HEWLETT PACKARD ENTERPRISE PRIVACY STATEMENT
This Privacy Statement is effective as of December 21, 2022.
Hewlett Packard Enterprise Company and its subsidiaries (HPE or We) respect your privacy. This Privacy Statement informs you about our privacy practices including details of the personal data we collect, use, disclose and transfer as well as choices you can make and rights you can exercise in relation to your personal data. This Privacy Statement is available from a link on the footer of every HPE web page.
HPE respects and takes into account the major privacy principles and frameworks around the world, including, but not limited to, the OECD Guidelines on the Protection of Privacy and Transborder Flows, the EU General Data Protection Regulation 2016/679 (GDPR), and the APEC Privacy Framework. HPE’s privacy practices described in this Privacy Statement also comply with the APEC Cross Border Privacy Rules (CBPR) System.
1. How we use personal data
We collect personal data only if required to provide our products or services, fulfil our legitimate business purposes and/or comply with applicable laws and regulations. Depending on your relationship with HPE we collect and process your personal data as follows:
- HPE products and services: contact details, login credentials and interactions with our digital assets and content, for the following main purposes: account creation and management; entering into and performing agreements with you or your organization; providing support and tools to activate licenses and request support; managing and fulfilling orders; deploying and delivering products and services; conducting quality controls; managing returns of defective media; operating and providing access to customer portals, hosted management services and mobile applications; consulting; notifications of contract expiry and renewal options; developing and improving our products and services and ensuring compliance with regulatory requirements.
- HPE Financial Services: contact details, driving license, passport, identity card details, records of good standing and other information as may be relevant (e.g., information from publicly available resources) for the following main purposes: providing lease, loan, and other financial services; conducting anti-money laundering and other regulatory checks; initiating credit approval process and facilitating the purchase and resale of equipment.
- Sales and marketing: contact details, identification information, information required to purchase our products and services online, profile, role and preferences, login credentials, digital activity information and other information as may be relevant (e.g. information from publicly available sources) for the following main purposes: sales and marketing; advertising; creating and delivering targeted adverts and offers; conducting marketing campaigns; managing contacts and preferences; generating leads and opportunities; managing lead generation activities; sales engagement activities; organizing and managing events, webinars, virtual meetings; and engaging in social media interactions.
- Online Data Collection Tools: digital activity information for the following main purposes: enabling efficient use of our websites, mobile applications, products, and services; collecting statistics to optimize the functionality of our websites, mobile applications, products and services; improving user experience and delivering content tailored to their interests; and improving marketing and advertising campaigns.
- Online forums and surveys: contact details, login credentials, comments, and feedback for the following main purposes: engaging with partners and suppliers in online forums; conducting customer satisfaction and engagement surveys.
- Partner and supplier programs: contact details for the following main purposes: managing relations with partners and suppliers; engaging and delivering products and services to customers in which case we may receive personal data directly from you or from our partners.
- Training and education: contact details for the main purpose of conducting trainings and managing education programs for customers, partners, and suppliers.
- Due diligence screening: contact details and other information as may be relevant (e.g., information from publicly available sources) for the following main purposes: conducting anticorruption due diligence on third parties and conducting required investigations, in compliance with applicable laws.
- Brand-protection programs: contact details, login credentials and other relevant information (e.g. information from publicly available sources) for the main purpose of conducting investigations into HPE product-related fraud, compliance, grey marketing, theft and/or counterfeit.
- Security and authentication: contact details, identification information and CCTV footage for the following main purposes: ensuring safety and security of HPE staff and premises; login credentials, protecting HPE’s network and other digital assets; providing access to restricted areas and information assets and protecting personal data from unauthorized access.
- Whistleblowing: contact details and information about alleged misconducts for the main purpose of detecting, preventing, and investigating misconduct by HPE staff, customers, partners, and suppliers.
- Enquiries and complaints: contact details and information included in enquires and complaints for the main purpose of addressing and resolving enquiries and complaints.
- Recruitment: contact details for the purpose of sending job alert subscriptions managed by HPE or our recruitment partners; contact details and information made publicly available on professional social networks such as LinkedIn for the purpose of identifying and contacting potential job candidates. For information regarding personal data processed in connection with a job application or job offer, please refer to our Recruitment Notice.
