Global privacy policy

We will ensure that your personal data is always protected and appropriately handled and used by Avaya.

This Avaya Global Privacy Policy establishes Avaya's1 approach to compliance with data protection laws when processing2 personal data3. It does not replace any specific data protection requirements that might apply to a business unit or function. Where respective local laws and regulations mandate additional restrictions on the collection, use, and disclosure of personal data that exceed those contained in this policy, the local laws and regulations will prevail.

This policy describes how personal data will be processed to meet Avaya’s data protection standards and to comply with privacy laws and regulations. Instructions and/or guidelines regarding personal data processing activities at Avaya are provided to Avaya employees and contractors in internal policies.

What is data protection law?

Data protection law gives individuals certain rights in connection with the way in which their personal data is processed. If organizations do not comply with data protection law, they may be subject to sanctions and penalties imposed by the national data protection authorities and the courts. When Avaya processes personal data, this activity and the personal data in question are covered and regulated by data protection law.

When an organization processes personal data for its own purposes, that organization is deemed to be a data controller of that information and is, therefore, primarily responsible for meeting the legal requirements under data protection law.

On the other hand, when an organization processes personal data on behalf of a third party (e.g., content hosted on behalf of an Avaya customer) that organization is deemed to be a data processor of the information. In this case, the data controller of the personal data (i.e., Avaya’s customer) will be primarily responsible for meeting the legal requirements.

Transparency of personal data processing activities by Avaya

This policy, together with Binding Corporate Rules: Controller and Processor Policies (approved by the European data protection authorities), describes the general practices of handling personal data at Avaya. Avaya is always committed to provide transparency on all personal data processing activities and to comply with all applicable privacy laws and regulations. Due to the vast range of products and services, this is being done through various privacy statements/privacy fact sheets. Avaya, depending on its role (data controller vs. data processor), takes a layered approach to thoroughly inform its customers and/or data subjects, as applicable, about the handling of their personal data.

When Avaya is a data controller, it fulfils its transparency obligations (e.g., the kinds of personal data that Avaya collects and holds; how Avaya collects and holds personal data; the purposes for which Avaya collects, holds, uses and discloses personal data, etc.) via applicable ad hoc privacy statements. When Avaya is a data processor, it provides information to its customers (the data controllers) so that they are able to meet their transparency obligations.

Unless agreed otherwise or set out in a more specific privacy statement or privacy fact sheet, in the course of business Avaya will transfer personal data overseas to leverage its international resources, including affiliated companies and trusted third parties, for the purpose of providing requested solutions or otherwise transacting our business. This means that both personal data provided to Avaya in the role of a data controller or in the role of a data processor will be transferred internationally. This includes various types of personal data:

  • Personal data such as business contact data and other information that is being processed by Avaya to close and administrate the agreements with customers, as well as our own employees’ personal data
  • Personal data that is required for the purpose of providing our solutions (usually deemed as “processing on behalf” under various privacy laws.

The latter mainly results from contractual arrangements with our customers and, in particular, their individual usage of (and input into) the solutions provided by Avaya. The types of such personal data typically include name, contact information (company, title/position, email address, phone number, physical address), connection data, location data, video/call (recordings) data, and metadata derived thereof, etc.

Further information regarding privacy within respective Avaya solutions can be found in offer/service descriptions, product privacy statements/privacy fact sheets, or on the Privacy Within Our Products page.

How does data protection law affect Avaya internationally?

Many countries/regions have legislation addressing the international transfers of personal data. For instance, European data protection law prohibits the transfer of personal data to countries outside Europe4 that do not ensure an adequate level of data protection, unless the exporting entity implements one of the contractual or legal mechanisms established in the law. Some of the countries in which Avaya operates are not regarded by European data protection authorities as providing an adequate level of protection for individuals’ privacy and data protection rights.

What is Avaya doing about it?

