Supplemental Privacy Notice for Individuals Within the EU, Switzerland, UK, and Brazil

If you are located in the European Union, Switzerland, United Kingdom, or Brazil (“Covered Jurisdictions”), applicable data protection laws provide you with specific rights regarding your Personal Information. This Regional Privacy Notice (the “Regional Notice”) supplements the information contained in Dynatrace’s Privacy Notice (the “Notice”). In the event of a conflict between this Regional Notice and the Notice, this Regional Notice shall take precedence. Any capitalized terms not defined in this Regional Notice, or the Notice have the meanings set forth in the applicable data protection laws including the EU and UK General Protection Data Regulation (“GDPR”), The Switzerland Ordinance on the Federal Act on Data Protection (“FADP”), and the Brazilian General Personal Data Protection Law (“LGPD”).

Important Note: This Regional Notice does not apply to workforce-related Personal Information collected from employees, job applicants, contractors, or similar individuals.

Our legal basis for collecting and using your Personal Information will depend on the Personal Information concerned and the specific context in which we collect it. However, we will collect Personal Information from you only where we need such information to perform a contract with you, where we need to comply with a legal obligation, where you provide consent to process your Personal Information, where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms, or where we have your consent to do so. In some cases, we may need the Personal Information to protect your vital interests or those of another person.

If you have any questions about or need further information concerning the legal basis on which we collect and use your Personal Information, please contact us as described below.

Because we operate at a global level and use cloud-based global information systems to manage our business, we may need to transfer Personal Information to countries other than the ones in which the information was originally collected. Your Personal Information may be collected, used, processed, stored, or disclosed by us and our service providers outside your home jurisdiction, including the U.S. and in some cases, other regions such as Asia, and Europe. These countries may have data protection laws that are different from the laws of your country.

Dynatrace will only transfer Personal Information to another country including within the Dynatrace corporate family, in accordance with applicable privacy laws, and provided there is adequate protection in place for the Personal Information. We may transfer Personal Information to our parent company in the United States for management and operational purposes. A list of all Dynatrace Group locations to which your Personal Information may be transferred pursuant to an intercompany data transfer agreement complying with applicable privacy laws can be found at https://www.dynatrace.com/company/locations/ (excluding partner locations).

We rely on European Commission’s Standard Contractual Clauses and the respective UK or Swiss Addendum for transfers of Personal Information between the Dynatrace companies, which require all group companies to protect Personal Information they process from the European Economic Area in accordance with EU data protection laws. Our Standard Contractual Clauses can be provided on request.

We may also transfer your Personal Information to our third-party service providers (described in the “How We Disclose Your Information” section of our Notice) based in a different country, particularly the European Economic Area, the United States, Asia, Switzerland or the UK. In this case, Dynatrace ensures that it has implemented appropriate mechanisms for all data transfers in compliance with applicable data protection laws, including standard contractual clauses approved by the European Commission to safeguard the transfer of Information we collect from the European Economic Area (“EEA”), the United Kingdom (“UK”), and Switzerland. We use approved Standard Contractual Clauses (“SCCs”) to assure that Personal Information is adequately protected when it is transferred out of the EEA, the UK, or Switzerland to countries without an adequate level of data protection. This includes implementing the SCCs for transfers of Personal Information between our group of companies and with our customers, third-party service providers and partners. Data transfer agreements are accessible upon request by contacting us at the details shown further below.

In addition, Dynatrace complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce (collectively, the “DPF”). We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles with regard to the processing of Personal Information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF (collectively, the “DPF Principles”). To learn more about the DPF program and to view our certification, please visit https://www.dataprivacyframework.gov.

If you have questions or concerns regarding our privacy practices in relation to our DPF certification, we encourage you to first contact us at privacy@dynatrace.com or as described below. Dynatrace commits to refer unresolved privacy complaints under the DFP Principles to an independent recourse mechanism, JAMS, based in the United States. If your complaint is not satisfactorily addressed, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information and to file a complaint. If your complaint has not been resolved by other means, you may have the ability to invoke binding arbitration as outlined more fully on the DPF website. The services of JAMS are provided at no cost to you.

