Privacy Within Our Products

Avaya aims to collect only the information necessary to conduct business. It implements robust measures to protect individuals' personal data.

We have prepared this general privacy statement ("Privacy Statement") to disclose common privacy practices related to the products (“Products”) being offered by Avaya Inc. or its respective worldwide affiliate / subsidiary (“Avaya”). Additional information on the processing of “Personal Data” (i.e., data that identifies or may be used to identify an individual) within Avaya Products may be disclosed in the respective Product privacy statement (“Product Privacy Statement”), in the Product description documentation or in the privacy notice provided prior to Personal Data collection, as applicable. Regarding general privacy practices at Avaya, please review our Global Privacy Policy and Binding Corporate Rules.

Processing of Personal Data within Avaya Products

Security of Personal Data within Avaya Products

Avaya Products and Data Subject’s Rights

Personal Data Controls Within Avaya Products

Other Technology Features Within Avaya Products

Sharing of Personal Data

International Data Transfers

Privacy Statement Update Procedure

Interpretation of This Privacy Statement

Further Information and Contact Details of Avaya Privacy Officers

Processing of Personal Data within Avaya Products

In order to conduct global business in this increasingly electronic economy, the collection and use of Personal Data is often necessary and desirable for businesses and individuals involved. It is Avaya's goal to balance the benefits of our and our enterprise customers' business with the right of individuals as regards their Personal Data. Therefore, Avaya respective Products have certain technology features embedded that enable our enterprise customers to meet respective requirements prescribed by privacy laws. Moreover, Avaya is here to advise on the individual settings of respective system and to work with its customers to make sure they are able to use the Products in the most privacy-enhancing ways.

What type of Personal Data may be processed by Avaya Products?

Our Products may process a variety of Personal Data for specific needs – for example, collecting a name and a phone number in a phone directory to allow connection with the person at a later date, or collecting the assigned user and IP address of a phone to route calls. We do our best to inform our enterprise customers about possible processing activities within our Products and grant customers control over such data. Depending on the respective Product, such Personal Data may include (but is not limited to) data subject’s name, contact information (e.g., company, title / position, email address, phone number, physical address), connection data (e.g., IP address, operating system, internet service provider, browser, GPS / location data), communication data (e.g., presence, video usage - screen sharing, the recipient/caller ID, the recipient/caller phone number, duration / time / date of calls, recorded voicemails, saved contacts), network information (e.g., other phone network participants’ calling activities), troubleshooting data (e.g., log files) and metadata derived thereof. Details of Personal Data categories collected by Avaya Products are captured in the respective Product Privacy Statement – see section titled “Personal Data Controls Within Avaya Products” below for more information.

What categories of data subjects may be in scope?

The categories of data subjects affected by the processing of Personal Data result from enterprise customers’ individual usage of Product(s) provided by Avaya. They typically include, but are not limited to, employees, agents, advisors and customers (individuals) of Avaya enterprise customers.

Will Avaya have access to Personal Data processed within Avaya Products?

Avaya may only access certain Personal Data in the regular course of business (e.g., by fulfilling the agreement / enterprise customer’s instructions, for the purposes communicated to the enterprise customer or data subjects, as permitted by applicable law, etc.) while providing requested products and services.

For how long Personal Data may be retained by Avaya and / or by Avaya Products?

Avaya will retain and use Personal Data as required to accomplish the purposes for which it was collected or as necessary to resolve disputes, enforce contracts and / or comply with our legal obligations. Respective Avaya Products provide enterprise customers (i.e., data controllers) with certain technical measures to decide for how long Personal Data should be retained within the Product.

In what way Personal Data may be processed by Avaya Products?

Processing of Personal Data may include using, storing, recording, transferring, adapting, summarizing, amending, sharing, anonymizing and destroying Personal Data as necessary under the circumstances or as otherwise required by applicable law.

