Citrix Business Conduct

Reporting Privacy Policy

Citrix counts on our employees, customers, partners, suppliers and others to help maintain and enhance Citrix’s reputation for high standards of business conduct, in part via this online helpline which enables reporting of conduct that may be inconsistent with these standards. This Business Conduct Reporting Privacy Policy (“BCRPP” or “Policy”) applies to the information about such conduct that is provided by our customers, partners and other external parties.

This Policy does not apply to Citrix employees. The information Citrix employees submit via this helpline or via other means (such as email, phone or in person) is covered by the Citrix Internal Privacy Policy.

Citrix Systems, Inc. and its subsidiaries (“Citrix”), respect your concerns about privacy. References in this Policy to “Citrix”, “we”, “us”, and “our” are references to the Citrix entity responsible for the processing of your personal information. This Policy describes the types of personal information we collect, how we may use that personal information, with whom we may share it and how you may exercise your rights regarding our processing of that information. It also describes the measures we take to safeguard the personal information we obtain and how you can contact us about our privacy practices.

Personal information we obtain

The information we obtain subject to this Policy is limited to the information you provide when submitting a report or is otherwise collected as part of a business conduct inquiry. Specifically, it is: (i) your name and contact details (unless you report anonymously) and whether you are employed by Citrix; (ii) the name and other personal information of the persons you name in your report if you provide such information (i.e., description of functions and contact details); (iii) a description of the alleged misconduct as well as a description of the surrounding circumstances; and (iv) any additional information that you may provide or that we may collect during the course of follow-up inquiries.

How we use personal information and who may access personal data and information

Citrix uses your personal information as described in this Policy and relies on a number of legal bases as described further below:

  • We use personal information for legitimate HR purposes related to enforcing compliance with Citrix policies and applicable law, including disciplinary matters and investigations.
  • We use personal information for legitimate safety and security purposes, including for investigative purposes, protecting the health and safety of our employees and others, safeguarding and maintaining IT infrastructure, facilities and other property, and protecting the corporate network and data from intrusion or other loss. We process personal information for these purposes because it is necessary for our legitimate interests in maintaining the security of our IT systems and premises, and protecting our employees and others.
  • We also use personal information when necessary to protect Citrix’s legal interests or to comply with legal and other requirements. We process personal information for these purposes because we are required to do so by law or it is necessary for the establishment, exercise or defense of legal claims.

Data sharing

Citrix may share your personal information internally within Citrix/or with affiliates for the purposes described in this notice. We also may share your personal information with third parties that perform services on our behalf, including third-party service providers (such as the operator of this reporting tool). We require these parties to respect the security of your data and to treat it in accordance with the law.
We reserve the right to share with relevant third parties information you provide in the event of a potential or actual sale or transfer of all or a portion of our business or assets, including in the event of a merger, acquisition, joint venture, reorganization, divestiture, dissolution, liquidation or other business transaction.

We also may disclose personal information about you:

  • If we are required by applicable law, regulation or legal process (such as a court order or subpoena);
  • To law enforcement authorities or other government officials to comply with a legitimate legal request;
  • When we believe disclosure is necessary to prevent physical harm or financial loss to Citrix, its users or the public; or
  • To establish, exercise or defend our legal rights, and in connection with an investigation of suspected or actual fraud, illegal activity, security or technical issues.

Data security

Citrix has put in place security measures designed to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. We have also put in place procedures to deal with any suspected data security breach.

Data retention

Citrix only retains your personal information for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

International transfer

Your personal information may be stored and processed in the United States or in another country in which Citrix or its affiliates, subsidiaries, or third party service providers conducts business. When we transfer personal information to a country outside of an employee’s location, we may use a variety of legal mechanisms authorized by law, including standard contractual clauses approved by the European Commission or other data transfer agreements.

Data subject rights

To the extent provided by the law of your jurisdiction, you may request access to the personal information we maintain about you or request that we correct, update, amend or delete your information, or that we restrict the processing of such information by contacting us as indicated below. These rights are not absolute; if we are unable to accommodate your request, we will provide written notification specifying the basis for such conclusion. Depending on your location, you may have the right to file a complaint with a government regulator if you are not satisfied with our response.

If you are a resident of California, Citrix has a California Consumer Privacy Statement which is available for review here.

How to contact us

If you have any questions about this Privacy Policy, please contact us by email at privacy@citrix.com or write to us at:

Citrix Systems, Inc.
Attn: Chief Privacy Officer
15 Network Drive
Burlington, MA 01803
United States

Last Updated: August 18, 2021