Last revision: September 16th, 2024


Enterprise Online Privacy Statement

Privacy and data protection at DXC

This policy has been updated on November 16, 2020 to reflect DXC’s continued commitment for international data transfers after DXC suspended its participation in the EU-U.S. Privacy Shield Framework.

At DXC our commitment to privacy goes beyond the minimum legal and regulatory requirements. We strive for best-in-class data protection and privacy management, which requires a sound data privacy governance structure and an effective data privacy compliance and best practices program to ensure DXC meets ever-changing and increasingly complex regulatory standards and all contractually agreed privacy obligations.

DXC's Global Privacy and Data Protection Office has strategic and operational responsibility for this program, which is adequately resourced and appropriately organised to ensure the policies and compliance processes, technology and physical controls and security we rely upon to govern the collection, use, storage and transfer of personal data all over the world meets statutory and regulatory requirements. Therefore, DXC's approach is to coordinate the contribution of several corporate disciplines - including ethics and compliance, legal, human resources, and information and physical security - to achieve our "best in class" data protection and privacy management objectives.

Subject to the following exceptions, this Privacy Statement applies to all DXC Sites and Services. A privacy policy or statement specific to a particular DXC service, program or subsidiary may supersede or supplement this Privacy Statement. The Privacy Statement also governs the offline collection and processing of Personal Data concerning DXC and its customers, business partners, job applicants, employees and former employees (collectively, Data Subjects). Where a contract with a customer defines different requirements, those take precedence. 

Operating within the DXC Integrity organization, DXC has established a comprehensive set of integrated ethics and compliance as well as privacy and data protection programs and initiatives. Outlined below, these promote and support the responsible collection, use, storage and transfer of Personal Data. 

Governance

  • DXC Integrity is chartered by Board resolution. The DXC Integrity Charter assigns functional leadership and oversight of programs to the Vice President, Chief Ethics and Compliance Officer. Key programs are: Ethics & Compliance and Global Data Protection (GDP).
  • DXC Integrity’s mission is to promote a culture of performance with integrity that encourages ethical conduct, reinforces our corporate values and drives compliance with the Code of Conduct, internal policies and the law.
  • Privacy and data protection matters are managed by the GDP Program. The GDP Program is led by DXC’s Group Data Protection Officer based in the European Union (EU).
  • The GDP Program is responsible and accountable for advising DXC's businesses on best practices in privacy compliance. We have designed policies, compliance processes, technology, physical controls and security that govern the collection, use, storage and transfer of Personal Data to promote compliance with statutory and regulatory requirements. We coordinate the application of multiple disciplines—ethics and compliance, legal practice, human resource management, information security, physical security and others—to achieve our data protection and privacy management objectives.

Compliance Policies, Standards, and Processes

  • DXC has adopted a Global Privacy and Data Protection Policy which reflects the Generally Accepted Privacy Principles (GAPP) applicable to the collection, use, storage and processing of Personal Data.
  • Additionally, comprehensive compliance standards and procedures promote consistent privacy and data protection across all DXC legal entities and businesses.
  • The GDP team carries out a privacy assessment as needed on new and changed services, systems and processes; the objective is to identify and resolve potential issues before they become significant.

Employee Communications and Training

  • DXC regularly communicates with employees, including contractors and temporary workers, about the importance of privacy and data protection, raising awareness of privacy-related issues and risks. Privacy and data protection is incorporated into the new hire onboarding process. Periodic awareness messaging is broadly distributed using a variety of channels. Mandatory privacy and data protection training is included within the required annual Code of Conduct training. We provide risk-based, targeted training where necessary. 

Risk Assessment, Monitoring and Auditing

  • DXC conducts periodic risk assessments to identify, assess, prioritize and mitigate privacy and data protection risks.
  • DXC monitors and audits its privacy policies and procedures to mitigate privacy risks.