Top

Security of Personal Data within Avaya Products

Data security is a top priority for Avaya, just as it is for Avaya enterprise customers. Avaya has highly-skilled professionals to help ensure processing of information and Personal Data under its custody and responsibility is protected, whether related to Avaya's remote maintenance services, our cloud offerings or to any other solutions where Avaya processes data. Avaya has implemented and will maintain technical and organizational security measures that are appropriate with respect to the nature of Personal Data which is collected and processed by its Products. All Personal Data in transit and stored will be protected by using, for instance, encryption and / or access-control measures; Personal Data will be stored in different locations by using different protocols. Exact technical details are provided in respective Product Privacy Statement (see section titled “Personal Data Controls Within Avaya Products” below for more information).

Top

Avaya Products and Data Subject’s Rights

Data privacy laws (in particular, General Data Protection Regulation (the “GDPR”)), as well as often containing security and accountability principles that require data controllers to consider all aspects of their data processing activities, also empower individuals with some rights over the storage and use of their data. Data subjects can require data controllers to grant them rights, such as: right of access, erasure, portability and rectification over their personal data. The ability to effectively process and address these rights needs to be considered by the data controller, who must assess if any changes are required to policies, business processes and supporting systems.

The purpose of the information provided below is to describe the functional capabilities of Avaya Products, relative to individual rights prescribed by certain data privacy laws, such as GDPR, and to inform how Avaya Products may help our enterprise customer to comply with respective requirements. Below we will focus on explaining these rights under GDPR. These rights will have certain variances under other privacy laws.  

The right of access

The Right of Access typically provides for various obligations, including confirmation from a data controller as to what Personal Data is being processed about them, to whom it is being disclosed or transferred and whether the Personal Data is subject to automatic decision making. Under GDPR, a data controller must provide a copy of the Personal Data held and processed by it to the data subject in electronic form and has up to one month to comply with the request (unless the requests are complex or numerous, in which case the deadline is extended to no more than three months in total). In servicing the individual’s right, the data controller must verify the identity of the person making the request, and, if the request is made electronically, should provide the information in a commonly used electronic format. Compliance to this part of GDPR requires the ability to find an individual’s Personal Data across all information within the respective Product.

The right of rectification

Under GDPR an individual has the Right of Rectification, meaning the individual is entitled to request to have their Personal Data rectified if it is inaccurate or incomplete. A data controller has up to one month to comply with the request or show cause for denial (unless the requests are complex or numerous, in which case the deadline is extended to three months).

The right to data portability

GDPR offers the Right to Data Portability for an individual. This right allows the data subject to obtain and reuse their Personal Data for their own purposes across different services. In effect, this right means that the individual has the right to access and transfer Personal Data from one data controller to another without being obstructed due to “technical limitations” claimed by a data controller. This right arises on Personal Data which the data subject has provided the data controller with. To service the individual’s right, the data controller must provide the Personal Data in a structured, commonly used and machine-readable form, such as .CSV files (although GDPR does not prescribe the format). Compliance to this part of GDPR may require the ability to find and copy an individual’s Personal Data across all information systems and deliver a copy to the individual.

The right to erasure

The Right to Erasure, also known as the “Right to be Forgotten”, enables an individual to request the deletion or removal of Personal Data where there is no lawful reason for its continued processing or where the data subject withdraws his/her consent. The organization can refuse to comply with a request for erasure where the Personal Data is processed to comply with a legal obligation or for other “public interest” reasons, such as to exercise the right of freedom of expression and information. As such, the right to erasure does not provide an absolute “Right to be Forgotten”. Compliance to this part of GDPR may require the ability to find and delete an individual’s Personal Data across all information systems.

The obligation to have a lawful basis to process Personal Data

A data controller is obligated to have a legal basis for the personal data they collect and process. For information systems that have the capability to track or record communications or transactions, an individual may have the right (depending upon the legal basis for the tracking or recording) to give or withhold consent at any time. Compliance to this part of GDPR will in some instances require the ability to gain consent as a legal basis prior to Personal Data collection. Therefore, certain Avaya Products may provide the ability to customize the user experience for the purpose of obtaining informed and freely given consent.

For more information please see “Personal Data Controls Within Avaya Products” section below. In addition, to the extent enterprise customer, in its use of Products provided by Avaya, does not have the ability to address the data subject request, Avaya may upon customer’s request and in accordance with contractual arrangements with such enterprise customer, be able to assist customer in responding to the data subject request, to the extent Avaya is legally permitted to do so and the response to such data subject request is required under applicable data protection laws and regulations. Please direct any such requests to Avaya Global Privacy Office at dataprivacy@avaya.com.

