This Statement provides a summary of the OpenText Global Privacy Program, our governance, and the activities we undertake to ensure we process Personal Information fairly, lawfully, and securely when acting as a controller and as a processor on behalf of our customers or consumers.
For the purpose of this page, we are using the following General Data Protection Regulation (GDPR) terms to outline our strategy to meet our applicable obligations.
Controller: natural or legal person, public or private, who makes decisions on the processing of Personal Information.
Processor: natural or legal person, appointed by the controller, who performs the processing of personal information on behalf of the controller.
Personal Data and Personally Identifiable Information (PII) (‘Personal Information’) shall have the meaning as defined in the applicable data protection legislation.
Compliance with data protection and privacy laws
At OpenText, we are committed to ensuring compliance with applicable data protection and privacy laws to the extent they apply to OpenText either as a Controller or as a Processor. We recognize the importance of protecting the Personal Information entrusted to us by our customers, partners and website visitors. OpenText practices as detailed below are designed to adhere to the requirements set forth by relevant data protection and privacy laws, such as the General Data Protection Regulation (GDPR) and other applicable regional or national legislation. The Privacy function is responsible for tracking and monitoring changes in regulations and law, and for ensuring the privacy program is regularly reviewed and up to date.
Summary of our approach
The pillars of the OpenText privacy program for protecting Personal Information include the following: the protection of data subjects’ rights, privacy by design, the incorporation of privacy terms in contracts, and implementing and maintaining appropriate security measures to protect Personal Information from unauthorized access, loss or misuse.
Data Subject Rights
Privacy By Design
OpenText builds privacy into every product or service and incorporates safeguards into the design and development of products, services, and systems from the very beginning. Our development and product management teams work closely with the security team and the Privacy function to ensure appropriate expertise is included in the development process. Additionally, Privacy Risk Assessments are carried out on applicable projects, new system acquisitions and process changes.
We work with our customers to ensure that the privacy obligations are included in the contractual commitments for our products and services, establishing a regulatory-compliant data handling framework. To learn more about the data processing agreements established by OpenText, we provide access to both our Customer Data Processing Agreement and Supplier Data Processing Agreement.
OpenText uses industry practice models, such as ISO/IEC 27001 Information Technology Security techniques and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. OpenText incorporates the ISO 27002 information security control set within the context of an information security management system (ISMS) based on ISO/IEC 27001. For more details, please refer to Information Governance on the OpenText website. OpenText conducts regular audits such as the Service Organization Controls (“SOC”) reports. To ensure industry standards are continuously observed and reported, cybersecurity compliance attestations are available (as applicable to a service) for ISO 27001, ISO 27017, ISO 27018, SOC 1 Type II, SOC 2 Type II. Third-party audit reports for OpenText products and services may be available depending on the product or service selected.
Where OpenText is a Controller, we have developed retention guidelines to provide guidance to our employees around how to manage OpenText’s records according to sound business, operational and legal practices. The purpose of these guidelines is to ensure that necessary OpenText records, documents, and other materials are adequately maintained, and, when no longer needed by OpenText, are securely discarded at the proper time (subject to any applicable legal or organizational retention requirements). Where OpenText is a Processor and has stored Personal Information as part of the services, at the end of the service(s) as required by applicable law upon the Customer’s written instruction, OpenText will return and/or delete the data (unless applicable law states otherwise). In some cases, the retention schedule will be defined in the customer contract in which case, that schedule will be followed.
Privacy Training and Awareness
OpenText has a long-standing practice of mandatory Corporate Information Security, Data Protection and Compliance, and Ethics training courses for all staff. Curriculums are regularly reviewed for new content necessary to raise awareness and educate employees about their obligations around the appropriate use and safeguarding of Personal Information. During onboarding, all new hires must complete these courses. An annual refresher course is mandatory for all staff.
Records of Processing Activities
OpenText maintains records of processing activities (ROPA) for functional areas where OpenText processes Personal Information as a Controller and Processor on behalf of its customers. The ROPA provides an overview of types and categories of Personal Information processed by OpenText or by its (sub)processors, categories of recipients, data transfers, processing location(s), safeguards, et cetera. Processes are in place to ensure the ROPA is kept complete and accurate.
Privacy Impact Assessments
OpenText is fully committed to protecting the Personal Information of its customers, employees, suppliers, and other stakeholders. We take the privacy of Personal Information very seriously and have instituted a variety of methods and controls to ensure we know what data we collect and process, and how that data is protected. As part of this commitment, OpenText ensures that, where appropriate, business activities and projects that involve the use of Personal Information are subject to a data protection impact assessment (also referred to as a “Privacy Impact Assessment”). The purpose of this assessment is to ensure that:
The use of Personal Information is fully understood.
Risks to the rights and freedoms of natural persons resulting from the processing of Personal Information are carefully examined.
Appropriate measures are put in place to mitigate privacy risks throughout the lifecycle of the processing.
Cross Border Data Transfers
OpenText is a global company and performs some of its processing activities in countries outside of the EU including Canada, the United States, India and the Philippines. Where Personal Information is processed outside of a member state of the EEA, the United Kingdom and Switzerland, OpenText has ensured one of the following safeguards is in place: (1) an adequacy decision for the importing country, or (2) EU Model Clauses between the exporters and importers. To learn more about how OpenText operates regarding international transfers of data, customers can refer to the OpenText position paper for a deeper understanding of our commitment to protecting Personal Information during cross-border transfers. The OpenText International Data Transfers position paper is available upon request.
OpenText may share Personal Information with vendors working on our behalf as necessary to provide OpenText products and services. OpenText has a due diligence process when outsourcing services to vendors, which includes performing a security/privacy risk assessment if Personal Information is shared and establishing the appropriate data protection clauses in the contract. If vendors operate in countries that are not considered to provide an adequate level of data protection as established by the General Data Protection Regulation ((EU) 2016/679) (GDPR), OpenText will implement appropriate measures with the vendor to ensure the data transfers are in accordance with applicable data protection regulations.
Governance and responsibility
OpenText's data privacy strategy is led by a dedicated global privacy team that reports to the Vice President of Global Data Privacy. The team includes a Data Protection Officer (DPO). The DPO office can be reached at DPO@opentext.com.
The average experience of Privacy team members in the field of data protection, privacy, and compliance is over 10 years and several members of the team have professional accreditations such as CIPP, CIPM, CISA, CISM or CISSP.
The organization is supported by a network of internal and external subject matter experts.
Registration with Data and Privacy Authorities
Where appropriate we are registered with country-specific data protection and privacy regulators, and the registrations are reviewed and maintained by the OpenText Privacy Function.
Changes to this Privacy Statement
OpenText reserves the right to update this Privacy Statement from time to time without prior consent to incorporate changes in our practices, technologies, privacy commitments, and any other relevant considerations. We recommend that you periodically review this Privacy Statement to stay updated on OpenText practices.
This Privacy Statement was last reviewed September 2023.