SAS Privacy Statement for Residents of the European Economic Area (EEA) and United Kingdom (UK)
This version of the SAS Privacy Statement is applicable to residents of the EEA and the UK whose personal data is covered by the General Data Protection Regulation (GDPR) or the UK Data Protection Act. If you are not a resident of the EEA or the UK, please refer to the SAS Privacy Statement.
SAS Institute Inc., our subsidiaries and affiliates ("SAS" or "we" or “us”) care about your privacy and are committed to processing your personal data in accordance with fair information practices and applicable data privacy laws. The SAS entity(ies) responsible for the collection and use of your personal data for the purposes described in this Privacy Statement are indicated in the "How to Contact Us" section of this document. Note that we share and transfer your personal data with SAS Institute Inc. located in the United States of America, and may do so with other SAS entities as further discussed below.
This Privacy Statement (i) describes how we collect, use, protect, share, and transfer your personal data; and (ii) describes your rights and choices regarding your personal data, and how to exercise those rights with SAS.
Scope of this Privacy Statement
This Privacy Statement applies to personal data we collect when you visit this website and our other websites and mobile apps that we operate and that reference this Privacy Statement (collectively, the "Websites"). We may also collect information from you in other ways, including information collected during technical support contacts, on registration forms, in person (e.g., business cards), and from third parties. If we provide a separate or supplemental notice when we collect personal data from you, that notice will control to the extent of any conflict.
This Privacy Statement does not apply to:
(ii) Personal data in customer-controlled data to which SAS may be given access in connection with SAS' provision of technical support services, which is subject to SAS Technical Support Policies;
(iii) Personal information included in customer-controlled data to which SAS may be given access in connection with consulting services or our Intelligent Advertising offerings, which is subject to agreements between SAS and its customers.
As used in this statement, "personal data" means any information relating to an identified or identifiable individual, and is intended to include all data defined as "personal data" under the GDPR.
Personal Data We Collect and How We Collect It
The information SAS may collect about you includes:
- Contact information such as your name, postal address, telephone number and email address.
- Information about your professional interests and experiences with our products or services.
- Business and marketing information that helps us provide our services to you, including your contact, language and marketing preferences.
- Transaction information, including purchase history, order and contract information, delivery and technical support details, and billing information.
- Technical information, such as details about your device, your browser, how you use our website, including what pages of our websites you visit and when, and IP addresses.
- Security data used for authentication and fraud prevention.
SAS collects this information in several ways:
- Through information you provide in your SAS Profile.
- Through registration, surveys and other online forms.
- As part of an ongoing sales process.
- While providing technical support, consultation, live chat or product information.
- Through the process of maintaining and upgrading our products.
- Through automated means such as communications protocols, email communications, cookies, web beacons and pixels, and other related technologies in accordance with the SAS Statement on Cookies and Related Technologies.
- Through our mobile applications (some of which may be managed by third parties on behalf of SAS).
- Through your participation in surveys, contests and promotions.
- Through your use of social connectors and SAS-affiliated social networking areas, including interactions with us on third-party social media platforms.
- Through your interest in SAS ads placed on third-party sites.
- Through using statistical analysis or other automated means to make inferences about your interest in particular SAS products and services.
Personal data or other data collected online may also be combined with information you provide to us through other sources such as product registration, call centers, or in conjunction with events such as trade shows, training seminars, contests and promotions, and conferences. Where permitted by applicable law, other information gathered from social media platforms and other published sources may be added to the data you provide.
We will only collect the information that we deem necessary for the purposes listed below. As a result, we may not be able to address a request or provide a product or a service if we are missing some of this information.
How We Use Your Personal Data
SAS may use your personal data in the following ways:
- To fulfill subscription requests, orders for software and services made online and to provide other information you request.
- To provide customer support, and communicate with you about your orders, purchases or accounts with us, requests, questions and comments.
