Privacy

Learn how our processes and policies provide protection for customer data. 

Related links

Privacy within our products

Learn about Avaya’s privacy practices in place when using our products. We collect only necessary information, and we take robust measures to protect personal data.

Privacy fact sheets

Learn how Avaya processes customer data in our cloud offerings and products. Explore product technical features available to customers to process their personal data. 

Data processing addendum

Avaya’s obligations, commitments, and processes for managing customer personal data are documented in the Avaya data processing addendum.

Global privacy policy

See how Avaya processes personal data to meet defined protection standards and comply with privacy laws and regulations.

Binding corporate rules

The EU regulatory authorities have approved Avaya’s binding corporate rules, acknowledging Avaya’s high global standards when processing personal data.

Sub-processors

Avaya has executed data processing agreements with its sub-processors to protect the personal data they process on behalf of Avaya and its customers.

Avaya’s Commitment to Global Privacy

In the digital era, privacy is a priority. See how Avaya’s privacy practices help Customers comply with privacy laws.

Compliance with privacy laws

Avaya privacy office

Contact the Avaya Data Privacy Office with any questions about privacy practices at Avaya. Learn about privacy on our website, and in our products, services, and internal operations.

Privacy office

Frequently asked questions

What mechanisms has Avaya implemented to ensure appropriate safeguards for the transfers of personal data outside of the EEA, Switzerland, the UK, and Brazil, when Avaya acts as a processor?

When providing services to a customer, Avaya may transfer personal data outside of the EEA, Switzerland, the UK, and Brazil in its capacity as a processor.

Intra-Group Transfers: When Avaya, acting as a processor, transfers personal data originating from the EEA and Switzerland to other Avaya Group Members, it will do so based on its Binding Corporate Rules for Processors, which establish adequate protection of such personal data and are legally binding on the relevant Avaya group members globally. Notwithstanding the foregoing, the transfers of personal data originating from the UK between Avaya group members are safeguarded by the UK International Data Transfer Agreement, while such transfers of personal data originating from Brazil are governed by the appropriate Brazilian Standard Contractual Clauses.

Transfers to Third-Party Sub-Processors: For its group-external sub-processors, Avaya leverages Data Processing Agreements incorporating the appropriate standard contractual clauses (SCCs) for international transfers of personal data originating from the EEA, Switzerland or Brazil, including relevant addendums (such as the UK International Data Transfer Addendum to the EU SCCs for personal data originating from the UK) to ensure safe, secure, and legal data transfers, unless other appropriate transfer safeguards are in place.

 

How does Avaya comply with its processor obligations under GDPR?

Avaya is the processor of certain customer data, which customers entrust Avaya to process on their behalf. Avaya’s obligations and commitments as a processor under GDPR are set forth in our DPAs and in our Processor BCRs.

Does Avaya conduct Transfer Impact Assessments?

To comply with the Schrems II ruling and the provisions of the standard contractual clauses, Avaya conducts transfer impact assessments (TIAs) on personal data transferred from the EEA, UK, and Switzerland to third countries which have not been granted adequacy status.  

Avaya has developed an internal process for conducting TIAs. This includes gathering information from our Sub-Processors when they are onboarded and undertaking a country-level analysis.  

How does Avaya engage and use third parties to perform services on its behalf in connection with the provision of Avaya services?

In connection with the engagement of third parties that process personal data as a Sub-Processor, Avaya follows these processes and procedures:

  1. Contractual Commitment and International Data Transfers: Avaya enters into data processing agreements with all its Sub-Processors, which require the Sub-Processors to maintain proper privacy, security, and confidentiality of personal data on terms substantially similar to the contractual commitments Avaya makes to its own customers in the Data Processing Agreement. Avaya relies on the EU Standard Contractual Clauses unless there is another legitimate data transfer mechanism in place.

  2. Security Review Processes: Avaya maintains policies and processes for conducting security reviews of Sub-Processors. The Avaya Global Security Team conducts an initial security review of any Sub-Processor and assesses the technical and organizational measures they should contractually commit to in order to protect personal data. Selected Sub-Processors are audited each year to review their compliance with the technical and organizational measures they have committed to.

  3. Privacy Review Process: Avaya has established certain third-party vendor management processes for onboarding new suppliers and for existing suppliers. For new suppliers that transfer personal data out of the EEA or the UK, a transfer impact assessment process has been implemented as part of onboarding. Selected existing vendors go through an annual privacy self-assessment process.

How does Avaya handle law enforcement information requests?

As part of its Processor BCRs, all Avaya affiliates that handle personal data must follow a Government Data Request Procedure for responding to requests received from a law enforcement or other government authority to disclose personal information processed by Avaya on behalf of a customer.  

As a general principle, Avaya does not disclose personal data in response to a personal data production request unless it is under a compelling legal obligation to make such disclosure.  

Where disclosure is required, Avaya’s policy is that the customer should have the opportunity to protect the personal data requested because the customer has the greatest interest in opposing or is in a better position to comply with a data production request. For that reason, unless it is legally compelled not to do so, Avaya will provide the customer with details of the data production request.  Avaya will also, unless it is legally compelled not to do so, cooperate with the customer to address the data production request.  

How does Avaya ensure transparency about its data handling processes in Cloud solutions?

To assist customers in understanding how data is processed in certain Cloud Offerings, and the technical features available to customers to determine how their data is processed, Avaya provides Privacy Fact Sheets for certain standard Cloud Offerings.

Does Avaya conduct privacy reviews of its Cloud solutions?

Avaya has incorporated privacy by design and default reviews into its processes to ensure that its Cloud solutions, as well as other solutions, are designed in a manner that enables customers to comply with privacy principles and legal requirements.  

Furthermore, Avaya carries out security reviews of new suppliers, evaluating their security measures for the products and services they will be delivering.  

Does Avaya have a Data Protection Officer?

Avaya has a Global Data Protection Officer and various local Data Protection Officers. The role of the Data Protection Officer is described in our Binding Corporate Rules, as well as in privacy legislation, including articles 38 and 39 of GDPR. To contact Avaya’s Data Protection Officer, email dataprivacy@avaya.com. The Avaya Data Privacy Office will address the query and/or engage the Data Protection Officer, as appropriate.