Corporate Governance

 

Data Privacy Policy

  • During the course of normal business operations, Avaya collects personal information about its employees and third parties, including but not limited to BusinessPartners, vendors, resellers and customers. Avaya may also receive unsolicited documents or materials that contain personal information (e.g. resumes, e-mails).  
  • "Personal information" (defined below) should be used for the business purposes for which it was collected or intended, unless there is a legitimate business need and legal justification for using it for another purpose.
  • "Sensitive personal information" (defined below) must be treated with special care and not shared inside or outside of Avaya except as permitted by law and where there exists a compelling or legitimate business need or other legal justification.
  • Sharing personal information outside of Avaya or across international borders should be done only after appropriate consideration of the legal restrictions on the further use of the data, the security of the data, and the legal justification for any international transfer.  
  • The security of this information must be preserved consistent with the Avaya Security Policies. Employees should immediately report any loss of, misuse of, or damage to personal information by e-mailing dataprivacy@avaya.com or compliance@avaya.com, by calling Avaya Security (1-877-99-ETHIC (1-877-993-8442) for U.S. or +1-908-953-7276 for non-U.S. callers), or by logging in to www.ethicspoint.com.
  • The consequences of violating privacy laws can be serious.  Violations can harm Avaya’s brand and reputation, can subject Avaya to class action and other litigation, and can subject the company and individuals to criminal penalties and imprisonment.  
  • Avaya values the protection of personal privacy and permits individuals appropriate opportunity to inspect and correct information collected about them. 
  • Any questions, concerns, or disputes regarding this Policy should be directed to compliance@avaya.com or, if applicable, your local data privacy officer. 
  • Failure to follow this Policy may result in disciplinary action, up to and including dismissal.

Data Privacy Policy


I. Overview


Operating with Integrity implies continuous respect for personal information relating to our employees, consultants, agents and other third parties with whom we do business, including customers, BusinessPartners, vendors and resellers.  The protection of the privacy of personal information is an important commitment.  Personal information must not be gathered excessively, used improperly or handled carelessly.  Avaya expects all employees (as well as those acting on our behalf, including but not limited to non-employee workers (NEWs), outsourced personnel/contractors and any other individuals conducting business on behalf of or under the direction of Avaya) to adhere to this Policy and to ensure that appropriate privacy and security restrictions are in place when personal information is collected, stored and transferred.

The purpose of this Policy is to promote compliance with these objectives and with the various privacy and data protection principles of (and the national and international laws and regulations of) the countries in which Avaya operates (e.g., the European Union (EU) Data Protection Directive). This Policy also provides our employees and the general public – including actual and potential customers, government regulators, BusinessPartners, vendors, resellers, consultants, agents and other third parties with whom we do business – a statement of our commitment to the principles of data privacy and data protection.

This Policy is available online at the Ethics and Compliance website.


II. Types of Information


Throughout our business and internal operations, Avaya obtains, gathers and maintains a variety of "personal information," including "sensitive personal information," about its employees and third parties, including BusinessPartners, vendors, resellers and customers.  

A.      Personal Information

For purposes of this Policy, "personal information" includes any information that identifies, relates to, describes, or is capable of being associated with, an identified or identifiable natural person.  Such personal information includes, but is not limited to, an individual’s: 

  • name
  • signature
  • image (e.g., a photograph)
  • employee personnel number
  • address
  • telephone number
  • passport number
  • driver's license or state identification card number
  • insurance policy number
  • education information
  • employment information
  • website "user id"
  • passwords
  • general health information
  • date of birth

B.      Sensitive Personal Information

Certain personal information that is collected about individuals is considered particularly sensitive and is subject to heightened protection.  For purposes of this Policy, "sensitive personal information" includes but is not limited to personal information pertaining to an individual’s:

  • racial or ethnic origin
  • marital status
  • physical characteristics or description
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • social security, tax or other similar identification numbers issued by governmental agencies 
  • personal financial information including but not limited to bank account numbers, credit card numbers or debit card numbers
  • medical data or other information related to an individual’s health
  • criminal record
  • sexual orientation or affectional preference.

III. Collecting and Using Information


The protections in this Policy regarding the collection and use of personal and sensitive personal information apply not only to information about employees, but also to personal and sensitive personal information collected regarding customers, vendors, BusinessPartners, resellers and other non-employee third parties.

