MRI Software LLC Data Protection Framework Program Policy
In order to provide an adequate level of protection for Personal Data received from the European Union (EU), the United Kingdom (UK) and/or Switzerland, MRI Software LLC (“MRI” or the “Company”) adheres to the EU-US Data Protection Framework Program Principles and the UK Extension to the EU-US Data Protection Framework Program, and the Swiss-US Data Protection Framework Program developed by the United States Department of Commerce and the European Commission, the UK Government, and the Swiss Federal Administration (collectively, “DPF”). This DPF Program Policy (the “Policy”) sets forth the privacy principles that MRI follows when processing Personal Data received from the EU, the UK, and Switzerland. The privacy principles in this Policy are based on the DPF Principles referenced above. For purposes of enforcing compliance with the DPF, MRI is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission. If there is any conflict between the terms in this Policy and the DPF Principles, the DPF Principles shall govern. To learn more about the DPF Program, please visit the U.S. Department of Commerce’s DPF website located at: https://www.dataprivacyframework.gov/s/. For a comprehensive list of all certified entities please visit: https://www.dataprivacyframework.gov/s/participant-search.
MRI’s Role as a Service Provider to its Customers and Prospective Customers
MRI is a leading provider of hosted and non-hosted enterprise real estate management software and services. Through its MRI SaaS solution, MRI offers maintenance, support and other services to its customers to store, manage, and configure their and their affiliates’ and/or customers’ real estate and investment management data. MRI provides its MRI SaaS solution to customers located in the EU, the UK, and Switzerland by hosting these solutions in MRI’s data centers located in the United States (US) or remotely from the EU, the UK, or the US. MRI provides product development services, maintenance and support, solution engineering services, professional technical services and product technical support services (collectively, the “Services”) to its hosted and non-hosted customers and prospective customers in the EU, the UK, and Switzerland through employees who may be located in the US, the EU, or the UK, or who may be present at the customer’s or prospective customer’s site in the EU, the UK, or Switzerland.
Customers using the MRI SaaS solution are responsible for managing the data that they store at MRI’s data centers. These responsibilities include determining the types of information that are stored, how that information will be used, to whom it will be disclosed, and for what purposes. Similarly, MRI’s hosted or non-hosted customers and prospective customers who share data with MRI in connection with any of its Services are responsible for deciding which categories of data will be shared and for what purposes except as otherwise contracted by the Customer and MRI. When MRI processes data received from a customer or prospective customer (“Customer Data”), whether for its MRI SaaS solution or in connection with its provision of the Services, MRI does so only pursuant to the customer’s or prospective customer’s instructions, prior authorization or written agreement with MRI.
The Customer’s and Prospective Customer’s Responsibilities with Respect to its Personal Data
MRI’s customers and prospective customers may choose to include Personal Data among the Customer Data stored at MRI’s data centers in the United States or shared with MRI in connection with its provision of Services in the US, the EU, the UK, or Switzerland. “Personal Data,” for purposes of this Policy, means any individually identifiable information about a natural person or any information from which an individual reasonably could be identified.
Before processing any information on behalf of its customers or prospective customers located in the EU, the UK, or Switzerland, MRI will enter into a written agreement with the customer or prospective customer responsible for the Personal Data in compliance with applicable data protection law. Under this agreement, the customer or prospective customer agrees to comply with all applicable data protection laws. MRI processes only the Personal Data that its customers or prospective customers have chosen to share with the Company. MRI has no direct or contractual relationship with the subject of this Personal Data (the “Data Subject”). As a result, when Customer Data includes Personal Data, the customer is solely responsible for satisfying all legal obligations owed directly to the Data Subject under applicable data protection laws. However, MRI recognizes the Data Subject’s right to access its Personal Data. A Data Subject who seeks to access, or who seeks to correct, amend, or delete inaccurate data should therefore direct his or her request to the customer that transferred such data to MRI for processing. The customer will then provide the necessary access to the individual as determined under the applicable local data protection law. MRI will assist its customers as needed to fulfill any such request.