- Student virtual work experience programs through the Forage platform (for students 18 and older): profile information (e.g., contact details, photo) education (e.g., school, degree, stage of degree), work preferences (e.g., location, type of work, skills), country and inferences.
- Mergers and acquisitions: contact details and information included in enquires and pulse surveys for the following main purposes: addressing queries and shaping and refining the on-boarding and integration experience.
2. How we share personal data
HPE does not sell, rent, or lease personal data to others except as described in this Privacy Statement. We may share and/or disclose your personal data as follows:
Disclosure within the HPE group of companies. HPE has its headquarters in the United States of America and operates worldwide. HPE may disclose your personal data as necessary within the HPE group of companies in connection with how we use your personal data.
Disclosure to third parties. HPE retains suppliers and service providers to manage or support its business operations, provide professional services, deliver products, services, and customer solutions and to assist HPE with marketing and sales communication initiatives. Those third parties may receive and process your personal data under appropriate instructions, as necessary to support and facilitate how we use your personal data. Suppliers and service providers are required by contract to keep confidential and secure the information they process on behalf of HPE and may not use it for any purpose other than to carry out the services they are performing for HPE.
Where HPE engages with partners, resellers and/or distributors as part of its business operations, HPE may disclose your personal data to them in order to facilitate sales and delivery of its products and services. Partners, resellers and/or distributors are required by contract to keep confidential and secure the information received from HPE and may use it only for the said purposes, unless otherwise authorized by you or applicable laws and regulations.
Except as described in this Privacy Statement, HPE will not share your personal data with third parties without your permission, unless to: (i) respond to duly authorized information requests of police and governmental authorities; (ii) comply with law, regulation, subpoena, or court order; (iii) enforce/protect the rights and properties of HPE or its subsidiaries; or (iv) protect the rights or personal safety of HPE, our employees, and third parties on or using HPE property when allowed and in each case in accordance with applicable law.
Circumstances may arise where, whether for strategic or other business reasons, HPE decides to sell, buy, merge, or otherwise reorganize businesses in some countries. Such a transaction may involve the disclosure of personal data to prospective or actual purchasers, or the receipt of it from sellers. It is HPE’s practice to seek appropriate contractual protection for personal data in these types of transactions.
3. How we transfer personal data internationally
HPE may transfer your personal data as necessary within the HPE group of companies and to other third parties. The recipients may be located in countries which do not provide the same level of data protection as the country in which you are located. HPE will take steps to ensure personal data we transfer is adequately protected as required by applicable data protection laws. Where required by local law, we will request your consent to transfer your personal data.
Transfers within HPE group of companies. HPE has an intra-company agreement on the transfer and processing of personal data within the HPE group of companies. This agreement also forms the basis of HPE’s Binding Corporate Rules for Controller which have been approved by the Data Protection Regulators in Europe and some other countries. The BCRs allow HPE to ensure that personal data transferred internationally within the HPE group is adequately protected in accordance with applicable data protection laws. If you would like to learn more about our BCRs and the countries that have approved them, please click here.
HPE’s privacy practices described in this Privacy Statement comply with the APEC Cross Border Privacy Rules (CBPR) System, including transparency, accountability, and choice regarding the collection and use of personal data. The CBPR system provides a framework for organizations to ensure protection of personal data transferred among participating APEC economies. More information about the CBPR framework can be found here. The CBPR certification does not cover information that may be collected through downloadable software on third party platforms. If you have an unresolved privacy or data use concern related to HPE’s APEC Certification that we have not addressed satisfactory, please contact our U.S. based third party dispute resolution here.
Transfers to third parties. With respect to transfers to third parties located in countries which do not provide an adequate level of data protection, HPE will take appropriate safeguards such as signing EU Standard Contractual Clauses, or other model clauses approved by a data protection authority, with the recipient, relying on approved codes of conduct or certification mechanisms adopted by the recipient or binding and enforceable commitments of the recipient. If you would like to receive more information about the appropriate safeguards and/or receive a copy of the relevant mechanism for your review, please contact the HPE Privacy Office.