- To manage our relationship with our vendors, suppliers and other business partners, and communicate with them.
- To inform you about important news about SAS, our new products and services, product updates, technical support issues, events and special offers we think you may be interested in.
- To make the Websites easier for you to use, such as by identifying you across platforms or devices for a consistent user experience, and customizing content and advertising relevant to your interests through analytics and profiling technology.
- To facilitate the use of certain features of the Websites, including collaborative forums and communication channels like SAS Support Communities, should you wish to use them.
- To protect the security and integrity of SAS Websites, systems, servers and other technical assets.
- To prevent and detect fraud or other prohibited or illegal activity.
- To anonymize some of this data where SAS wants to gain insights about history, processes, operations and customer experiences that do not require information that can be associated with an identifiable individual.
- To operate, evaluate and improve our business (including developing new products and services; managing our communications; and performing accounting, auditing, billing, reconciliation and collection activities).
- To meet legal requirements, or as required by a judicial process or a government request, and to establish, exercise or defend a legal claim.
- To comply with industry standards and our policies.
In addition, we analyze our web services such as browser session page views, registrations, demos, downloads and email responses in aggregate and sometimes at the individual level in order to improve the quality of those offerings and to better tailor our marketing to our customers' needs. We may also use statistical analysis to accomplish the purposes listed above, including to better understand your marketing preferences and tailor our offerings to you.
We may process your personal data for the above purposes when:
- It is needed for contract performance or to take steps to enter into a contract with you,
- SAS needs it to comply with certain legal obligations,
- SAS’ legitimate business interests require it, including for marketing and improving our services, protecting against fraud and other liabilities, ensuring compliance and our ability to assert legal defenses, and guaranteeing the security our networks and systems, and
- We obtain your consent, for example before sending you promotional emails about SAS products and services.
How We Share and Transfer Your Personal Data
We will not sell, rent, lease, or disclose your personal data to others except as described in the Privacy Statement.
We may share your personal data with other SAS entities. SAS is a global corporation with subsidiaries, and affiliates and business partners in many countries, and with technical systems that cross borders. As a result, when we share your personal data with other SAS entities, we may transfer this data across country borders, and store or process in the United States or any other country in which SAS or its subsidiaries, affiliates, or business units maintain facilities are located. SAS has taken measures to ensure that all personal data is transferred among SAS entities, including to countries outside of the EEA and the UK, in a legally compliant manner. For any such transfers, we rely on Standard Contractual Clauses between SAS entities. You may obtain a copy of our Standard Contractual Clauses (from which the commercial information and information that is not relevant has been removed) by sending a request to firstname.lastname@example.org.
We may also disclose your personal data to third parties, including:
- Our vendors, subcontractors, and processors; and/or business partners for purposes related to those described above
- Companies other than SAS entities in connection with a sale or transfer of all or part of our business or assets
- Information you choose to make available to participants in SAS Support Communities and other online communication channels
- Law enforcement or other government officials upon request if we believe such disclosure necessary or appropriate
- As we otherwise believe is necessary to protect our rights or property, including the security and integrity of the Websites.
Some of these third parties may be located outside of the EEA and the UK. When transfers to these third parties occur, we transfer your personal data in compliance with applicable law, such as by concluding Standard Contractual Clauses with our vendors, subcontractors, processors, and business partners. Where applicable, you can obtain a copy of such Standard Contractual Clauses (from which the commercial information and information that is not relevant has been removed) by sending a request to email@example.com.
Your Rights and Choices
The GDPR and/or the UK Data Protection Act provide you with certain rights regarding your personal data. A brief description of some of those rights follows:
- Access, Correction and Portability. You may reasonably access the personal data relating to you. You also have the right to request to correct incomplete, inaccurate or outdated personal data. To the extent required by applicable law, you may request the transmission of the personal data you have provided to us to you or another company.