Top

Personal Data Controls Within Avaya Products

When developing business processes around data subject’s under applicable privacy laws, it is useful to consider the lifecycle of Personal Data in the business.

From the lifecycle diagram above, you can determine the key aspects that must be considered in the development of a business’s privacy compliance processes and procedures:

• What is the use of the Personal Data collected?
• How is Personal Data collected and where is it stored?
• What is the legal basis for processing the Personal Data?
• How is consent to collect and process the Personal Data obtained, if required?
• How is the Personal Data accessed for the defined usage?
• How is unauthorized access to the Personal Data prevented?
• How and when will the Personal Data be transferred out of your control?
• How and when is the collected Personal Data destroyed, deleted or returned?

In evaluating the questions noted above and developing company compliance processes, it is important that all IT systems – including Avaya systems – be considered. Within the scope of respective Avaya Product, Personal Data may be involved in almost all transactions of the system including voice and video calls, conferences, and text messages. This information will be stored in multiple places including recordings, databases, system logs, directories, histories, and backups.

Personal Data collection

Avaya Products collect Personal Data for specific needs - for example, collecting a name and a phone number in a phone directory to allow connection with the person at a later date, or collecting the assigned user and IP address of a phone to route calls. Some information may be saved in system logs for future diagnostic or audit purposes. When the information is no longer needed, these logs may be destroyed. System backups may also capture some Personal Data to the extent it exists in the data being backed up. For this reason, both the active system data and backups must be considered when assessing Personal Data in Avaya Products. Exact details of Personal Data collected by Avaya Products are captured in the respective Product Privacy Statement.

Supporting the Personal Data lifecycle

Avaya Products incorporate multiple capabilities to support the data lifecycle and compliance with privacy laws (such as GDPR). Some of the different types of capabilities are described below.

Encryption

Encryption at rest secures the content of a file or database in a manner that makes it unusable by anyone who does not have proper authorization. Some Avaya Products have options to support encryption, while others do not. For those that do not, compensating controls can be put in place (see “Access controls” below.) Encryption in transit needs to be applied to all data communication in the systems. Most Avaya Products support TLS1.2 with the latest encryption (AES256 for confidentiality and SHA-2 for hashing, and digital signatures for authentication).

Menus

Some Avaya Products support the development of interactive menus where customers can be prompted and provide feedback. In many cases, these menus can be used to acquire the consent needed to collect and use Personal Data and for the technology to be used in the most privacy-enhancing way.

Access controls

Most Avaya products provide access controls that can be used to limit the ability of individuals or systems to access collected data. A variety of access controls may be provided as follows:

• Passwords – passwords are used to gain access to the Product. These can be defined by the system or linked to a larger, corporate directory. When system passwords are used, password policy controls are provided such as complexity rules, lock-outs on failed attempts, required change intervals, etc.
• Multi-Factor Authentication – certain Avaya Products support multi-factor authentication. Access is forbidden unless the configured type and number of authentications are provided. This is typically configured to be a password and special authentication card.
• Role Based Access Control – role-based access controls (“RBAC”) allows for the system to grant fine-tuned capabilities to each log-in that has been assigned to a “role” in order to manage what they can access and change in the system.
• Certificates – Avaya Products leverage X.509 certificates that are used to secure the communication exchange between two different system elements ensuring that the communication is authentic and confidential. Communications exchange can be further protected by requiring each communication element to mutually authenticate the other side before exchanging information. Mutual authentication requires certificates to be generated and installed on each communication element. Certificates can be generated directly by the system, by the enterprises certification generation facilities, or by 3rd party public entities.
• Filesystem Access Controls – file access controls restrict ownership, and the type of information access granted to individual accounts within the operating system of the product. These controls should be configured to adhere to the security principle of least privilege.
• Network Access Control Lists – access control lists restrict network connections according to predefined “allow” and “deny” lists kept local to the system.

Audit logs

Audit logs, especially security audit logs, are also a key part of managing compliance. Audit logs record system activity and can be used to identify possible problems or cyber-attacks.

