In order to conduct global business in this increasingly electronic economy, the collection and use of Personal Data is often necessary and desirable for businesses and individuals involved. It is Avaya's goal to balance the benefits of our and our enterprise customers' business with the right of individuals as regards their Personal Data. Therefore, Avaya respective Products have certain technology features embedded that enable our enterprise customers to meet respective requirements prescribed by privacy laws. Moreover, Avaya is here to advise on the individual settings of respective system and to work with its customers to make sure they are able to use the Products in the most privacy-enhancing ways.
What type of Personal Data may be processed by Avaya Products?
Our Products may process a variety of Personal Data for specific needs – for example, collecting a name and a phone number in a phone directory to allow connection with the person at a later date, or collecting the assigned user and IP address of a phone to route calls. We do our best to inform our enterprise customers about possible processing activities within our Products and grant customers control over such data. Depending on the respective Product, such Personal Data may include (but is not limited to) data subject’s name, contact information (e.g., company, title / position, email address, phone number, physical address), connection data (e.g., IP address, operating system, internet service provider, browser, GPS / location data), communication data (e.g., presence, video usage - screen sharing, the recipient/caller ID, the recipient/caller phone number, duration / time / date of calls, recorded voicemails, saved contacts), network information (e.g., other phone network participants’ calling activities), troubleshooting data (e.g., log files) and metadata derived thereof. Details of Personal Data categories collected by Avaya Products are captured in the respective Product Privacy Statement – see section titled “Personal Data Controls Within Avaya Products” below for more information.
What categories of data subjects may be in scope?
The categories of data subjects affected by the processing of Personal Data result from enterprise customers’ individual usage of Product(s) provided by Avaya. They typically include, but are not limited to, employees, agents, advisors and customers (individuals) of Avaya enterprise customers.
Will Avaya have access to Personal Data processed within Avaya Products?
Avaya may only access certain Personal Data in the regular course of business (e.g., by fulfilling the agreement / enterprise customer’s instructions, for the purposes communicated to the enterprise customer or data subjects, as permitted by applicable law, etc.) while providing requested products and services.
For how long Personal Data may be retained by Avaya and / or by Avaya Products?
Avaya will retain and use Personal Data as required to accomplish the purposes for which it was collected or as necessary to resolve disputes, enforce contracts and / or comply with our legal obligations. Respective Avaya Products provide enterprise customers (i.e., data controllers) with certain technical measures to decide for how long Personal Data should be retained within the Product.
In what way Personal Data may be processed by Avaya Products?
Processing of Personal Data may include using, storing, recording, transferring, adapting, summarizing, amending, sharing, anonymizing and destroying Personal Data as necessary under the circumstances or as otherwise required by applicable law.
Data security is a top priority for Avaya, just as it is for Avaya enterprise customers. Avaya has highly-skilled professionals to help ensure processing of information and Personal Data under its custody and responsibility is protected, whether related to Avaya's remote maintenance services, our cloud offerings or to any other solutions where Avaya processes data. Avaya has implemented and will maintain technical and organizational security measures that are appropriate with respect to the nature of Personal Data which is collected and processed by its Products. All Personal Data in transit and stored will be protected by using, for instance, encryption and / or access-control measures; Personal Data will be stored in different locations by using different protocols. Exact technical details are provided in respective Product Privacy Statement (see section titled “Personal Data Controls Within Avaya Products” below for more information).
Data privacy laws (in particular, General Data Protection Regulation (the “GDPR”)), as well as often containing security and accountability principles that require data controllers to consider all aspects of their data processing activities, also empower individuals with some rights over the storage and use of their data. Data subjects can require data controllers to grant them rights, such as: right of access, erasure, portability and rectification over their personal data. The ability to effectively process and address these rights needs to be considered by the data controller, who must assess if any changes are required to policies, business processes and supporting systems.
The purpose of the information provided below is to describe the functional capabilities of Avaya Products, relative to individual rights prescribed by certain data privacy laws, such as GDPR, and to inform how Avaya Products may help our enterprise customer to comply with respective requirements. Below we will focus on explaining these rights under GDPR. These rights will have certain variances under other privacy laws.
