Privacy
Learn how our processes and policies provide protection for customer data.
Related links
Privacy within our products
Learn about Avaya’s privacy practices in place when using our products. We collect only necessary information, and we take robust measures to protect personal data.
Privacy fact sheets
Learn how Avaya processes customer data in our cloud offerings and products. Explore product technical features available to customers to process their personal data.
Data processing addendum
Avaya’s obligations, commitments, and processes for managing customer personal data are documented in the Avaya data processing addendum.
Global privacy policy
See how Avaya processes personal data to meet defined protection standards and comply with privacy laws and regulation.
Binding corporate rules
The EU regulatory authorities have approved Avaya’s binding corporate rules, acknowledging Avaya’s high global standards when processing personal data.
Sub-processors
Avaya has executed data processing agreements with its sub-processors to protect the personal data they process on behalf of Avaya and its customers.
GDPR (General Data Protection Regulation)
Avaya enables enterprises to comply with GDPR for protecting the personal data of those using Avaya solutions in the European Union. Compliance extends to any Avaya entity, affiliate, or subsidiary worldwide processing such data.
CCPA (California Consumer Privacy Act)
In compliance with CCPA, we put customers in control of the personal information they entrust to Avaya for processing.
Lei Geral de Proteção de Dados (LGPD)
Learn all the ways Avaya supports and stays in compliance with Brazil’s LGPD law.
Canadian data privacy
See how Avaya’s privacy and security practices help Canadian customers comply with Canadian privacy laws.
PIPL (China Personal Information Protection Law)
In digital era, privacy is a priority. In accordance with PIPL, Avaya collects, stores, and processes personal data safely, transparently and honestly.
Avaya privacy office
Contact the Avaya Data Privacy Office with any questions about privacy practices at Avaya. Learn about privacy on our website, and in our products, services, and internal operations.
Frequently asked questions
What mechanisms has Avaya implemented to ensure appropriate safeguards for the transfer of personal data outside of EEA, Switzerland, and UK where Avaya is acting as processor?
When providing services to a customer, Avaya may transfer personal data outside of EEA, Switzerland and UK in its capacity as processor. The General Data Protection Regulation (GDPR) has been incorporated into UK’s domestic legislation, and therefore the data transfer mechanism permitted under the GDPR for transfers of personal data outside the EEA will also apply to transfers from the UK. Regarding Switzerland, the Federal Act on Data Protection follows a similar framework as the GDPR and therefore, the same data transfer mechanisms apply to transfers from Switzerland.
Importers of personal data processed by Avaya on behalf of customers include Avaya affiliates and certain third-party vendors we engage to provide our services (Sub-Processors).
Intra-Group Transfers: Whenever Avaya, acting as a processor, shares personal data originating in the EEA, it will do so based on its processor binding corporate rules (Processor BCRs), which establish adequate protection of such personal data and are legally binding on Avaya affiliates.
Avaya’s Processor BCRs were approved by the European Data Protection Authorities on February 5, 2018. Transfers of personal data originating in the UK are governed by the International Data Transfer Agreement (IDTA).
Transfers to Third-Party Sub-Processors: For its Sub-Processors, Avaya has in place Data Processing Agreements (DPAs), which incorporate the appropriate EU standard contractual clauses (SCCs) to ensure safe, secure, and legal data transfers from the EEA and Switzerland, supplemented by International Data Transfer Addendum for personal data originating in the UK. Avaya has incorporated the new SCCs and the UK addendum into its DPA, to ensure all Sub-Processors are bound by these contractual obligations, unless other appropriate transfer safeguards are in place.
How does Avaya comply with its processor obligations under GDPR?
Avaya is the processor of certain customer data, which customers entrust Avaya to process on their behalf. Avaya’s obligations and commitments as a processor under GDPR are set forth in our DPA’s and in our Processor BCR’s.
Does Avaya conduct Transfer Impact Assessments?
To comply with the Schrems II ruling and the provisions of the standard contractual clauses, Avaya conducts transfer impact assessments (TIAs) on personal data transferred from the EEA, UK, and Switzerland to third countries which have not been granted adequacy status.
Avaya has developed an internal process for conducting TIAs. This includes gathering information from our Sub-Processors when they are onboarded and undertaking a country-level analysis.
How does Avaya engage and use third parties to perform services on its behalf in connection with the provision of Avaya services?
In connection with the engagement of third parties that process personal data as a Sub-Processor, Avaya follows processes and procedures:
Contractual Commitment and International Data Transfers: Avaya enters into data processing agreements with all its Sub-Processors, which requires the Sub-Processors to maintain proper privacy, security, and confidentiality of personal data on terms substantially like the contractual commitments Avaya makes to its own customers in the Data Processing Agreement. Avaya relies on the EU Standard Contractual Clauses unless there is another legitimate data transfer mechanism in place.
Security Review Processes: Avaya maintains policies and processes for conducting security reviews of Sub-Processors. The Avaya Global Security Team conducts an initial security review of any Sub-Processor and assesses the technical and organizational measures they should contractually commit to protect personal data. Selected Sub-Processors are audited each year to review their compliance with the technical and organizational measures they have committed to.
Privacy Review Process: Avaya has established certain third-party vendor management processes for onboarding new suppliers and for existing suppliers. For onboarding new suppliers, a transfer impact assessment process has been implemented for new suppliers that transfer personal data out of the EEU or the UK. Selected existing vendors go through an annual privacy self-assessment process.
How does Avaya handle law enforcement information requests?
As part of its Processor BCRs, all Avaya affiliates that handle personal data must follow a Government Data Request Procedure for responding to requests received from a law enforcement or other government authority to disclose personal information processed by Avaya on behalf of a customer.
As a general principle, Avaya does not disclose personal data in response to a personal data production request unless it is under a compelling legal obligation to make such disclosure.
Where disclosure is required, Avaya’s policy is that the customer should have the opportunity to protect the personal data requested because the customer has the greatest interest in opposing or is in a better position to comply with a data production request. For that reason, unless it is legally compelled not to do so, Avaya will provide the customer with details of the data production request. Avaya will also, unless it is legally compelled not to do so, cooperate with the customer to address the data production request.
How does Avaya ensure transparency about its data handling processes in Cloud solutions?
To assist customers in understanding how data is processed in certain Cloud Offerings, and the technical features available to customers to determine how their data is processed, Avaya provides Privacy Fact Sheets for certain standard Cloud Offerings.
Does Avaya conduct privacy reviews of its Cloud solutions?
Avaya has incorporated privacy by design and default reviews into its processes to ensure that its Cloud solutions, as well as other solutions, are designed in a manner that enables customers to comply with privacy principles and legal requirements.
Furthermore, Avaya carries out security reviews of new suppliers, evaluating their security measures for the products and services they will be delivering.
Does Avaya have a Data Protection Officer?
Avaya has a Global Data Protection Officer and various local Data Protection Officers. The role of the Data Protection Officer is described in our Binding Corporate Rules, as well as in privacy legislation, including articles 38 and 39 of GDPR. To contact Avaya’s Data Protection Officer, email dataprivacy@avaya.com. The Avaya Data Privacy Office will address the query and/or engage the Data Protection Officer, as appropriate.