Quest ODME Privacy Shield Policy

Scope

Quest commits to comply with the Privacy Shield Principles in our processing of all Personal Information we receive from our Customers or their Users in the EEA and Switzerland in connection with the Quest On Demand Migration for Email software-as-a-service application (“ODME” or the “Application”) and related support services (“Services”).  This Privacy Shield Policy outlines our policy and practices for implementing the Principles, including the types of information we gather, how we use it and the notice and choice individuals may have regarding our processing and/or use of their Personal Information. Quest is subject to the regulatory and enforcement jurisdiction of the U.S. Federal Trade Commission (FTC).

Types of Personal Information Collected

Quest processes Customer Data including any Personal Information contained therein at the direction of and pursuant to the instructions of Quest’s Customers.  Quest also collects several types of information from our Customers, including:

• Information and correspondence our Customers and Users submit to us in connection with their use of ODME and related Services.
• Information we receive from our business partners on behalf of Customers and Users in connection with their use of ODME or related Services.

In addition, Quest collects general information about its Customers, including a Customer’s company name and address, credit card information, and the Customer representative’s contact information (“General Information”) for billing and contracting purposes.

Purposes of Collection and Use

Quest may use Personal Information submitted by our Customers and Users as necessary to provide the Application and Services including updating, enhancing, securing and maintaining the Application and to carry out Quest’s contractual obligations to our Customers. 

The Privacy Shield Principles

Notice

Quest will collect and process certain Personal Information for the purposes outlined herein in connection with our ODME application and related Services. Where Quest receives transfers of Personal Information from the EU or Switzerland to the United States, Quest requires contractual provisions from the EU or Swiss Data Controller (our Customer) that the Personal Information has been provided to us by our Customer in accordance with the applicable EU Member State or Swiss data protection laws.

Choice

In connection with Customers’ and their Users’ use of ODME Quest receives Personal Information from our Customers who have obtained that Personal Information from individuals in accordance with the applicable EU Member State or Swiss data protection laws.

In accordance with the Principles, Quest will offer Customers and Users choice to the extent we (i) disclose their Personal Information to third party Data Controllers and/or Processors, or (ii) use Personal Information for a purpose that is materially different from the purposes for which the Personal Information was originally collected or subsequently authorized by the Customer or User. Unless Quest offers Customers and Users an appropriate choice, Quest uses Personal Information only for purposes that are materially the same as those indicated in this Policy. Customers and Users can opt out of any disclosure of personal data to a third party or the use of data for a purpose other than the one for which it was initially collected by using Quest’s “opt-out” feature. Requests to opt out of such uses or disclosures of Personal Information should be sent to: quest.odme@quest.com.

Third Party Disclosures

We may disclose Personal Information from our Customers to the extent needed to deliver the Application and/or the Service or respond to requests for information on products or services or otherwise support the customers’ business needs:

• to our subsidiaries and affiliates;
• to contractors, business partners and service providers we use to support the Application and/or the Service;
• in the event Quest sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution or liquidation), in which case Personal Information held by us about our Customers will be among the assets transferred to the buyer or acquirer;
• in the event of an audit related to Privacy Shield or other government inquiry;
•  if required to do so by law or legal process;
• in response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements.

Liability for Onward Transfers

Quest complies with Privacy Shield’s Principle regarding accountability for onward transfers.  Quest remains liable under the Principles if its onward transfer recipients process Personal Information in a manner inconsistent with the Principles, unless Quest proves that it was not responsible for the event giving rise to non-compliance or damage.

Data Security

Quest shall take reasonable steps to protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction. Quest has put in place appropriate physical, electronic and managerial procedures to safeguard and secure Personal Information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Quest cannot guarantee the security of Personal Information on or transmitted via the Internet. Quest may be required to reveal an individual’s Personal Information in response to a legal request from public authorities including, but not limited to, the need to meet national security and/or law enforcement requirements.

Data Integrity

Quest shall only process Personal Information in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, Quest shall take reasonable steps to ensure that Personal Information which it processes is accurate, complete, current and reliable for its intended use.