- Objection. You may object to any uses or disclosures of your personal data that are not (i) required by law, (ii) necessary for the fulfillment of a contractual obligation or (iii) required to meet a legitimate need of SAS. If you do object, we will work with you to find a reasonable accommodation.
- Deletion. You may also request the deletion of your personal data, as permitted under applicable law. This may apply, for instance, where this information is outdated or the processing is no longer necessary or is unlawful; where you withdraw your consent to our processing based on such consent; or where we determine we should accommodate an objection you have raised to our processing. However, sometimes we may need to retain your personal data. For example, this may occur in situations in which we need to comply with our legal obligations, for the establishment, exercise, or defense of legal claims, or in some cases, to fulfill the purposes for which your information was gathered.
- Restriction of Processing. You may request that we restrict processing of your personal data while we are processing your request or complaint pertaining to (i) the accuracy of your personal data, (ii) the lawfulness of the processing of your personal data, or (iii) our legitimate interests in processing this information. You may also request that we restrict processing of your personal data if you wish to use the personal data for litigation purposes.
- Withdraw your Consent. You may withdraw any consent you previously gave us regarding the processing of your personal data at any time. Such withdrawal will not affect the lawfulness of the processing before your consent was withdrawn.
In addition, SAS offers you the choice of receiving different types of communication and information related to our company, products and services. You may subscribe to e-newsletters or other publications; you may also elect to receive marketing communications and other special offers from us via email. If at any time you would like to change your email communication preferences, we provide unsubscribe links and an opt-out mechanism for your convenience. You may also access and manage your preferences from your SAS Profile page. In some cases, you may separately elect to receive marketing communications from other SAS business units and affiliates, such as JMP, a division of SAS; you may opt out from email communication about JMP products and services at any time.
You may exercise these rights free of charge unless the request is unfounded or excessive, for instance because it is repetitive. In some situations, we may refuse to act or may impose limitations on your rights, as permitted by applicable law. Before SAS is able to provide you with any information or correct any inaccuracies, we may ask you to verify your identity and/or provide other details to help us respond to your request. SAS reserves the right not to respond to requests generated through third-party applications or automated processes without direct validation of the requests by data subjects using the resources provided by SAS for the exercise of these rights as described in this Statement.
To exercise your rights, please complete the Data Privacy Rights Form or contact us using the information provided below. In all cases, you have a right to file a complaint with a data protection authority in particular in the country of your habitual residence, your place of work or where you consider that your privacy rights have been infringed.
Data Security and Data Retention
SAS takes care to guard the security of your personal data. We apply appropriate physical, technical and organizational measures that are reasonably designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing. We maintain a comprehensive information security program that is proportionate to the risks associated with the processing. We use enhanced security measures when processing any sensitive information, such as by employing encryption technology when collecting or transferring credit card information. Credit card numbers are used only for processing payment and are not used for other purposes.
We keep your personal data for as long as necessary to fulfill the purposes outlined in this Statement, to adhere to our policies, and for any period as legally required or permitted by applicable law.
Links to third-party websites from our Website are provided solely as a convenience to you. If you use these links, you will leave this site. We have not reviewed these third-party sites and do not control them. SAS does not assume responsibility for any of these sites, their content, or their privacy policies. SAS does not endorse or make any representations about them or any information, software or other products or materials found there, or any results that may be obtained from using them. If you decide to access any of the third-party sites linked to this site, you do so at your own risk and we invite you to read their privacy policies.
Changes to This Statement
If there are updates to the terms of this Privacy Statement, we will post those changes here and update the revision date in this document so that you will always know what information we collect online, how we use it, and what choices you have. Your continued use of the Website following the posting of changes to this Privacy Statement means you accept those changes.
How to Contact Us
If you have questions or complaints in relation with this Privacy Statement, or to exercise your privacy rights described above, please contact us via email at firstname.lastname@example.org, or by post at the address of the SAS entity that is the data controller in your jurisdiction.
Revised February 5, 2020