Automattic’s Notice of Certification Under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks for WordPress VIP Services
Automattic Inc. and our U.S. subsidiary WPVIP Inc. (together “Automattic” or “we”) certified certain of our services, in which we act as a data processor, under the EU-U.S. Privacy Shield Framework and the Swiss–U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce, for personal information transferred from the European Union, the United Kingdom and Switzerland, as further specified below. To learn more about these Privacy Shield programs, and to view our certification, please visit https://www.privacyshield.gov/.
Scope of Personal Data Covered by Automattic’s Privacy Shield Certification
Automattic’s WordPress VIP service provides website hosting, support and professional services to enterprises and other high profile, high traffic online publishers.
The WordPress VIP service is primarily an online publishing system, built on the popular WordPress open source platform. WordPress VIP clients use the WordPress VIP service to build, publish, maintain, and support websites that often serve as the face of their business or publication. In the course of using the service, WordPress VIP clients may create and upload data for public dissemination, such as articles and other website content, much of which is ultimately published publicly to their site. WordPress VIP clients may also create or collect other types of data, in the course of the operation and use of their site.
In connection with our WordPress VIP website hosting service, our WordPress VIP clients may provide personal data to Automattic about their own customers and end-users in participating EU countries, the United Kingdom and Switzerland that the WordPress VIP clients (the data controllers) collect through the operation and use of their websites (“Hosting Services Personal Data”). WordPress VIP clients may collect Hosting Services Personal Data when, for example, (1) an end-user creates an account with the WordPress VIP client (for clarity, not a WordPress account); (2) a WordPress VIP client administrator adds content that includes Hosting Services Personal Data to a site hosted by WordPress VIP; or (3) a WordPress VIP client provides directory or other information about its end users as part of an intranet (i.e., a website that is only accessible to authorized, internal personnel) used by that WordPress VIP client. The type of Hosting Services Personal Data varies by each WordPress VIP client, but typically includes personal data that allows our WordPress VIP clients’ customers and end-users to access and use the WordPress VIP client’s website, such as a username and e-mail address.
The WordPress VIP service also includes Parse.ly which is a content analytics service that allows customers to track user engagement with the content on their sites and applications. In the course of providing the Parse.ly service, Automattic processes personal data regarding such users including, but not limited to, names, addresses, email addresses, ip addresses, unique user IDs and browsing history (“Parse.ly Personal Data”).
Parse.ly Personal Data and Hosting Services Personal Data are referred to herein together as “WordPress VIP Services Personal Data”.
Automattic adheres to the principles of the EU-U.S. and Swiss-U.S Privacy Shield frameworks with respect to WordPress VIP Services Personal Data.
Our Collection, Use and Sharing of WordPress VIP Services Personal Data
Why Automattic Collects and Uses WordPress VIP Services Personal Data
Our WordPress VIP services include hosting, support, content analytics and other professional services to optimize WordPress.com for security, performance, and scalability. We process WordPress VIP Services Personal Data as a data processor for the purpose of providing WordPress VIP services to our WordPress VIP clients.
Sharing of WordPress VIP Services Personal Data with Third Parties
We may transfer WordPress VIP Services Personal Data to third-party service providers who help us provide our WordPress VIP services to our WordPress VIP clients.
Under certain circumstances, we may remain liable for the acts of those third-party service providers for their handling of WordPress VIP Services Personal Data that we transfer to them.
We may be required to disclose WordPress VIP Services Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Your Rights With Respect to WordPress VIP Services Personal Data
Requests for Access, Correction, or Deletion of WordPress VIP Services Personal Data
Individuals in the EU, the United Kingdom, and Switzerland have rights to access personal data about them, and to limit use and disclosure of their personal data. If you are an individual in the EU, the United Kingdom or Switzerland who believes that you are a customer or end-user of one of our WordPress VIP clients, and wish to request access to (or to limit use or disclosure of) any WordPress VIP Services Personal Data that we may have about you, you can submit a written request to us at firstname.lastname@example.org.
Since we act as a service provider to our WordPress VIP clients, we will direct the inquiry to the applicable WordPress VIP client(s), who can respond to your request. Please include the name of the applicable WordPress VIP client(s) in your request, if known, so that we can refer the request to them.
If you are an individual in the EU, the United Kingdom or Switzerland who believes that your personal data is included in the WordPress VIP Services Personal Data, you may direct any concerns or complaints to us at email@example.com.
If we do not resolve your complaint, you may contact JAMS, our designated independent dispute resolution provider for Privacy Shield inquiries. You can contact JAMS, which is based in the United States, through its website at the following link:
If neither Automattic nor JAMS resolves your complaint, you may, in certain circumstances, be able to seek binding arbitration through the Privacy Shield Panel. You can read more about binding arbitration in Annex I to the Privacy Shield Principles.
Other Things You Should Know
Our commitments under the Privacy Shield are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.