Avaya must take proper steps to ensure that it processes personal data on an international basis in a safe and lawful manner. Avaya has implemented processes and controls to abide by these requirements. Avaya has obtained the approval from European data protection authorities and adopted its global Binding Corporate Rules: Controller and Processor Policies, which set out a framework to satisfy data protection law requirements (these policies, including their appendixes, e.g., Data Subject Right Procedure, Complaint Handling Procedure, Cooperation Procedure, Law Enforcement Data Access Procedure, etc., are incorporated herein by reference and form an integral part of this policy). Such framework shall apply to all personal data processing activities conducted by Avaya globally.

Avaya Binding Corporate Rules: Controller Policy

The standards described in the Avaya Binding Corporate Rules (Controller) Policy are worldwide standards that apply to all group members1 when processing any personal data for purposes of carrying out Avaya’s business activities, employment administration, and supply chain management. Below is a summary of basic data protection principles and practical commitments that Avaya must observe when it processes personal data as a data controller. They are described in detail in the aforementioned policy.

Basic principles

Principle 1 – Lawfulness of processing

  • Avaya shall ensure that all Processing is carried out in accordance with applicable laws.

Principle 2 – Fairness and transparency

  • Avaya shall inform and explain to individuals, at the time when their Personal Data is collected, how their Personal Data will be Processed.

Principle 3 – Purpose limitation

  • Avaya shall only obtain and Process Personal Data for those purposes which are known to the individual or which are within their expectations and are relevant to Avaya.
  • Avaya shall only Process Personal Data for specified, explicit and legitimate purposes and not further Process that information in a manner that is incompatible with those purposes, unless such further Processing is consistent with the applicable law of the country in which the Personal Data was collected.

Principle 4 – Data minimization and accuracy

  • Avaya shall keep Personal Data accurate and up to date.
  • Avaya shall only Process Personal Data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.

Principle 5 – Limited retention of personal data

  • Avaya shall only keep Personal Data for as long as is necessary for the purposes for which it is collected and further Processed.

Principle 6 – Security, integrity and confidentiality

  • Avaya shall implement appropriate technical and organizational measures to ensure a level of security of Personal Data that is appropriate to the risk to the rights and freedoms of individuals.
  • Avaya shall ensure that providers of services to Avaya also adopt appropriate and equivalent security measures.
  • Avaya shall comply with data security breach notification requirements as required under applicable law.

Principle 7 – Rights of individuals

  • Avaya shall adhere to the Data Subject rights procedure and will respond to any requests from individuals to access their Personal Data in accordance with applicable law.
  • Avaya shall deal with requests to rectify or erase Personal Data, to exercise the right to data portability, to restrict or to object to the Processing Personal Data in accordance with the Data Subject rights procedure. 

Principle 8 – Ensuring adequate protection for trans-border transfers

  • Avaya shall not transfer Personal Data to third parties outside Europe without ensuring adequate protection.

Principle 9 – Safeguarding the use of sensitive personal data

  • Avaya will only Process sensitive Personal Data where the individual’s explicit consent has been obtained unless Avaya has an alternative legitimate basis for doing so consistent with the applicable law of the country in which the Personal Data was collected.

Principle 10 – Legitimizing direct marketing

  • Avaya shall allow customers to opt-out of receiving marketing information.

Principle 11 – Automated individual decisions including profiling

  • Avaya shall ensure it has the appropriate controls in place to adhere to applicable legislation and policies on individual’s right not to be subject to a decision based solely on automated Processing, including profiling, unless such automated Processing is authorized by law.

Principle 12 –Accountability

  • Avaya shall carry out a data protection impact assessment when the Processing is likely to result in a high risk for the individuals concerned.
  • Avaya shall maintain records of data Processing activities under its responsibility.
  • Avaya shall implement Privacy by Design and Privacy by Default for new systems and applications.

Practical commitments

Commitment 1 – Staff and support

  • Avaya shall have appropriate staff and support to ensure and oversee privacy compliance throughout the business.