In fulfilling its obligations involving Human Resources data (“HR data”), as defined in the DPF Program, MRI commits to cooperate with the competent EU, UK, or Swiss authorities, as applicable, and comply with advice given by the appropriate regulators with regard to HR data transferred from the EU, the UK, and/or Switzerland, as applicable. Personal Data collected by MRI in the provision of the Services is not generally considered HR data within the meaning of the DPF Program. However, should MRI process HR data entered into MRI’s software by the Company’s customers or prospective customers, the Company commits to fully cooperating with the appropriate regulatory bodies in any investigation. It is the MRI customer’s or prospective customer’s responsibility to ensure that Personal Data it collected can be legally collected in the country of origin. The customer or prospective customer is also responsible for providing to the Data Subject any notices required by applicable law and for responding appropriately to the Data Subject’s request to exercise his or her rights with respect to Personal Data. In addition, the customer or prospective customer is responsible for ensuring that its use of MRI’s SaaS solution or MRI’s Services is consistent with any privacy policy the customer or prospective customer has established and any notices it has provided to Data Subjects.
MRI is not responsible for its customer’s or prospective customer’s privacy policies or practices or for the customer’s or prospective customer’s compliance with them. MRI does not review, comment upon, or monitor its customer’s or prospective customer’s privacy policies or the customer’s or prospective customer’s compliance with such policies. MRI also does not review instructions or authorizations to MRI to determine whether the instructions or authorizations are in compliance with, or conflict with, the terms of a customer’s or prospective customer’s published privacy policy or of any notice provided to Data Subjects.
MRI’s Compliance with the DPF Principles
While MRI employees located in the EU, the UK, and Switzerland have responsibilities for providing services for MRI’s SaaS solutions customers and prospective customers and also for providing Services to other customers and prospective customers, MRI employees located at the Company’s headquarters and elsewhere in the US also provide Services and maintenance and support for MRI’s SaaS solution and other customers and prospective customers. To provide such Services and maintenance and support, MRI may be required to transfer Customer Data, including Personal Data, to the United States.
Without the customer’s or prospective customer’s prior authorization, transfers will consist exclusively of remote access to Personal Data physically in the EU, the UK, or Switzerland, and/or transfer of Personal and/or Client Data by MRI employees located in the U.S. (either (i) at MRI’s data centers in the US, in the case of an MRI SaaS solution customer or prospective customer; or (ii) at the customer’s or prospective customer’s own data center in the case of Services provided by MRI). MRI will not physically transfer any Personal Data stored in the EU, the UK, or Switzerland, to the US without the customer’s or prospective customer’s prior consent.
MRI will apply the following DPF Principles to Personal Data transferred to the US, whether physically or by remote access:
Notice
MRI works with our customers to help them provide notice of data processing to individuals, including information concerning (1) the purposes for which Personal Data is collected and used; (2) a contact person to whom enquiries or complaints may be directed; (3) the types of third parties to whom the Personal Data is disclosed; and (4) the choices and means the individuals are offered for limiting use and disclosure of Personal Data.
Choice
MRI supports our customers’ abilities to provide choice to Data Subjects on how Personal Data is processed by MRI. Where so requested by a Data Subject, MRI shall assist its customers in fulfilling a Data Subject’s access, rectification, erasure, or data portability request, a request to restrict processing of Personal Data, or an objection to processing.
Accountability for Onward Transfer
MRI will not disclose Personal Data, except as otherwise contractually committed, to a third party, except for subcontractors and third-party agents, who assist MRI in providing MRI’s SaaS solution or other Services to its customers and prospective customers. MRI will disclose Personal Data to a subcontractor or third-party agent only after informing the customer or prospective customer and obtaining the customer’s or prospective customer’s prior authorization for the disclosure. Before transferring Personal Data to a subcontractor or third-party agent, MRI will obtain assurances from the recipient that it will safeguard Personal Data in a manner consistent with this Policy. If MRI learns that a recipient is using or disclosing Personal Data in a manner contrary to this Policy, MRI will take reasonable steps to prevent such use or disclosure. Under the DPF, MRI may be liable for onward transfer of personal data to third parties.
MRI also may disclose Personal Data as required by applicable law, for example, in response to a court order or subpoena. Before making any such disclosure, MRI will promptly inform the customer or prospective customer, so it may take such actions as it deems necessary to protect the rights of Data Subjects.
