In order to provide an adequate level of protection for Personal Data received from the European Union (EU) and/or Switzerland, MRI Software LLC (“MRI” or the “Company”) adheres to the EU-U.S. Privacy Shield Principles and the Swiss-U.S. Privacy Shield Framework developed by the United States Department of Commerce and the European Commission and the United States Department of Commerce and Switzerland. This Privacy Shield Policy (the “Policy”) sets forth the privacy principles that MRI follows when processing Personal Data received from the EU and Switzerland. The privacy principles in this Policy are based on the Privacy Shield Principles referenced above. For purposes of enforcing compliance with the Privacy Shield, MRI is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, please visit the U.S Department of Commerce’s Privacy Shield website located at: https://www.privacyshield.gov. For a comprehensive list of all certified entities please visit: https://www.privacyshield.gov/list.
MRI’s Role as a Service Provider to its Customers and Prospective Customers
MRI is a leading provider of hosted and non-hosted enterprise real estate management software and services. Through its MRI SaaS solution, MRI offers maintenance, support and other services to its customers to store, manage, and configure their and their affiliates’ and/or customers’ real estate and investment management data. MRI provides its MRI SaaS solution to customers located in the EU and Switzerland by hosting these solutions in MRI’s data centers located in the United States (US) or remotely from either the EU or the US. MRI provides product development services, maintenance and support, solution engineering services, professional technical services and product technical support services (collectively, the “Services”) to its hosted and non-hosted customers and prospective customers in the EU and Switzerland through employees who may be located in the US or the EU, or who may be present at the customer’s or prospective customer’s site in the EU or Switzerland.
Customers using the MRI SaaS solution are responsible for managing the data that they store at MRI’s data centers. These responsibilities include determining the types of information that are stored, how that information will be used, to whom it will be disclosed, and for what purposes. Similarly, MRI’s hosted or non-hosted customers and prospective customers who share data with MRI in connection with any of its Services are responsible for deciding which categories of data will be shared and for what purposes except as otherwise contracted by the Customer and MRI. When MRI processes data received from a customer or prospective customer (“Customer Data”), whether for its MRI SaaS solution or in connection with its provision of the Services, MRI does so only pursuant to the customer’s or prospective customer’s instructions, prior authorization or written agreement with MRI.
The Customer’s and Prospective Customer’s Responsibilities with Respect to its Personal Data
MRI’s customers and prospective customers may choose to include Personal Data among the Customer Data stored at MRI’s data centers in the United States or shared with MRI in connection with its provision of Services in either the US, the EU, or Switzerland. “Personal Data,” for purposes of this Policy, means any individually identifiable information about a natural person or any information from which an individual reasonably could be identified.
Before processing any information on behalf of its customers or prospective customers located in the EU or Switzerland, MRI will enter into a written agreement with the customer or prospective customer responsible for the Personal Data in compliance with applicable data protection law. Under this agreement, the customer or prospective customer agrees to comply with all applicable data protection laws. MRI processes only the Personal Data that its customers or prospective customers have chosen to share with the Company. MRI has no direct or contractual relationship with the subject of this Personal Data (the “Data Subject”). As a result, when Customer Data includes Personal Data, the customer is solely responsible for satisfying all legal obligations owed directly to the Data Subject under applicable data protection laws. However, MRI recognizes the Data Subject’s right to access its Personal Data. A Data Subject who seeks to access, or who seeks to correct, amend, or delete inaccurate data should therefore direct his or her request to the customer that transferred such data to MRI for processing. The customer will then provide the necessary access to the individual as determined under the applicable local data protection law. MRI will assist its customers as needed to fulfill any such request.
MRI’s Compliance with the Privacy Shield Principles
While MRI employees located in the EU and Switzerland have responsibilities for providing services for MRI’s SaaS solutions customers and prospective customers and also for providing Services to other customers and prospective customers, MRI employees located at the Company’s headquarters and elsewhere in the US also provide Services and maintenance and support for MRI’s SaaS solution and other customers and prospective customers. To provide such Services and maintenance and support, MRI may be required to transfer Customer Data, including Personal Data, to the United States.
Without the customer’s or prospective customer’s prior authorization, transfers will consist exclusively of remote access to Personal Data physically in the EU or Switzerland, and/or transfer of Personal and/or Client Data by MRI employees located in the U.S. (either (i) at MRI’s data centers in the US, in the case of an MRI SaaS solution customer or prospective customer; or (ii) at the customer’s or prospective customer’s own data center in the case of Services provided by MRI). MRI will not physically transfer any Personal Data stored in the EU or Switzerland, to the US without the customer’s or prospective customer’s prior consent.
MRI will apply the following Privacy Shield Principles to Personal Data transferred to the US, whether physically or by remote access:
MRI works with our customers to help them provide notice of data processing to individuals, including information concerning (1) the purposes for which Personal Data is collected and used; (2) a contact person to whom enquiries or complaints may be directed; (3) the types of third parties to whom the Personal Data is disclosed; and (4) the choices and means the individuals are offered for limiting use and disclosure of Personal Data.
