Global privacy policy

This Avaya Global Privacy Policy (the “Policy”) establishes and defines the foundation of Avaya's¹ approach to compliance with data protection laws and regulations and applies as a minimum standard for all “Processing”² of “Personal Data”³ by Avaya.

In addition, Avaya’s Binding Corporate Rules Controller and Processor Policies, which have been approved by the European Data Protection Authorities, are incorporated herein by reference, and form an integral part of this Policy. In case of conflicts with this Policy, the Binding Corporate Rules Policies take precedence.

This Policy does not replace any specific additional personal data protection or personal data handling requirements or instructions that might apply to a business unit or function. Where local laws and regulations include additional requirements for the Processing of Personal Data that exceed those contained in this Policy, the respective local laws and regulations prevail.

Compliance with data protection law and this Policy, including Avaya’s Binding Corporate Rules and any other specific data protection requirements, is mandatory for all Avaya staff members globally.

Data protection law gives individuals certain rights in connection with the way in which their Personal Data is Processed. If organizations do not comply with data protection law, they may be subject to sanctions and penalties imposed by the national data protection authorities and courts. When Avaya Processes Personal Data, this activity and the Personal Data in scope are covered and regulated by data protection law.

When an organization determines the purpose and means of the Processing of Personal Data, that organization is deemed to be a “Data Controller” for the respective Processing activity and is therefore primarily responsible for meeting the legal requirements under data protection law.

On the other hand, when an organization only Processes Personal Data on behalf and per the instructions of a different organization, it is deemed to be a “Data Processor” for the respective Processing and only responsible for the contractual and processor-specific obligations. In this scenario, the “Data Controller”, who determines the overall purpose and means of the Processing of Personal Data, remains primarily responsible for meeting the legal requirements.

Besides national legislation addressing the Processing of Personal Data within or into the respective jurisdiction, many countries have implemented rules that also address international transfers of Personal Data. For instance, European data protection law prohibits the transfer of personal data to countries outside of Europe4 that do not ensure an adequate level of data protection, unless the respective exporters and importers implement appropriate transfer safeguards defined by law.

Avaya must always provide full transparency for all Personal Data Processing activities.

Avaya acts as Data Controller of external Personal Data only in very limited areas, e.g., for business contact management, communications with customers, business partners and vendors, to operate its websites and other digital properties, marketing and events, for licensing, etc. Details on the Personal Data Processing when Avaya acts as Controller can be found in Avaya’s General Privacy Statement, the internal Personnel Privacy Statement and/or other individual ad hoc privacy statements presented as appropriate, such as the Job Applicant Privacy Statement.

When Avaya acts as Data Processor, e.g., when providing services to business customers that include the Processing of Personal Data, detailed information on the respective Processing of Personal Data can be found in the respective service descriptions, the agreements with Avaya and/or Avaya’s Privacy Fact Sheets.

More information on the Data Processing of Avaya’s hardware and software products can be found in the respective product documentation, on the Privacy Within Our Products page or by reaching out to your sales contact.

The provisions of Avaya’s Binding Corporate Rules Controller Policy are worldwide standards that apply to all relevant Group Members when Processing Personal Data in the Role of a Data Controller (e.g., for purposes of carrying out Avaya’s business activities, employment administration, and supply chain management), as a Data Processor acting on behalf of another Group Member, or when Group Members act as joint Data Controller. Below is a summary of the data protection rules and practical commitments that Avaya must adhere to under the Binding Corporate Rules Controller Policy.

BINDING RULES

Rule 1 – Lawfulness of processing

• Avaya must ensure that all Processing is at all times  based on lawful grounds.

Rule 2 – Fairness and transparency

• Avaya must inform and explain to individuals, at the time when their Personal Data is collected, how their Personal Data will be Processed.

Rule 3 – Purpose limitation

• Avaya must only Process Personal Data for specified, explicit and legitimate purposes and not further Process that Personal Data in a manner that is incompatible with those purposes.

Rule 4 – Accuracy

• Avaya must keep Personal Data accurate and up to date.

Rule 5 – Data minimization

• Avaya must only Process Personal Data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.

Rule 6 – Limited retention of Personal Data

• Avaya must only keep Personal Data for as long as is necessary for the purposes for which it is collected and further Processed.

Rule 7 – Security, integrity and confidentiality

• Avaya must implement appropriate technical and organizational measures to ensure a level of security of Personal Data that is appropriate to the risk to the rights and freedoms of individuals.

Rule 8 – Service provider management

• Avaya must ensure that our service providers are bound by strict contractual terms and also adopt appropriate and equivalent security measures when Processing Personal Data.

Rule 9 – Data breach handling

• Avaya must comply with data security breach notification requirements as required under applicable data protection law.

