Email: dataprivacy@avaya.com
Postal Address: Avaya UK, Building 1000,
Cathedral Square, Cathedral Hill, Guildford,
Surrey GU2 7YL, United Kingdom
Click here for additional contact details.
This Avaya Global Privacy Policy (“Policy”) establishes Avaya's[1] approach to compliance with data protection laws when “Processing”[2] “Personal Data”[3]. It does not replace any specific data protection requirements that might apply to a business unit or function. Where respective local laws and regulations mandate additional restrictions on the collection, use and disclosure of Personal Data that exceed those contained in this Policy, the local laws and regulations will prevail.
This Policy describes how Personal Data will be Processed to meet Avaya’s data protection standards and to comply with privacy laws and regulations. Instructions and / or guidelines regarding Personal Data Processing activities at Avaya are provided to Avaya employees and contractors in internal policies.
Data protection law gives individuals certain rights in connection with the way in which their Personal Data is Processed. If organizations do not comply with data protection law, they may be subject to sanctions and penalties imposed by the national data protection authorities and the courts. When Avaya Processes Personal Data, this activity and the Personal Data in question are covered and regulated by data protection law.
When an organization Processes Personal Data for its own purposes, that organization is deemed to be a "Data Controller" of that information and is, therefore, primarily responsible for meeting the legal requirements under data protection law.
On the other hand, when an organization Processes Personal Data on behalf of a third party (e.g., content hosted on behalf of an Avaya customer) that organization is deemed to be a "Data Processor" of the information. In this case, the Data Controller of the Personal Data (i.e., Avaya’s customer) will be primarily responsible for meeting the legal requirements.
This Policy, together with Binding Corporate Rules: Controller and Processor Policies (approved by the European data protection authorities), describe the general practices of handling Personal Data at Avaya.
Avaya is always committed to provide transparency on all Personal Data Processing activities and to comply with all applicable privacy laws and regulations. Due to the vast range of products and services, this is being done through various privacy statements / privacy factsheets. Avaya, depending on its role (Data Controller vs. Data Processor), takes a layered approach to thoroughly inform its customers and / or Data Subjects, as applicable, about the handling of their Personal Data. When Avaya is a Data Controller, it fulfils its transparency obligations (e.g., the kinds of Personal Data that Avaya collects and holds; how Avaya collects and holds Personal Data; the purposes for which Avaya collects, holds, uses and discloses Personal data, etc.) via applicable ad hoc privacy statements; when Avaya is a Data Processor, it provides information to its customers (the Data Controllers) so that they are able to meet their transparency obligations.
Unless agreed otherwise or set out in a more specific privacy statement or privacy factsheet, in the course of business Avaya will transfer Personal Data overseas to leverage its international resources, including affiliated companies and trusted third parties, for the purpose of providing requested solutions or otherwise transacting our business. This means that both Personal Data provided to Avaya in the role of a Data Controller or in the role of a Data Processor will be transferred internationally. This includes various types of Personal Data: (i) on the one hand, Personal Data such as business contact data and other information that is being Processed by Avaya to close and administrate the agreements with customers, as well as our own employees’ Personal Data, and (ii) on the other hand, Personal Data that is required for the purpose of providing our solutions (usually deemed as “Processing on behalf” under various privacy laws). The latter mainly results from contractual arrangements with our customers and, in particular, their individual usage of (and input into) the solutions provided by Avaya. The types of such Personal Data typically include name, contact information (company, title / position, email address, phone number, physical address), connection data, location data, video / call (recordings) data, and metadata derived thereof, etc. Further information regarding privacy within respective Avaya solutions can be found in offer / service descriptions, product privacy statements/privacy factsheets or on the Privacy Within Our Products page.
Many countries / regions have legislation addressing the international transfers of Personal Data. For instance, European data protection law prohibits the transfer of Personal Data to countries outside Europe[4] that do not ensure an adequate level of data protection, unless the exporting entity implements one of the contractual or legal mechanisms established in the law. Some of the countries in which Avaya operates are not regarded by European data protection authorities as providing an adequate level of protection for individuals’ privacy and data protection rights.