Incident Handling

  • DXC has established robust privacy incident handling procedures and operates a 24/7 incident response center, which will go into effect in the event of a suspected or confirmed privacy breach. These measures supplement regulatory and contractual notification requirements.

Cross-Disciplinary Partnerships

  •  The GDP Program relies on collaborative partnerships with key business units and other corporate functions such as Cyber Security, Information Technology, Legal and Human Resources, to meet privacy compliance goals.

Flexible Service Delivery Model

  • DXC’s global service delivery model is designed to be comprehensive and flexible to meet the privacy requirements of highly sensitive, regulated, and classified data environments.

Formal Dispute Resolution Mechanism

  • We provide a single point of contact to privacy@dxc.com for our employees and customers for privacy related matters, regardless of geography, business or service.

 

This section defines various terms that are frequently used in this Policy.

Business Unit

A DXC legal entity or organization, including:

  • Corporate support organizations
  • Subsidiaries
  • Related corporations, partnerships or professional associations, affiliates, divisions or groups and their subsidiary operations and operating units.

Cookie

A string of information that a website saves on a visitor’s computer for tracking purposes. The visitor’s internet browser provides this information to the website operator each time the visitor returns to the site. 

Customer Data

Personal Data belonging to a DXC customer, which may include information about the organization, their employees, customers, business partners or suppliers. 

Data Processing

The collection, use, storage or transfer of Personal Data by DXC. It is necessary for DXC to process Personal Data to manage its relationship with its customers, employees, business partners and other third parties (Data Subjects); processing is done in compliance with applicable laws.

Data Subject

An individual, whether identified or identifiable, whose Personal Data is subject to Data Processing by DXC. Data Subjects include DXC's customers, business partners, job applicants, current and former employees, contractors and temporary workers.

DXC Sites and Services

All DXC-owned websites, domains and services and those of our wholly owned subsidiaries.

Personal Data

Any information relating to an identified or identifiable living human being that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. 

Sensitive Personal Data

Processing of Personal Data that requires more protection because it is sensitive and subject to certain limitations under privacy laws. These may include: government identifiers, precise geolocation, racial or ethnic origin, political beliefs, religious beliefs, genetic or biometric data, mental health or sexual health, sexual orientation and trade union membership.

DXC may collect and process Personal Data in connection with a variety of interactions that you may have with DXC as a Data Subject. These include access to DXC Sites or Services; ordering channels; hiring and employment administration processes; communications with DXC representatives; or the purchase of goods or services.

The Personal Data We Collect

To the extent required and permitted by law, DXC may collect and use the following information:

  • Your name and other contact information
  • Communication preferences and details
  • Login and authentication information
  • Online profile information
  • Online activity
  • Purchasing information
  • Payment methods and history
  • Information about the device(s) you use
  • Information about the service(s) you use
  • Support information
  • Cookies
  • Social media information
  • Date of birth
  • Copy of identification document
  • Payment information 
  • Subscription preferences
  • Financial and credit history
  • Location information

Personal Data Voluntarily Provided

DXC collects Personal Data about you in connection with many of our services, with the goal of improving our service to you and providing you with the best possible experience. When using our webstore or website, you may be prompted to make an account which may hold personal data such as name, mailing address, email address, or credit card information. When contacting DXC, you may be required to submit contact information. When communicating with DXC, all communications will be transmitted and stored by us. To be clear, you may be providing Personal Data when: i) communicating with DXC via phone calls, chats, emails, web forms, social media and other methods of communication; ii) subscribing to DXC’s marketing materials; or iii) applying for a job.

Personal Data Collected from Other Sources

DXC may also collect information about you from other sources to help us correct or supplement our records, improve the quality or personalization of our services to you, and prevent or detect fraud.

