Commitment to Privacy
SAS (“we”, “us” and “our”) offersHosted Managed Services, which includes software as a service (SaaS), enterprise hosting, remote managed services and other analytics solutions, and the subject-matter experts to manage them. We provide these solutions to organizations (“you” and “your”) and your employees, consumers, patients and students (“data subjects”) around the world.
The privacy of your data subjects is important to us. We are providing this policy to describe and explain our information practices and the measures we take to protect their privacy and comply with applicable laws and our obligations. This policy also describes your choices regarding use, access and correction of your data subjects’ personal data so that you can better understand our practices and ensure that they are consistent with any privacy notices you have made available to them.
Scope of Policy
Data Transfers and the EU-US Privacy Shield Framework
SAS participates in, and has certified its compliance with, the EU-US Privacy Shield Framework, with respect to personal data transferred from European Union (EU) member countries by its Hosted Managed Services in the United States, in connection with enterprise hosting, SaaS, remote managed services and other analytics solution offerings (such personal data, “EU Personal Data”). However, as of July 16, 2020, due to the Court of Justice of the EU’s decision in the Schrems II case, SAS no longer relies on the EU-US Privacy Shield Framework as a transfer mechanism under the EU General Data Protection Regulation for EU Personal Data and instead relies on EU Standard Contractual Clauses (SCCs). SAS uses these SCCs and supplemental measures in accordance with European Commission and European Data Protection Board guidance. Nonetheless, SAS is committed to subjecting all EU Personal Data received in reliance on each Privacy Shield Framework to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certifications, visit the US Department of Commerce’s Privacy Shield website at https://www.privacyshield.gov. Please note that our Privacy Shield Framework certifications do not apply to information collected by SAS from visitors to SAS.com, information collected by SAS in connection with individuals’ creation of a SAS Profile, or information collected by SAS through other offerings.
SAS is responsible for the processing of EU Personal Data it receives under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. SAS complies with the Privacy Shield Principles for all onward transfers of EU Personal Data, including the onward transfer liability provisions.
With respect to EU Personal Data received by or transferred to the SAS Hosted Managed Services, SAS is subject to the regulatory enforcement powers of the US Federal Trade Commission. In certain situations, SAS may be required to disclose EU Personal Data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements. However, as of the date of this policy, SAS has never received such a request.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our US-based third-party dispute resolution provider (free of charge), at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Data Processed and Purposes of Processing
SAS Managed Hosted Services collects and processes two kinds of personal data: Customer Information and Client Information.
Customer Information is information that we receive from you, or from a third party at your direction, about your data subjects. We collect only the Customer Information that you provide to us or direct us to collect or access in order to provide services to you. Customer Information may include personal data about different types of individuals, including: consumers, employees, patients, students, donors, volunteers, business clients, suppliers and other business partners. Such personal data may include basic contact information, such as name, postal address, email address and phone number, as well as more sensitive personal data, such as financial information, personal health information, clinical trial data, demographic information, purchase information, market-research information, and employee and student performance information. Indeed, SAS may obtain any type of data about any type of individual that you upload to our products, send to us through online or offline mechanisms, or direct us to collect from third-party aggregators, such as Dun & Bradstreet.
We operate under the assumption that it is your obligation as a data controller to notify individuals whose personal data may be included in your Customer Information about the personal data you collect and the purposes for which you collect it, to obtain their consent to our processing of their personal data, where required, and to ensure that such personal data is reliable for its intended use, accurate, complete and current. We have no direct relationship with the individuals whose personal data is included in the Customer Information we process.
We collect and process Customer Information only for the purpose of providing services to you and in accordance with our agreements with you. In certain situations, we may supplement Customer Information provided by you with information from other sources. This is done only when you specifically request, and we agree to, such supplementation. This supplementation of Customer Information is for the sole purpose of providing services to you. We will retain Customer Information for the duration stipulated in our agreement with you, or longer, as necessary to comply with our legal obligations, resolve disputes or enforce our agreements.
