PRIVACY POLICY – IRON MOUNTAIN SINGAPORE

We respect your privacy, Iron Mountain Singapore Pte Limited (referred to as “Iron Mountain” or “We” or “Our” in this Privacy Policy) have developed this Privacy Policy to inform you of how We process and protect the Personal Data that We Collect, Use, or share with third parties. It also covers how Iron Mountain makes the Personal Data it holds available for access to and correction by you.

This Privacy Policy has been drafted having regard to Iron Mountain's obligations under Personal Data Protection Act 2012 (the “PDPA” or the “Act). This Privacy Policy is a public document and has been prepared in light of the “Openness Obligation” (Section 12) under the Act.

Please read this Privacy Policy. By using the Iron Mountain Website, or by receiving notification from Iron Mountain of how you may access this Privacy Policy, whether by phone, email or otherwise, you are consenting to the Collection, Use and Disclosure of your Personal Data as set forth in this Privacy Policy.

1. COLLECTION OF YOUR PERSONAL DATA

1.1 Iron Mountain Collects Personal Data about customers, prospective customers, vendors, prospective vendors, contractors, job candidates, the general public (via our CCTVs) and Website users which is reasonably necessary for, or directly related to, one or more of our functions or activities. The Personal Data may be collected through our Website, over the phone, or otherwise.

1.2 At or before the time, or, if that is not practicable, as soon as practicable after, We Collect your Personal Data, We will notify you upon your request of the matters required pursuant to Section 20 of the Act – by providing you with a hard copy of this Privacy Policy, or by notifying you of how you may access this Privacy Policy.

1.3 Iron Mountain will not Collect Personal Data secretly or in an underhanded way and will not sell your Personal Data to any third party (except in the course of a sale of the business, etc.).

2. HOW WE USE YOUR INFORMATION AND WHEN WE MAY SHARE IT

2.1 Iron Mountain holds Personal Data which it has Collected for its Primary Purposes, including but not limited to:

  • (a) providing you with the products and services ordered from us or in relation to products or services We order from you;
  • (b) answering your inquiry or job application;
  • (c) sending you additional materials relating to Iron Mountain and services that may be of interest to you;
  • (d) providing you with effective customer service; and
  • (e) for security measures relating to our services.

2.2 Iron Mountain also holds Personal Data for purposes other than its Primary Purposes (Secondary Purposes). You provide your consent to us using your Personal Data for the following Secondary Purposes:

  • (a) billing and account management;
  • (b) business planning and product development;
  • (c) providing you with relevant information, including promotions, about the products and services of Iron Mountain and its affiliates;
  • (d) enabling us to better understand your needs and interests;
  • (e) improving the content, functionality and usability of our Website;
  • (f) improving our marketing and promotional efforts;
  • (g) displaying personalised advertising when you visit our Website;
  • (h) for any other purpose identified in any other agreement between you and Iron Mountain;
  • (i) issues, news or other information relevant to your dealings with Iron Mountain, or about Iron Mountain generally, or the industries in which you or Iron Mountain operates; and
  • (j) as otherwise described in this Privacy Policy.

2.3 Iron Mountain may Use and/or Share your Personal Data for any Secondary Purposes not included in this Privacy Policy if:

  • (a) the Secondary Purpose is related to a Primary Purpose; and
  • (b) you would have a Reasonable Expectation that We would Use the information for that Secondary Purpose.

2.4 From time to time We may Share your Personal Data to organisations outside of Iron Mountain in order to deliver the services you require or if required for other legal reasons. Your Personal Data is Shared with these organisations in relation to us providing Our services to you or to meet such other legal requirements. These organisations carry out, amongst other services, Our:

  • (a) billing and debt- recovery functions;
  • (b) customer inquiries;
  • (c) information technology services;
  • (d) marketing and communication services (including market research);
  • (e) website usage analysis;
  • (f) to support or facilitate any of those activities described in Points 2.1 and 2.2 herein; and
  • (g) advisers and insurers.

Iron Mountain adopts contractual or other means in compliance with the “Protection & Retention Limitation Obligation” (Sections 24 & 25 of the Act) to prevent:

  • (a) your Personal Data transferred to above organisations from being kept longer than is necessary for the purpose or for other legal or business purposes;
  • (b) unauthorised access, collection, use, disclosure, copying, modification, disposal of or similar risks to your Personal Data transferred to organisation for the provision of the above services.

Furthermore We will take reasonable practicable steps to ensure that these organisations are bound by confidentiality obligations in relation to the protection of your Personal Data.

