Trust Center

Privacy Policy

Last Updated: May 22, 2025 7:08 am MDT

At Zayo, we know how important privacy is to our Customers and individuals. Zayo Group and its subsidiaries and Zayo Europe and its subsidiaries (“The Organization”) are committed to protecting your information. Please read this Privacy Policy (“the Policy”) carefully as it sets out the information related to how we handle your personal information.


Contact us

Questions, concerns, and requests regarding this Privacy Policy should be addressed in writing to our Privacy Office at privacy.office@zayo.com or at one of the following physical addresses:

Head office
Zayo Group LLC
1401 Wynkoop St #500
Denver, Colorado 80202

European office
Zayo Group UK Limited
4th Floor, The Relay Building
114 Whitechapel High Street
London E1 7PT UK

Requests must clearly articulate the nature of the concern/request as specifically as possible. Prior to release of any information, we may be required to ask for additional information from the Customer in order to verify identity before disclosure.

If you suspect a data breach incident, immediately contact our Privacy Office at privacy.office@zayo.com.

If a Customer considers that privacy requests have not been addressed adequately by Zayo or the processing of personal data infringes GDPR, they have the right to lodge a complaint with the office of the Data Protection Commissioner or Supervisory Authority in the country where they reside.


Introduction

This Policy sets out how we collect and use personal information, and your choices and rights regarding our use of your personal information.

This Policy describes our practices when using your information when you:

  • Enter into a service agreement and contract with Zayo;
  • Express an interest in or have signed up to receive sales information, newsletters, webinars, and product/service materials such as e-books;
  • Visit our websites (including our public and/or member-based websites) or social media sites or use one of our web-based Customer account management portals or mobile applications.

This Policy also applies to information we collect from you via our survey or diagnostic tools as outlined in more detail below. You may be shown an additional confidentiality notice before participating in a survey or diagnostic. Please note that in cases where the terms of any such survey- or diagnostic-specific confidentiality notice conflict with any terms in this Policy, the terms of that notice will take precedence over the terms in this Policy. We will not use information we collect via our survey or diagnostic tools to contact you for marketing purposes.

This Policy will apply whether you have provided the information directly to us or we have obtained it from a different source, such as a third party.


Interactions with your data

Fiber & Transport and Network Connectivity

Zayo provides infrastructure and bandwidth services that permit Customers to transport data in accordance with Customer contractual requirements. The Customer is responsible for ensuring the data transmitted through these services is appropriately protected and compliant with current privacy legislation. Although the information moving through Company infrastructure may include Customer information, Zayo is not acting in the role of processor of Customer data; Zayo does not possess any direct or administrative access to any Customer content that is transmitted through our communication infrastructure. This separation is maintained through both technological and security controls implemented on our service architecture.

Cloud services (Object Based Storage Services)

Zayo provides and operates cloud based capabilities and infrastructure that permit storage and lifecycle management activities for Customer content. Zayo only permits access by a limited number of employees to Customer-stored content at the request of the authorized Customer party requesting Zayo to access such content, and such access by Zayo employees is limited to certain administrative functions, such as resetting passwords to provide the authorized Customer party access to Customer content. Zayo requires these employees to read, understand, and acknowledge compliance with Zayo’s policies governing such access. Through the Cloud Services Offering, Zayo is acting in the role of a processor on behalf of the Customer (the controller). Zayo has prepared a Data Processor Addendum (“DPA”) in accordance with GDPR Article 28. Customers may make a request through their designated Zayo contact to initiate the process for executing a DPA.

Voice services

Zayo provides cloud-based voice and collaboration solutions that deliver voice and PBX features, video meetings and messaging, and contact management features through an intuitive cloud interface. Customers may access a dashboard of reports, and may subscribe to a call recording feature. To access the Customer dashboard, a new user receives a system-generated password in a separate email from the application setup instructions. The user is instructed to change the password, and neither the Customer administrator nor Zayo has access to user passwords. Zayo has an application management password for all applications, including our call recording solutions. Zayo only permits access by a limited number of employees for the purpose of providing Customer assistance and troubleshooting. Access to Zayo’s highest level master portal is limited to a select few employees.

Customer portals for programming phones may be accessed only by select Zayo employees upon request of the Customer. These portals are limited to phone systems and do not provide access to applications such as meetings or call recordings.

Zayo provides telecommunications and infrastructure offerings to Customers globally. As part of providing those offerings, Zayo may act as a processor. Zayo collects and stores Personal Data for purposes of providing its offerings, informing Customers of additional offerings, tracking use activity on its websites, and marketing efforts related to its offerings.


