Privacy Shield Notice

Last reviewed and updated July 20, 2017

Commitment to the Privacy Shield principles

We (Medallia Inc.) have certified our data processing activities under the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively, the “Frameworks”). Our certification can be found here.

As described below, we are subject to the principles of the Frameworks for certain personal data that we receive from companies or individuals in the European Economic Area (“EEA”) and Switzerland. We also receive some data in reliance on other compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses.

In addition, this Notice does not apply to data that we collect about employees of our subsidiaries in the EEA or Switzerland, or to data that we collect from other jurisdictions; we cover the legal requirements for these data transfers using the Standard Contractual Clauses, as well as separate notices.

Products

We adhere to the principles of the Frameworks with respect to our processing of personal data submitted by our customers and their survey takers in the following SaaS platforms:

  • Medallia Experience Cloud: Core; and
  • Medallia Experience Cloud: Digital.

Data processed

As a data controller, we process personal data of representatives of our customers, potential customers, vendors, service providers, professional advisors, business partners, consultants or other third parties in the EEA and Switzerland (“EEA Business Contacts”) to support our business operations, for example, in the context of sending marketing communications, making sales calls, providing support, invoicing, and collections. From our EEA Business Contacts, we typically collect name, job title, company affiliation and contact information.

As a data processor, we process personal data of EEA and Swiss individuals on behalf of the customers of our SaaS platforms listed above (“EEA Customer Data”). Our customers use our SaaS platforms to process personal data at their discretion, including data pertaining to their own customers and employees.

The customers who use our SaaS platforms provide information on how they process their customers’ and employees’ data in their own, separate privacy notices. We support the customers who use our SaaS platforms as a data processor but do not control these customers’ data processing practices.

Purposes of collection and use

We collect and use personal data of EEA Business Contacts for purposes of providing information about our products and services to our customers, communicating with business partners, providing support, billing our customers, and conducting related tasks for legitimate business purposes. With respect to marketing, you may opt out of receiving marketing communications from Medallia.

We collect and use EEA Customer Data for the purposes of providing those platforms to our customers. We may access the data to provide the services, to correct and address technical or service problems, to follow instructions of the Medallia customer (and their customers and employees) who submitted the data, or in response to contractual and legal requirements.

Third parties who may process personal data

Medallia uses a limited number of third party service providers and partners to assist us in providing our products and services to our customers. Medallia maintains contracts with these third parties restricting their access, use and disclosure of personal data in compliance with our Privacy Shield obligations.

We may share the personal data of EEA Business Contacts with the providers of our business productivity software (such as email and teleconferencing platforms), consumer relationship management software, marketing and data enhancement software (including marketing communications automation platforms), help desk ticketing software, and billing and collections software in order to enable their respective business functions. If you purchase Medallia products and services through our channel partners, such as distributors and resellers, we may provide the personal data of EEA Business Contacts to such third parties to provide you with information about Medallia’s products and services.

We may share EEA Customer Data with our subsidiaries, affiliates, partners and contractors who provide managed services and support for such platforms. We may also share EEA Customer Data with vendors to support our technical operations (including vendors who assist us with visitor analytics and SaaS event logging), assist with data transmission (including content delivery networks), and provide data storage.

Depending on the technology integrations or features chosen by the customers who purchase our SaaS platforms, we may also provide EEA Customer Data to partners who provide such integrations or features (including, for example, interactive voice response, SMS, translation integrations, and screen capture features).

Where we have received your personal data under the Frameworks and subsequently transfer it to a third party agent or service provider for processing, we remain liable if such third party agent or service provider processes your personal data in a manner inconsistent with the Frameworks’ principles.

We may also disclose personal data of EEA Business Contacts and EEA Customer Data where we are legally required to disclose (e.g., under statutes, contracts or otherwise), in response to lawful requests by public authorities (including to meet national security or law enforcement requirements), or where the disclosure is permitted by law or the Privacy Shield principles and we have a legitimate business interest in such disclosure.

Your right to access, limit use, and limit disclosure

EU and Swiss residents have rights to access, correct and delete their personal data, and to limit use and disclosure of their personal data. Medallia honors these rights by responding to legitimate requests, sent to [email protected], to access, correct, or delete personal data, or to limit its use or disclosure. Because Medallia has limited ability to access EEA Customer Data, if you send us a request related to EEA Customer Data, please provide the name of the Medallia customer who provided us with or asked us to collect your data. We will refer your request to that customer, and we will support them as needed in responding to your request.

EEA Business Contacts may choose to unsubscribe from marketing communications by following the link contained in each marketing email to Medallia’s subscription preferences center.

Inquiries and complaints

If you have any questions regarding this notice or if you need to update, change or remove personal data that we control, you can do so by contacting [email protected] or by regular mail addressed to: Medallia Inc., Attn: General Counsel, 450 Concar Drive, San Mateo, CA 94402, United States.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, Medallia will cooperate with EU data protection authorities and the Swiss Federal Data Protection and Information Commissioner (DPAs). Medallia will comply with information and advice provided by the DPAs with respect to such unresolved concerns, and will take appropriate steps to correct Privacy Shield compliance issues. Click here for a list of EU DPAs.

Under certain conditions, more fully described on the Privacy Shield website at www.privacyshield.gov, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

Investigatory and enforcement powers of the FTC

Medallia is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).