Dynatrace is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission, and Dynatrace may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. If we transfer your Personal Information onward to a third party, we will continue to remain liable under the DPF Principles if the Personal Information is processed in a manner inconsistent with the DPF Principles.

You may have certain rights with respect to your Personal Information under the Covered Jurisdiction. These rights include, but are not limited to:

• The right to access, correct, update or request deletion of your Personal Information;
• The right to object to processing of your Personal Information (including for direct marketing purposes);
• The right to ask us to restrict processing of your Personal Information;
• The right to request portability of your Personal Information;
• In the limited circumstances where we have collected and process your Personal Information for a specific purpose with your consent, then you can withdraw your consent for that specific processing at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted based on your consent prior to your withdrawal, nor will it affect processing of your Personal Information conducted in reliance on lawful processing grounds other than consent. Once we have received notification that you have withdrawn your consent, we will no longer process your Personal Information for the purpose originally agreed to, unless we have another legal basis for processing; and
• If you live in France: the right to instruct us on the processing (retention, deletion, and disclosure) of your Personal Information after your death. You can change or revoke such instructions at any time.
• The right to complain to a data protection authority about our collection and use of your Personal Information, but we encourage you to first contact us with any questions or concerns. For more information specific to your Covered Jurisdiction, please contact your local data protection authority. For the EU you can find a list of competent data protection authorities at https://edpb.europa.eu/about-edpb/board/members_en, for the UK it is the Information Commissioner https://ico.org.uk/global/contact-us/, for Switzerland it is the Federal Data Protection and Information Commissioner https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html, and for Brazil it is the National Data Protection Authority (ANPD) https://www.gov.br/anpd/pt-br.

To exercise any of the foregoing rights, you may submit a request through Dynatrace Privacy Request Form.

To verify your request, you must provide sufficient information to allow us to reasonably verify you are the person about whom we collected Personal Information, and you must describe your request with sufficient detail to allow us to properly understand, evaluate, and respond to your request.

When we receive your request to exercise your rights: (a) we will acknowledge receipt of your request; (b) we will try to match the information you provide in making such request with information we may maintain about you; and (c) we may ask you to provide additional information to verify your identity, including Personal Information. Dynatrace considers various factors when determining how to verify your identity, such as the sensitivity and value of the data, the risk of harm, and the likelihood of fraud.

We will only use Personal Information we collect during the verification process for the purpose of verifying your identity. If we are unable to verify your identity, we may decline to comply with your request, and let you know why. We will focus on responding to your request for access or deletion within the period required by law. If we require additional time, we will inform you of the reason and extension period. We may charge a fee to process or respond to your request if it is excessive or repetitive.

Please note that your rights may be limited, for example if fulfilling your request would reveal Personal Information about another person, if you ask us to delete information which we are required by law or have compelling legitimate interests to keep, or if we have another legal reason or overriding interest to do so. Where we collect Personal Information to administer our contract with you or to comply with our legal obligations, this is mandatory, and we will not be able to manage our contractual relationship without this information. In all other cases, provision of the requested Personal Information is optional, but this may affect your ability to receive certain Services, where the information is needed for those purposes.

If you have any questions about our privacy practices or this Regional Notice, or to exercise your rights as detailed in this Regional Notice, appeal our decision related to the exercise of your rights or other related Privacy issues, please use Dynatrace Privacy Request Form, or send an email to privacy@dynatrace.com.

If you have any complaints regarding our compliance with this Regional Notice, please contact us first. We will investigate and attempt to resolve complaints and disputes regarding the use and disclosure of Personal Information in accordance with this Regional Notice and applicable law.

You can also write to us as follows: please contact us at:

Our address is:

Dynatrace LLC
Attn: Privacy Questions

1601 Trapelo Road, Suite 116
Waltham, MA 02451
United States of America

+1.781.530.1000

You may also contact our Data Protection Officer at privacy.dpo@dynatrace.com.