Last Updated: 9 December 2019
Our efforts are guided by Privacy by Design principles set forth in the GDPR. Privacy by Design refers to having privacy as an objective when developing personal data collection and processing measures. While not an exhaustive list, some examples of situations in which we apply Privacy by Design include when we (i) develop the features of our products and services; (ii) specify the business purposes for which we collect personal data when you use http://www.forcepoint.com and any of its sub-domains, do business with Forcepoint or use Forcepoint products; (iii) deploy any information systems that will be processing personal data, (iv) design and employ security measures to protect personal data in the systems our customers use; and (v) dispose of personal data that is no longer required to satisfy business or legal objectives.
1. FORCEPOINT’S PERSONAL DATA ROLES
Forcepoint collects personal data as described below in furtherance of its business activities. Forcepoint typically collects such data directly, but may work through third parties. Whether Forcepoint collects personal data directly or through a third party Forcepoint is a data controller as defined and with the responsibilities provided in the GDPR.
Forcepoint is a processor of personal data collected through its customers’ use of Forcepoint products and services. Under these circumstances, the customer is the data controller and Forcepoint is the data processor as defined and with the responsibilities provided in the GDPR. Forcepoint’s processing of personal data collected through the use of its products and services is done in accordance with the terms of the Forcepoint Data Processing Agreement (DPA) for the Provision of Forcepoint Products. The Forcepoint DPA located at https://www.forcepoint.com/data-processing-agreement.
2. PRIVACY SHIELD PARTICIPATION
Forcepoint is pleased to participate in and adhere to the Principles of the Privacy Shield Framework program (https://www.privacyshield.gov/). The Privacy Shield program was established by the United States (US) government, in consultation with the European Commission and others. Privacy Shield provides a reliable and GDPR compliant means for transferring personal data from the European Union (EU) to the US. Our participation in Privacy Shield assures EU-based data subjects’ personal data continues to benefit from European data protection laws when transferred to Forcepoint’s offices and vendors in the United States.
Forcepoint annually self–certifies its commitment to apply the Framework Principles to all personal data received or collected from the EU. The Department of Commerce reviews the Forcepoint self-certification and if it determines our self-certification is acceptable will include Forcepoint in the list of active Privacy Shield participant companies. The Privacy Shield list can be found by clicking on this link: Privacy Shield list. Forcepoint’s compliance with the Privacy Shield principles is subject to the enforcement powers of the US Federal Trade Commission.
Note: If Forcepoint has occasion to transfer personal data from the EU to non-EU countries other than the United States we will implement Standard Contractual Clauses or other measures approved by EU law so as to ensure the transfer is lawful. A copy of the Standard Contractual Clauses are incorporated in the Forcepoint Data Processing Agreement.
3. PERSONAL DATA WE COLLECT AND/OR PROCESS
General: We receive and store information, including information that can be used to identify you ("personal data"), entered on our Website or given to us in any other way. This occurs, for example, when you make inquiries about the Website or about Forcepoint partners, products or services (whether via the Website or otherwise). Except to the limited extent that may be necessary in the context of online job applications, we neither request nor collect sensitive personal data (i.e., personal data specifying criminal offences/convictions, medical or health conditions, biometric or genetic data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual).
Information that we automatically collect when you use the Website: When you use our Website, we automatically collect the following information:
- Navigation and click-stream data
- HTTP protocol elements
- Search terms
Forcepoint does not collect and use your Personal Data information unless you choose to register yourself on the website.
Personal Data we collect when you register with us online or create an online account: You can browse the Website without registering with us or creating an online account. If you choose not to register with us or create an online account we will not collect and use your personal data. However, in order to access certain resources or services via the Website (e.g., to download reports or papers, access technical alerts or to join technical forums), you will need to register with us. If you register and create an online account, we collect certain personal data about you such as:
- Your first and last name;
- Your telephone number;
- Email address;
- Job function;
- Job title;
- Organization name, size and location; and
- Whether or not you are acting on behalf of a current customer.
Personal Data we collect when we obtain online feedback from you: We collect your name, online contact information and any other personal data that you choose to provide in the context of obtaining online feedback from you. At your option, we may also collect your organization's name and physical contact information although we may already hold this information if you have provided it to us for another purpose.
