Last updated: October 2023
Iron Mountain companies as data controllers
Iron Mountain Information Management, LLC in the U.S.A. and its subsidiaries (“Iron Mountain” or “We”) value your privacy. This Privacy Notice explains how Iron Mountain collects, uses, and shares information that identifies its customers, prospect customers, vendors, business partners and website visitors (“Personal Data”), when We act as a data controller. A data controller is an entity that decides why and how Personal Data is used (processed).
Iron Mountain’s global standards and local rules
This Privacy Notice sets forth our global privacy standards.
Apart from Iron Mountain’s global standards, We adhere to all relevant and applicable local privacy laws. Thus, depending on the region where our business is located, we comply, among others, with the General Data Protection Regulation 2016/679 (EU GDPR) and the data protection laws applicable in the EEA countries where We operate; the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018; the California Consumer Privacy Act 2018 (CCPA); the Brazil General Data Protection Law 2020 (LGPD); the China Personal Information Protection Law 2021 (PIPL); and the Singapore Personal Data Protection Act 2012.
Country Supplements and local Privacy Notices
Certain Iron Mountain subsidiaries may be obliged to adhere to local data protection laws that require the disclosure of their own country-specific privacy statements (that are usually provided to you by our local Iron Mountain subsidiary at the time of Personal Data collection). You can access the country-specific supplements here:
For the translated version of this Privacy Notice, please see relevant country websites. For instance, the German version of this document is accessible at our German language websites.
Legal grounds for processing
We conduct our business with privacy and data protection in mind. We ensure that processing has a legitimate basis and is compliant with applicable privacy law. In most cases We collect and use your Personal Data based on the following legal grounds:
- Contract performance: when processing is necessary to conclude and perform contracts with our customers, vendors, business partners, or other stakeholders;
- Consent: when We have obtained your consent for processing your Personal Data (e.g., for sending marketing communications about our products or services or tracking your activities on our websites via cookies to improve your customer experiences);
- Legitimate interest: when We wish to fulfill our legitimate business purposes (e.g., for displaying website content relevant to your geographical location or otherwise customize). We rely on legitimate interest only if this is proportionate and guarantees a good balance between our business goals and your privacy rights;
- Compliance with applicable laws: when processing is necessary to comply with the relevant legal or regulatory obligations that We have (e.g., when We need to share Personal Data with the public and tax authorities).
Collection and Use of Personal Data
Depending on your relationship with Iron Mountain and subject to the applicable laws and regulations, We may collect and use your Personal Data as follows:
- Business Contact Details (customers, prospect customers, vendors): business contact information (e.g., business contact, professional address, telephone number); personal data of customers’ and vendors’ representatives (e.g., name, contact details); structured data (e.g., proprietary data); technical information (e.g., customer portal, user IDs and passwords, access logs), processed for the following main purposes: contract negotiation and execution, regulatory compliance, business developments and relations, claim management, administration, accounting, improving our services and providing them to customers.
- Audit, Investigations, Due Diligence Personal Data (customers, vendors): name, contact details (e.g., address, phone number, email address), title/function, tax number, bank account information as well as other information relating to the vendor or customer relationship, processed for the following main purposes: audit, investigation, operational security, regulatory compliance, due diligence screening, claims management, litigation purposes.
- Online Collection of Personal Data (website visitors): information collected via Iron Mountain websites such as contact details, login credentials, online comments, and feedback from online forums and surveys etc., processed for the following main purposes: enabling efficient use of our websites, optimising the functionality of such websites, engaging with customers/prospects and suppliers in online forums, conducting and evaluating customer satisfaction.
- Children Personal Data: We are concerned about the safety of children when they use the Internet and will never knowingly collect Personal Data from minors (children under 16 years of age, or any other age defined under applicable law).