Customer specific customisations

Avaya Products are meant to be general purpose and can be configured and integrated into a customer’s overall business information processing architecture. It is expected that Avaya Products and non-Avaya equipment work together to perform overall information processing for the business. It is also common to use certain Avaya Products (e.g., Avaya Aura Experience Portal) to execute information processing scripts that have been written or customized by the customer or other agents.

Finding specific information

An overview of privacy-related security controls and available methods of access and handling of various types of Personal Data within Avaya Products as well as instructions on how to locate respective Product Privacy Statements (a.k.a. “Data Privacy Controls Addendums”) for specific Avaya branded Products in the portfolio are available here. To find and access the respective document – Product Privacy Statement, navigate to the Product in question and select the “Application & Technical Notes” box. You will find the document in the list produced.

Click here to download “Personal data controls for enabling GDPR compliance programs” whitepaper.

Top

Other Technology Features Within Avaya Products

Our Products may have multiple technology features (e.g., voice, video, analytics, licensing tools, etc.) enabled. The foregoing has been grouped into the following categories (the list below does not represent an exhaustive number of all technology features which may be embedded into respective Avaya Products, and is provided for information purposes only) that help to understand how such technology features may be associated with privacy and for what purposes Avaya may use such information. Additional information about the technology features embedded into Avaya’s Products may be provided in respective contract and related documentation, such as the Product Privacy Statement, the Product description documentation, or in the notice provided prior to the collection of Personal Data.  

Voice and video recordings

Respective Avaya Products are capable of automatically collecting and storing a whole range of information (e.g., audio, video data). This information may include (but is not limited to) user’s current presence, video usage, screen sharing, IP address, the recipient ID, the recipient phone number, the caller ID, the caller phone number, duration of calls, time of calls, date of calls, recorded voice box messages (including ID, phone number, time and date), saved contacts, network information (e.g., showing other phone network participants’ calling activities) and other log information. The possibility to permanently delete such data as well as the network information about data subject’s (calling - communicating) behaviour may be limited, depending on user’s access rights and the overall access right management by the enterprise customer (data controller) or network provider.

Licensing tools

Certain Avaya Products may include tools that gather information about when and on what hardware the software is installed. Avaya uses such information to keep track of whether the installation is in accordance with licenses purchased by its enterprise customers.

Telecommunications diagnostic tools

Avaya may collect and process information about the use of our Products including the circumstances of telecommunication such as dialled numbers or start and end times of phone calls (sometimes referred to as “metadata”). We use such Personal Data to fulfil the contractual obligations we have towards our customers, to protect our IT systems against threats and misuse, and to comply with our legal obligations.

Usage metering tools

Respective Avaya Products have usage metering and analytics capabilities embedded. Such tools provide accurate tracking of customer usage of the Product and also provide the capacity for analysing enterprise customer’s usage patterns and generating usage reports required for billing purposes.

Cookies and analytics tools

To improve effectiveness, performance, functionality and usability of our Products Avaya may rely on a third party analytics service providers (including, but not limiting to, Google Inc., having an office at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA – more information about privacy practices within Google technologies and how individuals can express their choices regarding privacy is available here) to automatically collect and generate aggregated user data.  For web-based Products it may be possible to block or delete cookies by changing browser settings (as described under the heading "How Can You Control Cookies?" in our Cookie Statement); for installable on a device Products (i.e., software) there may be an option to manually (on a corporate account or user basis) disable analytics under settings of respective Product.

Cloud services

Certain Avaya Products are provided over the internet, hence Avaya users’ Personal Data is stored on data centres located globally and may be outside their country of residence. Such storage and a model for enabling simple, very convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) is referred to as a “cloud service”. Avaya’s cloud Products are built on flexible architectures that support unparalleled compatibility and world-class interoperability with a clear focus on the reliability, security and needs of our customers. When Avaya acts for an enterprise customer in its capacity as the provider of a cloud content management and file sharing platform, Avaya may not have regular access to Personal Data of its enterprise customer except if providing maintenance or other services requested by the enterprise customer.