MRI will not disclose Personal Data, except as otherwise contractually committed, to a third party, except for subcontractors and third-party agents, who assist MRI in providing MRI’s SaaS solution or other Services to its customers and prospective customers. MRI
will disclose Personal Data to a subcontractor or third-party agent only after informing the customer or prospective customer and obtaining the customer’s or prospective customer’s prior authorization for the disclosure. Before transferring Personal Data to a
subcontractor or third-party agent, MRI will obtain assurances from the recipient that it will safeguard Personal Data in a manner consistent with this Policy. If MRI learns that a recipient is using or disclosing Personal Data in a manner contrary to this Policy, MRI will take reasonable steps to prevent such use or disclosure. Under the Privacy Shield, MRI may be liable for onward transfer of personal data to third parties.
MRI also may disclose Personal Data as required by applicable law, for example, in response to a court order or subpoena. Before making any such disclosure, MRI will promptly inform the customer or prospective customer, so it may take such actions as it deems necessary to protect the rights of Data Subjects.
Security For Personal Data
MRI is committed to safeguarding the Personal Data that it receives from the EU and Switzerland. While MRI cannot guarantee the security of Personal Data, the Company takes reasonable precautions to protect Personal Data in the Company’s possession from loss, misappropriation and unauthorized access, disclosure and destruction.
MRI utilizes a combination of online and offline security technologies, procedures and organizational measures to help safeguard Personal Data. For example, facility security is designed to prevent unauthorized access to Company computers. Electronic security measures — including, for example, network access controls, passwords and access logging — provide reasonable protection from hacking and other unauthorized access. MRI also protects Personal Data through the use of firewalls, role-based restrictions and, where deemed appropriate by MRI, encryption technology. MRI limits access to Personal Data to employees, subcontractors, and third-party agents that have a specific business reason for accessing such Personal Data. Individuals who have been granted access to Personal Data will be made aware of their responsibilities to protect such information and will be provided training and instruction on how to do so.
MRI’s customers and prospective customers are responsible for ensuring that they collect only that Personal Data needed to accomplish the purposes disclosed to the Data Subject. They also are responsible for providing MRI with instructions for the processing of Personal Data consistent with the purposes stated in the notice. MRI will process Personal Data only in accordance with the customer’s or prospective customer’s instructions.
MRI’s customers and prospective customers also are responsible for ensuring that (a) the Personal Data they collect is accurate, complete, current and reliable for its intended uses; and (b) Personal Data is retained only for as long as is necessary to accomplish the customer’s or prospective customer’s legitimate business purposes or for as long as may be permitted or required by applicable law. MRI will cooperate with customers’ and prospective customers’ reasonable requests for assistance in meeting these obligations.
When MRI receives Personal Data, it does so on its customer’s or prospective customer’s behalf. To request access to, or correction, amendment or deletion of, Personal Data, Data Subjects should contact the MRI customer or prospective customer that collected their Personal Data. MRI will cooperate with its customers’ and prospective customers’ reasonable requests for assistance in permitting Data Subjects to exercise their rights under applicable data protection laws.
MRI will conduct periodic self-assessments of its relevant practices to verify adherence to this Policy, the EU-U.S. Privacy Shield Principles, and the Swiss-U.S. Privacy Shield Framework. Any employee who intentionally violates this Policy will be subject to disciplinary action up to and including termination of employment. In compliance with the Privacy Shield Principles, MRI commits to resolve complaints about our collection or use of your personal information. Any Data Subject who has a complaint concerning MRI’s processing of Personal Data should contact MRI’s Legal Department by emailing firstname.lastname@example.org or by calling 216-825-6710, or the MRI customer or prospective customer that collected the Data Subject’s Personal Data.
MRI has further committed to refer unresolved Privacy Shield complaints related to non-HR data to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit https://www.jamsadr.com/eu-us-privacy-shield for more information on arbitration regarding both the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield or to file a complaint. The services of JAMS are provided at no cost to you. Finally, as a last resort and in limited situations, EU and Swiss individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.
MRI is committed to cooperating with the EU and Swiss data protection authorities (DPAs) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.
For More Information
Data Subjects with questions about MRI’s processing of Personal Data should first contact the MRI customer or prospective customer that collected the information. MRI’s Legal Contact can be contacted by email at email@example.com, by phone at 216-825-6710, or by mail at (Attn. Legal Department) 28925 Fountain Parkway, Solon, Ohio 44139 USA. The informational Privacy Shield website, created and managed by the U.S. Department of Commerce International Trade Administration, may be visited at the website https://www.privacyshield.gov/welcome.
MRI may revise this Policy at any time. If the Company decides to change this Policy, the Company will post the revised Policy at this location.
Effective Date: July 20, 2020