Avaya must take proper steps to ensure that it Processes Personal Data on an international basis in a safe and lawful manner. Avaya has implemented processes and controls to abide by these requirements. Avaya has obtained the approval from European Data Protection Authorities and adopted its global Binding Corporate Rules: Controller and Processor Policies, which set out a framework to satisfy data protection law requirements (these policies, including their appendixes, e.g. “Data Subject Right Procedure”, “Complaint Handling Procedure”, “Cooperation Procedure”, “Law Enforcement Data Access Procedure”, etc., are incorporated herein by reference and form an integral part of this Policy). Such framework shall apply to all Personal Data Processing activities conducted by Avaya globally.
The standards described in the Avaya Binding Corporate Rules (Controller) Policy are worldwide standards that apply to all “Group Members”[1] when Processing any Personal Data for purposes of carrying out Avaya’s business activities, employment administration and supply chain management. Below is a summary of basic data protection principles and practical commitments that Avaya must observe when it Processes Personal Data as a Data Controller. They are described in detail in the aforementioned policy.
Principle 1 – Lawfulness of Processing
Principle 2 – Fairness and Transparency
Principle 3 – Purpose Limitation
Principle 4 – Data Minimization and Accuracy
Principle 5 – Limited Retention of Personal Data
Principle 6 – Security, Integrity and Confidentiality
Principle 7 – Rights of Individuals
Principle 8 – Ensuring Adequate Protection for Trans Border Transfers
Principle 9 – Safeguarding the Use of Sensitive Personal Data
Principle 10 – Legitimising Direct Marketing
Principle 11 – Automated Individual Decisions Including Profiling
Principle 12 –Accountability
Commitment 1 – Staff and Support
Commitment 2 – Privacy Training
Commitment 3 – Audit
Commitment 4 - Complaint Handling
Commitment 5 – Cooperation With Data Protection Authorities
Commitment 6 – Action Where National Legislation Prevents Compliance with the Avaya Binding Corporate Rules Controller Policy
Commitment 7 - Government Requests for Disclosure of Personal Data
The standards described in the Avaya Binding Corporate Rules (Processor) Policy are worldwide standards that apply to all Group Members when Processing any Personal Data on behalf of and under the instructions from a Data Controller which is not a Group Member, such as for instance in the context of providing a service to an enterprise customer. Below is a summary of basic data protection principles and practical commitments that Avaya must observe when it Processes Personal Data as a Data Processor. They are described in detail in the aforementioned policy.
Principle 1 – Lawfulness of Processing
Principle 2 – Fairness and Transparency
Principle 3 – Purpose Limitation
Principle 4 – Data Minimization and Accuracy
Principle 5 – Limited Retention of Personal Data
Principle 6 – Security and Confidentiality
Principle 7 – Rights of Individuals
Principle 8 – Accountability
Commitment 1 – Staff and Support
Commitment 2 – Privacy Training
Commitment 3 – Audit
Commitment 4 – Complaint Handling
Commitment 5 – Cooperation With Data Protection Authorities
Commitment 6 - Action Where National Legislation Prevents Compliance with the Avaya Binding Corporate Rules Processor Policy
Avaya reserves the right to change, modify or update this Policy at any time. Please review it frequently for any updates.
If you have any questions regarding the provisions of this Policy, your rights under this Policy or any other data protection issues, you can contact Avaya Global Privacy Office at the address below, which will either deal with the matter or forward it to the appropriate person or department within Avaya.
Attention: Global Privacy Officer
Email: dataprivacy@avaya.com
Address: Avaya UK, Building 1000, Cathedral Square, Cathedral Hill, Guildford, Surrey GU2 7YL, United Kingdom
Revised: November 2021.
[1] “Avaya” includes Avaya Inc. (2605 Meridian Parkway, Suite 200, Durham, NC 27713, USA) and designated affiliates ("Group Members"), detailed list of such designated affiliates is incorporated into Avaya Binding Corporate Rules: Controller and Processor Policies by reference.
[2] "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
[3] "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
[4] For the purpose of this Policy reference to Europe means the European Economic Area and Switzerland.