Iron Mountain companies as data controllers
Iron Mountain Information Management, LLC in the U.S.A. and its subsidiaries (“Iron Mountain” or “We”) value your privacy. This Privacy Notice explains how Iron Mountain collects, uses, and shares information that identifies its customers, prospect customers, vendors, business partners and website visitors (“Personal Data”), when We act as a data controller. A data controller is an entity that decides why and how Personal Data is used (processed).
Iron Mountain’s global standards and local rules
This Privacy Notice sets forth our global privacy standards.
Apart from Iron Mountain’s global standards, We adhere to all relevant and applicable local privacy laws. Thus, depending on the region where our business is located, We comply, among others, with the General Data Protection Regulation 2016/679 (EU GDPR) and the data protection laws applicable in the EEA countries where We operate; the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018; the California Consumer Privacy Act 2018 (CCPA); the Brazil General Data Protection Law 2020 (LGPD); the China Personal Information Protection Law 2021 (PIPL); and the Singapore Personal Data Protection Act 2012.
Country Supplements and local Privacy Notices
Certain Iron Mountain subsidiaries may be obliged to adhere to local data protection laws that require the disclosure of their own country-specific privacy statements (these are usually provided to you by our local Iron Mountain subsidiary at the time of Personal Data collection). You can access the country-specific supplements here:
Legal grounds for processing
We conduct our business with privacy and data protection in mind. We ensure that processing has a legitimate basis and is compliant with applicable privacy law. In most cases We collect and use your Personal Data based on the following legal grounds:
- Contract performance: when processing is necessary to conclude and perform contracts with our customers, vendors, business partners, or other stakeholders;
- Consent: when We have obtained your consent for processing your Personal Data (e.g., for sending marketing communications about our products or services or tracking your activities on our websites via cookies to improve your customer experiences);
- Legitimate interest: when We wish to fulfill our legitimate business purposes (e.g., for displaying website content relevant to your geographical location or otherwise customize). We rely on legitimate interest only if this is proportionate and guarantees a good balance between our business goals and your privacy rights;
- Compliance with applicable laws: when processing is necessary to comply with the relevant legal or regulatory obligations that We have (e.g., when We need to share Personal Data with the public and tax authorities).
Depending on your relationship with Iron Mountain and subject to the applicable laws and regulations, We may collect and use your Personal Data as follows:
- Business Contact Details (customers, prospect customers, vendors): business contact information (e.g., business contact, professional address, telephone number); personal data of customers’ and vendors’ representatives (e.g., name, contact details); structured data (e.g., proprietary data); technical information (e.g., customer portal, user IDs and passwords, access logs), processed for the following main purposes: contract negotiation and execution, regulatory compliance, business developments and relations, claim management, administration, accounting, improving our services and providing them to customers.
- Audit, Investigations, Due Diligence Personal Data (customers, vendors): name, contact details (e.g., address, phone number, email address), title/function, tax number, bank account information as well as other information relating to the vendor or customer relationship, processed for the following main purposes: audit, investigation, operational security, regulatory compliance, due diligence screening, claims management, litigation purpose.
- Online Collection of Personal Data (website visitors): information collected via Iron Mountain websites such as contact details, login credentials, online comments, and feedback from online forums and surveys etc., processed for the following main purposes: enabling efficient use of our websites, optimising the functionality of such websites, engaging with customers/prospects and suppliers in online forums, conducting and evaluating customer satisfaction.
- Children Personal Data: We are concerned about the safety of children when they use the Internet and will never knowingly collect Personal Data from minors (children under 16 years of age, or any other age defined under applicable law).
- Direct Marketing (customers, prospect customers): We might use your Business contact details (e.g., e-mail) to provide you with information about our products and services which We believe might be of interest to you. For this purpose, We may also create a personal profile containing business-related information on the company you work for or the interactions between us, with the aim of being able to offer you and the company you work for relevant information and suitable offers for our services and products and to improve our personal communication with you. Iron Mountain will only send you such communications (e.g., by email and/or contact you by telephone) if you gave us your prior consent to receive them (“opt in consent”) or as permitted until you have opted out of receiving such communications. Withdrawal of consent or opting out for marketing communication: If you are receiving marketing communications but would no longer like to, you may withdraw your consent or opt out at any time here.
We collect Personal Data from the following sources:
- customers and prospect customers (legal entities and individuals)
- customers’ representatives and proxies (e.g., individuals representing the company for the purpose of contract management)
- Iron Mountain website visitors
- third parties (Iron Mountain’s vendors)
- Iron Mountain companies, affiliates
- public enforcement authorities, including tax authorities, courts, administrative authorities etc.