Commitment 2 – Privacy training

  • Avaya shall provide appropriate privacy training to employees who have permanent or regular access to personal data, who are involved in the processing of personal data, or in the development of tools used to process personal data in accordance with the Privacy Training Program set out in Appendix 4 of its Binding Corporate Rules Controller Policy.

Commitment 3 – Audit

  • Avaya shall verify compliance with the foregoing principles and shall carry out data protection audits on a regular basis in accordance with the Audit Protocol set out in Appendix 5 of its Binding Corporate Rules Controller Policy.

Commitment 4 - Complaint handling

  • Avaya shall ensure that individuals may exercise their right to lodge a complaint and will handle such complaints in accordance with the Complaint Handling Procedure set out in Appendix 6 of its Binding Corporate Rules Controller Policy.

Commitment 5 – Cooperation with data protection authorities

  • Avaya shall cooperate with the data protection authorities on any issue related to the Avaya Binding Corporate Rules Controller Policy in accordance with the Cooperation Procedure set out in Appendix 7 of its Binding Corporate Rules Controller Policy.

Commitment 6 – Action where national legislation prevents compliance with the Avaya Binding Corporate Rules Controller Policy

  • Avaya will ensure that where it believes that the legislation applicable to it may prevent company from fulfilling its obligations under its Binding Corporate Rules Controller Policy or such legislation has a substantial effect on its ability to comply with the Binding Corporate Rules Controller Policy, Avaya will promptly inform the Data Privacy Officer and the EU entity with data protection responsibilities, unless otherwise prohibited by a law enforcement authority.
  • Avaya will ensure that where there is a conflict between the legislation applicable to it and its Binding Corporate Rules Controller Policy, the Data Privacy Officer will make a responsible decision on the action to take and will report to the data protection authority with competent jurisdiction in case of doubt.

Commitment 7 - Government requests for disclosure of personal data

  • If Avaya Group Member receives a legally binding request for disclosure of Personal Data by a law enforcement authority or state security body that is subject to Avaya Binding Corporate Rules Controller Policy, it must comply with the Government Data Request Procedure set out in Appendix 9 of its Binding Corporate Rules Controller Policy.
  • In no event shall transfers of Personal Data from any Avaya Group Member transfer Personal Data to any law enforcement, state security or other government authority in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.

Avaya Binding Corporate Rules: Processor Policy

The standards described in the Avaya Binding Corporate Rules (Processor) Policy are worldwide standards that apply to all Group Members when Processing any Personal Data on behalf of and under the instructions from a Data Controller which is not a Group Member, such as for instance in the context of providing a service to an enterprise customer. Below is a summary of basic data protection principles and practical commitments that Avaya must observe when it Processes Personal Data as a Data Processor. They are described in detail in the aforementioned policy.

Basic principles

Principle 1 – Lawfulness of processing

  • Avaya shall ensure that all Processing is carried out in accordance with applicable laws.
  • Avaya shall cooperate and to the extent reasonably possible assist a Data Controller without undue delay to comply with its obligations under applicable data protection laws. 

Principle 2 – Fairness and transparency

  • Avaya shall assist a Data Controller to comply with the requirement to inform and explain to individuals how their Personal Data will be Processed in accordance with applicable laws.

Principle 3 – Purpose limitation

  • Avaya shall only Process Personal Data on behalf of, and in accordance with, the instructions of a Data Controller. 

Principle 4 – Data minimization and accuracy

  • Avaya shall assist a Data Controller to keep the Personal Data accurate and up to date.

Principle 5 – Limited retention of personal data

  • Avaya shall only keep Personal Data for as long as is necessary under the terms of the contract or other legally binding document with a Data Controller. 