Rule 10 – Rights of individuals

• Avaya must adhere to the Data Subject rights procedure and respond to any requests from individuals to exercise their data protection rights in accordance with applicable law.

Rule 11 – Restrictions on transfers outside the EEA

• Avaya must not transfer Personal Data to third parties outside Europe without ensuring adequate protection.Avaya must ensure the adequate protection of any Personal Data that may be onward transferred outside Europe.

Rule 12 – Accountability

• Avaya must be able to demonstrate compliance with its Binding Corporate Rules Controller Policy and applicable laws.
• Avaya must carry out a data protection impact assessment when the Processing is likely to result in a high risk for the individuals concerned, where required to comply with applicable laws.
• Avaya must maintain records of data Processing activities under its responsibility.
• Avaya must implement Privacy by Design and Privacy by Default for new systems and applications.
• Avaya Affiliates (in the event of acting as joint controllers) shall determine their respective roles and responsibilities in an arrangement or other legally binding document.

Rule 13 – Action where national legislation prevents compliance with the Controller Policy      

• Avaya must assess the laws and practices of the third country outside Europe before transferring Personal Data to such country.
• Avaya must ensure that the Data Privacy Officer will be involved in the assessment whenever there is a need to put in place safeguards in addition to those envisaged under the Binding Corporate Rules (Controller) Policy.

Rule 14 – Compliance with the Controller Policy·

• No transfer shall be made to a group member acting as an importer unless such group member is effectively bound by the Binding Corporate Rules Controller Policy and can deliver compliance. 
• A group member acting as importer shall promptly inform the exporter if it is unable to comply with the Binding Corporate Rules Controller Policy, for whatever reason, including the reasons described under Rule 13. 
• Where an importer is found to be in breach of the Binding Corporate Rules Controller Policy or is unable to comply with them, the group member acting as an exporter shall suspend the transfer to such importer.

Rule 15 – Return or deletion of personal information

• A group member acting as an importer should, at the choice of the exporter, immediately return or delete all Personal Data in its possession that has been transferred under the Binding Corporate Rules Controller Policy  (including any copies thereof) if the exporter has suspended the transfer and compliance with the Binding Corporate Rules Controller Policy is not restored within a reasonable time; or if the Importer is in substantial or persistent breach of the Binding Corporate Rules Controller Policy or fails to comply with a binding decision of the competent court or data protection authority regarding the obligations under the Binding Corporate Rules Controller Policy; or the importer ceases to be bound by the Binding Corporate Rules Controller Policy (unless protection is maintained in accordance with the applicable laws).

PRACTICAL COMMITMENTS

Commitment 1 – Staff and support

• Avaya shall have appropriate staff and support to ensure and oversee privacy compliance throughout the business.

Commitment 2 – Privacy training

• Avaya ensures all staff are educated about the need to protect personal information in accordance with the Binding Corporate Rules Controller Policy.

Commitment 3 – Audit

• Avaya shall verify compliance with the Binding Corporate Rules Controller Policy and carry out data protection audits on a regular basis in accordance with the Audit Protocol set out in Appendix 5 of its Binding Corporate Rules Controller Policy.

Commitment 4 – Complaint handling

• Avaya must enable individuals to raise data protection complaints and concerns.

Commitment 5 – Cooperation with data protection authorities

• Avaya will cooperate with the competent data protection authorities on any issue related to the Avaya Binding Corporate Rules Controller Policy in accordance with its Binding Corporate Rules Controller Policy.

Commitment 6 – Update of the Binding Corporate Rules Controller Policy

• Avaya will report changes to its Binding Corporate Rules Controller Policy to the competent data protection authorities.

Commitment 7 – Requests for disclosure of Personal Data by a public authority in a third country

• If a group member, acting as an importer, receives a legally binding request for disclosure of Personal Data by a public authority (e.g., law enforcement authority or state security body) under the laws of a third country outside Europe, it must comply with the Data Request Procedure set out in Appendix 9 of its Binding Corporate Rules Controller Policy.
• In no event shall a Group Member transfer Personal Data to any public authority (such as any law enforcement, state security or other government authority) in a third country in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.

The provisions of Avaya’s Binding Corporate Rules Processor Policy are worldwide standards that apply to all Group Members when Processing Personal Data in the role of a Data Processor. Below is a summary of the data protection principles and practical commitments that Avaya must adhere to under the Binding Corporate Rules Processor Policy.

BINDING RULES

Rule 1 – Lawfulness of Processing

• Avaya shall ensure that all Processing is carried out in accordance with applicable laws.
• Avaya shall cooperate and to the extent reasonably possible assist a Data Controller without undue delay to comply with its obligations under applicable data protection laws. 