- publicly available sources (professional social media; official registers etc.), to the extent allowed by applicable law and regulations.
Collecting Personal Data as a data processor
We process Personal Data of our customers as a data processor without reviewing the content or origin of such Personal Data. We may collect, store and process such Personal Data solely on our customers’ behalf and at their direction. Our customers who use our services in this way are data controllers and are responsible for obtaining any consents and permissions, and for providing any privacy notice, required for the collection and use of such information.
We may share your Personal Data internally (within the Iron Mountain company group) and externally (to third parties such as our suppliers, advisors, business partners for Iron Mountain). Subject to applicable law and regulations, We may share and/or disclose your Personal Data in a way explained in this Section.
Internal sharing: Iron Mountain has its headquarters in Boston, Massachusetts (U.S.A), but operates worldwide. Thus, to achieve business goals – with privacy in mind – We may share your Personal Data with other Iron Mountain subsidiaries in accordance with, and as described by, this Notice.
External sharing: We may also share your Personal Data with third parties, including:
- Iron Mountain suppliers: providing services to Iron Mountain may require processing of your Personal Data (e.g., providing customer relationship management tool or general IT support, distributing marketing materials, etc.). In this case, these entities may receive and process your Personal Data only under Iron Mountain’s instructions and for the purposes of carrying out services for us.
- Other third party for sale, merger, transfer of a business or division purposes: this also includes due diligence screening purposes which may also require the disclosure of Personal Data to Iron Mountain’s consultants or financial auditors.
- Public authorities: We may also have a legal obligation to disclose your Personal Data, even without your permission. The purposes of such disclosures include among others: (a) responding to lawful requests of public authorities, regulators, and law enforcement authorities and (b) protecting Iron Mountain’s rights and properties.
Iron Mountain data sharing standards
We will not share your Personal Data with third parties without your consent, unless to: (a) fulfil a legitimate business purpose of Iron Mountain (e.g., to use a service delivered by a supplier); (b) respond to duly authorised requests of public authorities; (c) comply with applicable laws and regulations; (d) enforce/protect the rights and properties of Iron Mountain; or (e) protect the rights of our employees, and other individuals using Iron Mountain property when allowed and in each case in accordance with applicable law. We do not and will not sell your personal data.
Your Personal Data may be transferred to or accessed by other Iron Mountain companies and subsidiaries and third parties globally. The recipients may be located in countries that do not provide an adequate level of protection to your Personal Data from the perspective of the origin country.
We ensure that Personal Data, subject to the transfer, is adequately protected as required by the applicable data protection laws of the origin country. While transferring your Personal Data, We normally rely on one or more of the following:
- Standard Contractual Clauses (“SCCs”) for international transfers of Personal Data, as may be applicable and relevant, (e.g., transfer of EU/UK/Swiss Personal Data to countries such as the U.S.A and India). If you would like to receive more information about the appropriate safeguards and/or receive a copy of the SCCs for your review, please contact us at firstname.lastname@example.org.
- Where required by applicable law, We request your consent for transfer of your Personal Data.
- Iron Mountain has executed an intercompany agreement on the transfer and processing of Personal Data within its company group to enable internal transfer of Personal Data.
- Iron Mountain adheres to the principles of the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, although in accordance with EU law, Iron Mountain no longer relies on the EU-U.S. Privacy Shield Framework as a legal basis for transfers of personal data.
- access and obtain a copy of your Personal Data – note that We may need to check your identity first to avoid disclosure to any unauthorised person and also respect the right to privacy of other individuals when providing you access or copy of your Personal Data;
- rectify or erase your Personal Data – if data is inaccurate or incomplete;
- restrict the processing of your Personal Data e.g., when you question the accuracy of processing, and We restrict processing only until your request is verified;
- delete or anonymise your Personal Data (under GDPR “right to be forgotten”) unless there are exceptions, e.g., when the law allows us to carry out such processing;
- ensure so-called “data portability” - upon your request, Iron Mountain might “transfer” your Personal Data to another organisation/company if processing is based on your consent or the performance of a contract;
- object to the processing of your Personal Data - e.g., when We process your Personal Data based on our legitimate interest or for direct marketing purposes and the processing is carried out by automated means;
- obtain a copy of Personal Data safeguards applied for transfers outside your jurisdiction - e.g., the copy of SCCs;
- lodge a complaint with your local supervisory authority: Data Protection Authority, e.g., ICO in the UK;
- withdraw your consent for the processing of your Personal Data (however this does not affect the lawfulness of processing based on consent before its withdrawal).