- Direct Marketing (customers, prospect customers): We might use your business contact details (e.g., e-mail) to provide you with information about our products and services which We believe might be of interest to you. For this purpose, We may also create a personal profile containing business-related information on the company you work for or the interactions between us with the aim of being able to offer you and the company you work for relevant information and suitable offers for our services and products and to improve our personal communication with you. Iron Mountain will only send you such communications (e.g., by email and/or contact you by telephone) if you gave us your prior consent to receive it (“opt in consent”) or as permitted until you have opted out of receiving such communications. Withdrawal of consent or opting out for marketing communication: If you are receiving marketing communications but would no longer like to, you may withdraw your consent or opt out at any time here.
We collect Personal Data from the following sources:
- customers and prospect customers (legal entities and individuals)
- customers’ representatives and proxies (e.g., individuals representing the company for the purpose of contract management)
- Iron Mountain website visitors
- third parties (Iron Mountain’s vendors)
- Iron Mountain companies, affiliates
- public enforcement authorities, including tax authorities, courts, administrative authorities etc.
- publicly available sources (professional social media; official registers etc.), to the extent allowed by applicable law and regulations.
Collecting Personal Data as a data processor
We process Personal Data of our customers as a data processor without reviewing the content or origin of such Personal Data. We may collect, store and process such Personal Data solely on our customers’ behalf and at their direction. Our customers who use our services in this way are data controllers and are responsible for obtaining any consents and permissions and for providing any privacy notice required for the collection and use of such information.
We may share your Personal Data internally (within the Iron Mountain company group) and externally (to third parties such as our suppliers, advisors, business partners for Iron Mountain). Subject to applicable law and regulations, We may share and/or disclose your Personal Data in the ways explained in this Section.
Internal sharing: Iron Mountain has its headquarters in Boston, Massachusetts (U.S.A), but operates worldwide. Thus, to achieve business goals – with privacy in mind – We may share your Personal Data with other Iron Mountain subsidiaries in accordance with, and as described by, this Notice.
External sharing: We may also share your Personal Data with third parties, including:
- Iron Mountain suppliers: providing services to Iron Mountain may require processing of your Personal Data (e.g., providing customer relationship management tool or general IT support, distributing marketing materials, etc.). In this case, these entities may receive and process your Personal Data only under Iron Mountain’s instructions and for the purposes of carrying out services for us.
- Other third parties for sale, merger, transfer of a business or division purposes: this also includes due diligence screening purposes which may also require the disclosure of Personal Data to Iron Mountain’s consultants or financial auditors.
- Public authorities: We may also have a legal obligation to disclose your Personal Data, even without your permission. The purposes of such disclosures include among others: (a) responding to lawful requests of public authorities, regulators, and law enforcement authorities and (b) protecting Iron Mountain’s rights and properties.
Iron Mountain data sharing standards
We will not share your Personal Data with third parties without your consent, unless to: (a) fulfil a legitimate business purpose of Iron Mountain (e.g., to use a service delivered by a supplier); (b) respond to duly authorised requests of public authorities; (c) comply with applicable laws and regulations; (d) enforce/protect the rights and properties of Iron Mountain; or (e) protect the rights of our employees, and other individuals using Iron Mountain property when allowed and in each case in accordance with applicable law. We do not and will not sell your personal data.
Your Personal Data may be transferred to or accessed by other Iron Mountain companies and subsidiaries and third parties globally. The recipients may be located in countries that do not provide an adequate level of protection to your Personal Data from the perspective of the origin country.
We ensure that Personal Data, subject to the transfer, is adequately protected as required by the applicable data protection laws of the origin country. While transferring your Personal Data, We normally rely on one or more of the following:
- Standard Contractual Clauses (“SCCs”) for international transfers of Personal Data, as may be applicable and relevant, (e.g., transfer of EU/UK/Swiss Personal Data to countries such as the U.S.A and India). If you would like to receive more information about the appropriate safeguards and/or receive a copy of the SCCs for your review, please contact us at firstname.lastname@example.org.
- Where required by applicable law, We request your consent for transfer of your Personal Data.