Personal Data we collect when you do business with Forcepoint: We may collect and process Customer, Vendor or Business Partner Personal Data when you conduct business with Forcepoint on behalf of a Customer or prospective customer, or as, or on behalf of, a vendor, supplier, consultant, professional adviser or other third party. "Customer, Vendor or Business Partner Personal Data" means information relating to an identified or identifiable natural person that Forcepoint receives on behalf of a customer or prospective customer, or from or on behalf of a vendor, supplier, consultant, professional adviser or any other third parties that does business with Forcepoint, whether or not such natural person is also a Website user. Examples of Customer, Vendor or Business Partner Personal Data include:
- Customers’, Vendors’, or Business Partners’ points’ of contact connection or communication details (such as name, business phone numbers and business address);
- Business contact information (such as job title, responsibilities, department and name of organization);
- Financial information (such as financial account information) if needed to take payment or fulfill contractual obligations or for related purposes;
- Information necessary to evaluate Forcepoint's and Business Partners’ and Vendors’ performance; and
- If you also hold an online Forcepoint account, we add any purchase information we collect, including details of the purchase and your business address, to your online account information.
Personal Data that we collect when you apply online for employment: You may elect to submit personal data through our website to be considered for employment at Forcepoint. Such data includes your name, your address, your phone number, your email address, job preferences, experience, desired salary, relocation preferences, work authorization, security clearance, education, job skills and other information contained on your resume or curriculum vitae (CV). Forcepoint uses such data solely for consideration of your candidacy for employment, to communicate with you and to generate related correspondence, including offer letters and employment agreements. Such data may also be used, subject to applicable local laws, to conduct necessary background checks for compliance and other employment related purposes. Finally, Forcepoint only retains such data for as long as is necessary to address your employment interest and any questions that may arise regarding your applications’ processing. Your submission of your personal data or resume through our website constitutes your consent to the collection, storage and use of that data, including in the United States, as described above.
Personal Data received from the use of certain Forcepoint products: Forcepoint products enable customers to monitor their networks to protect against cyber threats and, depending on the product, we may receive the personal data of end users of such monitored networks (“End User Personal Data”). The type of End User Personal Data we may receive from the use of such monitored networks includes:
- Forcepoint Subscriber ID information: Customer ID (i.e., the ID used to identify which customer is sending or receiving files), User ID or Visitor ID (the ID used to identify client IP visiting the file), network user name, first name, last name, company name, country, and email address.
- Communication information: email metadata, including email addresses of sender and recipient, sender email in SMTP transaction and email subject.
- Traffic data: proxy log, web traffic logs, apache browsing logs, browsing and diagnostic logs, IP addresses, URL information, website session data and files submitted by end users of Forcepoint products.
- Such other data as the Forcepoint customer collects in furtherance of its cybersecurity program.
In Section 4 below we explain how End User Personal Data is processed in accordance with our customers’ decisions regarding what is necessary to protect the security and other vital interests of the customer and their monitored networks’ users. Forcepoint may use End User Personal Data for the legitimate interest purpose of ensuring the products work effectively.
Personal Data we obtain from other sources: We also may periodically obtain both personal data and non-personal data about you from Forcepoint subsidiaries, business partners or resellers and other third-party sources. We may add personal data and other information we obtain from these sources to personal data and other information we may already hold about you, such as:
- Updated business address information;
- Purchase history;
- Demographic information; and
- Credit information about Customers, Vendors or Business Partners from credit reference agencies (for more information see Section 4 below).
4. HOW WE USE YOUR PERSONAL DATA
Personal Data: We use or may use your personal data for the following purposes (or as otherwise described at the point of collection) in line with the requirements of data protection laws and the “legitimate interests” we determine necessitate the collection:
- Creating and administering records about your online account (if you have one), including your organization’s purchase history;
- To provide you with information, access to resources or other products or services that you have requested from us on behalf of your organization;
- To send you customer service-related communications, including in relation to administering your organization's online account and providing online services to you on behalf of your organization;
- To provide technical product support to Customers and to enhance Customer technical product support services.
- To address any communications you may send to Forcepoint;
- To alert you to upgrades and enhancements to our products and to new products and/or services, including by email, in accordance with your communication preferences. Please see the "Your Choices" section below for further information about how you can control these updates;
- To request your feedback;
- To assess financial, credit or insurance risks arising from any relationship or prospective relationship with a Customer, Vendor or Business Partner;
- To complete and support the current activity, Website and system administration, research and development, and to improve the navigation and content of the Website;
- To carry out User analysis, User profiling and decision making2, for customers who opt in to sharing their data with us;
- To improve the Website; and
- To improve our products and services.
Website usage data: We use tools to measure Website visitor performance, click data, engagements with content on the Website, pathing, form completions, etc. We also aggregate such data without Personal Data and use it to analyze user behavior and make decisions about how to improve the user experience.
Marketing: We and our business partners may contact you by mail, telephone, fax, email or other electronic messaging service with offers of goods, services, promotions or other information that may be of interest to you in accordance with your communication preferences. Where required by applicable law, your prior consent will be obtained before sending you direct marketing. You may withdraw your consent at any time by changing your communications preferences. (See Section 6, "Your Choices", below).
Forcepoint does not in any way sell, lease or rent your information to third parties.
