Your search did not match any results.
We suggest you try the following to help find what you’re looking for:
I. The first section (Services Personal Information Data Processing Terms) describes the privacy and security practices that Oracle Corporation and its affiliates (“Oracle”) employ when handling Services Personal Information (as defined below) for the provision of Technical Support, Consulting, Cloud or other services (the “Services”) provided to Oracle customers (“You” or “Your”) during the term of Your order for Services. Additional terms may be specified in the relevant privacy and security practices for the Services You have ordered.
Services Personal Information is personal information that is provided by You, resides on Oracle, customer or third-party systems and environments, and is processed by Oracle on Your behalf in order to perform the Services. Services Personal Information may include, depending on the Services: information concerning family, lifestyle and social circumstances; employment details; financial details; online identifiers such as mobile device IDs and IP addresses, and first party online behavior and interest data. Services Personal Information may relate to Your representatives and end users, such as Your employees, job applicants, contractors, collaborators, partners, suppliers, customers and clients.
II. The second section (System Operations Data Processing Terms) describes the privacy and security practices that apply to personal information that may be incidentally contained in Systems Operation Data that is generated by the interaction of (end-)users of our Services (“Users”) with the Oracle systems, tools and networks used to monitor, safeguard and deliver Services to our customer base.
Systems Operations Data may include access, event, diagnostic and other log files, as well as statistical and aggregated information that relates to the use and operation of our Services, and the systems and networks these Services run on.
III. The third section (Communications and Notifications to Customers and Users) applies to both Services Personal Information and personal information contained in Systems Operations Data, describes how Oracle handles legally required disclosure requests, and informs You and Users how to communicate with Oracle’s Global Data Protection Officer or file a complaint.
Oracle treats all Services Personal Information in accordance with the terms of Sections I and III of this Policy and Your order for Services.
Oracle may process Services Personal Information for the processing activities necessary to perform the Services, including for testing and applying new product or system versions, patches, updates and upgrades, and resolving bugs and other issues You have reported to Oracle.
You are the controller of the Services Personal Information processed by Oracle to perform the Services. Oracle will process your Services Personal Information as specified in Your Services order and Your documented additional written instructions to the extent necessary for Oracle to (i) comply with its processor obligations under applicable data protection law or (ii) assist You to comply with Your controller obligations under applicable data protection law relevant to Your use of the Services. Oracle will promptly inform You if, in our reasonable opinion, Your instruction infringes applicable data protection law. Oracle is not responsible for performing legal research and/or for providing legal advice to You. Additional fees may apply.
You control access to Your Services Personal Information by Your end users, and Your end users should direct any requests related to their Services Personal Information to You. To the extent such access is not available to You, Oracle will provide reasonable assistance with requests from individuals to access, delete or erase, restrict, rectify, receive and transmit, block access to or object to processing of Services Personal Information on Oracle systems. If Oracle directly receives any requests or inquiries from Your end users that have identified You as the controller, we will promptly pass on such requests to You without responding to the end user.
Oracle has implemented and will maintain technical and organizational measures designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Services Personal Information. These measures, which are generally aligned with the ISO/IEC 27001:2013 standard, govern all areas of security applicable to the Services, including physical access, system access, data access, transmission, input, security oversight, and enforcement.
Oracle employees are required to maintain the confidentiality of personal information. Employees' obligations include written confidentiality agreements, regular training on information protection, and compliance with company policies concerning protection of confidential information.
See additional details regarding the specific security measures that apply to the Services are set out in the security practices for these Services, including regarding data retention and deletion, available for review.
Oracle promptly evaluates and responds to incidents that create suspicion of or indicate unauthorized access to or handling of Services Personal Information.
If Oracle becomes aware and determines that an incident involving Services Personal Information qualifies as a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Services Personal Information transmitted, stored or otherwise processed on Oracle systems that compromises the security, confidentiality or integrity of such Services Personal Information, Oracle will report such breach to You without undue delay.
As information regarding the breach is collected or otherwise reasonably becomes available to Oracle and to the extent permitted by law, Oracle will provide You with additional relevant information concerning the breach reasonably known or available to Oracle.
To the extent Oracle engages Oracle affiliates and third party subprocessors to have access to Services Personal Information in order to assist in the provision of Services, such subprocessors shall be subject to the same level of data protection and security as Oracle under the terms of Your order for Services. Oracle is responsible for its subprocessors’ compliance with the terms of Your order for Services.
Oracle maintains lists of Oracle affiliates and subprocessors that may process Services Personal Information. Additional information is available to You via My Oracle Support (https://support.oracle.com) Document ID 2121811.1, or other applicable primary support tool provided for the Services.
Oracle is a global corporation with operations in over 80 countries and Services Personal Information may be processed globally as necessary in accordance with this policy and other relevant privacy terms specified applicable to Your Services. If Services Personal Information is transferred to an Oracle recipient in a country that does not provide an adequate level of protection for personal information, Oracle will take adequate measures designed to protect the Services Personal Information, such as ensuring that such transfers are subject to the terms of the EU Standard Contractual Clauses or other adequate transfer mechanism as required under relevant data protection laws.
