Enterprise Online Privacy Statement

Privacy and data protection at DXC

This policy has been updated on June 9, 2022 to reflect DXC’s continued efforts in striving to provide best-in-class privacy and data protection. The section ‘Information Security, Accuracy and Retention’ has been updated to make available to you an overview of the technical and organizational measures (“TOMs”) implemented by DXC. Moreover, as indicated by the TOMs, DXC now maintains a formal Privacy Information Management System (PIMS) that achieved formal certification as defined in ISO/IES 27701 for its global and regional delivery centers.

At DXC our commitment to privacy goes beyond the minimum legal and regulatory requirements. We strive for best-in-class data protection and privacy management, which requires a sound data privacy governance structure and an effective data privacy compliance and best practices program to ensure DXC meets ever-changing and increasingly complex regulatory standards and all contractually agreed privacy obligations.

DXC's Global Privacy and Data Protection Office has strategic and operational responsibility for this program, which is adequately resourced and appropriately organized to ensure the policies and compliance processes, technology and physical controls and security we rely upon to govern the collection, use, storage and transfer of personal data all over the world meets statutory and regulatory requirements. Therefore, DXC's approach is to coordinate the contribution of several corporate disciplines - including ethics and compliance, legal, human resources, and information and physical security - to achieve our "best in class" data protection and privacy management objectives.

Strong board and executive management commitment to DXC's compliance with privacy law through appropriate organizations and programs.

    DXC’s Ethics and Compliance

    • The Ethics and Compliance organization’s charter and responsibilities are evidenced by Board resolution, which assigns day-to-day management responsibility for DXC’s ethics and compliance program to DXC’s Vice President, Ethics and Compliance.
    • The Ethics and Compliance Mission: Promote throughout the global DXC Technology community a culture of performance with integrity that encourages ethical conduct and values, and drives compliance with the Code of Business Conduct, internal policies, and the law.

    DXC's Global Privacy and Data Protection Office (PDPO).

    • Led by DXC’s Group Data Protection Officer based in the European Union (EU), DXC's global PDPO is a well-resourced and qualified strategic compliance function that operates under the authority of DXC's Ethics and Compliance organization.
    • The PDPO is responsible and accountable to advise DXC's businesses on best practices in privacy compliance, and to develop policies, procedures, training, risk assessment and monitoring programs that enable DXC to provide adequate levels of personal data protection for its clients, employees and other relevant individuals in all geographies and jurisdictions the world over.

    Compliance Policies, Standards, and Processes.

    • A strong, globally applicable Privacy and Data Protection Policy which reflects the Generally Accepted Privacy Principles ("GAPP") applicable to the collection, use, storage, and processing of personal data.
    • Comprehensive and cohesive compliance standards, processes, and procedures, which ensure consistent privacy and data protection across all of DXC's legal entities and businesses.

    Employee Training and Awareness

    • DXC takes a holistic approach to ensure privacy-aware employees throughout the employment lifecycle including new-hire instructions, annual awareness briefings, targeted training for high-risk populations, and periodic awareness messaging.

    Strong Risk Management Programs

    • In light of the inherent exposures to DXC's operational and strategic goals, DXC is committed to ensuring that risk management is a core competency, and an integral part of DXC's business operations that supports and informs reliable, quality decision making.
    • Subject to the Chief Risk Officer’s management and direction, the resources in both the Ethics and Compliance organization and its Privacy and Data Protection Office are integral parts of DXC's overall risk assessment program and posture, which includes internal and external audit and monitoring functions.
    • With regular privacy risk assessments, the PDPO monitors emerging exposures and remediates weaknesses in an effort to constantly mature DXC's compliance capabilities.

    A consistent Privacy Impact Assessment program is carried out on new and changed services, systems, and processes, aiming to disclose potential issues before they become a problem.

    Formal data breach handling procedures and a robust 24/7 operated incident response center supplement regulatory and contractual notification requirements, enabling constant vigilance and readiness in case of a crisis.

    Strong, Collaborative Cross-Disciplinary Partnerships

    • Inclusive of key internal stakeholders, including strong collaborative ties to DXC’s information and physical security, legal, human resources, and key business unit personnel without whom strict compliance with privacy laws is not possible.

    Flexible Service Delivery Model

    • A strong and robust global service delivery model that is flexible enough to meet the privacy requirements of the highly sensitive, regulated, and classified data environments.

    Formal Dispute Resolution Mechanism

    • A one-stop point of contact for our employees and clients for any privacy related matters regardless of the geography, business, or service. If you have specific concerns or requests, please feel free to send an email to privacy@dxc.com.

