“We will ensure that your personal data is protected and appropriately handled and used by Avaya. Now and in the future.”
Global Privacy Officer
- During the course of normal business operations, Avaya collects personal information about its employees and third parties, including, but not limited to, partners, vendors, resellers and customers. Avaya may also receive unsolicited documents or materials that contain personal information (e.g., resumes, e-mails);
- Personal information (defined below) should be used for the business purposes for which it was collected or intended, unless there is a legitimate business need and legal justification for using it for another purpose;
- Sensitive personal information (defined below) must be treated with special care and not shared inside or outside of Avaya except as permitted by law and where there exists a compelling or legitimate business need or other legal justification;
- Sharing personal information outside of Avaya or across international borders should be done only after appropriate consideration of the legal restrictions on the further use of the data, the security of the data, and the legal justification for any international transfer;
- The security of this information must be preserved consistent with the Avaya Security Policies. Employees should immediately report any loss of, misuse of, or damage to Personal information to email@example.com or call Avaya Security (1-877-99-ETHIC for U.S. or for non-U.S. callers) or by logging in to www.ethicspoint.com. Suspected data breaches involving personal information of customers should preferably be reported via Ethics Point (using the "data breach" category) to ensure 24h breach notification handling;
- The consequences of violating privacy laws can be serious. Violations can harm Avaya’s brand and reputation, can subject Avaya to class action and other litigation, and can subject the company and individuals to criminal penalties and imprisonment;
- Avaya values the protection of personal privacy and provides individuals appropriate opportunities to inspect and correct information collected about them;
- Any questions or concerns regarding this Policy should be directed to firstname.lastname@example.org or, if applicable, your local data privacy steward;
- Failure to follow this Policy may result in disciplinary action, up to and including dismissal.
The purpose of this Policy is to promote compliance with these objectives and with the various privacy and data protection principles of (and the national and international laws and regulations of) the countries in which Avaya operates (e.g., the European Union (EU) Data Protection Directive, Personal Information Protection Act (Japan), State of Massachusetts Data Privacy Law (201 CMR 17.00)). This Policy also provides employees and the general public – including actual and potential customers, government regulators, partners, vendors, resellers, consultants, agents and other third parties with whom we do business – with a statement of commitment to the principles of data privacy and data protection.
Please note that Avaya and its employees may only be able to fully implement this Policy insofar as Avaya is the “data controller”, i.e., autonomously decides about the collection, processing and use of the personal information. When acting as a service provider, i.e., “data processor”, for a customer, Avaya acts upon instructions, but still may have compliance obligations and may be obligated to notify its customer of an alleged infringement.
Where local laws and regulations mandate additional restrictions on the collection, use and disclosure of personal information that exceed those contained in this Policy, the local laws and regulations will prevail.
Types of Information
Throughout its business and internal operations, Avaya obtains, gathers and maintains a variety of “personal information,” including “sensitive personal information,” about its employees and third parties, including partners, vendors, resellers and customers.
For purposes of this Policy, “personal information” includes any information that identifies, relates to, describes, or is capable of being associated with, an identified or identifiable natural person. Such personal information includes, but is not limited to, an individual’s:
- image (e.g., a photograph);
- employee personnel number;
- telephone number;
- passport number;
- driver's license or state identification card number;
- insurance policy number;
- education information;
- employment information;
- website “user id”;
- date of birth.
Sensitive Personal Information
Certain personal information that is collected about individuals is considered particularly sensitive and is subject to heightened protection. For purposes of this Policy, “sensitive personal information” includes, but is not limited to, personal information pertaining to an individual’s:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- social security or tax identification numbers issued by governmental agencies;
- personal financial information including, but not limited to, bank account numbers, credit card numbers or debit card numbers;
- criminal record;
- sexual orientation.
Principles of Data Privacy and Data Protection
Avaya’s commitment to protecting personal information follows nine common principles. In understanding that all modern data protection laws are based on these principles, employees will be able to quickly get a sense of whether an envisaged product, service or process sufficiently considers privacy.
Transparency. Individuals shall be informed about which personal information related to them is collected, for what purpose and how it is used.
Lawfulness. All collection and use of personal information needs some form of justification such as: consent from the individual, legitimate interest or some other justification provided by the law.
Purpose Limitation. Personal information may only be used for the original purpose for which it was collected or obtained. Additional purposes will likely require additional justification.
Adequacy. Personal information shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is collected or is processed.
Data Quality. Personal information shall be accurate and, where necessary, kept up to date. Often, this can only be achieved with the active support from the individual.
Retention. Personal information shall not be kept longer than is required for the processing purpose unless a longer retention period is required or permitted by law.
User Rights. The individual has a right to know what personal information a data controller holds about him or her and for what purpose. The individual may have the right to have the personal information relating to him or her erased, rectified, completed or amended.
