Data Subject Rights Policy

1. Data Subject Rights. Where ANSYS processes personal data about individuals (including personal data of customers, contacts, employees, other workers and others), certain data protection rights are provided under data protection laws. An individual may exercise these rights by making a request to ANSYS (a "Data Rights Request"). Data subject rights (outlined more fully in Section 9, below) include:

1.1 Access to a copy of the personal data retained by ANSYS;

1.2 Erasure of personal data retained by ANSYS (this right is also referred to as the "right to be forgotten");

1.3 Ceasing processing activities of personal data by or behalf of ANSYS based on some objection;

1.4 Rectification (correction) of personal data retained by ANSYS;

1.5 Restriction of the processing activities for personal data by ANSYS;

1.6 Portability of personal data from ANSYS to another entity;

1.7 Excluding the individual from automated decision-making by ANSYS; and

1.8 Removing the individual from any direct marketing by ANSYS.

The details outlined below describe how ANSYS, as a data controller (the entity determining the purpose and manner in which data is processed), will respond to any Data Rights Requests.

2. Responsibility to respond to a Data Rights Request

2.1 The data controller of an individual's personal data is primarily responsible for responding to a Data Rights Request and for helping the requestor to exercise their rights under applicable data protection laws. For example, where an employee makes a Data Rights Request to ANSYS, ANSYS is the data controller for the personal data held and processed about the employee in the employment relationship.

2.2 Although ANSYS does not currently offer products and services for which ANSYS acts as a data processor, if ANSYS processes an individual's personal data as a data processor, such as on behalf of a customer who is the data controller, ANSYS must promptly inform the data controller of the Data Rights Request and provide reasonable assistance to help the requestor exercise his or her rights in accordance with the data controller's duties under applicable data protection laws.

3. Personal data ANSYS shares with third parties

3.1 If ANSYS shares personal data with third parties (such as data processors), it is ANSYS' responsibility to inform those third parties of any Data Rights Request to rectify, delete, or restrict personal data unless it would involve disproportionate effort or it is impossible.

3.2 If requested, ANSYS must provide details of those third parties to which a requestor's personal data has been disclosed.

4. How to make a Data Rights Request

4.1 Any Data Rights Requests, as outlined by this policy, may be directed to privacy@ansys.com.

4.2 If, as an ANSYS employee, you receive a Data Rights Request from another ANSYS employee, former employee, customer, or others the request should immediately be sent to the ANSYS Data Privacy Officer at privacy@ansys.com, together with the date on which the request was received and any other details provided by the requestor.

4.3 Any questions regarding Data Rights Requests should be directed to the ANSYS Data Privacy Officer at privacy@ansys.com.

5. Verification process

5.1 The Data Privacy Officer or others who may assist in the process will make an initial assessment of any Data Rights Request to assess whether ANSYS is the data controller or a data processor and will verify that the request is valid. Any Data Rights Request must be made by the individual about whom the personal data pertains and verification of identity may be required.

5.1.1 If it is determined that a customer or other third party is the data controller in relation to a Data Rights Request, ANSYS will notify the appropriate data controller of the request as soon as possible and will assist the data controller with complying with such request (in accordance with any contract terms or other obligations outlined by applicable data protection law).

5.1.2 If it is determined that ANSYS is the data controller in relation to a Data Rights Request, the requestor will be contacted in writing to confirm receipt of the request and seek confirmation of identity (if not already validated).

5.2 Where ANSYS is not exempt under applicable data protection laws from fulfilling a Data Rights Request, and following receipt of any further information needed to satisfy the request, ANSYS will respond to the request as outlined below.

6. Exemptions to a Data Rights Request

6.1 A data controller may decline to act on a Data Rights Request if the request is excessive and/or manifestly unfounded (for example because of repeated requests for the same data). Where ANSYS is permitted to decline a request, ANSYS must be able to demonstrate that the request is excessive and/or manifestly unfounded.

6.2 In some cases, specific additional exemptions may apply. Where specific exemptions apply to particular Data Subject Rights, these exemptions are more fully explained below.

6.3 If ANSYS is exempt from the requirement of fulfilling a Data Rights Request, ANSYS will notify the requestor that it intends to decline the request and the basis for the exemption.