Use of your data

The Organization uses Customer data for the following purposes:

  • Contract Administration: Zayo processes personal data contact information as necessary for the performance of offerings pursuant to a contract between Zayo and its Customer. Contact information is needed for ongoing contract administration, to provide Customer notices and service announcements, to assist with service incident resolution, to install and maintain services on Customer premises and to address billing and payment inquiries.
  • Physical Security Controls: Zayo processes identity information as necessary for the performance of a contract between Zayo and the Customer. Customer contracts require that physical security controls be implemented to prevent unauthorized access to colocation facilities and Customer equipment. Identity information is collected to authenticate individuals based on Customer approvals.
  • Traffic Data: Zayo monitors and processes network traffic data consistent with its legitimate interests to support the offerings provided pursuant to a contract between Zayo and its Customer, to ensure the integrity of services and to support security incident and event management functions.
  • Website: Zayo processes website visitor information and contact information with our legitimate interest to offer and provide products and services, send promotional materials and marketing communications regarding programs, offers and surveys, deliver targeted online advertising, communicate with returning visitors and auto fill web-based forms, respond to inquiries and to operate, evaluate and improve our business. Zayo processes website application information with our legitimate interest to create and maintain user credentials to allow authenticated user access to self-serve functions related to telecommunication services or to submit recruitment information for consideration of employment.

Processing of your data

Zayo acts as a processor, not a controller of Customer data. Customer personal data retained by the Organization is limited to billing information and service provisioning, and is stored separately from our solutions environment. Any processing or storage of personal data is primarily limited to Customer contact information necessary for service provisions. The Organization conducts comprehensive reviews of its data processing activities, including internal data transfer assessments and resulting Data Processing Addendums (DPAs) to ensure compliance.

When personal data is processed, it is processed in the following instances:

  • Contact Information: Zayo receives personal data from data subjects in their role as employees of our Customers. Information required by Zayo to enable communications with Customers, administer Customer accounts, and in accordance with contractual obligations is limited to name, business address, telephone number, job title, and email address. Zayo may also collect certain publicly available social media information to facilitate provisioning of our offerings and communications with our Customers.
  • Website Application and Other Associated Service Portals: Zayo processes personal data contact information associated with the creation of application user credentials (e.g., Tranzact, Workday recruitment, Zayo service portals, etc.), and collects website visitor information in the form of generic website statistics and cookies including device, operating system and browser type, country and time zone indicators and other system settings. Zayo collects this information directly from data subjects through the interaction and use of our websites. See the Zayo Cookie Notice for more specific details on data collection, use, and ability to block cookies.
  • Marketing: Zayo utilizes websites for the display of corporate information as well as to market and transact Zayo Offerings. Customers and website visitors interact with various functions on these pages that may require the collection and use of Personal Data to complete those functions.
  • Opt Out: If Zayo uses personal data for the purpose of sending Customers sales and marketing communications, Customers may manage the receipt of marketing and non-transactional communications from Zayo by clicking the Manage preference link located on the bottom of Zayo marketing emails.

    Notwithstanding the above, Customers will continue to receive marketing and non-transactional communications from Zayo unless they manage the receipt of such communications by clicking the Manage preference link. Opting out of marketing communications does not opt Customers out of receiving important business communications related to their current relationships with Zayo, such as communications about the Offerings Zayo provides to their companies.
  • Submission of Personal Data by Customer: In cases where contact information is provided by the Customer in accordance with contractual requirements, the Customer is responsible for ensuring that any personal data submitted to Zayo has been obtained in accordance with relevant data protection requirements and that, where applicable, Customer has obtained any required consent from the data subject prior to providing personal data to Zayo.
  • Identity Information: For Customers that require access to Zayo facilities, Zayo collects government-issued identity information (e.g., driver’s license, passport), palm or fingerprint biometric identifiers, and CCTV video images. Zayo collects this information directly from the data subject at each designated Zayo facility.
  • Network Traffic Data: Zayo collects data that is captured through system logging and data flow management systems including, but not limited to, source and destination Internet Protocol (IP) addresses and domain name, date and time indicators, and other network layer protocol header information as collected based on service capabilities. Although IP addresses are collected within network traffic logs, Zayo does not possess the necessary capabilities without the involvement of the impacted Customer to identify an individual.

Payment Card Information (PCI)

With regards to PCI, Zayo is both a Merchant and a Service Provider. In both instances, the scope of responsibilities the Organization shares in protecting PCI is limited, as Zayo does not store, transmit, process, or dispose of cardholder data or maintain a Cardholder Data Environment (CDE).