4. How to manage communications and preferences
HPE may provide you with information that complements our products and services and/or communications about our new products, services and offers. If you or your organization purchased our products or services, you may receive alerts, software updates or responses to support requests that are part of our products and services. If you choose to receive HPE communications, you may also choose to subscribe to receive specific newsletters and publications. In some cases, you may also choose whether to receive the information and communication by email, telephone, or post.
Manage communication choices. You can change your choices and preferences relating to HPE communications by:
- Accessing online - Get connected with updates from HPE, indicating or changing your preferences and providing your email address;
- Accessing HPE MyAccount, a single-login service that lets you register with HPE enabled websites using a single user identifier and password of your choice. HPE MyAccount allows you to set your privacy preferences for email and telephone contact from HPE.
Unsubscribe from communications. In the event you no longer wish to receive HPE communications, you can unsubscribe from such communications by:
- Following opt-out or unsubscribe link and/or instructions included in each email subscription communication;
- Accessing the Communication preference center, selecting “Unsubscribe” and providing your email address;
- Indicating to the caller that you do not wish receive calls from HPE anymore.
In the event your opt-out or unsubscribe request has not been resolved in a timely manner, please contact the HPE Privacy Office with details of your name, contact information, and description of the communications you no longer wish to receive from HPE.
Please note that these options do not apply to communications relating to the administration of orders, contracts, support, product safety warnings, or other administrative and transactional notices, where the primary purpose of these communications is not promotional in nature.
5. Automatic Data Collection Tools
HPE also allows third-party advertising companies to use Automatic Data Collection Tools on our web sites and applications in order to understand how you interact with our web sites and applications, to optimize our advertisements and marketing and to serve advertisements specific to your interests on other web sites and applications you may visit or use. HPE may use retargeting and behavioral advertising technologies, a set of practices collectively referred to as “Interest Based Advertising” to tailor those advertisements to your perceived interests based on information collected through Automatic Data Collection Tools.
Automatic Data Collection Tools may also be used when you share information using a social media sharing button on our websites. The social network will record that you have done this and may use this information to send you targeted advertisements. The types of Automatic Data Collection Tools used by these companies and how they use the information is governed by their privacy policies.
When you enter your contact details on a web form on an hpe.com site, in order to subscribe to a service, download a white paper or request information about HPE’s products and services, your contact details may be stored in a cookie on your device. This information is then accessed on subsequent visits to hpe.com sites, allowing us to track and record the sites you have visited and the links you have clicked, in order to better personalize your on-line experience, and future HPE communications.
If you choose to receive marketing emails or newsletters from HPE, we may track whether you’ve opened those messages and whether you’ve clicked on links contained within those messages, through the use of web beacons and personalized URLs embedded in these communications. This allows HPE to better personalize future communications and limit these communications to subjects that are of interest to you.
Choices Regarding Automatic Data Collection & Online Tracking. While HPE web sites at this time do not recognize automated browser signals regarding tracking mechanisms, such as "do not track" instructions, you can generally express your privacy preferences regarding the use of most Automatic Data Collection Tools through your web browser or device settings. You can set your browser in most instances to notify you before you receive certain Automatic Data Collection Tools, giving you the chance to decide whether to accept them or not. You can also generally set your browser or device to turn off certain Automatic Data Collection Tools. If you are accessing our web sites or applications in countries of the European Union (EU), or countries where the EU regulations apply, you are given the choice to accept or refuse our use of non-essential cookies (as described in the section titled ‘How HPE uses Automatic Data Collection Tools’ above) through a ‘cookie preference’ banner that appears on our web pages. The banner stops being displayed when you have made your choice, but it can be brought back on display by selecting the ‘Cookies’ link on the footer of every HPE web page. California residents may have additional choices as described in the Specific Information for California Residents page.
Since these Automatic Data Collection Tools allow you to take advantage of some of our web sites' and applications’ features, we recommend that you leave them turned on. If you block, turn off or otherwise reject certain Automatic Data Collection Tools, some web pages or user experiences may not display properly or you will not be able, for instance, to add items to your shopping cart, proceed to checkout, or use any web site services that require you to sign in.