A.      Personal Information  

Avaya collects personal information only where the information is reasonably related to the conduct of its business.  Avaya provides notice about the purposes for which it collects and uses this information, and may provide the opportunity to "opt-in" or "opt-out" of certain collections and uses (as may be required by applicable or local law).  Avaya is committed to limiting the use of personal information to only those purposes for which the data was originally collected, or as subsequently authorized by consent of the individual to whom the information relates, or as permitted by law.  Such consent may be obtained either explicitly where "opt-in" is required under local law, or implicitly, by providing a reasonable way to "opt-out" of further use of the information.

Employees who collect and use personal information must be certain to provide appropriate notice of the intent to collect and use.  Employees responsible for externally facing websites through which this type of information is collected must be familiar with Avaya’s website privacy policy (see Avaya Privacy Statement for more information).

B.      Sensitive Personal Information  

As a general matter, Avaya does not collect or use sensitive personal information unless there is a compelling business need to do so and the person to whom it relates has provided explicit, affirmative consent.  Exceptions to this rule may exist where permitted by law, but advice must first be obtained from Avaya Law prior to any such collection.

Special care must be taken regarding the use of social security, tax and other similar identification numbers issued by governmental agencies.  These must not be posted publicly, printed on access cards, transmitted over unsecured Internet connections, used as a password or personal identification number, or printed on materials to be sent by mail unless use of the number is required.  For example, in the US, no more than the last four digits of an employee’s social security number may appear on pay stubs or itemized statements. Similar precautions should be taken outside of the US as required by local law.

Employees, particularly those in Human Resources, Information Technology and Information Security, Law and Finance, who are routinely exposed to sensitive personal information must be especially vigilant and demonstrate proper discretion.


IV. Sharing Information


As a general rule Avaya does not sell, rent, or lease personal information. All employees have a responsibility to exercise due care when sharing with others (as permitted by law and within the limitations described below) the personal information to which they have access, regardless of whether that information relates to employees or third parties.  In addition, employees must exercise special care when dealing with sensitive personal information.

A. Sharing of Personal Information

Within Avaya.  Personal information may be shared only among employees within Avaya who have a legitimate business "need to know" for the purposes of internal administration and operations or for other reasonable and valid business purposes referred to in this Policy.  Personal information may also be processed and transferred within Avaya when necessary in connection with contractual commitments. 

With Third Parties.  From time to time, Avaya uses third parties to provide services on its behalf, such as for marketing or administrative purposes.  Avaya shares personal information with these third parties as necessary to provide those services (e.g., payroll and health insurance) or for other legitimate purposes.  In these cases, the third parties are not permitted to use personal information for any purposes other than those for which they are specifically authorized.  Contracts with these third parties should contain appropriate legal provisions requiring the vendor to maintain the confidentiality and security of personal information and prohibiting them from using the information for any other purpose.  Avaya employees responsible for overseeing a contract with a third party who may have access to personal information should contact Avaya Law for assistance.

International Sharing.  Avaya operates across international boundaries and may transfer personal information across these borders via its computer and telephone systems and in paper documents in order to meet its business and legal needs and requirements.  Even intra-company transfers of personal information may result in the transfer of data between countries that have differing legal requirements for privacy protection, such as when personal information is transferred from the EU to the US.    

The transfer of personal information collected or processed in the EU to third parties (including Avaya) located in countries outside of Europe is permitted only in particular circumstances provided for in the EU Data Protection Directive.  Avaya Inc. has been "Safe-Harbor certified" for the transfer of personal information collected or processed in the EU, to the US. Additionally, Avaya has implemented inter-company data transfer agreements between countries in the EU to permit the free transfer of such data. Avaya seeks to ensure that any non-EU entity receiving the data provides protections that are equivalent to those deemed "adequate" by the EU.  If you have any questions regarding the proper protections that are required, you should consult Avaya Law for assistance.

B. Sharing of Sensitive Personal Information

As a general rule, Avaya does not share sensitive personal information with anyone within or across national boundaries without the explicit, affirmative consent of the person to whom it relates.  Exceptions to this rule may exist as permitted by law or for internal administration and operations or for other reasonable and valid business purposes referred to in this Policy (e.g., Human Resources administration), but Avaya expects personnel to obtain advice from Avaya Law before sharing such information. 

C. Special Sharing Rules

Notwithstanding the above restrictions on sharing, personal information and sensitive personal information may be transferred and used in whatever ways are necessary to protect the vital interests of Avaya, its employees, its customers or the public.  In particular, Avaya may use or disclose this information if required or permitted to do so by law, such as to investigate, protect and defend its legal rights, to adhere to US or international law, or to comply with legal process.  Avaya may also provide this information to third parties in connection with actual or contemplated mergers, bankruptcy, acquisitions, or other corporate transactions. In general, and where possible, Avaya will seek to balance the privacy concerns of the individuals and the requirements of the requesting party.