  • Merchant: Zayo accepts credit card payments from Customers through customer account management portals and an Integrated Voice Response (IVR) system. These mechanisms provide a branded interface (wrapper) and coded redirects where Customers engage directly with third party payment processors. Third party payment processors use tokenized authorization methods to confirm identity and access before accepting, storing, or processing cardholder data on behalf of Zayo. Zayo complies with its PCI requirements and completes an SAQ-A-ER on an annual basis.
  • Service Provider: Zayo provides a handful of services that may impact the security of Customers who store, transmit, process, or dispose of cardholder data. As a Service Provider, Zayo and its Customers have shared PCI responsibilities. Customers are responsible for protecting their cardholder data and CDE, and Zayo is responsible for protecting the network and service components of the Customer CDE. Zayo complies with its PCI requirements and completes Attestations of Compliance (AOCs) for its relevant service provider services annually. For more information about shared PCI responsibilities, refer to the PCI-DSS v4.0 Service Provider Responsibility Matrix.

Data subject rights as a Customer

The Organization shall provide data subjects with the following:

  • Right to Access: Individuals may request access to their personal data
  • Right to Correction: Individuals may request to rectify inaccuracy of their data
  • Right to Erasure: Individuals may request deletion of their data, subject to legal and regulatory obligations
  • Right to Restriction of Processing: Individuals may request their data in a structured, commonly used format
  • Right to Data Portability: Individuals may object to data processing based on legitimate interests or direct marketing
  • Right to Opt Out: Individuals may opt out of the sale of their personal information
  • Right to Not Be Discriminated Against: Individuals may exercise their privacy rights without discrimination

Customers may manage the receipt of marketing and non-transactional communications from Zayo by clicking the Manage preference link located on the bottom of Zayo marketing emails.

Customers may update, correct, or remove personal data, or object to the processing of their information related to website visits or web application support, by contacting privacy.office@zayo.com or by using the Support options on portals or applications.

Note: Where contact information has been provided by an employer (our Customer), Customers must direct their requests to their employer for corrective action. Due to the nature of personal data use, Zayo reserves the right to verify any corrections with Customer contract authorities prior to making any changes.


Cross-border data transfers

The Organization is not prohibited from transferring personal information to an organization in another jurisdiction for processing. However, the Organization is held accountable for the protection of personal information transfers under each individual outsourcing arrangement.

The Organization is responsible for protecting personal information under its control. Personal information may be transferred to third parties for processing but contractual or other means are required to provide a comparable level of protection while the information is being processed by the third party.


Third party data sharing and transfers

Generally, Zayo may disclose Customer personal data: (i) as set forth in a Data Processor Addendum (DPA) between Zayo and a Customer; (ii) as required by law or legal process; (iii) to law enforcement authorities or other government entities; and (iv) when Zayo believes disclosure is necessary or appropriate to prevent harm or financial loss, or in connection with an investigation of alleged fraudulent or illegal activity.

Zayo endeavors to limit data transfers wherever possible; however, Zayo does provide personal data, limited to name, contact information, and title, to its subprocessors to fulfill its obligations to its Customers and for administrative purposes. Where such data transfers are necessary, Zayo ensures that recipients of this data have appropriate safeguards and contractual terms in place, including Standard Contractual Clauses under GDPR where applicable.

When the Organization transfers personal information for processing, it can only be used for the purposes for which the information was originally collected. “Processing” is interpreted to include any use of the information by a third party processor for a purpose for which the transferring organization can use it. 

Third party processors must provide protection that can be compared to the level of protection the personal information would receive if it had not been transferred. It does not mean that the protections must be the same across the board, but it does mean that they should be generally equivalent.


Data retention and disposal

Zayo retains personal data contact information and website application information for as long as the Customer maintains an active account and for seven (7) years after account termination in order to comply with legal and financial reporting obligations. In some cases, such as when required by law or rule, Zayo will keep personal data contact information for longer periods (e.g., E-Rate retention requirements). For all other cases, when personal data contact information is no longer required in support of a defined purpose, it is properly and securely deleted.

Images and video recordings

Zayo retains identity information for the duration of valid access to designated facilities. CCTV images are kept up to 30 days after which they are deleted.

Network traffic

The Organization retains network traffic data for 90 days, then archives it for one (1) year before it is deleted.

Website information

The Organization retains website visitor information related to generic website statistics for the life of the website in an archive. Web cookie information is retained in alignment with cookie expiration dates.


Security

We have implemented administrative, technical, and physical security measures to help prevent unauthorized access. Despite these measures, no data transmission over the Internet can be entirely secure, and we cannot guarantee or warrant the security of any information you transmit via our websites or apps. Please note that you are responsible for maintaining the security of your credentials used to access any Zayo service or account, and you must report suspected unauthorized activity to us.

We make reasonable efforts to restrict access to information to only those employees, contractors, and agents who need such access in order to operate, develop, improve, or deliver our programs, products, and services.