3. DIRECT MARKETING

3.1 Iron Mountain only targets businesses with its services. Although Personal Data may be collected from any individual through Our website or otherwise for various purposes (i.e., to download a document, respond to a query or a job application), with respect to direct marketing purposes, We intend to use Personal Data that is collected from individuals in their official capacities and Our promoted services are clearly meant for the use of the targeted business. If these requirements are met, Iron Mountain does not need to obtain consent from this individual and the other provisions of the Act neither apply to Iron Mountain.

3.2 Should We have doubts that the collected Personal Data relates to individuals in their official capacities, We ask for consent for Using and/or Sharing any Personal Data Collected from you for Direct Marketing purposes in accordance with the Act, whether Collected via telephone, the Website, or otherwise, but subject to the terms of this Privacy Policy.

3.3 In each Direct Marketing communication, We will include:

  • (a) a prominent statement appearing on the relevant piece of marketing material notifying you of your right to Opt Out from further Direct Marketing; and
  • (b) simple means for you to Opt Out of receiving further Direct Marketing communications of that kind.

3.4 Should you Opt Out, We will stop Using and/or Disclosing your Personal Data for Direct Marketing purposes.

4. ENSURING INFORMATION IS ACCURATE AND UP-TO-DATE

We take reasonable precautions to ensure that the Personal Data We Collect, Use and Share is complete, relevant and up-to-date.

However, the accuracy of that information depends to a large extent on the information you provide. That's why We recommend that you:

  • let us know if there are any errors in your Personal Data; and
  • keep us up-to-date with changes to your Personal Data. You may change your personal details by using the relevant facility on Our Website or by contacting Iron Mountain via contact details described in Point 12.

5. HOW WE PROTECT YOUR INFORMATION

5.1 Iron Mountain will take reasonable steps to protect your Personal Data from misuse, interference, loss and unauthorised access or disclosure. This may include taking reasonable steps to destroy or permanently de-identify Personal Data once it is no longer needed for any purpose for which it may be Used or Shared in accordance with Section 23 and 24 of the Act ("Accuracy and Retention Limitation Obligation”).

5.2 Iron Mountain will not attempt to match de-identified or make anonymous data Collected through surveys or such online devices as "cookies", with information identifying an individual, without notifying the relevant individual.

5.3 Iron Mountain requires employees and contractors to perform their duties in a manner that is consistent with Iron Mountain' legal responsibilities in relation to privacy, including those in this Privacy Policy.

5.4 Iron Mountain will take reasonable steps to ensure that Personal Data is only accessible by people who have a genuine "need to know" as well as "right to know."

6. HOW YOU CAN ACCESS OR CORRECT YOUR INFORMATION

6.1 Iron Mountain will permit Our records containing your Personal Data to be accessed by you when required by Section 21 of the Act (“Access Obligation”). We may, however, refuse to provide you with access to your Personal Data if one or more of those matters contained in the Act - circumstances in which data user shall or may refuse to comply with data access request– applies, i.e., the provision of that Personal Data, as the case may be, could reasonably be expected to

  • (a) threaten the safety or physical or mental health of an individual other than the individual who made the request;
  • (b) cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
  • (c) reveal Personal Data about another individual;
  • (d) reveal the identity of an individual who has provided Personal Data about another individual and the individual providing the Personal Data does not consent to the disclosure of his identity; or
  • (e) be contrary to the national interest.

Additionally We may also refuse to provide you with access to your Personal Data or other information in respect of the matters specified in the Fifth Schedule of the Act (“Exceptions from Access Requirement”)

6.2 If Iron Mountain is satisfied that:

  • (a) having regard to the purpose for which the information is held, the information is inaccurate, out of date, incomplete or irrelevant or misleading; or
  • (b) you (as the person to whom the Personal Data relates) request that We correct the information; We will take reasonable steps to correct Our records containing your Personal Data as soon as practically possible in accordance with Section 22 of the Act (“Correction Obligation”) and with the exceptions stipulated in the Sixth Schedule of the Act (“Exceptions from Correction Requirement”).

6.3 If We have refused to grant you access to your Personal Data in accordance with Point 6.1 above, We will still take all reasonable steps to provide you with access to your Personal Data in a way that meets both your needs and Our needs.

6.4 If you:

  • (a) wish to lodge a request to access and/or correct your Personal Data; or
  • (b) have been refused access to your Personal Data by us for any reason described in this Privacy Policy and you wish to challenge that refusal; you may do so by contacting the Data Protection Officer as per the details in Point 12.

