Service Privacy Statement

Version 1.0, Effective October 1, 2005


1 Scope

1.1 This Privacy Statement outlines how MessageLabs and its clients comply with privacy regulations in relation to the email security services offered by MessageLabs.

2 Background and definitions

2.1 Clients contract with MessageLabs to deliver email security services. MessageLabs is a data processor which processes email on behalf of its client who is the data controller.

2.2 The term data controller is defined in US Safe Harbour and EU privacy legislation as the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. The data controller retains full responsibility for the data vis-à-vis the individual(s) concerned.

2.3 The term data processor means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

2.4 The U.S. Health Insurance Portability and Accountability Act of 1996 uses similar principles and the terms "covered entities" and "business associate" instead of data controller and data processor. Similarly, the U.S. Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act", uses the terms "financial institution" and "service provider".

2.5 All legislation referred to here requires that the relationship between a data controller and a data processor is covered by a contract before outsourcing related to the processing of personal data takes place. The purpose of the contract is to protect the interests of the data controller, i.e. the person or body who determines the purposes and means of processing, who retains full responsibility for the data vis-à-vis the individuals concerned. The contract thus specifies the processing to be carried out and any measures necessary to ensure that the data are kept secure.

2.6 MessageLabs only delivers its email security services to clients under a contract which defines the privacy obligations of its clients and MessageLabs.

3 MessageLabs obligations

3.1 MessageLabs' exact obligations vis-à-vis our clients are set out in a contract between the client and MessageLabs and may vary according to the jurisdiction of our client and their area of business. This chapter lists typical obligations that are set out in the contract to ensure compliance with the most common privacy legislation.

3.2 The typical obligations are:

  • To comply with the U.S. Safe Harbour principles, EU data protection legislation or other similar national legislation as a data processor.
  • To ensure that the data is only used for the purpose of providing our email security service and purposes that are authorised and requested by our client.
  • To ensure that processing and the resulting reports are accurate and up to date.
  • To ensure that appropriate technical and organisational measures are taken against unauthorised processing of personal data and against accidental loss or destruction of, or damage to, personal data. (Security)
  • To keep the data confidential.
  • To ensure that personal data is not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
  • To cooperate with relevant data protection authorities and enable relevant regulatory authorities to perform audits.

4 Client obligations

4.1 To ensure that we process personal data in accordance with relevant privacy regulations, we will only offer our service under a contract which defines the obligations of MessageLabs and our client according to applicable privacy legislation. We will always require our clients to comply with relevant privacy legislation as the data controller.

4.2 The typical obligations of a data controller are:

  • To comply with the U.S. Safe Harbour principles, EU data protection legislation or other similar national legislation as a data controller.
  • To ensure that personal data is processed fairly and lawfully. This may include obtaining consent from, or at least informing, the data subjects about the processing taking place and its purpose. It may also include registering under U.S. Safe Harbour or with the relevant EU or national data protection authorities.
  • To ensure that personal data is collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
  • To ensure that processing is adequate, relevant and not excessive in relation to the purposes for which the data are collected and/or further processed.
  • To ensure that data is accurate and, where necessary, kept up to date.
  • To ensure that data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.
  • To ensure that the data subject's right of access to data is respected. This includes providing the data subject with a copy of information held and rectifying any errors.

5 Information sharing

5.1 MessageLabs does not control the sharing of personal information related to our service. This is governed by our client, the data controller, in accordance with the client privacy policy and applicable privacy legislation.

5.2 When authorised by our client, MessageLabs may further subcontract service-related processing to data processors, agents and service providers. We will do this only for a specific purpose and under a contract which will require the third party to act only on our instructions, to adhere to relevant privacy legislation, and to keep the data secure and confidential.

5.3 MessageLabs will not transfer personal data to other entities without authorisation or request from our client unless MessageLabs is legally required to do so, for example, by a court order or subpoena.

6 End user personal information

6.1 If you are an end-user of our service, you should contact our client for any information related to information held about you and the privacy policy which governs the relationship between you and our client.

6.2 In many cases our client will be your employer. If you cannot identify our client, we recommend that you use whois to identify the owner of a domain. If this fails, you may contact us at the address below so that we can help you make contact with the client who is the data controller for your personal information.

7 Safe Harbour and EU privacy legislation statement

7.1 As described in this document, MessageLabs will fulfil its obligations as a data processor in accordance with U.S. Safe Harbour and EU privacy legislation whenever we are required to do so by the contract with our client.

7.2 MessageLabs will cooperate with the U.S. Department of Commerce and EU data protection authorities.

8 Changes

8.1 MessageLabs reserves the right to make changes to this statement. If we do, we will publish the new statement on this site.

9 Contact information

9.1 Any queries regarding this statement should be submitted to The Legal Department, MessageLabs Inc., 512 Seventh Avenue, 6th Floor, New York, NY 10018, USA, phone +1 646 519 8100, or The Legal Department, MessageLabs Limited, 1240 Lansdowne Court, Gloucester Business Park, Gloucester, GL3 4AB, United Kingdom, phone +44 1452 627600.