Incident response

If you suspect a data breach incident, immediately contact our Privacy Office at privacy.office@zayo.com.

Events involving unauthorized access, release, theft, or use of sensitive, protected, or confidential customer data are treated as security incidents by the Organization. Upon incident identification and confirmation, the Organization shall:

  • Take immediate steps to secure systems and prevent further unauthorized access.
  • Assess what data was exposed, identify the customers affected, and evaluate potential risks.
  • Promptly notify customers via email about the breach and inform them of any actions they should take, such as changing passwords or monitoring accounts.
  • Notify regulatory authorities as per applicable laws. 
  • Offer support services as applicable to the incident.
  • Provide updates on any investigation, steps to breach resolution, and inform customers about any necessary further actions.
  • Review the incident, identify root causes, and strengthen security measures to prevent future breaches.

Definitions

  • California Consumer Protection Act (CCPA): CCPA gives consumers more control over the personal information that businesses collect about them. CCPA regulations provide guidance on how to implement the law. This law secures privacy rights for California consumers, including:

    – The right to know about the personal information a business collects about them and how it is used and shared
    – The right to delete personal information collected from them (with some exceptions)
    – The right to opt-out of the sale or sharing of their personal information
    – The right to non-discrimination for exercising their CCPA rights

    https://oag.ca.gov/privacy/ccpa
  • Colorado Privacy Act: A state privacy law that grants Colorado residents greater control over their personal data and imposes obligations on businesses handling that data. The CPA aligns with other state privacy laws like California’s CCPA but has unique provisions.

    https://coag.gov/resources/colorado-privacy-act/
  • Controller: The entity that determines the processes and means of processing. Zayo is not the controller of Customer data.
  • Customer Proprietary Network Information (CPNI): Information the Organization has about its Customers and their products and services, such as:

    – Quantity
    – Technical configuration
    – Type
    – Destination
    – Location
    – Usage

    Customers are notified of their CPNI rights when they first become a Customer and at least every other year thereafter. Customers have 30 days to opt out after being notified of CPNI rights. Customer marketing is restricted for Customers who have opted out. Marketing and Sales must omit opt-out Customers from communications or campaigns that fall outside of their current categories of service. Customer consent is implied for marketing within a Customer’s existing categories of service.

    https://www.fcc.gov/document/Customer-proprietary-network-information-cpni
  • Data: All information of individuals that is processed. Processing and/or storage of personal data transferred by Customers is limited to contact information (e.g., names, addresses, contact details, IP addresses) of Customer employees, representatives, contractors or agents who are involved or interact with Zayo in the provision of services by Zayo to the Customer under the agreement. Zayo is not the controller of Customer data.
  • Data Subject: Person providing personal data or from whom such information is collected.
  • General Data Protection Regulation (GDPR): A European Union (EU) law that governs the way in which we can use, process, and store personal data (information about an identifiable, living person).

    https://gdpr-info.eu/
  • Health Insurance Portability and Accountability Act (HIPAA): See Protected Health Information (PHI).
  • Offerings: Communications and products offered by Zayo to its Customers.
  • Payment Card Information (PCI): Payment card information is defined as a credit card number in combination with one or more of the following data elements:

    – Cardholder name
    – Service code
    – Expiration date
    – CVC2, CVV2 or CID value
    – PIN or PIN block
    – Contents of a credit card’s magnetic stripe

    https://www.pcisecuritystandards.org/
  • Personal Data or Personally Identifiable Information (PII): The US Department of Labor defines PII as “Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.”

    https://www.dol.gov/general/ppii#:~:text=Personal%20Identifiable%20Information%20%28PII%29%20is,either%20direct%20or%20indirect%20means.
  • Personal Information Protection and Electronic Documents Act (PIPEDA): PIPEDA sets the ground rules for how private-sector organizations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada. PIPEDA also applies to the personal information of employees of federally-regulated businesses.

    https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
  • Processor: The entity that processes personal data on behalf of the controller.
  • Processing: Any set of actions which is performed on personal data such as collecting, recording, organizing, structuring, storing, altering, retrieving, using, disclosing, or destroying.
  • Protected Health Information (PHI): The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