V. No Inappropriate Automated Decision Making


Avaya does not engage in processing of personal information for automated decision making purposes unless appropriate human mechanisms are in place to safeguard against inaccurate or improper decisions.  That is, computers are not used to make decisions without appropriate review of such decisions by individuals.


VI. Personnel Monitoring


In order to protect our physical security, Avaya may engage in the electronic monitoring of personnel activities and our facilities where permissible by law. Please refer to Avaya's Security Policies (Policy 3.0 - Security Requirements For Data Privacy) for additional information.


VII. Information Security and Data Integrity


Information security is an integral component of Avaya’s data protection obligations.  Avaya implements, maintains and updates adequate and reasonable security procedures and practices, as required in order to protect personal and other confidential and/or proprietary information.

Avaya expects that employees responsible for collecting, storing and transferring personal information will take all necessary and appropriate precautions to:

  • restrict access to personal information to only those employees and specific third-party vendors who have a legitimate "need to know" in order to conduct Avaya business;
  • utilize encryption and/or password protections (at a minimum) when transmitting personal information electronically;
  • prevent unauthorized access, destruction, use, modification, or disclosure of personal information; and
  • maintain physical, electronic, and procedural safeguards in compliance with national, federal, state and local regulations to protect the personal information. 

Under its Records Management Program, and in compliance with various laws, Avaya requires employees to take reasonable steps to destroy, or arrange for the destruction of, personal information within our custody or control, when retention is no longer required. Acceptable methods of destruction include (1) shredding, (2) erasing, or (3) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.  Employees should take steps to ensure that redundant or duplicate personal information is identified and destroyed.

You should notify Avaya Security immediately if any personal information is lost, compromised or stolen, or its integrity is otherwise impaired. Avaya Security can be reached on a 24-hour basis within the U.S. on 1-877-99-ETHIC (1-877-993-8442) and for non-U.S. calls on 1-908-953-7276. Alternatively, you can submit good faith reports by logging on to www.ethicspoint.com or by sending an email to dataprivacy@avaya.com or compliance@avaya.com. You also can direct any questions about this Code of Conduct or any compliance related policy to compliance@avaya.com. Under the direction of Avaya Security or Global Ethics & Compliance, Avaya will investigate all reports, including those made anonymously, and provide feedback when appropriate.

Please refer to Avaya's Security Policies (Policy 3.0 - Security Requirements For Data Privacy) for specific additional information.


VIII. Requests for Access to Personal Information


Anyone about whom Avaya maintains personal information may request to inspect and, if appropriate, correct the personal information held by Avaya. (In the EU, employees must complete a "Data Protection Data Subject Access Request Form" available from your local Data Privacy Steward.) Except for employees in the EU, requests for corrections should be sent to dataprivacy@avaya.com and must be reasonable in nature and scope. Avaya will promptly respond to such requests as soon as practicable, generally within 30 days (or such other number of days, if any, as required by local law) in a manner that protects the privacy of others.  Avaya may require additional information from the requesting party in order to assure itself of the legitimate basis for the request and the identity and authority of the requestor. Upon receipt and verification of the corrected personal information, Avaya will adjust its data or records accordingly.


IX. Other Rights of Individuals


Individuals may request that Avaya not use their personal information for direct marketing purposes.  Avaya may create a database so that when a relevant request has been made, records relating to such individual(s) can be flagged so as to prevent them from being used for direct marketing purposes.  Other rights may exist in the EU or elsewhere that permit individuals in limited circumstances to ask Avaya to stop processing personal information relating to them (see Section VII. Requests for Access to Personal Information). Where local laws and regulations provide for such additional rights on the collection, use and disclosure of personal information, the local laws and regulations will prevail.


X. Modification of Policy


Avaya reserves the right to change, modify or update this Policy at any time. Please remember to check the Ethics and Compliance website regularly for any updates.


XI. Complaint Procedure and Dispute Resolution


Avaya is committed to resolving any disputes that may arise relating to this Policy.  Should the company’s efforts to resolve an issue fail, Avaya commits to the submission of such disputes before a mutually-agreeable, independent party to provide an appropriate, independent means of resolving such disputes.


XII. Questions


If you have any questions regarding this Policy, including questions regarding the collection, use or sharing of personal and sensitive personal information, please contact dataprivacy@avaya.com, compliance@avaya.com or Avaya Law.
