Automattic’s Notice of Certification Under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks for WordPress.com VIP Services

Automattic Inc. (“Automattic” or “we”) certified certain of our services, in which we act as a data processor, under the EU-U.S. Privacy Shield Framework and the Swiss–U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce, as further specified below. To learn more about these Privacy Shield programs, and to view our certification, please visit https://www.privacyshield.gov/.

 

Scope of Personal Data Covered by Automattic’s Privacy Shield Certification

Automattic’s WordPress.com VIP service provides website hosting, support and professional services to enterprises and other high profile, high traffic online publishers.

The WordPress.com VIP service is primarily an online publishing system, built on the popular WordPress open source platform. VIP clients use the WordPress.com VIP service to build, publish, maintain, and support websites that often serve as the face of their business or publication. In the course of using the service, WordPress.com VIP clients may create and upload data for public dissemination, such as articles and other website content, much of which is ultimately published publicly to their site. VIP clients may also create or collect other types of data, in the course of the operation and use of their site.

In connection with our WordPress.com VIP service, our VIP clients may provide personal data to Automattic about their own customers and end users in participating EU countries and Switzerland that the VIP clients (the data controllers) collect through the operation and use of their websites (“VIP Services Personal Data”). VIP clients may collect VIP Services Personal Data when, for example, (1) an end user creates an account with the VIP client (for clarity, not a WordPress.com account); (2) a VIP client administrator adds content to the site that may include VIP Services Personal Data, or (3) a VIP client provides directory or other information about its end users as part of an intranet (i.e., a website that is only accessible to authorized, internal personnel) used by that VIP client. The type of VIP Services Personal Data varies by each VIP client, but typically includes personal data that allows our VIP clients’ customers and end users to access and use the VIP client’s website, such as a username and e-mail address. Automattic adheres to the principles of the EU-U.S. and Swiss-U.S Privacy Shield frameworks with respect to VIP Services Personal Data.

This Privacy Shield Certification applies to our core WordPress.com VIP services, and does not include any plug-ins provided by third parties or Automattic (e.g., Jetpack and WooCommerce), or any other software or services, that our VIP clients elect to use on their websites. The certification also does not cover personal data related to WordPress.com user accounts or our standard WordPress.com service, but you can read more about our privacy policy for that personal data here: https://automattic.com/privacy/.

 

Our Collection, Use and Sharing of VIP Services Personal Data

Why Automattic Collects and Uses VIP Services Personal Data

Our VIP services include hosting, support, and other professional services to optimize WordPress.com for security, performance and scalability. We process VIP Services Personal Data as a data processor for the purpose of providing VIP services to our VIP clients―for example, to allow VIP clients’ customers to interact with and use the VIP clients’ websites, follow the instructions from our VIP clients, and fulfill obligations that we have under our contracts with our VIP clients.

 

Sharing of VIP Services Personal Data with Third Parties

We may transfer VIP Services Personal Data to third party service providers who help us provide our VIP services to our VIP clients.

Under certain circumstances, we may remain liable for the acts of those third-party service providers for their handling of VIP Services Personal Data that we transfer to them.

 

Compelled Disclosure

We may be required to disclose VIP Services Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

 

Your Rights With Respect to VIP Services Personal Data

Requests for Access, Correction, or Deletion of VIP Services Personal Data

Individuals in the EU and Switzerland have rights to access personal data about them, and to limit use and disclosure of their personal data. If you are an individual in the EU or Switzerland who believes that you are a customer or end user of one of our VIP clients, and wish to request access to (or to limit use or disclosure of) any VIP Services Personal Data that we may have about you, you can submit a written request to us at vipprivacyshield@automattic.com.

 

Since we act as a service provider to our VIP clients, we will direct the inquiry to the applicable VIP client(s), who can respond to your request. Please include the name of the applicable VIP cient(s) in your request, if known, so that we can refer the request to them.

 

Dispute Resolution

If you are an individual in the EU or Switzerland who believes that your personal data is included in the VIP Services Personal Data, you may direct any concerns or complaints to us at vipprivacyshield@automattic.com.

If we do not resolve your complaint, you may contact JAMS, our designated independent dispute resolution provider for Privacy Shield inquiries. You can contact JAMS, which is based in the United States, through its website at the following link:

https://www.jamsadr.com/eu-us-privacy-shield

If neither Automattic nor JAMS resolves your complaint, you may, in certain circumstances, be able to seek binding arbitration through the Privacy Shield Panel. You can read more about binding arbitration in Annex I to the Privacy Shield Principles.

 

Other Things You Should Know

Our commitments under the Privacy Shield are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.