    https://www.hhs.gov/hipaa/index.html

Applicable law

  • GDPR applies to any Personal Data collected from a Data Subject and requires Zayo to have certain safeguards and processes in place to ensure, among other things, that Personal Data is processed for a legitimate purpose, lawfully and transparently, collected for a specific purpose and not used in a manner inconsistent with that purpose, and appropriate safeguards are in place to ensure Personal Data is not processed in a manner that is unauthorized or unlawful. To the extent applicable, Zayo performs Offerings in compliance with Article 49(1) of the GDPR.
  • CCPA provides California consumers certain rights concerning how, when, and why businesses collect personal information. Zayo does not resell any Personal Data. If Zayo resells Personal Data in the future, this Policy will be amended accordingly.
  • CPA provides Colorado residents rights similar to the GDPR, including access, correction, deletion, and data portability. It mandates consumer opt-out for targeted advertising and data sales. 
  • CPNI relates to the quantity, technical configuration, type, destination, and amount of use of a telecommunications service subscribed to by any Customer of a telecommunications carrier, and that is made available to the carrier solely by virtue of the Customer-carrier relationship; and information contained in all the bills pertaining to telephone exchange service or telephone toll service received by a Customer of a carrier. Zayo has a CPNI policy that details how Zayo treats CPNI, and when employees or representatives may access and use CPNI. All employees or representatives of Zayo receive mandatory annual CPNI training, including, without limitation, training with respect to when they are and are not authorized to access and use CPNI. Failure by any of our employees to comply with Zayo’s policies concerning CPNI is subject to disciplinary actions which may, depending upon the severity of the failure, result in termination of employment.
  • PIPEDA is a Canadian law that protects the personal information of individuals. It applies to private sector organizations, non-profits, and federal government organizations engaged in commercial activities across Canada, except in provinces with substantially similar privacy laws (e.g., Alberta, British Columbia, and Quebec). PIPEDA does not prohibit transferring data outside Canada, but organizations remain responsible for its protection.
  • Other Applicable Laws – Zayo also monitors and establishes other compliance measures for laws pertaining to privacy other than those set out in this Policy. Concerning such laws, Zayo conducts annual training for applicable employees, and requires employees to attest they have completed such training.

Changes to this policy

From time to time, we may change and/or update this Policy. If this Policy changes in any way, we will post an updated version on this website. We recommend you regularly review this website to ensure that you are always aware of our information practices and any changes to such. Any changes to this Policy will go into effect and be posted on our website.

FAQs

  • Data Privacy

    Does Zayo host customer data?

    No. Zayo acts as a processor, not a controller of customer data. Customer personal data retained by the Organization is limited to billing information and service provisioning, and is stored separately from our solutions environment. Any processing or storage of personal data is primarily limited to customer contact information necessary for service provisions. The Organization conducts comprehensive reviews of its data processing activities, including internal data transfer assessments and resulting Data Processing Addendums (DPAs) to ensure compliance.

    How does Zayo interact with customer data?

    Fiber & Transport and Network Connectivity: Zayo provides infrastructure and bandwidth services that permit customers to transport data in accordance with customer contractual requirements. The customer is responsible for ensuring the data transmitted through these services is appropriately protected and compliant with current privacy legislation. Although the information moving through company infrastructure may include customer information, Zayo is not acting in the role of processor of customer data, and Zayo does not possess any direct or administrative access to any customer content that is transmitted through our communication infrastructure. This separation is maintained through both technological and security controls implemented on our service architecture.

    Cloud services (Object Based Storage Services): Zayo provides and operates cloud based capabilities and infrastructure that permit storage and lifecycle management activities for customer content. Zayo only permits access by a limited number of employees to customer-stored content at the request of the authorized customer party requesting Zayo to access such content, and such access by Zayo employees is limited to certain administrative functions, such as resetting passwords to provide the authorized customer party access to customer content. Zayo requires these employees to read, understand, and acknowledge compliance with Zayo’s policies governing such access. Through the Cloud Services Offering, Zayo is acting in the role of a processor on behalf of the customer (the controller). Zayo has prepared a Data Processor Addendum (“DPA”) in accordance with GDPR Article 28. Customers may make a request through their designated Zayo contact to initiate the process for executing a DPA.

    Voice services: Zayo provides cloud-based voice and collaboration solutions that deliver voice and PBX features, video meetings and messaging, and contact management features through an intuitive cloud interface. Customers may access a dashboard of reports, and may subscribe to a call recording feature. To access the customer dashboard, a new user receives a system-generated password in a separate email from the application setup instructions. The user is instructed to change the password, and neither the customer administrator nor Zayo has access to user passwords. Zayo has an application management password for all applications, including our call recording solutions. Zayo only permits access by a limited number of employees for the purpose of providing customer assistance and troubleshooting. Access to Zayo’s highest level master portal is limited to a select few employees.

    Customer portals for programming phones may be accessed only by select Zayo employees upon request of the customer. These portals are limited to phone systems and do not provide access to applications such as meetings or call recordings.

    Zayo provides telecommunications and infrastructure offerings to customers globally. As part of providing those offerings, Zayo may act as a processor. Zayo collects and stores Personal Data for purposes of providing its offerings, informing Customers of additional offerings, tracking use activity on its websites, and marketing efforts related to its offerings.