Anonymous and Non-personal Data: We may generate, use and disclose anonymous and non-personal data and statistics about the Website for marketing and strategic purposes. Similarly, we may generate aggregate usage and statistical information related to Customers’ and end-users’ use of the Products in order to facilitate analysis and comparisons.
End User Personal Data: Certain Forcepoint products and services enable our enterprise customers to monitor use of their networks to protect against cyber threats. Such monitoring may result in the collection of End User Personal Data passing through the networks. In providing these products, Forcepoint acts as a “Data Processor” on behalf of the customer who acts as the “Data Controller” under applicable data protection laws.
As Data Controllers of the End User Personal Data, our customers retain full responsibility for ensuring the End User Personal Data collected by their use of Forcepoint products is handled in accordance with applicable privacy laws and regulations.
In its role as the Data Processor, Forcepoint will process the End User Personal Data as required to perform the service including to manage and administer Forcepoint’s customers’ services such as providing technical support, tailoring network monitoring policies, and developing product improvements. As a Data Processor, Forcepoint undertakes to comply with the laws applicable to Data Processor activities. We meet our obligations in this regard by ensuring our customer contracts (i) define Forcepoint’s and customers’ respective obligations under applicable privacy legislation and (ii) require our customers to comply with relevant privacy legislation.
5. SHARING YOUR PERSONAL DATA
We may share your personal data as follows:
- With Forcepoint affiliates, for the purposes described in Section 4 above;
- With our service providers or agents solely to the extent necessary to enable such service providers or agents to provide services to Forcepoint or on Forcepoint's behalf.
- In response to subpoenas, court orders or other legal process, for reasons relating to national security, to defend against legal claims, to protect the rights, property or safety of Forcepoint, Forcepoint Customers, Vendors or Business Partners, Website users, employees or others, or as may otherwise be required by applicable law;
- To Forcepoint auditors, legal representatives or similar agents;
- To resellers for the purposes of sales and support-related matters;
- To any third party that purchases, or to which a Forcepoint entity transfers, all or substantially all of the Forcepoint assets or business (in which case the relevant Forcepoint entity will use reasonable efforts to ensure that the third party to which it transfers personal data uses it in a manner that is consistent with this Policy);
- To credit reference agencies for the purposes of making periodic searches in the context of managing and taking decisions about Forcepoint's relationship or prospective relationship with a Forcepoint Customer, Vendor or Business Partner. Such information as is provided to credit reference agencies may be used by other credit providers to take decisions about the Forcepoint Customer, Vendor or Business Partner.
Forcepoint’s policy is to maintain contracts with all third parties with which we share personal data that restrict their access, use and disclosure of personal data in compliance with our legal obligations, including those under GDPR and Privacy Shield.
6. YOUR CHOICES
If at any time you decide you do not want us to retain any personal data we collected from you when you registered on our website, or otherwise collected about you from others as described in Section 3 of this Policy, you may request we delete your information. Instructions for contacting us are provided in Section 7 of this policy. Of course, once we delete your information you will no longer be registered with us and you will not have access to the services that are only available through registration. As noted above, even if you are not registered with us we collect Navigation and click-stream data, HTTP protocol elements, and search term data, which helps us to optimize the browsing experience. This data is not personally identifiable Personal Data if you are not registered on the website.
You may at any time change your communications preferences to withdraw your consent to receive marketing messages from Forcepoint or its business partners without de-registering with us. You may also withdraw your consent to receive marketing messages by sending an email request to firstname.lastname@example.org. Please keep in mind that if you elect to de-register you will not receive emails concerning upgrades and enhancements to Forcepoint products. However, we will continue to send you services-related (non-marketing) communications in connection with the administration of your organization's account and products or services that you have requested from Forcepoint on behalf of your organization.
7. YOUR RIGHTS: ACCESSING AND CHANGING YOUR PERSONAL DATA3
Forcepoint seeks to ensure that your personal data and preferences are accurate and complete. You have the right to update your personal data and/or preferences at any time. If you wish to review or change the personal data we have regarding you or to update your preferences regarding our retention or use of your personal data please let us know by sending an e-mail with your name, full mailing address and e-mail address to email@example.com together with a description of the changes you request4.
You may also make changes by writing to Forcepoint at:
Attention: Senior Director, Ethics & Compliance/Data Protection Officer
10900-A Stonelake Blvd., Quarry Oaks 1, Suite 350
Austin, TX 78759
EU persons have the right to seek rectification (where data is inaccurate), erasure, restriction, objection or portability of their personal data. EU persons may also have a right to receive from us a copy of their personal data we have in our possession. To exercise these rights or to obtain a copy of the personal data we hold about you, please write to the above address. Alternatively, EU Data subjects seeking to make changes to their information in Forcepoint’s possession or to update their preferences regarding our retention or use of their personal data can send an e-mail with name, full mailing address and e-mail address to firstname.lastname@example.org together with a description of the requested changes.