    This Privacy Statement applies to all DXC-owned websites, domains, and services and those of our wholly owned subsidiaries ("DXC sites or services"), except that a privacy policy or statement specific to a particular DXC service or program may supersede or supplement this Privacy Statement. Personal information concerning DXC and its customers, including outsourcing and other services clients, business partners, employees, former employees, and applicants for employment (“covered individuals”) collected and processed offline is also governed by this Privacy Statement except where the contract with a covered individual defines different requirements which will take precedence over this Privacy Statement.

    Personal information is any information that personally identifies an individual or from which an individual could be identified. This may include a name, address, telephone number, email address and other private personal attributes.

    DXC collects, uses, stores and transfers (collectively “processes”) personal information to manage its relationship with its customers, employees, business partners and other third parties (“covered individuals”) and better serve covered individuals by personalizing their experience and interaction with DXC. Such processing is done in compliance with applicable laws, including appropriate notice and consent, along with required filings with data protection authorities, where required.

    DXC may collect and process personal information through a variety of means, including, as examples, access to DXC sites or services, or other ordering channels, employment processes, during conversations or correspondence with DXC representatives, through purchase of goods or services or in the course of an online application.

    Fulfilling your Transaction Request

    If we receive any requests related to, for example, a product or service, a callback, or specific marketing materials, we will use your personal information to fulfill your request. In this context, we may share information with others, for instance, DXC's group companies and business partners, involved in fulfillment. In connection with a transaction, we may also contact you as part of our customer satisfaction surveys or for market research purposes subject to applicable laws and regulations.

    Personalizing your Experience on our Web Sites

    We may use information we collect about you to provide you with a personalized experience on our Web sites, such as providing you with content in which you may be interested and making navigation on our sites easier.

    Providing Support

    We may use your personal information to support DXC products or services you have purchased from us, including technical support, where we may sometimes have incidental access to data that you have provided to us or data that is located on your system. This data may contain information about you, your organization’s employees, customers, partners, or suppliers (collectively “customer data”). This Privacy Statement does not apply to our access to or handling of your customer data; the conditions regarding the handling and processing of your customer data is covered by the applicable terms of use or other agreements between you and DXC and its group companies.

    Marketing

    The information you provide to DXC, as well as the information we have lawfully collected about you indirectly, may be used by DXC for marketing purposes. We will offer you the opportunity to opt-in to DXC using your information in this way. You may at any time choose not to receive marketing materials from us by following the unsubscribe instructions included in each e-mail you may receive, by visiting the DXC Preference Center, or by contacting DXC directly at privacy@dxc.com.

    Some of our offerings may be co-branded, that is sponsored by both DXC and third parties, such as DXC Alliance Partners. If you sign up for these offerings, be aware that your information may also be collected by and shared with those third parties. We encourage you to familiarize yourself with their privacy policies to gain an understanding of the manner in which they will handle information about you. If you would like to review, rectify or request deletion of any Personal Information we have about you, you can submit a request by emailing DXC’s privacy office at privacy@dxc.com.

    Recruitment

    In connection with a job application or inquiry, whether advertised on a DXC Web site or otherwise, you may provide us with information about yourself, such as a resume. We may use this information throughout DXC and its group companies in order to address your inquiry or consider you for employment purposes.

    Monitoring or Recording of Calls, Chats and Other Interactions

    Certain online transactions may involve you calling us or us calling you. They may also involve online chats. Please be aware that it is DXC's general practice to monitor and in some cases record such interactions for staff training or quality assurance purposes or to retain evidence of a particular transaction or interaction.

    Mobile Applications and Use of Information in the Social Computing Environment

    DXC makes available mobile applications for download from various mobile application marketplaces. DXC also provides social computing tools on some of its websites to enable collaboration among members who have registered to use them. These include forums, wikis, blogs and other social media platforms.

    When downloading and using these applications or registering to use these social computing tools, you may be asked to provide certain personal information. These applications and tools may also include supplemental privacy statements with specific information about collection and handling practices. We encourage you to read those supplemental statements to understand how the tools and applications may process your data.

    Any other content you post, such as pictures, information, opinions, or any other type of personal information that you make available to other participants on these social platforms or applications, is not subject to this Privacy Statement. Rather, such content is subject to the terms of use of those applications or platforms, and any additional guidelines and privacy information provided in relation to their use, as well as the process by which you can remove your content from such tools. You should be aware that the content you post on any such social computing platforms may be made broadly available to others inside and outside DXC.

    Protect the Rights and Property

    We may also use or share your information to protect the rights or property of DXC, our business partners, suppliers, clients, or others when we have reasonable grounds to believe that such rights or property have been or could be affected. In addition, we reserve the right to disclose your personal information as required by law and when we believe that disclosure is necessary to protect our rights, or the rights of others, or to comply with a judicial proceeding, court order, law enforcement or legal process.