Rule 2 – Fairness and transparency

• Avaya shall assist a Data Controller to comply with the requirement to inform and explain to individuals how their Personal Data will be Processed in accordance with applicable laws.

Rule 3 – Purpose limitation

• Avaya shall only Process Personal Data on behalf of, and in accordance with, the instructions of a Data Controller. 

Rule 4 – Data minimization and accuracy

• Avaya shall assist a Data Controller to keep the Personal Data accurate and up to date.

Rule 5 – Limited retention of Personal Data

• Avaya shall only keep Personal Data for as long as is necessary under the terms of the contract or other legally binding document with a Data Controller. 

Rule 6 – Security and confidentiality

• Avaya shall implement appropriate technical and organizational measures to safeguard Personal Data processed on behalf of a Data Controller.
• Avaya shall notify a Data Controller without undue delay of any security breach affecting the Personal Data that is being Processed on behalf of a Data Controller in accordance with the terms of the contract or other legally binding document with that Data Controller.
• Avaya shall comply with the requirements of a Data Controller regarding the appointment of any sub-processor.
• Avaya shall ensure that external sub-processors undertake to comply with provisions that are consistent with the terms of the contract or other legally binding document it has with a Data Controller, the Avaya Binding Corporate Rules Processor Policy, and in particular that the sub-processor will adopt appropriate and equivalent security measures. 

Rule 7 – Rights of individuals

• Avaya shall assist Data Controllers to comply with their duty to respect the rights of individuals.

Rule 8 – Accountability

• Avaya shall demonstrate compliance to the Data Controller.
• Avaya shall maintain records of data Processing activities it is carrying out on behalf of a Data Controller.
• Avaya shall assist the Data Controller in implementing Privacy by Design and Privacy by Default tools.

PRACTICAL COMMITMENTS

Rule 9 – Staff and support

• Avaya shall have appropriate staff and support to ensure and oversee privacy compliance throughout the business.

Rule 10 – Privacy training

• Avaya shall provide appropriate privacy training to employees who have permanent or regular access to personal data, who are involved in the processing of personal data, or in the development of tools used to process personal data in accordance with the Privacy Training Program set out in Appendix 4 of its Binding Corporate Rules Processor Policy.

Rule 11 – Audit

• Avaya shall verify compliance with the foregoing principles and shall carry out data protection audits on a regular basis in accordance with the Audit Protocol set out in Appendix 5 of its Binding Corporate Rules Processor Policy.

Rule 12 – Complaint handling

• Avaya shall ensure that individuals may exercise their right to lodge a complaint and will handle such complaints in accordance with the Complaint Handling Procedure set out in Appendix 6 of its Binding Corporate Rules Processor Policy.

Rule 13 – Cooperation with data protection authorities

• Avaya will cooperate with the data protection authorities on any issue related to the Avaya Binding Corporate Rules Processor Policy in accordance with the Cooperation Procedure set out in Appendix 7 of its Binding Corporate Rules Processor Policy.

Rule 14 – Update of the Processor Policy

• Avaya will report changes to the Binding Corporate Rules Processor Policy to the competent data protection authorities.

Rule 15 - Action where national legislation prevents compliance with the Processor Policy

• Where Avaya believes that applicable legislation may prevent it from fulfilling its obligations under its Binding Corporate Rules Processor Policy or under the contract with the Customer, or where such legislation has a substantial effect on its ability to comply with the Binding Corporate Rules Processor Policy, Avaya will promptly inform (unless prohibited by law):
  • the Data Controller as provided for by Rule 2 above;
  • the Data Privacy Officer and the EU entity with data protection responsibilities; and
  • the appropriate data protection authority competent for the Data Controller and for Avaya.
• If Avaya receives a legally binding request for disclosure of Personal Data by a law enforcement authority or state security body which is subject to its Binding Corporate Rules Processor Policy, Avaya will:
  • Notify the Data Controller promptly unless prohibited from doing so by a law enforcement authority; and
  • Put the request on hold and notify the lead data protection authority and the appropriate data protection authority competent for the Data Processor unless prohibited from doing so by a law enforcement authority or state security body.

Avaya reserves the right to change, modify or update this Policy at any time. Please review it frequently for any updates.

If you have any questions regarding the provisions of this policy, your rights under this policy, or any other data protection issues, please contact the Avaya Global Privacy Office.

Last Review Date: April 2026
Last Revision Date: April 2026

¹ “Avaya” means Avaya LLC (350 Mt. Kemble Avenue, Morristown, NJ 07960, USA) and the affiliates ("Group Members"), set out here.

² "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

³ "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

⁴ For the purpose of this Policy, any reference to "Europe" means the European Economic Area and Switzerland.