Forcepoint’s main establishment in the EU is Forcepoint International Technology Limited (FITL), an Irish incorporated company with a registered office at Riverside One, Sir John Rogerson’s Quay, Dublin 2, Ireland, and a wholly-owned subsidiary of Forcepoint LLC. FITL is the place of central administration for Forcepoint in the EU and as such is the “Main Establishment” for Forcepoint in the EU. EU Data subjects seeking to make changes to their information in Forcepoint’s possession or to update their preferences regarding our retention or use of their personal data can send an e-mail with name, full mailing address and e-mail address to email@example.com together with a description of the requested changes.
Inasmuch as Forcepoint’s Main Establishment in the EU is located in Ireland, EU Data Subjects wishing to lodge an issue regarding Forcepoint should do so with the Data Protection Authority (DPA) established in Ireland.
8. QUESTIONS, OBJECTIONS AND COMPLAINTS
We are responsible for our collection, use and disclosure of EU Personal Data in accordance with GDPR. We also are responsible for third party agents that are processing personal data on our behalf. In certain situations, we may be required to disclose EU Personal Data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.
Where we are relying on our legitimate interests to process your personal data (see section 4 above), you have the right to object to such processing, to include how we use or disclose your information. To exercise your right to object, please contact us as specified above. We will consider your objection and we will comply with it unless we have a compelling legitimate ground as permitted by applicable law.
Forcepoint is committed to reply to any questions and resolve any complaints, including complaints regarding our collection, use or disclosure of your Personal Data. Anyone with such inquiries or complaints may contact Forcepoint as specified above.
If you are a resident of the EU and you are not satisfied with Forcepoint’s response to your issue with their collection and transfer of your personal data to the United States you may then submit your complaints to Forcepoint’s alternative dispute resolution representative, the International Centre for Dispute Resolution (ICDR). ICDR can be contacted at http://go.adr.org/privacyshield.html. If none of the foregoing resolved your concern you may seek binding arbitration through the Privacy Shield Panel. The Privacy Shield arbitration program requirements can be found at this link.
9. CALIFORNIA’S “SHINE THE LIGHT” LAW
10. PROTECTING YOUR INFORMATION
Forcepoint acknowledges your trust and is committed to protecting the personal data you provide to us. To prevent unauthorized access, maintain accuracy, and ensure proper use of such data, we employ physical, technical, and administrative processes as necessary to safeguard and secure the personal data we collect.
Website users can help further protect their personal data by using a secure web browser and by changing any access passwords regularly. Please note that data transmission over the Internet is not 100% secure and any information disclosed online can potentially be collected and used other than by the intended recipient. Please be aware that, by posting information to the technical forum via the Website, you may be making this information available to the public. You should be careful not to reveal any sensitive or other personal details about yourself.
12. OTHER LINKS
13. RETENTION OF PERSONAL DATA
Forcepoint will only keep personal data it collects (i) for as long as is necessary for the purpose or purposes for which it was collected; (ii) for the purposes of performing or fulfilling a contractual obligation with the organization that you represent; (iii) for as long as required by law; or (iv) where applicable, for as long as Forcepoint may be sued.
14. MONITORING AND COMPLIANCE
We may monitor, store, review and disclose to third parties any information, including your personal data, obtained on or through the Website as may be necessary to satisfy any applicable governmental law, regulation, investigation or proceeding. Forcepoint may also disclose your personal data (1) where such disclosure is required by law; (2) to protect Forcepoint’s legal rights to the extent authorized or permitted by law; or (3) in an emergency where the health or safety of you or another individual may be endangered, to the extent permitted by law. Additionally, we may use IP addresses to identify a particular user if we believe it is needed to enforce compliance with these terms or to protect our company, employees, Website, or customers.
15. CONTACT US
Attention: Senior Director, Ethics & Compliance/Data Protection Officer
10900 Stonelake Blvd.
Quarry Oak 1, Suite 350
Austin, TX 78759
In your e-mail or letter, state your question or concern as clearly as possible.
1 Carnelian LLC, Forcepoint Federal LLC, New Websense, Inc., Port Authority Technologies, LLC, Raytheon Oakley Systems, LLC, SurfControl, Inc., Tomahawk Acquisition, Inc., Tomahawk Holdings, Inc., Websense, LLC, Red Owl Analytics, Inc., Red Owl International, LLC
2 In addition to any other options you have with regard to our retention or use of your personal data (See Section 5 of this Policy), you are asked to opt in to this usage.
3 If you are a resident of the EU and your query relates to personal data that you have provided to us through an online employment application then you may also raise your query with the Data Protection Authority in your home country. The Forcepoint Data Protection Officer will provide contact information for the Data Protection Authority upon request.