Supplemental Privacy Notice for Individuals Within the EU, Switzerland, UK, and Brazil

If you are located in the European Union, Switzerland, United Kingdom, or Brazil (“Covered Jurisdictions”), applicable data protection laws provide you with specific rights regarding your Personal Information. This Regional Privacy Notice (the “Regional Notice”) supplements the information contained in Dynatrace’s Website Privacy Notice (the “Notice”). In the event of a conflict between this Regional Notice and the Notice, this Regional Notice shall take precedence. Any capitalized terms not defined in this Regional Notice or the Notice have the meanings set forth in the applicable data protection laws including the EU and UK General Protection Data Regulation (“GDPR”), The Switzerland Ordinance on the Federal Act on Data Protection (“FADP”), and the Brazilian General Personal Data Protection Law (“LGPD”).

This Regional Notice does not apply to workforce-related personal information collected from employees, job applicants, contractors, or similar individuals.

Legal Basis for Processing.

When Dynatrace processes your Personal Information, it has a legal basis for doing so in accordance with data protection laws of the Covered Jurisdictions. Dynatrace will only process your Personal Information: (i) on the basis of your express consent; (ii) where the processing is necessary for a legal obligation to which Dynatrace is subject; (iii) the processing is necessary to protect your vital interests; or (iv) for Dynatrace’s or a third party’s legitimate interest, but only where that interest is not overridden by your interests or fundamental rights and freedoms.

Legitimate Interests

We process certain Personal Information for a variety of legitimate interests including Dynatrace’s interests in: (i) developing its business through identifying and pursuing sales leads and increasing awareness of its brand and service offerings; (ii) maintaining and improving the Site functionality; and (iii) maintaining and improving our Services.

Where we process your Personal Information based on legitimate interests, you can object to this processing in certain circumstances by emailing privacy@dynatrace.com. In such cases, we will cease processing Personal Information unless we have compelling legitimate grounds to continue processing or where processing is necessary for legal reasons.

Consent

In certain cases we process Personal Information such as device identification and analytics data with your express opt-in consent. In any case where we rely on your consent to process your Personal Information, you may freely withdraw your consent through the Dynatrace Cookie Preference Center or by emailing privacy@dynatrace.com, as applicable.

Individual Rights. You may have certain rights with respect to your Personal Information under the Covered Jurisdiction. These rights include but are not limited to:

• The right to access, correct, update or request deletion of your Personal Information;
• The right to object to processing of your Personal Information;
• The right to ask us to restrict processing of your Personal Information;
• The right to request portability of your Personal Information;
• In the limited circumstances where we have collected and process your Personal Information for a specific purpose with your consent, then you can withdraw your consent for that specific processing at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted based on your consent prior to your withdrawal, nor will it affect processing of your Personal Information conducted in reliance on lawful processing grounds other than consent. Once we have received notification that you have withdrawn your consent, we will no longer process your Personal Information for the purpose originally agreed to, unless we have another legal basis for processing; and
• The right to complain to a data protection authority about our collection and use of your Personal Information. For more information specific to your Covered Jurisdiction, please contact your local data protection authority.

To exercise any of the foregoing rights, you may submit a request through our privacy request form, which also includes information on how to unsubscribe from marketing communications as noted below under “Marketing”.

To verify your request, you must provide sufficient information to allow us to reasonably verify you are the person about whom we collected Personal Information, and you must describe your request with sufficient detail to allow us to properly understand, evaluate, and respond to your request.

When we receive your request to exercise your rights: (a) we will acknowledge receipt of your request; (b) we will try to match the information you provide in making the request with information we may maintain about you; and (c) we may ask you to provide additional information to verify your identity, including Personal Information. Dynatrace considers various factors when determining how to verify your identity, such as the sensitivity and value of the data, the risk of harm, the likelihood of fraud.

We will only use Personal Information we collect during the verification process for the purpose of verifying your identity. If you maintain an account with us, we may use that account to verify your identity. If we are unable to verify your identity, we may decline to comply with your request, and let you know why. We will focus on responding to your request for access or deletion within the time period required by law. If we require additional time, we will inform you of the reason and extension period. We may charge a fee to process or respond to your request if it is excessive or repetitive.

Transfers to Third Parties and Countries outside of the Covered Jurisdictions.

Prior to transferring Personal Information across borders, Dynatrace ensures that it has implemented appropriate mechanisms for all data transfers in compliance with applicable data protection laws, including standard contractual clauses approved by the European Commission to safeguard the transfer of Information we collect from the European Economic Area (“EEA”), the United Kingdom (“UK”), and Switzerland. We use approved Standard Contractual Clauses (“SCCs”) to assure that Personal Information is adequately protected when it is transferred out of the EEA, the UK, or Switzerland to countries without an adequate level of data protection. This includes implementing the SCCs for transfers of Personal Information between our group of companies and with our customers, third-party service providers and partners.

In addition, Dynatrace complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce (collectively, the “DPF”). We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles with regard to the processing of Personal Information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF (collectively, the “DPF Principles”). To learn more about the DPF program and to view our certification, please visit https://www.dataprivacyframework.gov.

If you have questions or concerns regarding our privacy practices in relation to our DPF certification, we encourage you to first contact us at privacy@dynatrace.com. Dynatrace commits to refer unresolved privacy complaints under the DFP Principles to an independent recourse mechanism, JAMS, based in the United States. If your complaint is not satisfactorily addressed, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information and to file a complaint. If your complaint has not been resolved by other means, you may have the ability to invoke binding arbitration as outlined more fully on the DPF website. The services of JAMS are provided at no cost to you.

Dynatrace is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission, and Dynatrace may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. If we transfer your Personal Information onward to a third party, we will continue to remain liable under the DPF Principles if the Personal Information is processed in a manner inconsistent with the DPF Principles.

Automated Decision Making. Dynatrace does not make any automated decisions about you without first obtaining your express, opt-in consent.

Marketing. Pursuant to the data protection laws in Covered Jurisdictions, Dynatrace does not process Personal Information for the purpose of direct marketing by email, SMS or telephone without first obtaining your express, opt-in consent (where required). If you wish to unsubscribe from receiving or edit your choices regarding marketing communications, please visit www.dynatrace.com/unsubscribe. Where permitted by data protection laws, we may also process your Personal Information for the purposes of direct marketing where you have not opted-out and we have a legitimate interest in doing so which is not overridden by your interests or fundamental rights and freedoms as a data subject.