6.5 Iron Mountain will not charge a fee for processing an access request unless the request is complex or is resource intensive. Iron Mountain does, however, reserve the right to charge an administration fee if an individual requests access to their Personal Data more than once in a three month period.

6.6 Where Iron Mountain offers online account management facilities, customers can use this capability to control aspects of their account, including amending or updating certain Personal Data.

7. OPENNESS

7.1 Iron Mountain’s Data Protection Officer will be the first point of contact for inquiries about privacy issues. If you wish to make an inquiry or complaint regarding your privacy, you should contact this person as per the details in Point 12.

7.2 You will find that the Iron Mountain’s Website contains a copy of this Privacy Policy.

8. STAYING ANONYMOUS

8.1 Iron Mountain will not make it mandatory for visitors to Our Website to provide Personal Data unless such Personal Data is required to answer an inquiry or provide a service. Iron Mountain may however request visitors to provide Personal Data voluntarily to Iron Mountain (for example, as part of a competition or questionnaire).

8.2 Iron Mountain will allow you to transact with us anonymously or by using a pseudonym wherever that is reasonable and practicable.

9. TRANSFERRING PERSONAL DATA

9.1 If We send Personal Data out of Singapore, Iron Mountain will take appropriate steps to ensure that the recipient is bound by legally enforceable obligations so at to provide to your transferred Personal Data a standard of protection that is comparable to that under the Act.

9.2 Iron Mountain may Share Personal Data to a recipient without complying with 9.1 if:

  • (a) you are Expressly Informed of the intended transfer of your Personal Data to the recipient, and you consent in writing; or
  • (b) We reasonably believe that the recipient is subject to a law or a binding scheme that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Act seeks to protect the same and you can access mechanisms to enforce the protection of your Personal Data under that law or that scheme; or
  • (c) We exercised due diligence to ensure that the Personal Data will not be treated in a manner which will contravene the Act.

10. CHANGES TO THE PRIVACY POLICY

Iron Mountain may, in its sole discretion, update this Privacy Policy at any time and from time to time. Any changes will be effective when posted on Our Website. Your continued use of Our Website will indicate your acceptance of any changes to the Privacy Policy. All Personal Data, Collected both before and after any changes take effect, will be subject to the terms of the then current policy, for which you will be taken to have provided consent, unless you indicate otherwise by contacting the Data Protection Officer as per the details in in Point 12. We encourage you to refer back to this page and especially prior to providing us with any Personal Data.

11. GLOSSARY

Collect means gather, acquire or obtain by a lawful and fair means, information in circumstances where the individual is identifiable or identified.

Direct Marketing involves the Use and/ or Sharing of Personal Data to communicate directly with an individual to promote goods or services through written, verbal or electronic means of communication for the company that the individual is acting for and behalf of. The goods or services which are marketed may be those of Iron Mountain or those of an independent third party organisation on behalf of Iron Mountain.

Sharing generally means the release of information outside Iron Mountain, including under a contract to carry out an "outsourced function."

Expressly Informed means the circumstance where We have provided you with a clear statement (either verbal or in writing) of the fact that that We will not be accountable under the Act and you will not be able to seek redress under the Act in the event that you provide consent to the Sharing of your Personal Data by us to a recipient outside of Singapore and this recipient handles your Personal Data in breach of the Act.

Opt
Out means an individual's expressed request not to receive Direct Marketing communications.

Iron Mountain
means Iron Mountain Singapore Pte Limited

Personal Data means any data (a) relating directly or indirectly to a living individual;(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable. This includes, but is not limited to, an individual’s name, address, telephone number and email address.

Primary Purpose is the main reason for the Collection of any Personal Data.

Reasonable Expectation means an individual's reasonable expectation that their Personal Data might be Used or Shared for the relevant purpose.

Secondary Purpose means a purpose of Use or Sharing other than a Primary Purpose.

Use means the handling of Personal Data within Iron Mountain.

Website means the website of Iron Mountain and related webpages.

12. CONTACTING IRON MOUNTAIN

If you have questions concerning this Privacy Policy, please contact the Data Protection Officer on:

  • 65-6262-5622 between 8.30am and 6pm Monday to Friday; or
  • via email at sales.enquiry @recall.com.sg; or
  • by writing to the Data Protection Officer, Iron Mountain Singapore Pte Ltd, 28 Quality Road, Singapore 618828

You can obtain further information about your privacy rights and the Act from the Personal Data Protection Commission by visiting its web site at http://www.pdpc.gov.sg/

This Privacy Policy was last updated on 23 December 2014.