In the event the Services agreement between You and Oracle references the Oracle Data Processing Agreement for Oracle Services (“DPA”), further details on the relevant data transfer mechanism that applies to Your order for Oracle Services are available in the DPA. In particular, for Services Personal Information transferred from the European Economic Area (“EEA”) or Switzerland, such transfers are subject to Oracle’s Binding Corporate Rules for Processors (BCR-P) or the terms of the EU Standard Contractual Clauses. For Services Personal Information transferred from the United Kingdom (UK), such transfers are subject to the UK Addendum or other appropriate transfer mechanism.
The audit shall be conducted no more than once during a twelve-month period, during regular business hours, subject to Oracle’s on-site policies and regulations, and may not unreasonably interfere with business activities. If You would like to use a third party to conduct the audit, the third party auditor shall be mutually agreed to by the parties and the third-party auditor must execute a written confidentiality agreement acceptable to Oracle. Upon completion of the audit, You will provide Oracle with a copy of the audit report, which is classified as confidential information under the terms of Your agreement with Oracle.
Oracle will contribute to such audits by providing You with the information and assistance reasonably necessary to conduct the audit, including any relevant records of processing activities applicable to the Services. If the requested audit scope is addressed in a SOC 1 or SOC 2, ISO, NIST, PCI DSS, HIPAA or similar audit report issued by a qualified third party auditor within the prior twelve months and Oracle provides such report to You confirming there are no known material changes in the controls audited, You agree to accept the findings presented in the third party audit report in lieu of requesting an audit of the same controls covered by the report. Additional audit terms may be included in Your order for Services.
Except as otherwise specified in an order for Services or required by law, upon termination of Services, Oracle will return or delete any remaining copies of Your production customer data, including any Services Personal Information, located on Oracle systems or Services environments. Additional information on data deletion functionality is provided in the applicable Services Descriptions.
Oracle Corporation and its affiliated entities are responsible for processing personal information that may be incidentally contained in Systems Operations Data in accordance with Sections II and III of this Policy. See the list of Oracle entities. Please select a region and country to view the registered address and contact details of the Oracle entity or entities located in each country.
We may collect or generate Systems Operations Data for the following business purposes:
Where relevant, our legal basis for processing Your personal information is as follows:
Personal information contained in Systems Operations Data may be shared throughout Oracle’s global organization for Oracle’s business purposes. A list of Oracle entities is available as indicated above.
We may also share such personal information with the following third parties:
If personal information contained in Systems Operations Data is transferred to an Oracle recipient in a country that does not provide an adequate level of protection for personal information, Oracle will take measures designed to adequately protect information about Users, such as ensuring that such transfers are subject to the terms of the EU Standard Contractual Clauses or other adequate transfer mechanism as required under relevant data protection laws.
Oracle has implemented appropriate technical, physical and organizational measures in accordance with the Oracle Corporate Security Practices designed to protect personal information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access as well as all other forms of unlawful processing (including, but not limited to, unnecessary collection) or further processing.
To the extent personal information about You is contained in Systems Operations Data, You may request to access, correct, update or delete personal information contained in Systems Operations Data in certain cases, or otherwise exercise Your choices with regard to Your personal information by filling out an inquiry form. We will respond to your request consistent with applicable law.
If You are a California resident, You may request that Oracle disclose the following information:
If You are a California resident, you may obtain information about exercising your rights, as described above, by contacting us at 1-800-633-0748. For information on the CCPA requests Oracle received, complied with, or denied for the previous calendar year, please visit Oracle’s Annual Consumer Privacy Reporting page, available here.
Oracle may be required to provide access to Services Personal Information and to personal information contained in Systems Operations Data as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect Your or a User’s safety or the safety of others, investigate fraud, or respond to government requests, including public and government authorities outside Your or a User’s country of residence, for national security and/or law enforcement purposes.
Oracle will promptly inform You of requests to provide access to Services Personal Information, unless otherwise required by law.
Written inquiries to the Global Data Protection Officer may be addressed to:
Global Data Protection Officer
233 South Wacker Drive
Chicago, IL 60606
For personal information collected INSIDE the EU/EEA, You may contact Oracle’s external EU Data Protection Officer by filling out the inquiry form and selecting “Other Privacy Inquiry - Contact our DPO” in our drop down box or by written inquiry to.
D-85579 Neubiberg / München
For personal information collected INSIDE Brazil, written inquiries to the Brazilian Data Protection Officer may be addressed to:
Rua Dr. Jose Aureo Bustamante, 455
Vila São Francisco
São Paulo, BR
If You or a User have any complaints regarding our compliance with our privacy and security practices, please contact us. We will investigate and attempt to resolve any complaints and disputes regarding our privacy practices. Users also have the right to file a complaint with a competent data protection authority.
Previous versions: 4/9/21 | 1/19/21 | 10/20/20 | 3/7/19 | 2/14/19