Data Privacy Framework Notice

Last updated: June 24, 2024 

Introduction

This Data Privacy Framework Notice (“Notice”) describes how Panopto, Inc. (“Panopto”) complies with the EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (“Swiss-US DPF”) as set forth by the US Department of Commerce. Panopto has certified to the US Department of Commerce that it adheres to the EU-US Data Privacy Framework Principles and the Swiss-US Data Privacy Framework Principles (collectively, “DPF Principles”) with regard to the processing of personal data received from the European Union (“EU”) in reliance on the EU-US DPF, the United Kingdom and Gibraltar (“UK”) in reliance on the UK Extension to the EU-US DPF, and Switzerland in reliance on the Swiss-US DPF. If there is any conflict between the terms in this Notice and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program and to view our DPF certification, please visit https://www.dataprivacyframework.gov/.

Since the requirements for compliance with the DPF vary depending on whether Panopto is acting as a processor on behalf of its customers or as a data controller for its own data processing, Panopto’s policies and manner of compliance are described separately below. Please keep these distinctions in mind when you review this Notice. The practices Panopto employs under the EU-US DPF, as outlined below, also apply to data transferred from the UK to the United States in compliance with the UK Extension to the EU-US DPF, and from Switzerland to the United States in compliance with the Swiss-US DPF.

Panopto as a Data Processor

The services Panopto provides to its customers primarily include a video hosting platform with tools for creating, managing and distributing video, audio, written and other content over the Internet. Customers are responsible, in their sole discretion, for provisioning accounts to authorized users to give them access to Panopto’s services, and for removing an account once a given user is no longer permitted to have such access. In each case, the customer is the controller of the personal data of its users, and Panopto is merely a processor carrying out data processing activities in accordance with the customer’s instructions. In this capacity, Panopto does not own or control any of the personal data it processes on behalf of its customers. Instead, all such data is owned and controlled by Panopto’s customers.

Before starting any processing on behalf of Panopto’s customers, Panopto enters into a contract with the customer (as the data controller) that ensures that the customer will comply with applicable data protection laws. Any personal data processed by Panopto will not be further disclosed to third parties except where permitted or required by this contract, the DPF, or applicable data protection laws. This contract will also specify that Panopto will carry out the processing with appropriate data security measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration and destruction. As a processor on behalf of its customers (who again are the data controllers), Panopto is not in a position to apply other DPF Principles applicable to data controllers with respect to the personal data received for processing from its customers.

Panopto as a Data Controller

Panopto collects limited personal data from individuals when they provide it directly through one of Panopto’s websites, as well as information acquired through information providers. Panopto develops and maintains databases containing personal data on individuals and enterprises located throughout Europe. This data is used to provide requested information or content, to market Panopto’s services, and for other related purposes. In this capacity, Panopto acts as a data controller of the personal data collected. As a data controller, Panopto is required to comply with all DPF Principles.

Notice

In its capacity as a processor on behalf of its customers, prior to the transfer of personal information from the EU, UK, or Switzerland to the United States, Panopto requires contractual confirmation from the customer (as the data controller) that the personal data has been provided to Panopto in accordance with applicable data protection laws, thereby ensuring the data subjects have been provided with proper notice regarding how their personal data will be used. In addition, Panopto provides notice about its privacy practices relating to personal data it collects from its customers as a processor in the Panopto Authorized User Privacy Policy.

When Panopto collects personal data directly from data subjects as a controller, it provides notice about its privacy practices relating to such personal data in the Panopto Website Visitor Privacy Policy.

Choice

When Panopto obtains personal data in its role as a processor for its customers, Panopto’s customers are responsible for providing the relevant individuals with certain choices with respect to the customers’ use or disclosure of the individuals’ personal data.

When Panopto collects personal data as a controller from an individual, that individual can choose to opt out of receiving marketing emails from Panopto by following the unsubscribe instructions provided in those emails. In addition, individuals can request to have their personal data removed from Panopto’s databases by sending an email to [email protected].

Panopto may be required to disclose personal information in response to lawful requests by public authorities, including requests to meet national security or law enforcement requirements.

