoena. Before making any such disclosure, MRI will promptly inform the customer or prospective customer, so it may take such actions as it deems necessary to protect the rights of Data Subjects.
Security For Personal Data
MRI is committed to safeguarding the Personal Data that it receives from the EU, the EEA and Switzerland. While MRI cannot guarantee the security of Personal Data, the Company takes reasonable precautions to protect Personal Data in the Company’s possession from loss, misappropriation and unauthorized access, disclosure and destruction.
MRI utilizes a combination of online and offline security technologies, procedures and organizational measures to help safeguard Personal Data. For example, facility security is designed to prevent unauthorized access to Company computers. Electronic security measures — including, for example, network access controls, passwords and access logging — provide reasonable protection from hacking and other unauthorized access. MRI also protects Personal Data through the use of firewalls, role-based restrictions and, where deemed appropriate by MRI, encryption technology. MRI limits access to Personal Data to employees, subcontractors, and third-party agents that have a specific business reason for accessing such Personal Data. Individuals who have been granted access to Personal Data will be made aware of their responsibilities to protect such information and will be provided training and instruction on how to do so.
MRI’s customers and prospective customers are responsible for ensuring that they collect only that Personal Data needed to accomplish the purposes disclosed to the Data Subject. They also are responsible for providing MRI with instructions for the processing of Personal Data consistent with the purposes stated in the notice. MRI will process Personal Data only in accordance with the customer’s or prospective customer’s instructions.
MRI’s customers and prospective customers also are responsible for ensuring that (a) the Personal Data they collect is accurate, complete, current and reliable for its intended uses; and (b) Personal Data is retained only for as long as is necessary to accomplish the customer’s or prospective customer’s legitimate business purposes or for as long as may be permitted or required by applicable law. MRI will cooperate with customers’ and prospective customers’ reasonable requests for assistance in meeting these obligations.
When MRI receives Personal Data, it does so on its customer’s or prospective customer’s behalf. To request access to, or correction, amendment or deletion of, Personal Data, Data Subjects should contact the MRI customer or prospective customer that collected their Personal Data. MRI will cooperate with its customers’ and prospective customers’ reasonable requests for assistance in permitting Data Subjects to exercise their rights under applicable data protection laws.
MRI will conduct periodic self-assessments of its relevant practices to verify adherence to this Policy and the Safe Harbor Principles. Any employee who intentionally violates this Policy will be subject to disciplinary action up to and including termination of employment. Any Data Subject who has a complaint concerning MRI’s processing of Personal Data should contact MRI’s Legal Department by emailing email@example.com or by calling 216-825-6710, or the MRI customer or prospective customer that collected the Data Subject’s Personal Data.
For complaints and disputes that cannot be resolved between MRI and the complainant, MRI has agreed to participate in the dispute resolution procedures of the panel established by the EU data protection authorities (DPAs) to resolve disputes pursuant to the Safe Harbor Privacy Principles, as well as to cooperate and comply with the Federal Data Protection and Information Commissioner of Switzerland. The panel may be contacted at firstname.lastname@example.org and the EU DPAs may be contacted directly via the information provided at http://ec.europa.eu/justice/data-protection/bodies/authorities/eu/index_en.htm. The contact information for the Swiss FDPIC can be found at: http://www.edoeb.admin.ch/kontakt/index.html?lang=en.
For More Information
Data Subjects with questions about MRI’s processing of Personal Data should first contact the MRI customer or prospective customer that collected the information. MRI’s Legal Contact can be contacted by email at email@example.com, by phone at 216-825-6710, or by mail at (Attn. Legal Department) 28925 Fountain Parkway, Solon, Ohio 44139 USA. The informational Safe Harbor website, created and managed by the U.S. Department of Commerce, may be visited at the website http://export.gov/safeharbor/index.asp.
MRI may revise this Policy at any time. If the Company decides to change this Policy, the Company will post the revised Policy at this location.
Effective Date: October 22, 2012
We self-certify compliance with: