Privacy
Policy
Introduction
Ribbon has developed and adopted this Privacy Policy to
describe and guide our processing of personal information.
In addition to the restrictions and obligations of this
Policy, we seek to comply with the letter and spirit of applicable laws that
protect the privacy of personal information.
The obligations and responsibilities set out in this Privacy
Policy are applicable to the Ribbon group and its personnel and will be made
available on Ribbon’s intranet and external websites. The obligations and
responsibilities set out in the Privacy Policy are in addition to any other
applicable policies or agreements entered into with Ribbon and any applicable
laws and regulations. We monitor privacy, data protection and security laws and
regulations as they apply to our operations and services worldwide. In some
cases, a territory’s data privacy and security laws may establish requirements
which may diverge from our Privacy Policy. If any such laws conflict with our
Privacy Policy, we will comply with the applicable law.
This privacy policy has been layered and linked as shown
below in order to allow readers to easily access specific elements of the
policy.
The
Information We Collect or Process
Third
Party Web Sites, Plugins or Widgets
Cross-Border
Personal Information Transfers
Transfers
of Personal Information from the EU, UK and Switzerland to Other Jurisdictions
The
Swiss-U.S., the EU-U.S., and the UK Extension of the EU-U.S., Data Privacy
Framework
Security
and Integrity of Personal Information
Recourse,
Complaints and Enforcement
This policy is global, applying to all Ribbon collection and
processing of personal information within the Ribbon group of companies. It
applies to personal information regardless of format. For example, the
policy applies to computerized records and electronic information as well as
paper-based files.
The concepts enumerated in this policy guide Ribbon's
selection and expectations of its agents and subcontractors and other
recipients to whom Ribbon transfers and relies on for processing of personal
information.
Ribbon provides certain services through its entities which
are subject to data protection laws including but not limited to the EU General
Data Protection Regulation (EU Regulation 2016/679), the UK GDPR as implemented
under the UK Data Protection Act 2018 as well as US, Canadian, Australian and
Indian law.
Data Processor
Ribbon provides several business-to-business (B2B) services
including those shown below.
|
Service |
Description |
|
Ribbon Connect Services |
Secure
cloud-based connection services for enterprises and service providers. |
|
Ribbon Identity Assurance Services |
Cloud-based
services that securely provides call origination identity assurance services
including STIR/SHAKEN services. |
|
Technical Support and Professional Services |
Services
provided to network operators which includes post-sales product technical
issue resolution, installation and upgrade services. |
Personal information processed in the context of these
services is typically controlled by or originated from other companies, such as
our customers, subscribers or other business partners. While Ribbon does
process data in its role of providing the above services and underlying
technology platforms, it does not own, control or direct the use of any of the
personal information stored or processed on behalf of the above parties.
Accordingly, Ribbon’s accountabilities insofar as such
processing is subject to the GDPR correspond to those of a data processor as
provided for under Chapter IV of the regulation. Ribbon relies on guidance and
direction of the applicable data controller(s), who determine the purposes and
generally the means of processing such personal information.
Data Controller
In some cases, Ribbon may collect and process personal
information for our own legitimate business purposes including:
European Economic Area and Switzerland
This notice contains information required under GDPR
Articles 13 and 14 and details Ribbon’s data controller accountabilities with
respect to the processing activities described herein. Ribbon is established in
the EU Member States and Switzerland under several entities. Ribbon’s EU
and Swiss entities are subsidiaries of the following entity:
Ribbon Networks B.V.
Evert van de Beekstraat 1-60
The Base A
4th Floor, Room 60
1118 CL Schiphol
The Netherlands
legal.privacy@rbbn.com
Ribbon’s Data Protection Officers can be contacted as
follows:
|
Country |
Entity |
Contact |
|
Ireland |
Ribbon
Communications International Limited |
EU Data Protection Officer The Multis Building Parkmore West Business Park Parkmore, Co. Galway H91 X7Y3, Ireland |
|
Germany |
Ribbon
Communications Germany GmbH |
Germany Data Protection Officer Hendrik Muschal fellaws Muschal Brachmann PartG mbB Meinekestraße 27 10719 Berlin |
United Kingdom
This notice contains information required under UK GDPR
Articles 13 and 14 and details Ribbon’s data controller accountabilities with
respect to the processing described herein. Ribbon is established in the
UK. Ribbon’s Data Protection Officer can be contacted as follows:
|
Country |
Entity |
Contact |
|
United Kingdom |
Ribbon
Communications UK Limited |
UK Data Protection Officer Bray House |
California
Ribbon collects, uses and discloses personal information
which is subject to the California Consumer Privacy Act (“CCPA”). This
notice contains information required by the CCPA. Ribbon is committed to
complying with the CCPA.