    How does Zayo use customer data?

    Zayo uses customer data for the following purposes:

    • Contract Administration: Zayo processes personal data contact information as necessary for the performance of offerings pursuant to a contract between Zayo and its Customer. Contact information is needed for ongoing contract administration, to provide Customer notices and service announcements, to assist with service incident resolution, to install and maintain services on Customer premises and to address billing and payment inquiries.
    • Physical Security Controls: Zayo processes identity information as necessary for the performance of a contract between Zayo and the Customer. Customer contracts require that physical security controls be implemented to prevent unauthorized access to colocation facilities and Customer equipment. Identity information is collected to authenticate individuals based on Customer approvals.
    • Traffic Data: Zayo monitors and processes network traffic data consistent with its legitimate interests to support the offerings provided pursuant to a contract between Zayo and its Customer, to ensure the integrity of services and to support security incident and event management functions.
    • Website: Zayo processes website visitor information and contact information with our legitimate interest to offer and provide products and services, send promotional materials and marketing communications regarding programs, offers and surveys, deliver targeted online advertising, communicate with returning visitors and auto fill web-based forms, respond to inquiries and to operate, evaluate and improve our business. Zayo processes website application information with our legitimate interest to create and maintain user credentials to allow authenticated user access to self-serve functions related to telecommunication services or to submit recruitment information for consideration of employment.

    In what instances is customer personal data processed?

    When personal data is processed, it is processed in the following instances:

    • Contact Information: Zayo receives personal data from data subjects in their role as employees of our Customers. Information required by Zayo to enable communications with Customers, administer Customer accounts, and in accordance with contractual obligations is limited to name, business address, telephone number, job title, and email address. Zayo may also collect certain publicly available social media information to facilitate provisioning of our offerings and communications with our Customers.
    • Website Application and Other Associated Service Portals: Zayo processes personal data contact information associated with the creation of application user credentials (e.g., Tranzact, Workday recruitment, Zayo service portals, etc.), and collects website visitor information in the form of generic website statistics and cookies including device, operating system and browser type, country and time zone indicators and other system settings. Zayo collects this information directly from data subjects through the interaction and use of our websites. See the Zayo Cookie Notice for more specific details on data collection, use, and ability to block cookies.
    • Marketing: Zayo utilizes websites for the display of corporate information as well as to market and transact Zayo Offerings. Customers and website visitors interact with various functions on these pages that may require the collection and use of Personal Data to complete those functions.
    • Opt Out: If Zayo uses personal data for the purpose of sending Customers sales and marketing communications, Customers may manage the receipt of marketing and non-transactional communications from Zayo by clicking the Manage preference link located on the bottom of Zayo marketing emails.
    • Submission of Personal Data by Customer: In cases where contact information is provided by the Customer in accordance with contractual requirements, the Customer is responsible for ensuring that any personal data submitted to Zayo has been obtained in accordance with relevant data protection requirements and that, where applicable, Customer has obtained any required consent from the data subject prior to providing personal data to Zayo.
    • Identity Information: For Customers that require access to Zayo facilities, Zayo collects government-issued identity information (e.g., driver's license, passport), palm or fingerprint biometric identifiers, and CCTV video images. Zayo collects this information directly from the data subject at each designated Zayo facility.
    • Network Traffic Data: Zayo collects data that is captured through system logging and data flow management systems including, but not limited to, source and destination Internet Protocol (IP) addresses and domain name, date and time indicators, and other network layer protocol header information as collected based on service capabilities. Although IP addresses are collected within network traffic logs, Zayo does not possess the necessary capabilities without the involvement of the impacted Customer to identify an individual.

    What privacy laws and regulations does Zayo comply with?

    Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. Authoritative privacy requirements incorporated into Zayo’s security program include, but are not limited to:

    • California Consumer Protection Act (CCPA)
    • Colorado Privacy Act
    • General Data Protection Regulation (GDPR)
    • Payment Card Information Data Security Standard (PCI-DSS)
    • Personal Information Protection and Electronic Documents Act (PIPEDA)

    For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    Is Zayo PCI compliant?

    With regards to PCI, Zayo is both a Merchant and a Service Provider. In both instances, the scope of responsibilities the Organization shares in protecting PCI is limited, as Zayo does not store, transmit, process, or dispose of cardholder data or maintain a Cardholder Data Environment (CDE).