We will only collect, use and share your Personal Data where we are satisfied that we have an appropriate legal right to do so. We may have the legal right to do so because -

(1) you have consented to us using the Personal Data 

(2) our use of your Personal Data is in our legitimate interest as a commercial organization

(3) our use of your Personal Data is necessary to perform a contract or take steps to enter into a contract with you

(4) and/or our use of your Personal Data is necessary to comply with a relevant legal or regulatory obligation that we have 

Fulfilling your Transaction Request

We will use your Personal Data to fulfill requests you make for DXC’s products or services, marketing materials or anything else requiring action from DXC. To fulfill your request, we may share information with others, including DXC group companies and business partners involved in fulfillment. In connection with a transaction, we may also contact you as part of our customer satisfaction surveys or for market research purposes; any such contact will comply with applicable laws and regulations.

Personalizing your Experience on our Web Sites

We may use information we collect about you to provide you with a personalized experience on our websites by providing you with content that may interest you or make navigating our websites easier. We use the data we collect during your time on our websites to improve your future experience. The data collected during the course of browsing our websites will be analyzed and used to generate statistics that help us improve our website, products and services to you.

Providing Support

We may use your Personal Data to support DXC products or services that you have purchased. This includes technical support, which can involve incidental access to data you have provided to us or is located on your system. This Customer Data may contain information about you, your organization’s employees, customers, partners, or suppliers. This Privacy Statement does not apply to our access to or handling of your Customer Data on systems not owned or controlled by DXC. The handling and processing of your Customer Data is covered by the terms of use between you and DXC and its group companies.

Marketing

The information you provide to DXC, as well as the information we lawfully collect about you, may be used by DXC for marketing purposes. You may opt in/opt out to allow DXC to use your information. At any time, you may choose not to receive marketing materials from us. Each marketing email we send you will include instructions on how to unsubscribe. Alternatively, you may unsubscribe from marketing communications by visiting the DXC Preference Center, or by contacting DXC directly at privacy@dxc.com.

Some of our offerings may be co-branded, as they are sponsored by both DXC and third parties, such as DXC Alliance Partners. If you sign up for these offerings, be aware that your information may be collected by or shared with those third parties. You should familiarize yourself with their privacy policies to gain an understanding of the way they will handle information about you.

Recruitment

In connection with a job application—whether advertised on a DXC website or otherwise—you may provide us with information about yourself, such as a resume or curriculum vitae (CV). We may use this information throughout DXC and our group companies to assess your job application.

Monitoring or Recording of Calls, Chats and Other Interactions

Certain online transactions may involve you calling us or us calling you. They may also involve online chats. DXC may monitor, and in some cases record, such interactions for staff training or quality assurance purposes or to retain evidence of a particular transaction or interaction.

Mobile Applications and Use of Information in Social Media

DXC makes available mobile applications for download from various marketplaces. DXC also employ social media tools on some of its websites, including forums, wikis, blogs and other social media platforms. These tools promote collaboration among those who have registered to use them. When downloading and using these applications or registering to use these social media tools, you may be asked to provide certain Personal Data. These applications and tools may also include supplemental privacy statements with specific information about collection and handling practices. We encourage you to read those supplemental statements to understand how the tools and applications may process your data.

Any other content you post, such as pictures, information, opinions or any other type of Personal Data that you make available to other participants on these social platforms or applications, is not subject to this Privacy Statement. Rather, such content is subject to the terms of use of those applications or platforms, and any additional guidelines and privacy information provided in relation to their use, as well as the process by which you can remove your content from such tools. You should be aware that the content you post on any such social computing platforms may be made broadly available to others inside and outside DXC.

Automated Decision-Making

We will not take any action that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Protecting DXC’s Rights and Property

We may also use or share your information to protect the rights or property of DXC, our business partners, suppliers, customers or others when we have reasonable grounds to believe that such rights or property have been or could be affected. In addition, we reserve the right to disclose your Personal Data as required by law and when we believe that disclosure is necessary to protect our rights, or the rights of others, or to comply with a judicial proceeding, court order, law enforcement or legal process.