- Iron Mountain has executed an intercompany agreement on the transfer and processing of Personal Data within its company group to enable internal transfer of Personal Data.
- Iron Mountain complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). You may find more information here.
We will retain your Personal Data for as long as is reasonably necessary for the purposes for which it was collected, as explained in this Notice. In some circumstances We may retain your Personal Data for longer periods of time, for instance where We are required to do so in accordance with legal, regulatory, tax or accounting requirements. In specific circumstances We may retain your Personal Data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if We reasonably believe there is a prospect of litigation relating to your Personal Data or dealings.
Where We have obtained your Personal Data in order to provide you with marketing information for our products and services, your Personal Data will be stored by us as long as you do not change your mind about receiving such information or, if required by law, it will be removed earlier if you do not show any interest in our products and services following our communications (i.e. you are inactive) in order to avoid future contact with you for marketing purposes. We maintain a data retention notice which we apply to records in our care. Where your Personal Data is no longer required We either delete it by erasing electronic files and shredding physical records or anonymise it in a way that We are no longer able to identify you. Iron Mountain has dedicated internal policies that keep us compliant with the retention rules.
We always protect your Personal Data in accordance with the highest security standards. To ensure protection of your Personal Data from loss or unauthorised use, access, or disclosure, We always apply appropriate technical, organisational and administrative measures. Some of the steps We take are: placing confidentiality requirements on our staff members and service providers; destroying or permanently anonymising Personal Data if it is no longer needed for the purposes for which it was collected. We always check current market standard norms (e.g., ISO norms) and stay up to date with the newest security measures appropriate to the risk related to protection of your Personal Data.
We respect your data subject/consumer rights and, as provided for by applicable privacy laws, you may exercise your right(s) to:
- access and obtain a copy of your Personal Data – note that We may need to check your identity first to avoid disclosure to any unauthorised person and also respect the right to privacy of other individuals when providing you access or copy of your Personal Data;
- rectify or erase your Personal Data – if data is inaccurate or incomplete;
- restrict the processing of your Personal Data – e.g., when you question the accuracy of processing, and We restrict processing only until your request is verified;
- delete or anonymise your Personal Data (under GDPR “right to be forgotten”) unless there are exceptions, e.g., when law allows us such processing;
- ensure so-called “data portability” - upon your request, Iron Mountain might “transfer” your Personal Data to another organisation/company if processing is based on your consent or the performance of a contract;
- object to the processing of your Personal Data - e.g., when We process your Personal Data based on our legitimate interest or for direct marketing purposes and the processing is carried out by automated means;
- obtain a copy of Personal Data safeguards applied for transfers outside your jurisdiction - e.g., the copy of SCCs;
- lodge a complaint with your local supervisory authority: Data Protection Authority, e.g., ICO in the UK;
- withdraw your consent for the processing of your Personal Data (however this does not affect the lawfulness of processing based on consent before its withdrawal).
Subject to legal and other permissible considerations, We will make every reasonable effort to respond to your request as soon as possible (in any case within the timeframe required by law) or inform you if We require further information to fulfil your request. In some cases, your ability to access or control your Personal Data will be limited, as required, or permitted by applicable law. We may ask you for additional information to verify your identity and for security purposes, before disclosing the requested Personal Data to you. We also reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
If you have a privacy concern, complaint or question for Iron Mountain, please contact us:
Global Privacy & Compliance
Global Privacy Officer
EEA/UK Group Data Protection Officer
You may find both the name of our local subsidiary and contact details here (for Crozier entities here) by selecting region and country. We will aim to ensure that your complaint is resolved in a timely and appropriate manner and treat your requests and complaints confidentially. Our representative will contact you within a reasonable time after receipt of your complaint observing whether there are any local rules that indicate a deadline to resolve your request.
We will publish a revised version of this Privacy Notice any time when we update it with the revision date set out in the document. The privacy notice/policy link of each Iron Mountain website will easily direct you to that newest version of this Privacy Notice.