Client Information is personal data about people in your organization, such as account managers and users, who interact with SAS’s Hosted Managed Services and its systems. Client Information usually is limited to name, work email address, work phone number and job title. We collect Client Information through online forms, email, phone and other written means that you use to provide it to us. We use Client Information to support your account, maintain our business relationship with you, respond to your inquiries and perform accounting functions
Client Information may also include User Information. User Information is information generated by computers that interact with our systems. User Information may be collected through the following:
- Web server logs/web analytics. In the process of administering this site, we maintain and track usage through web server logs and may use web analytic tools to review log information. These logs provide information, such as what types of browsers are accessing our sites, what country the access request is originating from, what pages receive high traffic and the times of day our servers experience significant load. We use this information to improve the content and navigation features of our sites.
We may also use User Information to help us prevent and detect security threats, fraud or other malicious activity, to manage billing for those subscription services based on usage and to ensure the proper functioning of our products and services.
SAS may additionally use Customer Information and Client Information for the following purposes:
- To maintain and upgrade a system. Our technical staff may require periodic access to services data that may include Customer Information or Client Information, to monitor system performance, test systems, and develop and implement upgrades to systems. Any temporary copies of such services data created as a necessary part of this process are maintained only for time periods relevant to those purposes.
- To address performance and fix issues. On occasion, we may develop new versions, patches, updates and other fixes to our programs and services, such as security patches that address newly discovered vulnerabilities. In accordance with the terms of your order for services, we may remotely access a user’s computer, while that user observes, in order to troubleshoot a performance issue.
- To meet legal requirements. SAS may be required to provide personal data to comply with legally mandated reporting, disclosure or other legal process requirements when we believe, in our sole discretion, that disclosure is necessary to protect our rights, or to respond to a government request.
If requested by you, and agreed to by SAS, SAS Hosted Managed Services systems may be configured to enable you and your users to access other third-party websites whose privacy practices may differ from those of SAS. If you or your data subjects submit personal data to any of those websites, such information is governed by their privacy statements. We encourage you and your data subjects to carefully read the privacy statement of any website you or your data subjects access through our systems. Depending on your country, you may also have the right or choice to: (1) restrict or object to processing of the data, (2) receive the data to transmit it to another company (3) withdraw any consent provided, and/or (4) lodge a complaint with your supervisory authority.
Data Access and Correction; Choices for Limiting Use and Disclosure
The EU General Data Protection Regulation and the EU-US Privacy Shield Framework requires that EU data subjects have rights to access personal data about themselves that an organization holds and, more specifically, a right to: (1) obtain confirmation whether personal data about them is being processed; (2) have the data communicated to them so they may verify its accuracy and the lawfulness of the processing; and (3) have the data corrected, amended or deleted.
With respect to Customer Information, we operate under the assumption that it is your obligation as data controller to provide your data subjects a means of accessing their data and requesting that such data be corrected, amended or deleted. Under our current business model, we have no direct interaction with your data subjects and so have no direct way for them to submit these requests to us. If you are a SAS Hosted Managed Services customer, and you receive such a request from a data subject about whom we host personal data, and you would like our assistance in responding to that request, please contact our privacy office at email@example.com or Legal Division/Privacy Officer, SAS Campus Drive, Cary, NC 27513. We will respond to requests within 30 days of receipt.
With respect to Client Information, certain SAS Hosted Managed Services systems enable users to access and amend or correct their own personal data. Otherwise, if you or your users would like to request access to or correction of Client Information, please contact our privacy office at firstname.lastname@example.org or Legal Division/Privacy Officer, SAS Campus Drive, Cary, NC 27513. We will respond to requests within 30 days of receipt.
The EU-US Privacy Shield Framework requires that participants offer data subjects a choice to opt out of uses and disclosures of their data that are materially different from the purposes for which that data was originally collected or subsequently authorized. For data that is considered “sensitive data” under EU data protection rules and the (for example, EU Personal Data relating to medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sex life), Privacy Shield participants must obtain an affirmative opt-in from data subjects for disclosures of such data or for the use of such data for purposes other than those for which it was originally collected or subsequently authorized.
With respect to Customer Information, we operate under the assumption that it is your obligation as data controller to obtain from your data subjects the appropriate consent to transfer their data to us and for us to process their data, to provide agreed-upon services to you and to disclose their data to third parties, consistent with this Policy and our agreements with you. We will not share, sell, rent or trade with third parties for their marketing purposes any Customer Information collected by us, unless you direct us to do so and have the appropriate authorization to do so. If your data subject would no longer like to be contacted by you or by SAS at your direction, please inform the data subject to contact you, as SAS’s customer, directly.