HPE participates in the Digital Advertising Alliance (DAA and DAAC) self-regulatory program for digital online advertising (see http://www.aboutads.info/ or http://youradchoices.com/ in the US and http://youradchoices.ca/ in Canada). HPE advertisements that are targeted to you will be identified with the Ad Choices icon . If you do not want this information to be used for serving you targeted advertisements on web sites you may visit, you can click here to opt-out. For applications, please update your device settings. This will allow you to access and update your preferences. Please note that this does not opt you out of being served non-targeted advertising.
Some of our websites use Google Analytics cookies. Information collected by Google Analytics cookies will be transmitted to and stored by Google on servers in the United States of America in accordance with its privacy practices. To see an overview of privacy at Google and how this applies to Google Analytics, visit https://www.google.com/policies/privacy/. You may opt out of tracking by Google Analytics by visiting https://tools.google.com/dlpage/gaoptout.
In the USA and Canada, we participate in the Adobe Marketing Cloud Device Co-op. This helps us understand how you use our websites and apps across all the devices you use and deliver tailored promotions based on your interests to those devices. You can learn more about how Adobe does this, and how to opt-out, at https://www.adobe.com/privacy/opt-out.html .
6. How we keep personal data secure
HPE takes seriously the trust you place in us to protect your personal data. In order to protect your personal data from loss, or unauthorized use, access or disclosure, HPE utilizes reasonable and appropriate physical, technical, and administrative procedures to safeguard the information we collect and process. All systems used to support HPE’s business are governed by HPE’s corporate Cyber Security policies, which are built upon industry standards and best practices like the International Organization for Standardization (ISO) 27001 family of standards and National Institute of Standards and Technology (NIST) standards.
When collecting or transferring sensitive information we use a variety of additional security technologies and procedures to help protect your personal data from unauthorized access, use, or disclosure. The personal data you provide us is stored on computer systems locked in controlled facilities which have limited access. Access to your information is restricted to HPE employees or authorized third parties who need to know that information in order to process it for us, and who are subject to strict confidentiality obligations. When we transmit sensitive information over the internet, we protect it through the use of encryption, such as the Transport Layer Security (TLS), Internet Protocol Security (IPSec), or Secure Socket Layer (SSL).
7. How long we keep personal data
Typically, we keep personal data for the length of any contractual relationship and, to the extent permitted by applicable laws, after the end of that relationship for as long as necessary to perform purposes set out in this Privacy Statement, to protect HPE from legal claims and administer our business. When we no longer need to use personal data, we will delete it from our systems and records or take steps to anonymize the data unless we need to keep it longer to comply with a legal or regulatory obligation. If you would like to receive more information about our data retention policies, please contact the HPE Privacy Office.
8. How to exercise your rights and additional information
Our privacy practices are aligned with the requirements of Europe’s General Data Protection Regulation (GDPR) and the applicable data protection laws of other countries in which we operate. We respect the rights individuals have in relation to their personal data under these laws. Depending on what data protection laws you are subject to, this additional information may be relevant and applicable to you.
Data controllers. Companies from the HPE group of companies may act as data controllers in relation to your personal data for the processing of personal data described in this Privacy Statement. You can find the up-to-date list of the HPE group of companies by clicking here. If you would like to receive more information about which HPE entity acts as data controller for your personal data, please contact the HPE Privacy Office.
Chief Privacy Officer. HPE has appointed a Chief Privacy Officer (CPO), Margaret Gloeckle, who also acts as the local Data Protection Officer in many countries we operate in. We also have local Data Protection Officers in certain countries, such as Germany and Poland. You can contact the CPO/DPO by completing the form available here or in writing to:
Hewlett Packard Enterprise
Office of Legal & Administrative Affairs – ATTENTION PRIVACY OFFICE
1701 E Mossy Oaks Rd
Spring, TX 77389
Legal basis to process personal data. We process your personal data on the following legal bases:
- Legitimate Interest. We may process your personal data as required to pursue our legitimate business interests (provided this is not overridden by interests or rights of relevant individuals). In particular, to manage, develop and improve our products and services; support our customers and sales operations; protect our staff and assets; communicate information that supplements our products and services and ensure compliance with laws and regulations.
- Performance of an agreement. We may process your personal data to enter into or fulfil agreements with your or your organizations, including to deliver and manage our products and services and allow our customers to use our products, services and supporting tools.