Global Protection

DXC will not sell, rent or lease your Personal Data to others. As a global organization with business processes, management structures and technical systems that cross borders, DXC may share information about you within DXC and transfer it to countries in the world where we do business subject to the uses identified above and in accordance with this Privacy Statement. This Privacy Statement and our internal policies and practices are designed to provide a globally consistent level of protection for Personal Data.

Service Providers and Alliance Partners

DXC retains service providers, suppliers, and other alliance partners located in various countries to manage or support our business operations; provide professional services; deliver customer services and solutions; and otherwise, process information on our behalf. It is DXC's practice to require such service providers, suppliers and alliance partners to handle Personal Data and other confidential information in a manner consistent with this Privacy Statement. 

Corporate Reorganization

Circumstances may arise where, for strategic or other business reasons, DXC may decide to sell, buy, merge or otherwise reorganize businesses in some countries. Such a transaction may involve the disclosure of Personal Data to prospective or actual purchasers, or the receipt of such information from sellers. It is DXC’s practice to seek appropriate protection for information in these types of transactions.

Mandatory Disclosures

DXC will only disclose Personal Data to the extent required and permitted by law, for example, if we are under a duty to disclose your Personal Data to comply with a legal obligation, establish, exercise or defend our legal rights.

Generally, registration is not required to gain access to DXC websites. However, if you choose to receive certain services, specific material or information, certain DXC websites require your subscription. In this regard, DXC may collect Personal Data from you including your name, phone number, email address or other information you choose to provide at various times; for example, when you complete an online form or request or participate in an online community.

You can make or change your choices about subscriptions or general communications at the data collection point. You can do so within your account preference settings or by using other methods, which are listed in this Privacy Statement. You may opt out at any time using the links at the bottom of any email or via the DXC Preference Center.

Please note that it is not possible to opt out of communications primarily aimed at administering business relationships; this includes contracts, support or other administrative and transactional notices where the primary purpose of the communications is not promotional in nature.

When Personal Data is transferred outside a country’s borders, we are committed to ensure special safeguards are in place to protect the data.

Compliance with International Standards

DXC’s privacy policies and standards take account of the major privacy and data protection principles and frameworks around the world, and amendments to them. Examples include: Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data; European Union (EU) General Data Protection Regulation (GDPR); United Kingdom (UK) Data Protection Act; Asia Pacific Economic Cooperation (APEC) Privacy Framework; Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA); Brazil’s General Data Protection Law (LGPD); and the Australian Privacy Act.

EU/UK Personal Data Transfers

DXC uses lawful data transfer mechanisms for Personal Data originating in an EU member state or the UK. These include the EU Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Agreement (IDTA).

DXC has an Intragroup Data Processing and Transfer Agreement (IGDTA) on the transfer and processing of Personal Data within the DXC group worldwide; this incorporates the EU SCCs and UK IDTA. The IGDTA promotes adequate protection of Personal Data, including that originating in the EU or UK, which is transferred cross-border and processed by other DXC group companies located outside the EU and UK. 

Before DXC implemented the IGDTA, DXC implemented properly executed data transfer agreements, including the EU SCCs and UK IDTA, to legitimize our customer Personal Data transfers globally; these include those that are necessary to conduct customer and company business between the USA and EU/UK nations. These agreements continue in full force and effect today.

Information security is a high priority for DXC. To protect Personal Data and other confidential information, and to maintain its accuracy and integrity, we have implemented appropriate administrative, technical and physical safeguards. These are designed to prevent unauthorized access, use or disclosure of Personal Data. We hold third parties with whom we share Personal Data to the same high information security standards. 

We apply the same rigor to maintaining the accuracy of Personal Data. We will retain Personal Data only for as long as legally required or permitted and in accordance with DXC Records and Data Management Policy.

For more information, please refer to DXC’s overview of Technical and Organizational Measures (TOMs). As indicated by the TOMs, DXC maintains a Privacy Information Management System (PIMS) that achieved an ISO/IES 27701 certification for strategic global and regional delivery centers.