We will not use or disclose Client Information for purposes that are materially different than those described in this Policy, or subsequently authorized, without offering data subjects a choice to opt out of such uses or disclosures.
We take reasonable measures that are designed to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction. Some of our security measures include the following:
- Security policies. We design and support our products and services according to documented security policies. Each year, we assess our policy compliance and make necessary improvements to our policies and practices.
- Employee training and responsibilities. We take certain steps to reduce the risks of human error, theft, fraud and misuse of our facilities. We train our personnel on our privacy and security policies, and we require our employees to sign confidentiality agreements. We also have assigned to an individual the responsibility to manage our information security program.
- Access control. We limit access to Customer Information to only those individuals who have an authorized purpose for accessing that information. We terminate those access privileges following job change or termination.
- Data encryption. All electronic transfers of non-public Customer Information between you and SAS (including sensitive personal data and sign-on credentials) are required by SAS to be done through encrypted connections.
If we confirm that your Customer Information has been accessed or used by unauthorized individuals, we will contact your designated representative to coordinate our response to the incident. If you have any questions about the security of your personal information, you can contact us at email@example.com or Legal Division/Privacy Officer, SAS Campus Drive, Cary, NC 27513.
We keep your personal data for as long as necessary to fulfill the purposes outlined in this Policy, to adhere to our policies, and for any period as legally required or permitted by applicable law.
Onward Transfers to Third Parties
SAS may disclose personal data to business partners and subcontractors, as necessary, for the purpose of providing our offerings and performing other requested services, or as otherwise appropriate in connection with a legitimate business need. These companies are authorized to use your personal data only as necessary to provide these services to us. We may also disclose personal data you provide to other SAS entities and/or business parties for purposes compatible with those described in this Policy and in accordance with our agreements with you. We will not disclose personal data to third parties for purposes other than those described in this Policy, except at your direction and with your authorization. Disclosures of EU Personal Data will be carried out in accordance with Privacy Shield requirements relating to onward transfers. We will not sell, rent or lease your personal data to others.
We may also disclose personal data to a third party, as necessary, in connection with the sale or transfer of all or part of our business. In these situations, we will require the recipient of the data to protect the data in accordance with this Policy or otherwise take steps to ensure that the personal data is appropriately protected. If SAS is involved in a sale or transfer of all or part of our business, you will be notified via email and/or a prominent notice on our website of any changes to SAS’s ownership or uses of your personal data, and of choices you may have regarding your personal data.
SAS may also disclose personal data as required or permitted by law, such as in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, or when we believe in our sole discretion that disclosure is necessary or appropriate to protect our rights or to comply with a judicial proceeding, court order, law-enforcement request or other legal process.
SAS is a global corporation with subsidiaries and business partners in more than 80 countries and with technical systems that cross borders. Personal data collected on SAS Hosted Managed Services systems may be transferred across state and country borders and stored or processed in the United States or any other country in which SAS, its subsidiaries, affiliates or business units maintain facilities for the purposes of data consolidation, storage and information management. By using our systems, your organization consents to any such transfer of information outside of your country of residence. SAS, its subsidiaries, affiliates and business units will handle your information collected by our systems in a consistent manner, as described here, even if the laws in some countries may provide less protection for your information. Our privacy practices are designed to protect your personal data all over the world.
Inquiries and Complaints
If you have questions or concerns regarding this Policy or our handling of your personal data, you should first contact us by sending an email to firstname.lastname@example.org or by regular mail to the attention of:
SAS Institute Inc.
Legal Division/Privacy Officer
SAS Campus Drive
Cary, NC 27513
We will respond within a reasonable time frame.
If you do not receive acknowledgement of your inquiry, or your inquiry has not been satisfactorily addressed, please contact the US-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Changes to This Policy
We reserve the right to modify this Policy at any time. When we make only minor modifications, we may do so without notifying you. When we make material modifications, we will notify the person you have designated to us to receive such notifications 30 days in advance of the changes. It is your responsibility to keep current the contact information we have on file for that designated representative.
Effective Date: July 7, 2017
Latest Revised Date: November 17, 2021