Canada
This notice contains information required under Canada’s
federal Personal Information Protection and Electronic Documents Act (PIPEDA)
and certain provincial privacy laws including the Quebec Act Respecting the
Protection of Personal Information in the Private Sector. Ribbon’s Privacy
Officer can be contacted as follows:
|
Country |
Entity |
Contact |
|
Canada |
Ribbon
Communications Canada ULC |
Ribbon Legal Department c/o Data Protection |
Australia
This notice contains information required under Australia’s
Privacy Act 1988 (Cth) including the Australian
Privacy Principles (“APPs”). The APPs govern the way in which Ribbon
collects, holds, uses and discloses Australian personal information. A
copy of the Australian Privacy Principles may be obtained from the website of
The Office of the Australian Information Commissioner at https://www.oaic.gov.au/. Ribbon is
established in Australia and can be contacted as follows:
|
Country |
Entity |
Contact |
|
Australia |
Ribbon
Communications Australia Pty Ltd |
Ribbon Legal Department |
India
This notice contains information required under India’s
Digital Personal Data Protection Act (DPDPA). Ribbon is established in India
and can be contacted as follows:
|
Country |
Entity |
Contact |
|
India |
Ribbon
Communications Pvt Ltd |
Ribbon Legal Department |
|
India |
ECI
Telecom India Private Limited |
Ribbon Legal Department |
The Information We Collect or
Process
Ribbon processes and in certain situations collects personal
information as needed to deliver its products and services and manage its
business. When collecting or processing personal information, Ribbon does so in
a lawful, fair and transparent manner.
In many jurisdictions, Ribbon must have a legal basis to
process personal information. In most cases the legal basis for processing will
be one of the following:
When Ribbon collects or processes personal information, it
does so in a proportionate and limited manner pursuant to relevant,
appropriate, and customary purposes. Ribbon will not share or disclose personal
information for purposes other than as described herein.
The categories of information and the purposes for which
Ribbon collects or processes personal information may include the following.
For Customers & Resellers
|
Category |
Description
& Purpose(s) |
Retention |
Source
of Collection |
Share Entity |
Sell
Entity |
Categories |
|
Business Contact and Service Portal Account Information (Controller) |
Ribbon
may collect and use personal information about individual business contacts
of customers and prospective customers. Such information may include customer
account information, account identifiers, first/last name, company name, job
title and responsibilities, email address, business mailing address,
telephone numbers, as well as additional information received by Ribbon in
the course of providing products or services. We will use such
information for the purposes of establish and maintain business relationship,
providing and improving services, authorizing and extending credit, and
providing requested or supplemental information regarding Ribbon products or
services. |
Duration of customer agreement |
You Your
Employer Where
GDPR is applicable, Ribbon is a controller processing on the basis of
legitimate interests under Article 6(1)(f) |
Service Providers Ribbon Group Affiliates |
None |
Professional or employment-related information. Identifiers such as a real name, alias, postal address,
unique personal identifier, online identifier, internet protocol address,
email address, account name, social security number, driver’s license number,
passport number, or other similar identifiers. |
|
Ribbon Connect for Microsoft Teams Direct Routing Service
– Meta Data (Processor) |
Ribbon
collects and uses personal information about individuals using Ribbon Connect
direct routing services. This may include but is not limited to the phone
numbers that you call (or the phone numbers that you receive these calls
from) through our Ribbon Connect direct routing services. The date,
time, location and duration of the calls may also be collected as well as
other networking or device identifiers such as IP and SIP addressing
sufficient to identify an individual end user. This data is used for
service delivery, service level assurance and compliance with applicable
regulatory obligations.Ribbon
provides Ribbon Connect direct routing services primarily for the benefit of
organizations and subscribers in that the services transmit or route
information on their behalf. These services often merely serve as
conduits for data transmitted by third parties and subscribers. Ribbon
does not determine the purposes and means of processing of this personal
information. |
Typically Less Than 7 Days and
Subject to Rotating Buffer Overwrite Control |
Generated
Within Service Platform Where
GDPR is applicable, Ribbon is processing on the direction of a controller who
has determined the legal basis for processing under Article 6(1) |
Service Providers Ribbon Group Affiliates |
None |
Traffic data (CPNI) including telephone number. |
|
Ribbon Connect for Operator Connect Service – Meta Data
and Admin Portal Data (Processor) |
Ribbon
collects and uses personal information about individuals using Ribbon Connect
for operator connect services. |
Service Meta Data:
|
Generated
Within Service Platform
Your
Employer Where
GDPR is applicable, Ribbon is processing on the direction of a controller who
has determined the legal basis for processing under Article 6(1) |
Service Providers Ribbon Group Affiliates |
None |
Traffic data (CPNI) including telephone number. Professional or employment-related information. Identifiers such as a real name, alias, postal address,
unique personal identifier, online identifier, internet protocol address,
email address, account name, social security number, driver’s license number,
passport number, or other similar identifiers. |
|
Ribbon Identity Assurance Service Data (Processor) |
Ribbon’s
Identity Assurance solution provides call origination identity assurance
services including STIR/SHAKEN. Service data includes personal data
including caller and called party telephone numbers and caller ID (TDRs) as
well as certain third party databases utilized to
implement identity assurance within the above framework. This data is
used for service delivery, billing, service level assurance and compliance
with applicable regulatory obligations. Ribbon
provides Ribbon Identity Assurance services primarily for the benefit of
organizations and subscribers in that the services cache information and
provide identity scoring on their behalf. Ribbon does not determine the
purposes and means of processing of this personal information. |
TDRs: Maximum 15 months Third Party DBs: Subject to third party database
provider update frequency and retention controls |
Generated
Within Service Platform Where
GDPR is applicable, Ribbon is processing on the direction of a controller who
has determined the legal basis for processing under Article 6(1) |
Service Providers Ribbon Group Affiliates |
None |
Traffic data (CPNI) including telephone number. Inferences drawn from CCPA PI to create a profile about a
consumer reflecting the consumer’s preferences, characteristics,
psychological trends, predispositions, behavior,
attitudes, intelligence, abilities, and aptitudes. |
|
Ribbon Identity Assurance –
Analytics Data (US and Canada) (Controller) |
Ribbon
collects and analyzes call audio recordings
originated by individual parties originating calls to Ribbon’s Identity
Assurance analytics aggregation system. Analysis of captured audio and
meta data associated with calls originated to the aggregation system is used
to (i) risk-score calling party phone numbers for
the purpose of improving the algorithmic reliability of the Ribbon Identity
Assurance service described above, and (ii) in compliance with applicable
communications services regulator mandated analytics associated with delivery
of STIR/SHAKEN framework related services. Personally-identifiable
data includes voice call recordings, transcripts thereof, and other call meta
data including caller party telephone number, caller ID and time of call. |
Maximum 12 months |
Aggregation
System Platform Where
GDPR is applicable, Ribbon is a controller processing on the basis of
legitimate interests under Article 6(1)(f) |
Service Providers Ribbon Group Affiliates |
None |
Traffic data (CPNI) including telephone number. Audio, electronic, visual, thermal, olfactory, or similar
information. Inferences drawn from CCPA PI to create a profile about a
consumer reflecting the consumer’s preferences, characteristics,
psychological trends, predispositions, behavior,
attitudes, intelligence, abilities, and aptitudes. |
|
Technical Support and Professional Services Data (Processor) |
Ribbon
provides technical support and professional services to network operators
which includes post-sales product technical issue resolution, installation
and upgrade services. Certain technical issue resolution processing
will include sample data required to provide the above services including
CPNI and traffic data (see above) as well as other information sufficient to
identify an individual. |
Technical Support Case attachments: |
Technical
Support Process Including CRM Platform Where
GDPR is applicable, Ribbon is processing on the direction of a controller who
has determined the legal basis for processing under Article 6(1) |
Service Providers Ribbon Group Affiliates |
None |
Sample traffic data (CPNI)
including telephone number. |
|
Credit Card Information (Controller) |
Ribbon
only collects credit card information in order to bill for subscribed
services or in support of entering a contract. Ribbon utilizes credit
card payment processing agents solely for the purpose of authenticating and
securely processing payment for the services you receive. We
require these agents to take reasonable and appropriate measures to protect
this information from loss or misuse. |
Subject to credit card payment agent retention controls |
You Where
GDPR is applicable, Ribbon is a controller undertaking processing necessary
for the performance of a contract with the data subject under Article 6(1)(b) |
Service Providers |
None |
Credit card number |
|
Ribbon Training Services Data (Controller) |
Ribbon
provides product and solutions training services to individuals that may be
delivered to students in an online, in-person as well as self-paced training
format depending on the offering. Ribbon may collect, generate and/or
process certain personal data for the purposes of (i)
student registration, communication and billing, (ii) delivery of training
content, (iii) arrangement of proctored testing, (iv) accreditation, (v)
maintenance of student online training profile/transcript, (vi) maintenance
of service consumption metrics, and (vii) undertaking certain student
surveys. |
Anonymized after 10 years of student service inactivity |
You Generated
Within Training Services Platform Where
GDPR is applicable, Ribbon is a controller processing on the basis of
legitimate interests under Article 6(1)(f) |
Service Providers Ribbon Group Affiliates |
None |
Professional or employment-related information. Education information Identifiers such as a real name, alias, postal address,
unique personal identifier, online identifier, internet protocol address,
email address, account name, social security number, driver’s license number,
passport number, or other similar identifiers. |
For Suppliers
|
Category |
Description
& Purpose(s) |
Retention |
Source
of Collection |
Share Entity |
Sell
Entity |
Categories |
|
Business Contact and Service Portal Account Information (Controller) |
Ribbon
may collect personal information about individuals who are employed by our
suppliers. This information is strictly used to administer existing and
future business arrangements as well as to establish appropriate and secure
access to Ribbon's network where required. This information may include name
and contact information, employer information, due diligence information,
electronic communications (email, voicemail) and networking communications
data. |
Duration of supplier Certain corporate network
access data will be retained for up to 18-24 months for security audit trail
purposes. |
You Your
Employer Generated
Within Corporate Network Platforms Where
GDPR is applicable, Ribbon is a controller processing on the basis of
legitimate interests under Article 6(1)(f) |
Service Providers Ribbon Group Affiliates |
None |
Professional or employment-related information. Identifiers such as a real name, alias, postal address,
unique personal identifier, online identifier, internet protocol address,
email address, account name, social security number, driver’s license number,
passport number, or other similar identifiers. |
For Independent Contractors
|
Category |
Description
& Purpose(s) |
Retention |
Source
of Collection |
Share Entity |
Sell
Entity |
Categories |
|
Business Contact Data Administrative and Onboarding Data Qualifications & Experience Information (Controller) |
Ribbon
may collect personal information about our independent contractors. This
information is strictly used to administer existing and future business
arrangements as well as to establish appropriate and secure access to
Ribbon's network where required. This information may include name and
contact information, employer identification information, qualifications,
licenses and experience, reference, background checks and due diligence
information, services provided, billing, payment, expenses and financial information,
insurance and bonding information, electronic communications (email,
voicemail) and networking communications data. |
Duration of contracting agreement Certain corporate network access data will be retained for
up to 18-24 months for security audit trail purposes. |
You Generated
Within Corporate Network Platforms Where
GDPR is applicable, Ribbon is a controller processing on the basis of
legitimate interests under Article 6(1)(f) |
Service Providers Ribbon Group Affiliates |
None |
Professional or employment-related information. Education information. Identifiers such as a real name, alias, postal address,
unique personal identifier, online identifier, internet protocol address,
email address, account name, social security number, driver’s license number,
passport number, or other similar identifiers. Signature, address, telephone number, education, bank
account number, other financial information and gender. |
For Job Applicants
Ribbon collects personal information of job applicants in
connection with its recruitment and hiring activities. Job applicants should
refer to Ribbon's Privacy Notice for Job Applicants
For Marketing Leads and Website Visitors
Ribbon is the data controller of marketing data we
collect. We collect marketing data when you visit our websites, when you
provide it to us (by phone, in person or by webform), when you register for or
attend an event, when you request information regarding Ribbon,
when we collect it from public databases, partners, social media
sites or other third parties.
