Compare Plans

Privacy

Learn how our processes and policies provide protection for customer data. 

Privacy is Paramount

Avaya’s goal is to balance the benefits of doing business with us with your right to prevent misuse of personal data. Here, you will find useful information about how we safeguard your privacy, including our protection practices, customer education about privacy laws, and privacy measures built into our products. 

Your confidence in us is fundamental to Avaya. We are continuously strengthening privacy protections in our products, services, and internal operations. Email us at dataprivacy@avaya.com if you have any questions or concerns about privacy practices at Avaya. 

Data Processing

Avaya’s obligations, commitments, and processes for managing customer personal and corporate data is documented in the Avaya Data Processing Agreement. 

Data Processing Agreement

Binding Corporate Rules

The EU regulatory authorities have approved Avaya’s processor Binding Corporate Rules, acknowledging Avaya’s high global standards when processing customer data. 

Binding Corporate Rules

Sub-Processors

Avaya uses Sub-Processors to provide certain services on its behalf. Sometimes, Sub-Processors process customer data. Avaya has data processing agreements with these Sub-Processors to protect the data they process on behalf of Avaya and its customers. 

Avaya Sub-Processors

Privacy Fact Sheets

Learn how Avaya processes customer data in our cloud offerings and products. Explore product technical features available to customers to process their personal data. 

Privacy Fact Sheets

Frequently Asked Questions

What mechanisms has Avaya implemented to ensure appropriate safeguards for the transfer of personal data outside of EEA, Switzerland, and UK where Avaya is acting as processor? icon-dropdown-arrow

When providing services to a customer, Avaya may transfer personal data outside of EEA, Switzerland and UK in its capacity as processor. The General Data Protection Regulation (GDPR) has been incorporated into UK’s domestic legislation, and therefore the data transfer mechanism permitted under the GDPR for transfers of personal data outside the EEA will also apply to transfers from the UK. Regarding Switzerland, the Federal Act on Data Protection follows a similar framework as the GDPR and therefore, the same data transfer mechanisms apply to transfers from Switzerland.  

Importers of personal data processed by Avaya on behalf of customers include Avaya affiliates and certain third-party vendors we engage to provide our services (Sub-Processors).

Intra-Group Transfers: Whenever Avaya, acting as a processor, shares personal data originating in the EEA, it will do so based on its processor binding corporate rules (Processor BCRs), which establish adequate protection of such personal data and are legally binding on Avaya affiliates.  

Avaya’s Processor BCRs were approved by the European Data Protection Authorities on February 5, 2018. Avaya’s application for Binding Corporate Rules in the UK is currently pending. 

Transfers to Third-Party Sub-Processors: For its Sub-Processors, Avaya has in place Data Processing Agreements (DPAs), which incorporate controller-to-processor standard contractual clauses (SCCs) to ensure safe, secure, and legal data transfers from the EEA, Switzerland, and UK. 

Avaya has incorporated the new SCCs into its DPA, so all new Sub-Processors enter into these contractual obligations. For existing Sub Processors, Avaya implements new SCCs in accordance with the requirements and timelines established by the European Commission.

How does Avaya comply with its processor obligations under GDPR? icon-dropdown-arrow

Avaya is the processor of certain customer data, which customers entrust Avaya to process on their behalf. Avaya’s obligations and commitments as a processor under GDPR are set forth in our DPA’s and in our Processor BCR’s. 

Does Avaya conduct Transfer Impact Assessments? icon-dropdown-arrow

To comply with the Schrems II ruling and the provisions of the standard contractual clauses, Avaya conducts transfer impact assessments (TIAs) on personal data transferred from the EEA, UK, and Switzerland to third countries which have not been granted adequacy status.  

Avaya has developed an internal process for conducting TIAs. This includes gathering information from our Sub-Processors when they are onboarded and undertaking a country-level analysis.  

How does Avaya engage and use third parties to perform services on its behalf in connection with the provision of Avaya services? icon-dropdown-arrow

In connection with the engagement of third parties that process personal data as a Sub-Processor, Avaya follows processes and procedures: 

  1. Contractual Commitment and International Data Transfers: Avaya enters into data processing agreements with all its Sub-Processors, which requires the Sub-Processors to maintain proper privacy, security, and confidentiality of personal data on terms substantially like the contractual commitments Avaya makes to its own customers in the Data Processing Agreement. Avaya relies on the EU Standard Contractual Clauses unless there is another legitimate data transfer mechanism in place.  

  1. Security Review Processes: Avaya maintains policies and processes for conducting security reviews of Sub-Processors. The Avaya Global Security Team conducts an initial security review of any Sub-Processor and assesses the technical and organizational measures they should contractually commit to protect personal data. Selected Sub-Processors are audited each year to review their compliance with the technical and organizational measures they have committed to.  

  1. Privacy Review Process: Avaya has established certain third-party vendor management processes for onboarding new suppliers and for existing suppliers. For onboarding new suppliers, a transfer impact assessment process has been implemented for new suppliers that transfer personal data out of the EEU or the UK. Selected existing vendors go through an annual privacy self-assessment process.  

How does Avaya handle law enforcement information requests? icon-dropdown-arrow

As part of its Processor BCRs, all Avaya affiliates that handle personal data must follow a Government Data Request Procedure for responding to requests received from a law enforcement or other government authority to disclose personal information processed by Avaya on behalf of a customer.  

As a general principle, Avaya does not disclose personal data in response to a personal data production request unless it is under a compelling legal obligation to make such disclosure.  

Where disclosure is required, Avaya’s policy is that the customer should have the opportunity to protect the personal data requested because the customer has the greatest interest in opposing or is in a better position to comply with a data production request. For that reason, unless it is legally compelled not to do so, Avaya will provide the customer with details of the data production request.  Avaya will also, unless it is legally compelled not to do so, cooperate with the customer to address the data production request.  

How does Avaya ensure transparency about its data handling processes in Cloud solutions? icon-dropdown-arrow

To assist customers in understanding how data is processed in certain Cloud Offerings, and the technical features available to customers to determine how their data is processed, Avaya provides Privacy Fact Sheets for certain standard Cloud Offerings.

Does Avaya conduct privacy reviews of its Cloud solutions? icon-dropdown-arrow

Avaya has incorporated privacy by design and default reviews into its processes to ensure that its Cloud solutions, as well as other solutions, are designed in a manner that enables customers to comply with privacy principles and legal requirements.  

Furthermore, Avaya carries out security reviews of new suppliers, evaluating their security measures for the products and services they will be delivering.  

Does Avaya have a Data Protection Officer? icon-dropdown-arrow

Avaya has a Global Data Protection Officer and various local Data Protection Officers. The role of the Data Protection Officer is described in our Binding Corporate Rules, as well as in privacy legislation, including articles 38 and 39 of GDPR. To contact Avaya’s Data Protection Officer, email dataprivacy@avaya.com. The Avaya Data Privacy Office will address the query and/or engage the Data Protection Officer, as appropriate.