Geolocation-based services

Certain Avaya Products need to have information disclosed about user’s current location to function properly.  A data subject has to make the choice to enable location services - it is not set on by default. Avaya collects such information from user’s device GPS signal, or as inferred from nearby Wi-Fi networks, or mobile network transmitting stations, or other technologies to determine your devices’ approximate location. The information includes user’s geographical position and information identifying your device such as a phone or SIM card number. Avaya collects and processes geolocation information insofar as necessary for providing the service requested. If we use geolocation information for our own purposes such as analysis of the use of the service, we do so in statistical, non-personally identifiable form.

The user may at any time disallow the application or service to collect geographical location by selecting the appropriate setting in the relevant application or service or in user’s device operating system. The latter action will prevent user from accessing and relying on geolocation-based services.

Top

Sharing of Personal Data

Within Avaya

Personal Data processed by Avaya Products may be shared within Avaya affiliates / subsidiaries for the purpose of delivering / supporting / maintaining the Products. To ensure such transfers of Personal Data within Avaya affiliates / subsidiaries are safeguarded legally, Avaya complies with applicable legislation on international data transfers and has implemented the appropriate safeguards to enable such transfers (for more information, please refer to out Binding Corporate Rules).

With External Sub-processors

Avaya will only appoint external sub-processors that provide sufficient guarantees in respect of the commitments made by Avaya to its enterprise customers. In particular, such sub-processors will be able to provide appropriate technical and organizational measures that will govern their use of the Personal Data to which they will have access in accordance with the terms of the contract or other legally binding document Avaya has with respective enterprise customer.

Specific Disclosure Rules

Avaya may also disclose certain Personal Data to third parties in other special instances, including: (i) as required to do so by law, such as to comply with a court order or similar legal process; (ii) when we believe in good faith that disclosure is necessary to protect our rights, your safety or the safety of others or defend against legal claims; (iii) for the purposes of prevention of fraud or other crime; (iv) in connection with or during negotiation of any merger, acquisition, sale of all or a portion of our assets, financing, liquidation, reorganization; and (v) in anonymized form which can no longer be used to identify data subjects.

Top

International Data Transfers

While providing / supporting / maintaining Products Avaya may need to transfer Personal Data around the world over public or private networks. As such, Personal Data transfers may naturally include territories outside respective countries, including outside the European Economic Area (“EEA”), where data protection requirements may differ and be less comprehensive. The transfers of Personal Data between respective Avaya affiliates / subsidiaries are governed by our Binding Corporate Rules.  If Avaya needs to transfer Personal Data originating from the EEA to third party sub-processors (i.e., Avaya’s sub-contractors that are not Avaya affiliates / subsidiaries) located in countries outside the EEA that have not received a binding adequacy decision by the European Commission, such transfers shall be subject to (i) the terms of Standard Contractual Clauses (as per European Commission’s Decision 2010/87/EU); or (ii) other appropriate transfer mechanisms that provide an adequate level of protection in compliance with the GDPR.

Top

Privacy Statement Update Procedure

We reserve the right to amend or change this Privacy Statement at any time, so please review it frequently. If we change this Privacy Statement, we will post the revised version with an updated revision date. By continuing to use our Products after such revisions are in effect, you accept and agree to the revisions and abide by them.

Top

Interpretation of This Privacy Statement

Any interpretation of this Privacy Statement will be done by the Avaya Global Privacy Officer. This Privacy Statement does not create or confer upon any individual any rights or impose upon Avaya any obligations outside of, or in addition to, any rights or obligations imposed by the privacy laws applicable to such individual's Personal Data. Should there be, in a specific case, any inconsistency between this Privacy Statement and such privacy laws, this Privacy Statement shall be interpreted to comply with such privacy laws.

Top

Further Information and Contact Details of Avaya Privacy Officers

If you have any questions about this Privacy Statement or concerns about how we manage your Personal Data, please contact the Avaya Privacy Officers at dataprivacy@avaya.com or by postal mail to Avaya UK, Building 1000, Cathedral Square, Cathedral Hill, Guildford, Surrey GU2 7YL, United Kingdom or Avaya Deutschland GmbH, Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany.

Revised: January 2020.