7. Timeframe for responding to Data Rights Requests

7.1 Data Subject Requests must usually be responded to without undue delay and no later than one (1) month following receipt of the request. Where a request is particularly complex, additional time may be required.

7.2 Where a request cannot be completed in the typical timeframe, ANSYS is entitled to extend the response period by up to two (2) additional months provided ANSYS gives the requestor notice within the original timeframe of the intent to respond and the reason for the delay.

8. Fee for Data Rights Requests

8.1 ANSYS is not permitted to charge for responding to a Data Rights Request unless the request is determined excessive and/or manifestly unfounded or ANSYS is otherwise exempt from the obligation to act on the request (as outlined above). In such cases and where ANSYS agrees to respond to a request, a reasonable fee may be charged based on the administrative costs of providing the information or taking the action requested.

9. Data Rights Requests in more detail

9.1 Requests for access to personal data

The right of access: Right of an individual to obtain confirmation of whether a data controller processes personal data about him or her and, if so, to be provided with the details of the personal data processed and specific aspects of processing activities related to such personal data, and to receive a copy of such details.

9.1.1 Information to be provided in response to a request

9.1.1.1 An individual is entitled to request a copy of the personal data about him or her held and being processed by a data controller. Such data must be provided in intelligible form.

9.1.1.2 Information provided in response to a request should include:

(i) A description of the personal data and categories of personal data concerned;

(ii) The estimated period for which the personal data will be stored;

(iii) The purposes for which the personal data is being held and processed;

(iv) The recipients or types of recipients to whom the data is, or may be, disclosed by the data controller;

(v) Confirmation of the individual's right to request rectification or deletion of the personal data or to restrict or object to processing of the data;

(vi) Confirmation of the individual's right to lodge a complaint with a competent data protection authority;

(vii) Details about the source of the personal data if it was not collected from the individual;

(viii) Details about whether the personal data is subject to automated decision-making (including profiling); and

(xi) Where personal data is transferred from the European Economic Area to a country outside of the European Economic Area, the appropriate safeguards implemented by the data controller related to such transfers in accordance with applicable data protection laws.

9.1.2 Format of requests

9.1.2.1 An access request does not require any prescribed format or reference to data protection law to qualify as a valid request, although this can be helpful in identifying the type of request.

9.1.2.2 An access request does not need to be made in writing but it is helpful for record-keeping purposes and to clarify the request. If made in writing, the requestor should provide an email address and confirmation of whether the data requested can be sent via email (or otherwise specify preferred means by which the data may be received).

9.1.2.3 Requests made electronically (e.g. by email) may be responded to electronically (in a commonly used format, such as by attaching pdf documents to an email) unless the individual stipulates otherwise (such as by requesting the data be provided orally or by postal service).

9.1.3 Exemptions

9.1.3.1 ANSYS will not decline to comply with an access request unless it can demonstrate that it is not in the position to identify the requestor or it is otherwise exempt from its obligations to comply (as outlined in Section 6).

9.2 Requests to rectify personal data

The right to rectification: Right of an individual to obtain rectification, without undue delay, of inaccurate personal data a controller may process about him or her.

9.2.1 Rectification by ANSYS- If ANSYS holds inaccurate or incomplete data about an individual, the individual is entitled to request that the data is rectified.

9.2.2 Rectification by third parties- If ANSYS rectifies an individual's data in response to a request, ANSYS will seek to notify third parties with whom ANSYS has shared this data (i.e. data processors).

9.2.3 Supplementary statements to complete information- If a request to rectify data involves ensuring the data is complete, ANSYS may consider including a statement made by the requestor to provide the complete data.

9.3 Requests to delete personal data ("right to be forgotten")

The right to erasure: Right of an individual to require a controller to delete personal data about him or her on specific grounds – for example, where the personal data is no longer necessary to satisfy the purposes for which it was collected.