As required by applicable laws, DXC provides you with reasonable access to Personal Data that you provided to us; we also give you a reasonable ability to review and correct your data or ask for anonymization or deletion. To protect your privacy and security, we will take reasonable steps to verify your identity before granting access to your data. We may, for example, require a password and user ID to log into an application and/or other unique personal identifiers. To submit your access request, please email DXC Global Data Protection (GDP) Program at privacy@dxc.com and provide your legal name, relationship with DXC Technology, and country/state of residency.

DXC is committed to resolving any privacy complaints pertaining to DXC's collection and use of your Personal Data. Please send any privacy-related complaints or requests to privacy@dxc.com.

You may also reach out to your relevant national privacy authority and ask for their assistance. DXC is also committed to coordinating and collaborating with regulatory authorities, such as EU and UK data protection authorities.

We do not knowingly collect Personal Data online from children. Adults who interact with DXC should take care not to provide any information about children.

Rationale and Controls

By collecting Cookies or making use of an internet browser's storage capabilities, DXC is better able to identify visitors to our websites and their website access preferences. DXC may use information derived from Cookies or local storage to direct you, as a site visitor, to information similar to that which you have visited previously; in this way, we are better able to personalize your visit to our sites and can lead you to information that is likely to be of particular interest to you, based on your prior browsing history. We offer visitors to our websites the opportunity to control Cookie collection and placement. If you do not wish to have any Cookies placed on your computer, you should set your browser to refuse Cookies before visiting our websites. Please note, however, that without the aid of Cookies, certain website features may not function properly. If you wish to limit third-party advertising Cookies, you may enable your browser’s “Do Not Track” functionality.

Please note that our websites are constantly being updated and the Cookies we use will change over time. If you have any additional questions about the use of a particular Cookie, please do not hesitate to email privacy@dxc.com.

Embedded Third-Party Content

Pages on DXC’s websites will occasionally embed content from third-party sites, such as YouTube for videos. Our websites allow content to be shared through social networks, but only at your request. Embedding and sharing content may result in Cookies being placed by those third-party sites. DXC does not control the dissemination of those Cookies. Please visit these third-party sites if you wish to learn more about their use of Cookies and similar tools.

DXC makes use of third-party advertising systems to promote content on our external website. These services will often make use of Cookies and pixel tags to provide targeted DXC advertisements based on your activities and interests. 

DXC’s Prospective Applicants Privacy Notice explains how we process Personal Data that you may need to share when you apply for job openings at DXC group companies using our Careers website. The Prospective Applicants Privacy Notice supplements and should be read in conjunction with this Privacy Statement. 

DXC’s Privacy Policy Applicable to Users of store.dxc.com explains how DXC safeguards personal information provided to us by the users of our e-commerce retail website. The Privacy Policy Applicable to Users of store.dxc.com supplements and should be read in conjunction with this Privacy Statement.

DXC sites or services may provide links to third-party applications, products, services or websites for your convenience and information. DXC does not control these third-party sites or their privacy practices, which may differ from DXC's practices. We do not endorse or make representations about third-party sites and privacy practices. Any Personal Data you choose to provide to these third parties and that is collected by them is not covered by Privacy Statement. We encourage you to review the privacy policy of any site you visit before allowing the collection and use of your Personal Data.

We may provide social media features that enable you to share information with your social networks and to interact with DXC and its group companies on social media sites. Your use of these features may result in the collection or sharing of information about you. We encourage you to review the privacy policies and settings on the social media sites with which you interact to make sure you understand the information that may be collected, used and shared by those sites.

DXC may review and update this Privacy Statement periodically without any prior notice. 

We value your opinion, if you have any comments or question about this Privacy Statement, DXC's handling of your Personal Data, or a possible breach of your privacy, email DXC Global Data Protection at privacy@dxc.com

We will treat your requests or complaints confidentially. Our representative will contact you within a reasonable time after receipt of your email. We will aim to ensure that your request is resolved in a timely and appropriate manner.

You may obtain further information and guidance by contacting your local privacy authority.