Onward Transfer

Panopto complies with the notice and choice principles as described above for all personal data disclosed or transferred to a third party. Panopto takes reasonable and appropriate steps to ensure that the third party effectively processes the personal data transferred in a manner consistent with Panopto’s obligations under the DPF Principles.

When Panopto (as a processor) sends data to its sub-processors on behalf of and at the instruction of a customer, the customer is responsible for ensuring the compliance of the transfer. When Panopto (as a controller) uses processors to perform processing tasks on its behalf and at its instruction, Panopto requires that such processors either:

  • Subscribe to the DPF (in the case of US-based processors), the applicable data protection laws in the EU, UK, or Switzerland (in the case of EU/UK/Swiss-based processors), or another adequacy finding (in the case of processors in countries outside the US or EU/UK/Switzerland); or
  • Enter into a written agreement with Panopto requiring them to process the data only for limited and specified purposes and to provide the same level of protection as Panopto provides.

In cases of onward transfer to third parties, Panopto is generally liable for the acts of any such parties that are in violation of the DPF Principles.

Security

Panopto takes reasonable and appropriate measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. Any actual or potential security compromises or other inquiries concerning security should be reported to [email protected].

Data Integrity

Panopto limits the personal data it processes to that which is relevant for the purposes of the particular processing. Panopto does not process personal data in ways that are incompatible with the purposes for which such data was collected or subsequently authorized by the relevant individual. In addition, to the extent necessary for these purposes and consistent with its role as a processor or controller, Panopto takes reasonable steps to ensure that the personal data it processes is reliable for its intended use and accurate, complete and current. In this regard, Panopto relies on its customers (with respect to personal data of individuals with whom Panopto does not have a direct relationship) to update and correct the relevant personal data to the extent necessary for the purposes for which such data was collected or subsequently authorized.

Access

Panopto acknowledges the individual’s right to access their personal data. In regard to personal data that Panopto may possess in its capacity as a processor, individuals who wish to access, correct, edit, or delete their personal data should contact the relevant Panopto customer, which is the controller of your personal data and is therefore responsible for protecting your rights under applicable data protection laws. If you contact Panopto directly, we may forward your request or inquiry to the relevant Panopto customer. If requested by a customer, Panopto will provide support to that customer in responding to a data subject request.

In Panopto’s capacity as a controller, an individual may request access to the personal data Panopto maintains in its databases. The individual has the right to learn whether or not personal data about them is found in Panopto’s databases and to correct, edit, or delete such data when it is inaccurate. This right applies only to personal data about the individual making the request and is subject to other limitations as defined by law. Individuals can request access by emailing [email protected]. It is important to note that Panopto may need to verify the individual’s identity before processing the request. Panopto will process all reasonable requests for access within a reasonable time period, but reserves the right to deny access or limit access in accordance with conditions set by applicable laws. 

Enforcement

When Panopto obtains personal data in its role as a processor for its customers, individuals may submit complaints concerning the processing of their personal data to the relevant customer, in accordance with that customer’s dispute resolution process. Panopto will participate in this process at the request of the customer or the individual.

In its capacity as a controller, Panopto commits to resolve DPF Principles-related complaints about its collection and use of personal data. EU, UK, and Swiss individuals with inquiries or complaints regarding Panopto’s handling of personal data received in reliance on the DPF should first contact Panopto as described in the “How to Contact Panopto” section below. Filing the inquiry or complaint in English will expedite the process. In compliance with the DPF, Panopto will respond within 45 days of receiving a complaint.

Also in compliance with the DPF, Panopto commits to refer unresolved complaints concerning its handling of personal data received in reliance on the DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from Panopto, or if Panopto has not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-data-privacy-framework for more information or to file a complaint. The services of JAMS are provided at no cost to you. JAMS mediation may be commenced as provided for in the JAMS rules. Under certain conditions, an individual may invoke binding arbitration to resolve residual claims. Additional information on when such arbitration may be invoked can be found here: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.

The US Federal Trade Commission has jurisdiction over Panopto’s compliance with the DPF.

How to Contact Panopto

To contact Panopto with questions or concerns about this Notice or Panopto’s personal data practices, or to file a complaint, write to:

Panopto, Inc.
Attn: Data Protection
600 River Avenue, Suite 100
Pittsburgh, PA 15212

[email protected]