    DXC will not sell, rent or lease your personal information to others.

    As a global organization with business processes, management structures and technical systems that cross borders, DXC may share information about you within DXC and transfer it to countries in the world where we do business in connection with the uses identified above and in accordance with this Privacy Statement. Our Privacy Statement and our internal policies and practices are designed to provide a globally consistent level of protection for personal information all over the world. Even in countries whose laws provide for less protection for your information, DXC will still handle and protect your information in the manner described in this Privacy Statement.

    DXC retains service providers, suppliers, and other alliance partners located in various countries to manage or support its business operations, provide professional services, deliver customer services and solutions, and otherwise process information on DXC behalf. It is DXC's practice to require such service providers, suppliers and alliance partners to handle personal data and other confidential information in a manner consistent with DXC's policies.

    Circumstances may arise where, whether for strategic or other business reasons, DXC decides to sell, buy, merge or otherwise reorganize businesses in some countries. Such a transaction may involve the disclosure of personal information to prospective or actual purchasers, or the receipt of such information from sellers. It is DXC’s practice to seek appropriate protection for information in these types of transactions.

    Please be aware that in certain circumstances, personal information may be subject to disclosure to government agencies pursuant to judicial proceeding, court order, law enforcement or legal process. We may also share your information to protect the rights or property of DXC, our business partners, suppliers or clients, and others when we have reasonable grounds to believe that such rights or property have been or could be affected.

    Registration is not required to gain access to DXC websites. However, if you choose to receive certain services, specific material and information your subscription is required on certain DXC websites.

    In this regard, DXC may collect personal information from you including your name, phone number, email address, or other information you choose to provide at various times, for example, when you complete an online form or request or participate in an online community.

    You can make or change your choices about receiving either subscription or general communications at the data collection point, within your account preference settings or by using other methods, which are listed in this Privacy Statement. You may opt-out at any time using the links at the bottom of any email or via the DXC Preference Center.

    Please note, this option does not apply to communications primarily for the purpose of administering business relationships, including contracts, support, or other administrative and transactional notices where the primary purpose of these communications is not promotional in nature.

    DXC recognizes and respects the varying national laws and obligations and their impact on cross-border data transfers. When transferring personal information outside of the country of collection for the purposes identified above, DXC will do so in compliance with applicable law.

    In the development of DXC’s privacy policies and standards, we respect and take into account the major privacy and data protection principles and frameworks around the world and any amendments applied thereto from time-to-time, including as examples the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, the APEC Privacy Framework, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and the Australian Privacy Act.

    EU Personal Data Transfers

    For personal data originating from a European Union (EU) member state, DXC uses a variety of lawful data transfer mechanisms for this purpose, including EU Standard Contractual Clauses (SCCs).

    DXC has an intragroup agreement on the transfer and processing of personal data within the DXC group worldwide which has the EU Standard Contractual Clauses incorporated. This agreement allows DXC to ensure that personal data, including data originating from the EU, which is transferred cross-border and processed by other DXC group companies, including those located outside the EU, is adequately protected in accordance with applicable data protection law.

    The decision of the European Court of Justice (ECJ) invalidating the Privacy Shield framework ─ in place to streamline and legitimize data transfers between the US and EU member nations ─ led DXC to suspend its participation in this framework.

    Although DXC had been certified for compliance with the Privacy Shield framework, we have used and maintain properly executed data transfer agreements, including the EU Standard Contractual Clauses (SCCs), to legitimize all of our customer personal data transfers globally, including those that were necessary to conduct customer and company business between the US and EU nations. These agreements continue in full force and effect today.

    DXC is committed to the lawful treatment and confidential handling of sensitive information, including personal information about California residents, and has adopted a set of global information management policies including privacy and data protection, security, system access, information classification, and other relevant policies governing the collection, use, disclosure, transfer, retention, and deletion of information.

    DXC as a “Service Provider” (as defined in the CCPA) confirms that it will process personal information which it retains, uses, or discloses in connection with its performance under any contract: (1) only on behalf of and for the benefit of the “Business” (as defined in the CCPA) from which it has received or on whose behalf it gathered the personal information; (2) only in accordance with the contract and Business’s prior written instructions, if any; unless (3) as otherwise required by the CCPA. DXC confirms that it will not process personal information for any purpose other than for the specific purpose of performing the services specified in the contract.

    Security is a high priority for DXC and to protect the personal data and other confidential information and maintain its accuracy and integrity we have implemented appropriate administrative, technical and physical safeguards to prevent unauthorized access, use or disclosure. We require the same high standard of information security and information management of any third parties we share your data with.