Security. Without securely storing and processing personal information, data protection cannot be ensured. Appropriate – in relation to the sensitivity of the data – technical and organizational protection measures shall be applied over all personal information.
International Data Transfer. Transferring personal information across borders should not expose the data to lower legal protection standards (please see Section V Sharing Information below).
Collecting and Using Information
The protections in this Policy regarding the collection and use of personal and sensitive personal information apply not only to information about employees, but also to personal and sensitive personal information collected regarding customers, vendors, partners, resellers and other non-employee third parties.
Avaya collects personal information only where the information is reasonably related to the conduct of its business. Avaya provides notice about the purposes for which it collects and uses this information, and may provide the opportunity to “opt-in” or “opt-out” of certain collections and uses (as may be required by applicable local law). Avaya is committed to limiting the use of personal information to only those purposes for which the data was originally collected, or as subsequently authorized by consent of the individual to whom the information relates, or as permitted by law. Such consent may be obtained either through express declaration such as ticking a box, or, if sufficient under local law, through implicit declaration such as continuing after a website cookie banner has been displayed. Some data may be collected and used based on local privacy legislation so that the individual must only be provided with a reasonable way to “opt-out” of further use of the information.
Employees who collect and use personal information must be certain to provide appropriate notice of the intent to collect and use. Employees responsible for externally facing websites through which this type of information is collected must be familiar with Avaya’s website privacy statement and solutions privacy statement.
Sensitive Personal Information
As a general matter, Avaya does not collect or use sensitive personal information unless there is a compelling business need to do so. As far as reasonably practical, the individual’s express consent should be obtained and documented. Please contact Avaya Global Data Privacy Officer at email@example.com for assistance prior to any such collection.
Special care must be taken regarding the use of social security, tax and other similar identification numbers issued by governmental agencies. These must not be posted publicly, printed on access cards, transmitted over unsecured Internet connections, used as a password or personal identification number, or printed on materials to be sent by mail unless use of the number is required. For example, in the U.S., no more than the last four digits of an employee’s social security number may appear on pay stubs or itemized statements. Similar precautions should be taken outside of the U.S. as required by local law, in particular in relation to official means of identification such as ID cards or passports.
As a general rule Avaya does not sell, rent, or lease personal information. All employees have a responsibility to exercise due care when sharing with others (as permitted by law and within the limitations described below) the personal information to which they have access, regardless of whether that information relates to employees or third parties. In addition, employees must exercise special care when dealing with sensitive personal information.
Sharing of Personal Information
Within Avaya. Personal information may be shared only among employees within Avaya who have a legitimate business “need to know” for the purposes of internal administration and operations or for other reasonable and valid business purposes referred to in this Policy. Personal information may also be processed and transferred within Avaya when necessary in connection with contractual commitments.
With Third Parties. From time to time, Avaya uses third parties to provide services on its behalf, such as for marketing or administrative purposes. Avaya shares personal information with these third parties as necessary to provide those services (e.g., payroll, health insurance, IT services) or for other legitimate purposes. In these cases, the third parties are not permitted to use personal information for any purposes other than those for which they are specifically authorized by Avaya. Contracts with these third parties should contain appropriate legal provisions requiring the vendor to maintain the confidentiality and security of personal information and prohibiting them from using the information for any other purpose. Avaya employees responsible for overseeing a contract with a third party who may have access to personal information should contact Avaya Global Data Privacy Officer at firstname.lastname@example.org for assistance.
International Sharing. Avaya operates across international boundaries and may transfer personal information across these borders via its computer and telephone systems and in paper documents in order to meet its business and legal needs and requirements. Even intra-company transfers of personal information will likely result in the transfer of data between countries that have differing legal requirements for privacy protection, such as when personal information is transferred from the EU to the U.S.
The transfer of personal information collected or processed in the European Economic Area (EEA) to third parties (including Avaya) located in countries outside of the EEA is permitted only in particular circumstances provided for in the EU Data Protection Directive and its implementations in the EU Member States. To ensure such transfers of personal information within Avaya are safeguarded legally, Avaya has in place EU inter-company model clauses (contracts) approved by the European Commission from time to time. In addition, Avaya seeks to ensure that any non-EEA entity receiving the data provides protections that are equivalent to those deemed “adequate” by the EU Data Protection Directive. If you have any questions regarding the proper protections that are required, please contact Avaya Global Data Privacy Officer at email@example.com for assistance.
Sharing of Sensitive Personal Information
As a general rule, Avaya does not share sensitive personal information with anyone within or across national boundaries without the express consent of the person to whom it relates. Exceptions to this rule may exist as permitted by law or for internal administration and operations or for other reasonable and valid business purposes referred to in this Policy (e.g., Human Resources administration), but Avaya expects personnel to obtain advice from Avaya Global Data Privacy Officer (firstname.lastname@example.org) before sharing such information.
