General Data Protection Regulation (GDPR) Compliance Information

Introduction

Internap Holding LLC (“HorizonIQ”), together with its domestic and foreign subsidiaries (collectively, “HorizonIQ”), provides high-performance data center services including colocation, managed hosting, cloud, and network services across a global network of data centers and POP locations. HorizonIQ customers may use HorizonIQ services to store, transmit, encrypt, decrypt, modify, process and otherwise manipulate or transmit data. In most cases, HorizonIQ does not directly control how its services and infrastructure are utilized and what information is stored on or transmitted through such infrastructure.

Certain of this data may constitute protected “personal data” as defined in the E.U. General Data Protection Regulation (“GDPR”). In addition, certain of the HorizonIQ Services may constitute “processing” as defined in GDPR. As such, GDPR may apply to HorizonIQ in certain circumstances, depending on the services provided and data stored.

The following disclosures concerning HorizonIQ’s compliance with GDPR are presented for informational and compliance purposes only. Nothing in these disclosures constitutes a representation that any particular data or service is governed or subject to GDPR, nor do these disclosures represent or constitute any contract or undertaking with any customer or prospective customer.

Effective Date of GDPR

GDPR became effective on May 25, 2018. On and after that date, HorizonIQ complies with GDPR to the extent applicable.

HorizonIQ’s Status Under GDPR

Under GDPR, HorizonIQ may be designated as (i) a “processor” subject to GDPR with respect to certain data sets; (ii) a “controller” subject to GDPR with respect to certain data sets; or (iii) not subject to GDPR for certain data sets.

Processor

If GDPR applies, in most cases, HorizonIQ will be a “processor.” This means that HorizonIQ will store or perform some other set of operations on a data set that contains “personal data” for a customer, at the customer’s written direction.

Example: HorizonIQ provides managed services hosting to Customer A, a retailer based in France. This customer stores shoppers’ names, birthdates, email addresses and credit card information and many of these shoppers are EU citizens. Customer A is a “controller” of the shopper data. In connection with the managed services hosting, HorizonIQ has logical access to the shopper data, and therefore, HorizonIQ is a “processor” of the shopper data. HorizonIQ processes data for Customer A pursuant to a data processor agreement.

Controller

HorizonIQ also collects and stores contract information, payment information, employee records, and other information for the purposes of conducting business, marketing, employment, and more. In these cases, HorizonIQ is a controller of data.

Example: HorizonIQ enters into a contractual agreement with Customer B concerning the use of colocation space. Customer B is based in the E.U. HorizonIQ receives personal information regarding employees of Customer B during negotiations, including the employees’ work email addresses. HorizonIQ is a “controller” of this data.

GDPR Does Not Apply

For other relationships, GDPR will not apply, either because the data does not constitute protected data, or because the customer is not subject to GDPR.

Example: A US-based customer purchases managed hosting services for marketing data concerning US citizens. GDPR does not apply.

Example: An EU-based customer purchases colocation services from HorizonIQ. HorizonIQ does not have logical access to any customer data. HorizonIQ does not have logins, passwords, or any other data, and cannot access the server. HorizonIQ provides only physical security of the actual machine storing the data. HorizonIQ is not a data processor because HorizonIQ does not perform any operation on the customer’s data. It is not necessary to execute a processor agreement with HorizonIQ under GDPR.

Example: An EU-based customer purchases network services from HorizonIQ. HorizonIQ does not have logical access to any customer data in connection with network services. It is not necessary to execute a processor agreement with HorizonIQ under GDPR, because HorizonIQ is acting as a “mere conduit” of the data and is not considered a processor of the data.

HorizonIQ Responsibilities

Security: HorizonIQ implements standard up-to-date security measures to secure the environment and connections through which HorizonIQ provides its services. HorizonIQ can deliver additional and/or alternative measures upon customer’s request.

Disclosure: HorizonIQ will not disclose any information to any third party unless authorized by law, or authorized by either the data subject, controller, or processor as the case may be.

HorizonIQ Compliance As Processor

If HorizonIQ is a “processor” under GDPR for a particular data set, HorizonIQ will enter into a processor agreement or data processor addendum. This agreement is required by GDPR and governs the terms of HorizonIQ’s processing of the protected data at issue.