Security For Personal Data
MRI is committed to safeguarding the Personal Data that it receives from the EU, the UK, and Switzerland. While MRI cannot guarantee the security of Personal Data, the Company takes reasonable precautions to protect Personal Data in the Company’s possession from loss, misappropriation and unauthorized access, disclosure and destruction.
MRI utilizes a combination of online and offline security technologies, procedures and organizational measures to help safeguard Personal Data. For example, facility security is designed to prevent unauthorized access to Company computers. Electronic security measures — including, for example, network access controls, passwords and access logging — provide reasonable protection from hacking and other unauthorized access. MRI also protects Personal Data through the use of firewalls, role-based restrictions and, where deemed appropriate by MRI, encryption technology. MRI limits access to Personal Data to employees, subcontractors, and third-party agents that have a specific business reason for accessing such Personal Data. Individuals who have been granted access to Personal Data will be made aware of their responsibilities to protect such information and will be provided training and instruction on how to do so.
Data Integrity and Purpose Limitation
MRI’s customers and prospective customers are responsible for ensuring that they collect only that Personal Data needed to accomplish the purposes disclosed to the Data Subject. They also are responsible for providing MRI with instructions for the processing of Personal Data consistent with the purposes stated in the notice. MRI will process Personal Data only in accordance with the customer’s or prospective customer’s instructions.
MRI’s customers and prospective customers also are responsible for ensuring that (a) the Personal Data they collect is accurate, complete, current and reliable for its intended uses; and (b) Personal Data is retained only for as long as is necessary to accomplish the customer’s or prospective customer’s legitimate business purposes or for as long as may be permitted or required by applicable law. MRI will cooperate with customers’ and prospective customers’ reasonable requests for assistance in meeting these obligations.
Access/Correction
When MRI receives Personal Data, it does so on its customer’s or prospective customer’s behalf. To request access to, or correction, amendment or deletion of, Personal Data, Data Subjects should contact the MRI customer or prospective customer that collected their Personal Data. MRI will cooperate with its customers’ and prospective customers’ reasonable requests for assistance in permitting Data Subjects to exercise their rights under applicable data protection laws.
Recourse, Enforcement, and Liability
MRI will conduct periodic self-assessments of its relevant practices to verify adherence to this Policy, the DPF Principles, and the DPF Program. Any employee who intentionally violates this Policy will be subject to disciplinary action up to and including termination of employment. In compliance with the DPF Principles, MRI commits to resolve complaints about our collection or use of your personal information. Any Data Subject who has a complaint concerning MRI’s processing of Personal Data should contact MRI’s Legal Department by emailing legal@mrisoftware.com or by calling 216-825-6710, or the MRI customer or prospective customer that collected the Data Subject’s Personal Data.
MRI has further committed to refer unresolved DPF complaints related to non-HR data to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit https://www.jamsadr.com/file-a-dpf-claim for more information on arbitration regarding the DPF Program or to file a complaint. The services of JAMS are provided at no cost to you. Finally, as a last resort and in limited situations, EU, UK, and Swiss individuals may seek redress from the DPF Panel, a binding arbitration mechanism.
MRI is committed to cooperating with the EU, the UK, and Swiss data protection authorities (DPAs) and to complying with the advice given by such authorities with regard to human resources data transferred from the EU, the UK, and Switzerland in the context of the employment relationship.
For More Information
Data Subjects with questions about MRI’s processing of Personal Data should first contact the MRI customer or prospective customer that collected the information. MRI’s Legal Contact can be contacted by email at legal@mrisoftware.com, by phone at 216-825-6710, or by mail at (Attn. Legal Department) 28925 Fountain Parkway, Solon, Ohio 44139 USA. The informational DPF website, created and managed by the U.S. Department of Commerce International Trade Administration, may be visited at the website https://www.dataprivacyframework.gov/s/.
Changes to this Data Protection Framework Program Policy
MRI may revise this Policy at any time. If the Company decides to change this Policy, the Company will post the revised Policy at this location.
Effective Date: 10 October 2023