The right of access
The Right of Access typically provides for various obligations, including confirmation from a data controller as to what Personal Data is being processed about them, to whom it is being disclosed or transferred and whether the Personal Data is subject to automatic decision making. Under GDPR, a data controller must provide a copy of the Personal Data held and processed by it to the data subject in electronic form and has up to one month to comply with the request (unless the requests are complex or numerous, in which case the deadline is extended to no more than three months in total). In servicing the individual’s right, the data controller must verify the identity of the person making the request, and, if the request is made electronically, should provide the information in a commonly used electronic format. Compliance to this part of GDPR requires the ability to find an individual’s Personal Data across all information within the respective Product.
The right of rectification
Under GDPR an individual has the Right of Rectification, meaning the individual is entitled to request to have their Personal Data rectified if it is inaccurate or incomplete. A data controller has up to one month to comply with the request or show cause for denial (unless the requests are complex or numerous, in which case the deadline is extended to three months).
The right to data portability
GDPR offers the Right to Data Portability for an individual. This right allows the data subject to obtain and reuse their Personal Data for their own purposes across different services. In effect, this right means that the individual has the right to access and transfer Personal Data from one data controller to another without being obstructed due to “technical limitations” claimed by a data controller. This right arises on Personal Data which the data subject has provided the data controller with. To service the individual’s right, the data controller must provide the Personal Data in a structured, commonly used and machine-readable form, such as .CSV files (although GDPR does not prescribe the format). Compliance to this part of GDPR may require the ability to find and copy an individual’s Personal Data across all information systems and deliver a copy to the individual.
The right to erasure
The Right to Erasure, also known as the “Right to be Forgotten”, enables an individual to request the deletion or removal of Personal Data where there is no lawful reason for its continued processing or where the data subject withdraws his/her consent. The organization can refuse to comply with a request for erasure where the Personal Data is processed to comply with a legal obligation or for other “public interest” reasons, such as to exercise the right of freedom of expression and information. As such, the right to erasure does not provide an absolute “Right to be Forgotten”. Compliance to this part of GDPR may require the ability to find and delete an individual’s Personal Data across all information systems.
The obligation to have a lawful basis to process Personal Data
A data controller is obligated to have a legal basis for the personal data they collect and process. For information systems that have the capability to track or record communications or transactions, an individual may have the right (depending upon the legal basis for the tracking or recording) to give or withhold consent at any time. Compliance to this part of GDPR will in some instances require the ability to gain consent as a legal basis prior to Personal Data collection. Therefore, certain Avaya Products may provide the ability to customize the user experience for the purpose of obtaining informed and freely given consent.
For more information please see “Personal Data Controls Within Avaya Products” section below. In addition, to the extent enterprise customer, in its use of Products provided by Avaya, does not have the ability to address the data subject request, Avaya may upon customer’s request and in accordance with contractual arrangements with such enterprise customer, be able to assist customer in responding to the data subject request, to the extent Avaya is legally permitted to do so and the response to such data subject request is required under applicable data protection laws and regulations. Please direct any such requests to Avaya Global Privacy Office at email@example.com.
When developing business processes around data subject’s under applicable privacy laws, it is useful to consider the lifecycle of Personal Data in the business.
From the lifecycle diagram above, you can determine the key aspects that must be considered in the development of a business’s privacy compliance processes and procedures:
In evaluating the questions noted above and developing company compliance processes, it is important that all IT systems – including Avaya systems – be considered. Within the scope of respective Avaya Product, Personal Data may be involved in almost all transactions of the system including voice and video calls, conferences, and text messages. This information will be stored in multiple places including recordings, databases, system logs, directories, histories, and backups.
Personal Data collection
Avaya Products collect Personal Data for specific needs - for example, collecting a name and a phone number in a phone directory to allow connection with the person at a later date, or collecting the assigned user and IP address of a phone to route calls. Some information may be saved in system logs for future diagnostic or audit purposes. When the information is no longer needed, these logs may be destroyed. System backups may also capture some Personal Data to the extent it exists in the data being backed up. For this reason, both the active system data and backups must be considered when assessing Personal Data in Avaya Products. Exact details of Personal Data collected by Avaya Products are captured in the respective Product Privacy Statement.
Supporting the Personal Data lifecycle
Avaya Products incorporate multiple capabilities to support the data lifecycle and compliance with privacy laws (such as GDPR). Some of the different types of capabilities are described below.