9.3.1 Circumstances in which right to erasure may apply

An individual may request that a data controller delete their personal data in the following circumstances:

9.3.1.1 The personal data is no longer necessary for the purpose for which it was collected, used or otherwise processed;

9.3.1.2 The personal data was unlawfully processed by data controller;

9.3.1.3 Processing occurred on the basis of consent from the individual and they withdraw consent (and no other legitimate grounds for processing the data exists);

9.3.1.4 The individual objects to the processing (see below) and no overriding legitimate grounds exist for processing the data;

9.3.1.5 The personal data needs to be deleted to comply with the data controller's legal obligations; and/or

9.3.1.6 The personal data was collected in connection with services offered on the data controller's website.

9.3.2 Erasure of personal data by third parties

9.3.2.1 If ANSYS deletes an individual's data in response to a request, ANSYS will seek to notify third parties with whom ANSYS has shared this data (i.e. data processors).

9.3.2.2 It is unlikely that ANSYS will have made personal data public but in this case and if obligated to delete the personal data pursuant to a Data Rights Request, ANSYS will also take reasonable steps, including technical measures (taking into account available technology and the cost of implementation), to inform other controllers storing, using or otherwise processing the personal data of this request for deletion, including deletion of any links to, copies or replication of this personal data.

9.3.3 Exemptions

9.3.3.1 In addition to the general exemptions outlined in Section 6, ANSYS is exempt from the obligation to delete personal data where the processing of the data is necessary for:

(i) Compliance with ANSYS' legal obligations;

(ii) Establishing, exercising or defending legal claims;

(iii) Scientific, historical or statistical purposes, and where erasure of the data would make this processing impossible or seriously impair it;

(v) Public interest reasons including (1) performance of a task carried out in the public interest, (2) exercise of official authority vested in ANSYS, or (3) for public health reasons or archiving in the public interest (although these exemptions are unlikely to apply to ANSYS); and/or

(vi) Exercising the right of freedom of expression and information.

9.4 Right to object to processing

The right to object: Right of an individual to object, on grounds related to his or her particular situation, to a controller's processing of personal data about him or her, if processing is based on the legitimate interests of the controller.

9.4.1 Circumstances in which individuals can object to processing

9.4.1.1 If ANSYS relies upon the grounds that use, storage or processing of personal data is in its legitimate interests, an individual may object to that processing.

9.4.1.2 Individuals can also object to processing where such processing is required to perform a task in the public interest or to exercise an official authority vested in the controller.

9.4.2 Exemptions

9.4.2.1 In addition to the general exemptions outlined in Section 6, ANSYS is exempt from the obligation to cease processing of personal data following an objection if:

(i) ANSYS can demonstrate compelling legitimate interests for processing the data that override the interests, rights and freedoms of the individual;

(ii) The processing is required to establish, exercise or defend a legal claim; and/or

(iii) The processing is for scientific, historical or statistical purposes carried out in the public interest.

9.5 Right to object to direct marketing

The right to object to direct marketing: Right of an individual to object to direct marketing, including profiling related to direct marketing.

9.5.1 ANSYS will seek to stop using personal data for direct marketing if it receives such a request from customers, partners, and others. ANSYS is unlikely to send direct marketing communications to employees and other workers in the context of their employment relationship or engagement.

9.6 Right to restriction

The right to restriction: Right of an individual to require a controller to restrict processing of personal data about her or her on specific grounds.

9.6.1 ANSYS will consider requests to restrict processing, although this is less likely to apply in the employment relationship (and/or the relationship with other workers).

9.6.2 Individuals may seek a restriction on ANSYS' processing of their personal data where, for example, they await a response to their request for access to their personal data.

9.7 Right to data portability

The right to data portability: Right of an individual to receive his or her personal data from a controller in a structured, commonly used and machine-readable format in order to transfer that data to another controller, where the processing is 1) based on the consent of the individual, and 2) carried out by automated means.

9.7.1 ANSYS will consider requests to exercise the right of data portability, although this is less likely to apply in the employment relationship (and/or the relationship with other workers).

9.8 Right not to be subject to automated decision-making (including profiling)

The right not to be subject to automated decision-making: Right of an individual to object to an automated decision made about the individual which has a legal or other similar effect on the individual. Individuals can ask for manual, human review in the decision-making process.

9.8.1 ANSYS will consider requests to perform a human review, rather than using automated decision-making, although this is much less likely to apply in the employment relationship (and/or the relationship with other workers).