    • Merchant: Zayo accepts credit card payments from Customers through customer account management portals and an Integrated Voice Response (IVR) system. These mechanisms provide a branded interface (wrapper) and coded redirects where Customers engage directly with third party payment processors. Third party payment processors use tokenized authorization methods to confirm identity and access before accepting, storing, or processing cardholder data on behalf of Zayo. Zayo complies with its PCI requirements and completes an SAQ-A-ER on an annual basis.
    • Service Provider: Zayo provides services that may impact the security of Customers who store, transmit, process, or dispose of cardholder data. As a Service Provider, Zayo and its Customers have shared PCI responsibilities. Customers are responsible for protecting their cardholder data and CDE, and Zayo is responsible for protecting the network and service components of the Customer CDE. Zayo complies with its PCI requirements and completes Attestations of Compliance (AOCs) for its relevant service provider services annually. For more information about shared PCI responsibilities, refer to the PCI-DSS v4.0 Service Provider Responsibility Matrix.

    What are my Data Subject rights as a customer?

    As a customer you have:

    • Right to Access: Individuals may request access to their personal data
    • Right to Correction: Individuals may request to rectify inaccuracy of their data
    • Right to Erasure: Individuals may request deletion of their data, subject to legal and regulatory obligations
    • Right to Restriction of Processing: Individuals may request their data in a structured, commonly used format
    • Right to Data Portability: Individuals may object to data processing based on legitimate interests or direct marketing
    • Right to Opt Out: Individuals may opt out of the sale of their personal information
    • Right to Not Be Discriminated Against: Individuals may exercise their privacy rights without discrimination

    Customers may manage the receipt of marketing and non-transactional communications from Zayo by clicking the Manage preference link located on the bottom of Zayo marketing emails.

    Customers may update, correct, or remove personal data, or object to the processing of their information related to website visits or web application support, by contacting privacy.office@zayo.com or by using the Support options on portals or applications.

    Can Zayo transfer customer data across borders?

    The Organization is not prohibited from transferring personal information to an organization in another jurisdiction for processing. However, the Organization is held accountable for the protection of personal information transfers under each individual outsourcing arrangement.

    The Organization is responsible for protecting personal information under its control. Personal information may be transferred to third parties for processing but contractual or other means are required to provide a comparable level of protection while the information is being processed by the third party.

    Does Zayo share customer data with third parties?

    Generally, Zayo may disclose customer personal data: (i) as set forth in a Data Processor Addendum (DPA) between Zayo and a customer; (ii) as required by law or legal process; (iii) to law enforcement authorities or other government entities; and (iv) when Zayo believes disclosure is necessary or appropriate to prevent harm or financial loss, or in connection with an investigation of alleged fraudulent or illegal activity.

    Zayo endeavors to limit data transfers wherever possible; however, Zayo does provide personal data, limited to name, contact information, and title, to its sub-processors to fulfill its obligations to its customers and for administrative purposes. Where such data transfers are necessary, Zayo ensures that recipients of this data have appropriate safeguards and contractual terms in place, including Standard Contractual Clauses under GDPR where applicable.

    When Zayo transfers personal information for processing, it can only be used for the purposes for which the information was originally collected. “Processing” is interpreted to include any use of the information by a third party processor for a purpose for which the transferring organization can use it. 

    Third party processors must provide protection that can be compared to the level of protection the personal information would receive if it had not been transferred. It does not mean that the protections must be the same across the board, but it does mean that they should be generally equivalent.

    How is customer data retained and disposed of?

    Zayo retains personal data contact information and website application information for as long as the customer maintains an active account and for seven (7) years after account termination in order to comply with legal and financial reporting obligations. In some cases, such as when required by law or rule, Zayo will keep personal data contact information for longer periods (e.g., E-Rate retention requirements). For all other cases, when personal data contact information is no longer required in support of a defined purpose, it is properly and securely deleted.

    How does Zayo handle data breaches?

    Events involving unauthorized access, release, theft, or use of sensitive, protected, or confidential customer data are treated as security incidents by the Organization. Upon incident identification and confirmation, Zayo:

    • Takes immediate steps to secure systems and prevent further unauthorized access.
    • Assesses what data was exposed, identifies the customers affected, and evaluates potential risks.
    • Promptly notifies customers via email about the breach and informs them of any actions they should take, such as changing passwords or monitoring accounts.
    • Notifies regulatory authorities as per applicable laws. 
    • Offers support services as applicable to the incident.
    • Provides updates on any investigation and steps to breach resolution, and informs customers about any necessary further actions.
    • Reviews the incident, identifies root causes, and strengthens security measures to prevent future breaches.

    How do I report a data breach?

    If you suspect a data breach incident, immediately contact our Privacy Office at privacy.office@zayo.com.

  • Data Security

    Zayo implements security controls on its internal environment, systems, and applications. Customers must implement their own security controls to protect their own environments.

    Does Zayo protect all sensitive information at rest?