Encryption at rest secures the content of a file or database in a manner that makes it unusable by anyone who does not have proper authorization. Some Avaya Products have options to support encryption, while others do not. For those that do not, compensating controls can be put in place (see “Access controls” below.) Encryption in transit needs to be applied to all data communication in the systems. Most Avaya Products support TLS1.2 with the latest encryption (AES256 for confidentiality and SHA-2 for hashing, and digital signatures for authentication).
Some Avaya Products support the development of interactive menus where customers can be prompted and provide feedback. In many cases, these menus can be used to acquire the consent needed to collect and use Personal Data and for the technology to be used in the most privacy-enhancing way.
Most Avaya products provide access controls that can be used to limit the ability of individuals or systems to access collected data. A variety of access controls may be provided as follows:
Audit logs, especially security audit logs, are also a key part of managing compliance. Audit logs record system activity and can be used to identify possible problems or cyber-attacks.
Customer specific customisations
Avaya Products are meant to be general purpose and can be configured and integrated into a customer’s overall business information processing architecture. It is expected that Avaya Products and non-Avaya equipment work together to perform overall information processing for the business. It is also common to use certain Avaya Products (e.g., Avaya Aura Experience Portal) to execute information processing scripts that have been written or customized by the customer or other agents.
Finding specific information
An overview of privacy-related security controls and available methods of access and handling of various types of Personal Data within Avaya Products as well as instructions on how to locate respective Product Privacy Statements (a.k.a. “Data Privacy Controls Addendums”) for specific Avaya branded Products in the portfolio are available here. To find and access the respective document – Product Privacy Statement, navigate to the Product in question and select the “Application & Technical Notes” box. You will find the document in the list produced.
Click here to download “Personal data controls for enabling GDPR compliance programs” whitepaper.
Our Products may have multiple technology features (e.g., voice, video, analytics, licensing tools, etc.) enabled. The foregoing has been grouped into the following categories (the list below does not represent an exhaustive number of all technology features which may be embedded into respective Avaya Products, and is provided for information purposes only) that help to understand how such technology features may be associated with privacy and for what purposes Avaya may use such information. Additional information about the technology features embedded into Avaya’s Products may be provided in respective contract and related documentation, such as the Product Privacy Statement, the Product description documentation, or in the notice provided prior to the collection of Personal Data.
Voice and video recordings
Respective Avaya Products are capable of automatically collecting and storing a whole range of information (e.g., audio, video data). This information may include (but is not limited to) user’s current presence, video usage, screen sharing, IP address, the recipient ID, the recipient phone number, the caller ID, the caller phone number, duration of calls, time of calls, date of calls, recorded voice box messages (including ID, phone number, time and date), saved contacts, network information (e.g., showing other phone network participants’ calling activities) and other log information. The possibility to permanently delete such data as well as the network information about data subject’s (calling - communicating) behaviour may be limited, depending on user’s access rights and the overall access right management by the enterprise customer (data controller) or network provider.
Certain Avaya Products may include tools that gather information about when and on what hardware the software is installed. Avaya uses such information to keep track of whether the installation is in accordance with licenses purchased by its enterprise customers.
Telecommunications diagnostic tools
Avaya may collect and process information about the use of our Products including the circumstances of telecommunication such as dialled numbers or start and end times of phone calls (sometimes referred to as “metadata”). We use such Personal Data to fulfil the contractual obligations we have towards our customers, to protect our IT systems against threats and misuse, and to comply with our legal obligations.
Usage metering tools
Respective Avaya Products have usage metering and analytics capabilities embedded. Such tools provide accurate tracking of customer usage of the Product and also provide the capacity for analysing enterprise customer’s usage patterns and generating usage reports required for billing purposes.
Cookies and analytics tools
To improve effectiveness, performance, functionality and usability of our Products Avaya may rely on a third party analytics service providers (including, but not limiting to, Google Inc., having an office at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA – more information about privacy practices within Google technologies and how individuals can express their choices regarding privacy is available here) to automatically collect and generate aggregated user data. For web-based Products it may be possible to block or delete cookies by changing browser settings (as described under the heading "How Can You Control Cookies?" in our Cookie Statement); for installable on a device Products (i.e., software) there may be an option to manually (on a corporate account or user basis) disable analytics under settings of respective Product.