- Legal obligation. We may process your personal data to comply with applicable laws and regulations, establish or exercise our legal rights. For example, in connection with legal claims, compliance, regulatory and investigative purposes.
- Consent. We may process your personal data where you have provided your consent. In particular, where we cannot rely on an alternative legal basis or we are required by law to ask for your consent in the context of some of our sales and marketing activities, online data collection tools, or surveys. At any time, you have a right to withdraw your consent by changing your communication choices, unsubscribing from HPE communications or contacting the HPE Privacy Office.
Your rights in relation to your personal data. Depending on what data protection laws you are subject to, you may have the right to:
- Request confirmation of the processing of your data, access or obtain copies of personal data HPE processes about you;
- Rectify your personal data, if inaccurate or incomplete;
- Delete or anonymize your personal data, unless an exception applies. For instance, we may need to keep your personal data to comply with legal obligation;
- Restrict the processing of your personal data, in certain circumstances. For instance, if you contest accuracy of your personal data you may request that we restrict processing of your personal data for the time enabling us to verify the accuracy of your personal data;
- Request to limit certain uses and disclosures of your sensitive personal information;
- Opt-out of the sharing of your personal data for purposes of behavioral advertising;
- Data portability, in certain circumstances. For instance, in the EU you may request us to transmit some of your personal data to another organization if the processing is based on your consent or a contract;
- Object to processing of your personal data, in certain circumstances. For instance, in the EU you may object to direct marketing including use of your personal data for profiling for direct marketing or where we process your personal data because we have legitimate interest in doing so.
- Obtain information about the entities with which HPE has shared your personal data;
- Withdraw consent to the processing of your personal data.
California residents may opt-out from the “sale” or "share" of personal information, i.e. our use of optional Automatic Data Collection Tools, by visiting the “Do Not Sell or Share My Personal Information” page.
These rights may be limited in some situations such as where HPE can demonstrate that HPE has a legal requirement or legitimate interest to process your personal data or can legitimately apply an exemption to the exercise of a right under applicable law.
To view and update the personal data you provided directly to HPE, you can return to the web page where you originally submitted your data and follow the instructions on that web page, using HPE Passport where enabled. Otherwise, please contact us by completing the form available here or by writing to the CPO at the address indicated in the Chief Privacy Officer section above. To protect your privacy and security, we will take reasonable steps to verify your identity before processing your request. Complaint with a supervisory authority. If you consider that the processing of your personal data infringes applicable data protection laws, you may have a right to lodge a complaint with a supervisory authority in the country where you live, or work, or where you consider that data protection rules have been breached.
Your rights under HPE Binding Corporate Rules. You may have additional rights under our BCRs in Europe and other countries that have approved our BCRs. For example, as a third party beneficiary, where you believe your personal data has been transferred by an EU HPE company to an HPE company located outside the EU and processed by that company in breach of the BCR, you may have a right to:
- Lodge a complaint with the HPE company which transferred your personal data outside the EU ;
- Lodge a complaint with a supervisory authority located in the same country as the HPE company which transferred your data outside the EU;
- Bring a court action against the HPE company which transferred your personal data outside the EU.
If HPE processes your personal data on behalf of an HPE customer, then we will, in the first instance, refer your complaint to our customer to handle.
9. How to contact us
If you have any questions about our Privacy Statement, any concerns or complaint regarding our collection and use of your personal data or wish to report a possible breach of your privacy, please contact the HPE Privacy Office by email or write to our worldwide corporate headquarters address below.
We will treat your requests and complaints confidentially. Our representative will contact you within a reasonable time after receipt of your complaint to address your concerns and outline options regarding how they may be resolved. We will aim to ensure that your complaint is resolved in timely and appropriate manner.
World Wide Corporate Headquarters
Hewlett Packard Enterprise
Office of Legal & Administrative Affairs
ATTENTION -PRIVACY OFFICE
1701 E Mossy Oaks Rd
Spring, TX 77389
10. Changes to this Privacy Statement
If we modify this Privacy Statement, we will publish a revised version with an updated revision date. The privacy link on the footer of every HPE web page will then point to that new version.
11. Local language versions of this Privacy Statement and country supplements