Special Sharing Rules
Notwithstanding the above restrictions on sharing, personal information and sensitive personal information may sometimes be transferred and used to protect the vital interests of Avaya, its employees, its customers or the public. In particular, Avaya may use or disclose this information if required or permitted to do so by law, such as to investigate, protect and defend its legal rights, to adhere to national or international law, or to comply with due legal process. In general, Avaya will seek to balance the privacy concerns of the individuals and the requirements of the requesting party.
No Inappropriate Automated Decision-making
Avaya does not engage in processing of personal information for automated decision making purposes unless appropriate human mechanisms are in place to safeguard against inaccurate or improper decisions. That is, computers are not used to make decisions without appropriate review of such decisions by individuals.
In order to protect physical security and intellectual property and to follow up on reported concerns, Avaya may engage in the electronic monitoring of personnel activities and facilities. These activities are governed by Avaya’s Security Policies.
Information Security and Data Integrity
Information security is an integral component of Avaya’s data protection obligations. Avaya implements, maintains and updates adequate and reasonable security procedures and practices, as required in order to protect personal and other confidential and / or proprietary information.
Avaya expects that employees responsible for collecting, storing and transferring personal information will take all necessary and appropriate precautions to:
- restrict access to personal information to only those employees and specific third-party vendors who have a legitimate “need to know” in order to conduct Avaya business;
- utilize encryption and / or password protections (at a minimum) when transmitting personal information electronically via public networks;
- prevent unauthorized access, destruction, use, modification, or disclosure of personal information; and
- maintain physical, electronic, and procedural safeguards in compliance with national, federal, state and local regulations to protect the personal information.
Under its records management program, and in compliance with various laws, Avaya requires employees to take reasonable steps to destroy, or arrange for the destruction of, personal information within its custody or control, when retention is no longer required. Acceptable methods of destruction include (1) shredding, (2) erasing, or (3) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means. Employees should ensure that redundant or duplicate personal information is identified and destroyed.
You should notify Avaya Corporate Security immediately if any personal information is lost, compromised or stolen, or its integrity is otherwise impaired. Avaya Corporate Security can be reached on a 24-hour basis within the U.S. on +1-877-99-ETHIC (+1-877-993-8442) and for non-U.S. calls on +1-908-953-7276. Alternatively, you can submit good faith reports by logging on to www.ethicspoint.com (using "data breach" category) or by sending an email to Avaya's Data Privacy Officer at email@example.com. You also can direct any questions about the Avaya Code of Conduct or any compliance-related policy to firstname.lastname@example.org. Under the direction of Avaya Corporate Security or Compliance, Avaya will investigate all reports made in good faith, including those made anonymously, and provide feedback when appropriate.
Additional security requirements are governed by Avaya’s Security Policies.
Requests for Access to Personal Information
Anyone about whom Avaya maintains personal information may request to inspect and, if appropriate, correct the personal information held by Avaya. The requests for corrections should be sent to Avaya Global Data Privacy Officer at email@example.com. Avaya will promptly respond to such requests as soon as practicable in a manner that protects the privacy of others. Avaya may require additional information from the requesting party in order to assure itself of the legitimate basis for the request and the identity and authority of the requestor. Upon receipt and verification of the corrected personal information, Avaya will adjust its data or records accordingly.
Other Rights of Individuals
Individuals may request that Avaya not use their personal information for direct marketing purposes. Avaya may create a database so that when a relevant request has been made, records relating to such individual(s) can be flagged so as to prevent them from being used for direct marketing purposes. Other rights may exist in the EU or elsewhere that permit individuals in limited circumstances to ask Avaya to stop processing personal information relating to them (please see Section Requests for Access to Personal Information). Where local laws and regulations provide for such additional rights on the collection, use and disclosure of personal information, the local laws and regulations will prevail.
Modification of Policy
Avaya reserves the right to change, modify or update this Policy at any time. Please review it frequently for any updates.
Complaint Procedure and Dispute Resolution
Avaya is committed to resolving any disputes that may arise relating to this Policy. Should the company’s efforts to resolve an issue fail, Avaya commits to the submission of such disputes before a mutually-agreeable, independent party to provide an appropriate, independent means of resolving such disputes.
If you have any questions regarding this Policy or regarding the collection, use or sharing of personal and sensitive personal information at Avaya, please contact Avaya Global Data Privacy Officer at firstname.lastname@example.org or, if applicable, your local data privacy steward.
- August, 2006
- January, 2008
- November, 2010
- August, 2013
- February, 2016
- February, 2017
 “Avaya” includes Avaya Inc. as well as each of its worldwide subsidiaries and affiliates (collectively, “Avaya”);
 In EU Member States, www.ethicspoint.com reporting is limited to concerns relating to accounting, internal control and auditing matters (i.e., SOX-related);
 Except in EU Member States where regular local reporting channels should be used;
 In EU Member States, www.ethicspoint.com reporting is limited to concerns relating to accounting, internal control and auditing matters (i.e., SOX-related).