Certain Avaya Products are provided over the internet, hence Avaya users’ Personal Data is stored on data centres located globally and may be outside their country of residence. Such storage and a model for enabling simple, very convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) is referred to as a “cloud service”. Avaya’s cloud Products are built on flexible architectures that support unparalleled compatibility and world-class interoperability with a clear focus on the reliability, security and needs of our customers. When Avaya acts for an enterprise customer in its capacity as the provider of a cloud content management and file sharing platform, Avaya may not have regular access to Personal Data of its enterprise customer except if providing maintenance or other services requested by the enterprise customer.
Certain Avaya Products need to have information disclosed about user’s current location to function properly. A data subject has to make the choice to enable location services - it is not set on by default. Avaya collects such information from user’s device GPS signal, or as inferred from nearby Wi-Fi networks, or mobile network transmitting stations, or other technologies to determine your devices’ approximate location. The information includes user’s geographical position and information identifying your device such as a phone or SIM card number. Avaya collects and processes geolocation information insofar as necessary for providing the service requested. If we use geolocation information for our own purposes such as analysis of the use of the service, we do so in statistical, non-personally identifiable form.
The user may at any time disallow the application or service to collect geographical location by selecting the appropriate setting in the relevant application or service or in user’s device operating system. The latter action will prevent user from accessing and relying on geolocation-based services.
Personal Data processed by Avaya Products may be shared within Avaya affiliates / subsidiaries for the purpose of delivering / supporting / maintaining the Products. To ensure such transfers of Personal Data within Avaya affiliates / subsidiaries are safeguarded legally, Avaya complies with applicable legislation on international data transfers and has implemented the appropriate safeguards to enable such transfers (for more information, please refer to out Binding Corporate Rules).
With External Sub-processors
Avaya will only appoint external sub-processors that provide sufficient guarantees in respect of the commitments made by Avaya to its enterprise customers. In particular, such sub-processors will be able to provide appropriate technical and organizational measures that will govern their use of the Personal Data to which they will have access in accordance with the terms of the contract or other legally binding document Avaya has with respective enterprise customer.
Specific Disclosure Rules
Avaya may also disclose certain Personal Data to third parties in other special instances, including: (i) as required to do so by law, such as to comply with a court order or similar legal process; (ii) when we believe in good faith that disclosure is necessary to protect our rights, your safety or the safety of others or defend against legal claims; (iii) for the purposes of prevention of fraud or other crime; (iv) in connection with or during negotiation of any merger, acquisition, sale of all or a portion of our assets, financing, liquidation, reorganization; and (v) in anonymized form which can no longer be used to identify data subjects.
While providing / supporting / maintaining Products Avaya may need to transfer Personal Data around the world over public or private networks. As such, Personal Data transfers may naturally include territories outside respective countries, including outside the European Economic Area (“EEA”), where data protection requirements may differ and be less comprehensive. The transfers of Personal Data between respective Avaya affiliates / subsidiaries are governed by our Binding Corporate Rules. If Avaya needs to transfer Personal Data originating from the EEA to third party sub-processors (i.e., Avaya’s sub-contractors that are not Avaya affiliates / subsidiaries) located in countries outside the EEA that have not received a binding adequacy decision by the European Commission, such transfers shall be subject to (i) the terms of Standard Contractual Clauses (as per European Commission’s Decision 2010/87/EU); or (ii) other appropriate transfer mechanisms that provide an adequate level of protection in compliance with the GDPR.
We reserve the right to amend or change this Privacy Statement at any time, so please review it frequently. If we change this Privacy Statement, we will post the revised version with an updated revision date. By continuing to use our Products after such revisions are in effect, you accept and agree to the revisions and abide by them.
Any interpretation of this Privacy Statement will be done by the Avaya Global Privacy Officer. This Privacy Statement does not create or confer upon any individual any rights or impose upon Avaya any obligations outside of, or in addition to, any rights or obligations imposed by the privacy laws applicable to such individual's Personal Data. Should there be, in a specific case, any inconsistency between this Privacy Statement and such privacy laws, this Privacy Statement shall be interpreted to comply with such privacy laws.
If you have any questions about this Privacy Statement or concerns about how we manage your Personal Data, please contact the Avaya Privacy Officers at firstname.lastname@example.org or by postal mail to Avaya UK, Building 1000, Cathedral Square, Cathedral Hill, Guildford, Surrey GU2 7YL, United Kingdom or Avaya Deutschland GmbH, Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany.
Revised: January 2020.