Access

Individuals in the EEA and Switzerland generally have the right to access their Personal Information.  As an agent processing Personal Information on behalf of its Customers, Quest does not own or control the Personal Information that it processes on behalf of its Customers or their Users and does not have a direct relationship with the Users whose Personal Information may be processed in connection with providing ODME or related Services.  Since each of our Customers is in control of what information, including any Personal Information, it collects from its Users, how that information is used and disclosed, and how that information can be changed, Users of ODME should contact the applicable Customer administrator with any inquiries about how to access or correct Personal Information contained in Customer Data, as defined below.  To the extent a User makes an access or correction request to Quest, we will refer the request to the appropriate Quest Customer and will support such Customer as needed in responding to any request.

To access or correct any general information Customer has provided, the Customer should contact their Quest account representative directly or by using the contact information indicated below. 

Enforcement

Quest uses a self-assessment approach to assure compliance with this Privacy Shield Policy and periodically verifies that the Policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the Principles. We encourage interested persons to raise any concerns using the contact information provided and we will investigate and attempt to reasonably resolve any complaints and disputes regarding use and disclosure of Personal Information in accordance with the Principles.

Dispute Resolution

In compliance with the EU-US and Swiss-US Privacy Shield Principles, Quest Software commits to resolve complaints about your privacy and our collection or use of your personal information. European Union or Swiss individuals with inquiries or complaints regarding this privacy policy should first contact Quest Software at:

Quest Software Inc.
Attn: Brad Kirby
4 Polaris Way
Aliso Viejo, CA 92656
Or emailed to: brad.kirby@quest.com

Quest Software has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint.

Note that as a last resort and under limited circumstances EU and Swiss individuals with unresolved complaints may invoke a binding arbitration option before the Privacy Shield Panel.

Definitions

“Customer” means any entity that purchases ODME and/or the related Services.

“Customer Data” means the electronic data transferred to Quest by or for a Customer or its Users.

“Personal Information” or “Information” means information that (1) is transferred from the EU and Switzerland to the United States; (2) is recorded in any form; (3) is about, or pertains to a specific individual; and (4) can be linked to that individual.

“Sensitive Personal Information” means Personal Information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual’s health.

“User” means an individual authorized by Customer to access and use the Application.

Personal Information that is transferred by clients to Quest in the United States from the European Union or Switzerland falls under one of the following two situations:

• “Data Processor”: When acting as a Data Processor on behalf of its clients, Quest acts only on the instructions of its “data controller” clients and does not control or share such data without direction from the client. For such processing, Quest enters into appropriate written agreements with each client evidencing and confirming that the client is the data controller for the purpose of the EU Data Directive and is in compliance with the applicable data protection laws. Quest does not determine what types of data its clients store on Quest’s servers or how that data is acquired, categorized, classified, accessed, exchanged or otherwise processed. Types of data include intellectual property, identifiable and de-identifiable patient records, emails, names, clinical trial data, validated data and non-validated data. Quest’s clients have control over such data at all times, and Quest’s clients are responsible for compliance with all applicable data protection principles for their own customers. Quest processes that data at the direction of its clients and in accordance with the terms of its written contracts with its clients.
• “Data Controller”:  Quest provides the platform for its clients to store and process data. Types of data include intellectual property, identifiable and de-identifiable patient records, emails, names, clinical trial data, validated data and non-validated data. Data can be transferred by clients to Quest over secure and encrypted channels or via transportable media. Quest simply accepts client data, but does not create, modify or delete client data of record.

Amendments or Changes to this Policy

This Privacy Shield Policy may be amended or changed from time to time consistent with the requirements of the Privacy Shield. Quest will post any revised Policy on this website.

Contact Information

Questions, comments or complaints regarding Quest’s Privacy Shield Policy or data collection and processing practices must be mailed to:
Quest Software Inc.
Attn: Brad Kirby
4 Polaris Way
Aliso Viejo, CA 92656
Or emailed to: brad.kirby@quest.com