HorizonIQ Compliance As Controller

If HorizonIQ is a “controller” under GDPR, HorizonIQ will comply with applicable GDPR obligations. These include, but are not limited to the following:

  • HorizonIQ will lawfully process data.
  • HorizonIQ will enter into processing agreements with any third-party processors prior to sending personal data to such processors.
  • HorizonIQ will maintain all required records and provide required modalities for the exercise of rights of the data subject.
  • HorizonIQ will retain data only as long as necessary for the purpose for which it was obtained.
  • HorizonIQ will provide required notices.
  • HorizonIQ will adopt all required policies and procedures and train employees who handle personal data governed by GDPR.
  • HorizonIQ will implement privacy by design and privacy by default with regard to personal data governed by GDPR.
  • HorizonIQ will implement privacy by design and privacy by default with regard to personal data governed by GDPR.
  • HorizonIQ will provide all required notifications in the event of a data breach.

GDPR Compliance

To ensure GDPR Compliance, HorizonIQ undertakes the following:

  • HorizonIQ enters into data processing agreements with its customers if GDPR applies to the processing of their data.
  • HorizonIQ enters into sub-processing agreements with its providers if necessary.
  • HorizonIQ maintains all documentation required by GDPR and provides all required notices.
  • HorizonIQ maintains up-to-date security measures, performs regulator audits, and will implement additional security at the customer’s request and pursuant to the terms of applicable agreements.
  • In areas applicable to GDPR, HorizonIQ offers its customers assistance in relation to security, data subject rights, data breaches, data protection impact assessment, prior consultation, and other elements of GDPR.
  • For any further questions regarding this notification or HorizonIQ’s compliance with GDPR more generally, please contact us at: gdpr@HorizonIQ.com. Please be advised that HorizonIQ cannot respond to any questions regarding your status as a controller or processor.

HorizonIQ Processors and Subprocessors

HorizonIQ uses certain processors and subprocessors to assist it in providing HorizonIQ Services. These processors and subprocessors may process personal data. A list of current HorizonIQ processors and subprocessors is available here.

Data Subject Notifications

As set forth above, in certain instances HorizonIQ will act as a controller under GDPR. Article 13 and 14 of GDPR require HorizonIQ to provide certain information to data subjects when collecting their personal data directly from them or from third parties (such as an employer).

This summary is for informational purposes only and is qualified in its entirety by applicable privacy policies and terms of use provided elsewhere on this website and by HorizonIQ affiliates. In the event of conflict, the terms of the applicable privacy policy or terms of use shall govern.

Identity of the Controller

HorizonIQ and/or any of its domestic and foreign subsidiaries will constitute the controller for GDPR purposes in the event that the data in question is personal data under GDPR and is collected by HorizonIQ. If you have any questions or concerns regarding collection of your personal data, please contact gdpr@HorizonIQ.com.

Purposes of Processing of Data

HorizonIQ may utilize personal data in a number of ways to meet obligations under various agreements, to pursue legitimate interests such as facilitating services pursuant to contractual agreements with entities, including providing services such as colocation, managed hosting, cloud, and network services. The legal basis for this processing generally will be that it is necessary for the legitimate interests outlined above, but other bases may include compliance with legal obligations or consent.

Recipients of Data

The recipients of personal data will depend in large part on the services being provided that require the processing of personal data. In many cases, the only recipients of such data will be employees of HorizonIQ who have committed themselves to confidentiality. In other cases, HorizonIQ may transmit such data to processors or other controllers as necessary to meet HorizonIQ’s obligations.

Transfer Outside of EU/EEA

HorizonIQ may transfer personal data outside of the European Union or European Economic Area. When HorizonIQ does this, appropriate safeguards will be in place, such as the insertion of approved model clauses. HorizonIQ will only transfer personal data to foreign controllers and processors who meet these standards.

Duration of Storage

HorizonIQ will only store your data as long as required by the basis for processing. For example, HorizonIQ will only store personal data that is being processed pursuant to HorizonIQ’s legitimate interest so long as such interest is present. If HorizonIQ is processing personal data based on consent, that consent may be withdrawn by you at any time. Please contact gdpr@HorizonIQ.com to withdraw such consent.

Your Rights as a Data Subject

HorizonIQ is committed to fulfilling its obligations concerning the exercise of your rights under GDPR. Please be advised that you have the following rights under GDPR (to the extent GDPR applies to your personal data):

  • HorizonIQ enters into data processing agreements with its customers if GDPR applies to the processing of their data.
  • The right to request access to, rectification or erasure (i.e., the right to be forgotten) of personal data or restriction of processing or to object to processing;
  • The right to data portability;
  • The right to lodge a complaint with a supervisory authority; and
  • In certain circumstances, the right to know the source of the data and whether the source was public.
  • Should you have any questions regarding the exercise of these rights, please contact gdpr@ HorizonIQ.com. HorizonIQ may provide additional information in communications directly with data subjects as necessary.

Last Updated: January 2024