    Data at rest is encrypted, including all removable media (USB sticks, CDs, etc.), and there is a tool in place to prevent and monitor data loss.

    Does Zayo protect sensitive information in transit?

    Data in transit is encrypted, and there is a tool in place to prevent and monitor data loss.

    What customer data is collected or processed by Zayo?

    Please refer to the Privacy Policy.

    Is customer data hosted by Zayo?

    No. While Zayo has protections in place to protect all data, Zayo does not host customer data. Processing and/or storage of personal data transferred by customers is limited to contact information (e.g., names, addresses, contact details, IP addresses) of customer employees, representatives, contractors or agents who are involved or interact with Zayo in the provision of services by Zayo to the customer under the agreement.  Zayo is not the controller of customer data. 

    Will Zayo affiliates, subsidiaries, or parent companies have access to customer data?

    Please refer to the Privacy Policy.  

    Will data be shared with any third parties at any point?

    Please refer to the Privacy Policy.

    Is the organization PCI-DSS certified at its defined Merchant level?

    With regards to PCI, Zayo is both a Merchant and a Service Provider. In both instances, the scope of responsibilities the Organization shares in protecting PCI is limited, as Zayo does not store, transmit, process, or dispose of cardholder data or maintain a Cardholder Data Environment (CDE).

    • Merchant: Zayo accepts credit card payments from Customers through customer account management portals and an Integrated Voice Response (IVR) system. These mechanisms provide a branded interface (wrapper) and coded redirects where Customers engage directly with third party payment processors. Third party payment processors use tokenized authorization methods to confirm identity and access before accepting, storing, or processing cardholder data on behalf of Zayo. Zayo complies with its PCI requirements and completes an SAQ-A-ER on an annual basis.
    • Service Provider: Zayo provides services that may impact the security of Customers who store, transmit, process, or dispose of cardholder data. As a Service Provider, Zayo and its Customers have shared PCI responsibilities. Customers are responsible for protecting their cardholder data and CDE, and Zayo is responsible for protecting the network and service components of the Customer CDE. Zayo complies with its PCI requirements and completes Attestations of Compliance (AOCs) for its relevant service provider services annually. For more information about shared PCI responsibilities, refer to the PCI-DSS v4.0 Service Provider Responsibility Matrix.

    What are your employees able to access when working remotely?

    Virtual applications and desktop solutions, with full access to corporate data, internal and external systems.

    Does Zayo classify its data to identify additional controls to safeguard information? (e.g. personally identifiable information, intellectual property, health data)

    Data is classified regularly, during significant changes, and includes all use cases.

    Does Zayo have a Data Classification Policy?

    To ensure appropriate protection and handling of data, the Organization uses two classification criteria: Sensitivity and Criticality. Information owners, data custodians, and the Security Manager are responsible for ensuring that relevant information and systems are classified appropriately. For information on how to label physical assets, reach out to the appropriate team manager for documentation on the procedure. The labels must be easily recognizable and the labeling must be consistent with the classifications defined herein. If an asset or a document is not labeled, it must be considered as “Internal Use”.

    The following sensitivity categories shall be used:

    • Restricted – This is the highest classification. It applies to information that is highly sensitive and critical to the business. Unauthorized disclosure of this information could result in the inability to conduct business, severely impact the financial stability of the company, attract significant legal liability or place the company at a serious competitive disadvantage. Sensitive personal information of Users, which includes but is not limited to Social Insurance Number (SIN), Social Security Number (SSN) or Government-issued number, date of birth (DOB) and credit card numbers, etc. is also classified as restricted.
    • Confidential – Confidential information is shared on a need-to-know basis only, and it must only be shared with those on the distribution list for that information. 
    • Internal Use – This classification relates to all Organization business information. Access to this information must be restricted to Users in the Organization, and is not for general distribution outside of the organization. Examples include but are not limited to: general benefits program information, employee wellness descriptions, and other employee content.
    • Public – This is information that can be presented to users outside of the Organization. This is data where its disclosure would not adversely affect the company, its Users, its Suppliers, or its customers. Examples include content for public-facing web properties, job postings, and public corporate contact information (e.g., mailing address, monitored phone numbers, and customer service contact information).

    Which tools are used to protect data?

    • Mobile Device Management, including remote wipe capability and password management, is in place to safeguard against data leakage
    • Email monitoring tools to recognize, block, and limit potentially unsafe attachments, links, executables, etc.
    • Web, phishing, document isolation through cloud-based virtualization
    • Heuristic-based scanning to detect and prevent file encryption

Attachments

PCI-DSS v4.0 Service Provider Responsibility Matrix

TYPE: PDF

SIZE: 430.52 KB