Principle 6 – Security and confidentiality

  • Avaya shall implement appropriate technical and organizational measures to safeguard Personal Data processed on behalf of a Data Controller.
  • Avaya shall notify a Data Controller without undue delay of any security breach affecting the Personal Data that is being Processed on behalf of a Data Controller in accordance with the terms of the contract or other legally binding document with that Data Controller.
  • Avaya shall comply with the requirements of a Data Controller regarding the appointment of any sub-processor.
  • Avaya shall ensure that external sub-processors undertake to comply with provisions that are consistent with the terms of the contract or other legally binding document it has with a Data Controller and  Avaya Binding Corporate Rules (Processor) Policy, and in particular that the sub-processor will adopt appropriate and equivalent security measures. 

Principle 7 – Rights of individuals

  • Avaya shall assist Data Controllers to comply with their duty to respect the rights of individuals.

Principle 8 – Accountability

  • Avaya shall demonstrate compliance to the Data Controller.
  • Avaya shall maintain records of data Processing activities it is carrying out on behalf of a Data Controller.
  • Avaya shall assist the Data Controller in implementing Privacy by Design and Privacy by Default tools.

Practical commitments

Commitment 1 – Staff and support

  • Avaya shall have appropriate staff and support to ensure and oversee privacy compliance throughout the business.

Commitment 2 – Privacy training

  • Avaya shall provide appropriate privacy training to employees who have permanent or regular access to personal data, who are involved in the processing of personal data, or in the development of tools used to process personal data in accordance with the Privacy Training Program set out in Appendix 4 of its Binding Corporate Rules Processor Policy.

Commitment 3 – Audit

  • Avaya shall verify compliance with the foregoing principles and shall carry out data protection audits on a regular basis in accordance with the Audit Protocol set out in Appendix 5 of its Binding Corporate Rules Processor Policy.

Commitment 4 – Complaint handling

  • Avaya shall ensure that individuals may exercise their right to lodge a complaint and will handle such complaints in accordance with the Complaint Handling Procedure set out in Appendix 6 of its Binding Corporate Rules Processor Policy.

Commitment 5 – Cooperation with data protection authorities

  • Avaya will cooperate with the data protection authorities on any issue related to the Avaya Binding Corporate Rules Processor Policy in accordance with the Cooperation Procedure set out in Appendix 7 of its Binding Corporate Rules Processor Policy.

Commitment 6 - Action where national legislation prevents compliance with the Avaya Binding Corporate Rules Processor Policy

  • Avaya will ensure that where it believes that the legislation applicable to it may prevent it from fulfilling its obligations under its Binding Corporate Rules Processor Policy or under the contract with the Customer, or such legislation has a substantial effect on its ability to comply with the Binding Corporate Rules Processor Policy, Avaya will promptly inform (unless otherwise prohibited by law):
    • Data Controller as provided for by Principle 2 above (unless otherwise prohibited by a law enforcement authority);
    • Data Privacy Officer and the EU entity with data protection responsibilities; and
    • Appropriate data protection authority competent for the Data Controller and for Avaya.
  • Avaya will ensure that where it receives a legally binding request for disclosure of Personal Data by a law enforcement authority or state security body which is subject to its Binding Corporate Rules Processor Policy, Avaya will:
    • Notify the Data Controller promptly unless prohibited from doing so by a law enforcement authority; and
    • Put the request on hold and notify the lead data protection authority and the appropriate data protection authority competent for the Data Processor unless prohibited from doing so by a law enforcement authority or state security body.

Policy update procedure

Avaya reserves the right to change, modify or update this policy at any time. Please review it frequently for any updates.

Further information

If you have any questions regarding the provisions of this policy, your rights under this policy, or any other data protection issues, please contact the Avaya Global Privacy Office.

Revised March 2023

1 “Avaya” includes Avaya LLC (350 Mt. Kemble Avenue, Morristown, NJ 07960, USA) and designated affiliates ("Group Members"), detailed list of such designated affiliates is incorporated into Avaya Binding Corporate Rules: Controller and Processor Policies by reference. 

2 "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3 "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

4 For the purpose of this Policy reference to "Europe" means the European Economic Area and Switzerland.

AvayaTop