    We will retain personal information only for as long as legally required or permitted and in accordance with DXC records and information management policies. We respect your right to privacy and upon your request DXC will no longer use your personal information unless required to provide you services or as necessary to comply with DXC’s legal obligations, resolve complaints and disputes, and enforce our agreements.

    For more information please refer to DXC’s overview of technical and organizational measures (“TOMs”)”

    DXC has implemented technology, management processes and policies aimed to maintain data accuracy. According to applicable laws, DXC provides individuals with reasonable access to personal information that they provided to DXC and the reasonable ability to review and correct the data or ask for anonymization, blockage, or deletion, as applicable. To protect your privacy and security when submitting an access request, we will take reasonable steps to verify your identity, such as requiring a password and user ID, passport number and/or other unique personal identifiers before granting access to your data. To submit your access request, please contact the DXC Global Privacy and Data Protection Office at privacy@dxc.com.

    DXC is committed to resolve any complaints you may have in relation to your privacy and DXC's collection and use of your personal information. Please send any privacy related complaints or requests, including request for access to information to privacy@dxc.com.

    Where applicable, individuals may also reach out their national privacy authorities and ask for their support. DXC is committed to coordinate and collaborate with foreign regulators, such as EU and UK privacy authorities.

    DXC is committed to resolve any complaints you may have in relation to your privacy and DXC's collection and use of your personal information. Please send any privacy related complaints or requests, including request for access to information to privacy@dxc.com.

    Where applicable, individuals may also reach out their national privacy authorities and ask for their support. DXC is committed to coordinate and collaborate with foreign regulators, such as EU and UK privacy authorities.

    A cookie is a string of information that a web site saves on a visitor’s computer and then the visitor’s browser provides to the web site operator each time the visitor returns to the information collecting web site. When DXC collects cookies or makes use of a browser's local storage capabilities, they help DXC identify visitors, their usage of the site, and their Web site access preferences. DXC may also use information derived from cookies or local storage to direct the visitor to information similar to what they visited and thereby market DXC products and services by personalizing the experience on the visitor’s web page on DXC’s site. Visitors will be offered the opportunity to control cookie placement. Visitors who do not wish to have any cookies placed on their computers should set their browsers to refuse cookies before using DXC’s web site, with the drawback that certain features of the web site may not function properly without the aid of cookies. Visitors that want to limit third party advertising cookies can enable their browser’s “Do Not Track” functionality.

    It must be noted, pages on DXC’s web site will occasionally embed content from third party sites, such as YouTube for videos and Taleo for jobs. DXC’s web site also allows for content to be shared through social networks but only at your request. Embedding and sharing content may result in as cookies being set by those third party sites. DXC does not control the dissemination of those cookies. Please visit these third party sites if you wish to learn more about their use of cookies and similar tools.

    Please note that the web site is constantly being updated and the cookies we use will change over time. If you have any additional questions about the use of a particular cookie please do not hesitate to email privacy@dxc.com.

    DXC makes use of third-party advertising systems to promote content on this website. These services will often make use of cookies and pixel tags to provide targeted advertisements based on your activities and interests. DXC does not permit third parties to advertise on this site but we do use external sites to advertise our products and services. Please visit these third-party sites for additional details regarding their privacy policies and practices.

    DXC sites or services may provide links to third-party applications, products, services, or websites for your convenience and information. DXC does not control those third-party sites or their privacy practices, which may differ from DXC's practices. We do not endorse or make any representations about third-party sites and privacy practices. The personal information you choose to provide to or that is collected by these third parties is not covered by this DXC Privacy Statement. We encourage you to review the privacy policy of any site you interact with before allowing the collection and use of your personal information.

    We may also provide social media features that enable you to share information with your social networks and to interact with DXC and its group companies on various social media sites. Your use of these features may result in the collection or sharing of information about you, depending on the feature. We encourage you to review the privacy policies and settings on the social media sites with which you interact to make sure you understand the information that may be collected, used, and shared by those sites.

    We will post a notice at the top of this page notifying users when this Privacy Statement is updated or modified in a material way. If we are going to use your personal information in a manner different from that stated at the time of collection, we will notify you, and you will have, subject to legal and/or contractual provisions, a choice as to whether or not we can use your personal information in such a way.

    We value your opinion, if you have any comments or question about this Privacy Statement, DXC's handling of your personal information, or a possible breach of your privacy you can send an email to the DXC Global Privacy and Data Protection Office at privacy@dxc.com.

    Individuals living inside the EU, UK and Switzerland seeking further information, guidance and advice may also contact their local privacy authorities.

    We will treat your requests or complaints confidentially. Our representative will contact you within a reasonable time after receipt of your complaint to address your concerns and outline options regarding how they may be resolved. We will aim to ensure that your complaint is resolved in timely and appropriate manner.