|
Category |
Description
& Purpose(s) |
Retention |
Source
of Collection |
Share Entity |
Sell
Entity |
Categories |
|
Marketing Data (Controller) |
Marketing
data includes your contact details such as name, physical address, country,
email, company name, job title and business telephone number (collectively
“Marketing Data”). When you visit a Ribbon website, Ribbon collects
associated website visitor information such as IP address, geographic
location, browser type, operating system, screen size and company
(collectively “Website Visitor Information”). Website Visitor
Information shall not be linked to your Marketing Data unless you provide
additional information to us (such as by filling out a form on our website)
that connects the information to you. For more information on the above
and choices available to website visitors please refer to Ribbon’s Cookie Policy and Ribbon’s
Cookie Preference Center accessible via the
website. Ribbon
uses this data for direct marketing of Ribbon products and services.
Unless expressly requested by Ribbon and consented by you, Ribbon will not
share or disclose or sell personal information to third parties for the
purpose of their own marketing or resale activities. |
Marketing Contact Data: Maximum 24 months after last
marketing service interaction Cookies: Please see Ribbon Cookie Policy for specific information
regarding cookies |
You Your
Browser Where
GDPR is applicable, Ribbon is a controller processing on the basis of consent
under Article 6(1)(a) |
Service Providers Ribbon Group Affiliates |
None |
Identifiers such as a real name, alias, postal address,
unique personal identifier, online identifier, internet protocol address,
email address, account name, social security number, driver’s license number,
passport number, or other similar identifiers. Professional or employment-related information Internet or other electronic network activity information,
including, but not limited to, browsing history, search history, and
information regarding a consumer’s interaction with an internet website,
application, or advertisement. |
Other Collection or Processing
Additional personal information may be collected, processed
and disclosed for the purposes for which it was collected and for legal
compliance purposes, including regulatory reporting, investigation of
allegations of wrongdoing, and the management and defense
of legal claims and actions, and compliance with subpoenas, court orders and
other legal obligations.
Third Party Web Sites,
Plugins or Widgets
Ribbon websites and services may include social network or
other third-party plugins and widgets. Accessing these links is done at your
option. Please review the sponsor's privacy policy provided at the respective
site.
Cross-Border
Personal Information Transfers
Where feasible Ribbon utilizes geographically aligned
resources for primary data processing in order to reduce the complexity and
volume of cross-border personal information transfer.
Ribbon shall comply with the applicable laws governing
international transfers of personal information, including by implementing the
safeguards described in ” Transfers of Personal
Information from the EU, EEA, UK and Switzerland to Other Jurisdictions”, below
and where required shall ensure that such transfers are made to countries where
the data protection regime is compatible with that of the originating jurisdiction.
Transfers of
Personal Information from the EU, EEA, UK and Switzerland to Other
Jurisdictions
Ribbon relies upon the DPF certification for cross-border
transfers of personal information, but takes additional steps to protect
personal information, including by employing the following transfer mechanisms
for transfers of EU, EEA, UK and Swiss personal information in accordance with
transfer restrictions imposed under the EU General Data Protection Regulation
(GDPR), the UK GDPR or the Swiss Federal Act on Data Protection (FADP) as
applicable.
The Swiss-U.S., the EU-U.S., and the UK Extension of the
EU-U.S., Data Privacy Framework
Ribbon Communications Inc. and its U.S. subsidiaries Ribbon
Communications Operating Company, Inc. and Ribbon Communications Federal Inc
(“Ribbon DPF Companies”) rely on and comply with the EU-U.S. Data Privacy
Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the
Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as set forth by the U.S.
Department of Commerce regarding the collection, use and retention of personal
information. The Ribbon DPF Companies have certified to the Department of Commerce
that they adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF
Principles) with regard to the processing of personal data received from the
European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and
Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF, and from
Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between
the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the
Swiss-U.S. DPF Principles, the Principles shall govern.
To learn more about the Data Privacy Framework (DPF)
program, and to view Ribbon’s certification, please visit https://www.dataprivacyframework.gov/.
To view the Ribbon DPF Companies’ certification under the EU-U.S. DPF, the UK
Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, please visit https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt00000008RT8AAM&status=Active
In addition to the protections provided under other sections
of this Privacy Policy, the Ribbon DPF Companies will provide the following
protections for personal data previously transferred from the EU, UK of
Switzerland to the US.
Choice
Individuals who are residents of the EEA, UK or Switzerland
will be offered a clear, conspicuous, and readily available mechanism to choose
(opt out) whether their personal information is (1) to be disclosed to a third
party other than a third party acting as an agent to perform tasks on behalf of
and under the instruction of Ribbon or (2) to be used for a purpose that is
materially different than or incompatible with the purpose for which it was
originally utilized or subsequently authorized by the individual.
Additionally, such individuals will be offered a similar
choice mechanism to give affirmative or explicit (opt in) choice whether their
sensitive personal information is to be disclosed to a third party or used for
a purpose other than the purposes for which it was originally collected or
subsequently authorized by the individual by opt-in choice. However,
explicit (opt in) choice is not required when the disclosure of the sensitive
personal information is (1) in the vital interests of the individual or another
person; (2) necessary for the establishment of legal claims or defenses; (3) required to provide medical care or
diagnosis; (4) necessary to carry out the organization’s obligations in the
field of employment law, or (5) related to personal information that is
manifestly made public by the individual.
Transfer of Personal Information from the UK, EEA, or
Switzerland to Processors in the U.S.
Ribbon’s EEA, UK and Swiss entities may transfer personal
information to a processor in the United States solely for processing purposes.
A “processor” is a third party who processes personal information on behalf of
and in accordance with the instructions of Ribbon’s EEA, UK and/or Swiss
entities. When personal information is transferred from the EEA, UK and/or
Switzerland to the United States solely for processing purposes, the Ribbon’s
EEA, UK and/or Swiss entities will comply with the applicable data protection
laws, including the GDPR, UK GDPR, UK Data Protection Act 2018, and/or FADP,
respectively, and enter into a contract with the processor to ensure that the
processor (1) acts only on instructions of Ribbon’s EEA, UK and/or Swiss
entities; (2) provides appropriate technical and organizational measures to
protect the personal information against unlawful destruction or accidental
loss, alteration, unauthorized disclosure or access; and understands whether
onward transfers are allowed; and (3) assists the Ribbon’s EEA, UK and/or Swiss
entities in responding to individuals exercising their rights under the DPF
principles, taking into account the nature of the processing.
Onward Transfers to Third Party Agents and/or
Public Authorities
The Ribbon DPF Companies may transfer personal information
to third parties acting as controllers as described in “Third Party Suppliers
and EU, EEA, UK and Swiss Personal Information”, below. The Ribbon DPF
Companies may transfer personal information in response to public authorities
to comply with national security or law enforcement requirements, including as
described in “Other External Disclosures”, below.
Verification
The Ribbon DPF Companies have verified and will verify
annually through self-assessment that the attestations and assertions made
about its DPF privacy practices are true and that those privacy practices have
been implemented as represented and in accordance with the EU-U.S. DPF, the UK
Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles. This
verification has been and will be signed by an officer of the Ribbon DPF
Companies or other authorized representative of the Ribbon DPF Companies at least
once a year and is available upon request by individuals or in the context of
an investigation or a complaint about non-compliance. The verification includes
the following:
Recourse Mechanisms Under the DPF
Inquiries or complaints regarding transfers of personal data
from the EEA, UK or Switzerland to the U.S. pursuant to the DPF should be
directed to:
Ribbon Legal Department
6500 Chase Oaks Blvd.
Suite 100
Plano, TX 75023
United States
Email: legal.privacy@rbbn.com
If a complaint remains unresolved, it will be resolved
through alternative dispute resolution. Ribbon has selected JAMS Mediation,
Arbitration and ADR Services (JAMS) as the administrator of Ribbon's
independent recourse mechanism for DPF disputes. Ribbon has committed to refer
such unresolved DPF complaints to JAMS in the United States. You may find more
information about dispute resolution and how to file a claim with JAMS at https://www.jamsadr.com/dpf-dispute-resolution.
Individuals have the possibility, under certain conditions,
to invoke binding arbitration for complaints regarding DPF compliance not
resolved by any of the other DPF mechanisms. Please visit Annex I for
additional information: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.
Enforcement
The Ribbon DPF Companies are also subject to the
investigatory and enforcement powers of the United States Federal Trade
Commission, which has jurisdiction over Ribbon’s compliance with the EU-U.S.
DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
Liability
In the context of an onward transfer of personal
information, the Ribbon DPF Companies have responsibility for the processing of
personal information they receive under the DPF and subsequently transfers to a
third party agent. The Ribbon DPF Companies will
remain liable under the DPF Principles if their third party
agent processes such personal information in a manner inconsistent with the DPF
Principles, unless the Ribbon DPF Companies prove that they are not responsible
for the event giving rise to the damage.
Training
All employees who process personal data will receive
training regarding the data privacy principles and procedures under DPF
Principles and this Policy. Individuals whose roles require regular
access to personal information, or who are responsible for implementing this
policy or responding to subject access requests under this policy, will receive
additional training to help them understand their duties and how to comply with
them.
Within the Ribbon Group
In general, personal information may be shared within Ribbon
in order to fulfill service commitments to our
customers and in support of legitimate business interests. These transfers are
subject to the transfer mechanism controls described within the above section
on Cross-Border Personal Information Transfers.
Ribbon restricts access to personal information to those
employees, agents, or contractors who require access in order to carry out
their assigned functions.
A list of Ribbon corporate locations is available here. Processing locations will vary by service provided.
Third Party Suppliers
Ribbon uses vendors and partners for a variety of business
purposes in order to help us fulfil the services we provide. We share
information with those vendors and partners when it is beneficial for them to
perform work on our behalf.
Ribbon will only transfer or provide direct access to
personal information covered by this policy to third parties which have:
Ribbon employs the following categories of third party suppliers in order to deliver the services shown
below.
Ribbon Connect for Microsoft Teams Direct Routing
Services
|
Service Region |
Third
Party Category |
Locations |
|
EU/UK |
Cloud
Hosting and Platform Providers |
Ireland, Netherlands, United Kingdom |
|
NA |
Cloud
Hosting and Platform Providers |
United States |
|
APAC |
Cloud
Hosting and Platform Providers |
Australia, Singapore, Japan |
Ribbon Connect for Operator Connect Services
|
Service Region |
Third
Party Category |
Locations |
|
Global |
Cloud
Hosting Providers |
United States |
|
EU/UK |
Cloud
Hosting and Platform Providers |
Ireland, Netherlands, United Kingdom |
|
NA |
Cloud
Hosting and Platform Providers |
United States. Canada |
|
APAC |
Cloud
Hosting and Platform Providers |
Australia, Singapore, Japan |
Ribbon Identity Assurance Services
|
Service Region |
Third
Party Category |
Locations |
|
EU |
Cloud
Hosting Providers |
France |
|
NA |
Cloud
Hosting Providers |
United States, Canada |
|
NA |
CRM
Technology Providers |
United States |
|
NA |
Technology
Service Partners |
United States |
Technical Support and Professional Services
|
Service Region |
Third
Party Category |
Locations |
|
Global |
Cloud
Hosting Providers |
United States |
|
Global |
CRM
Technology Providers |
United States |
|
Global |
Technology
Service Partners |
United States, Turkey, India, Vietnam |
Marketing
|
Service Region |
Third
Party Category |
Locations |
|
Global |
CRM
Providers |
United States |
|
Global |
Web
Hosting Providers |
United States |
|
Global |
Web
Analytics Providers |
United States |
|
Global |
Marketing
Automation Providers |
United States |
Ribbon Training Services
|
Service Region |
Third
Party Category |
Locations |
|
Global |
CRM
Providers |
United States |
|
Global |
Hosted
Online Training Services Provider |
United States, Belgium |
|
Global |
Payment
Gateway Providers |
United States |
|
Global |
Digital
Adoption Platform Providers |
United States |
|
Global |
Examination
Proctoring Providers |
United States |
|
Global |
Accreditation
Providers |
United States |
Third Party Suppliers and EU, EEA, UK and Swiss Personal
Information
Additionally, for personal information pertaining to EU,
EEA, UK or Swiss data subjects Ribbon will only transfer or provide direct
access to personal information covered by this policy to third parties that:
Where transfers are made pursuant to the DPF, Ribbon will
further comply with the DPF notice and choice principles and, where required,
enter into a contract with the third party that provides that: (1) such
personal information may be processed only for limited and specified purposes
consistent with the consent provided by the individual, (2) the third party
will provide the same level of protections as the DPF principles, (3) the third
party will notify Ribbon if it can no longer meet its obligation to provide the
same level of protection for personal information as is required by the DPF
principles, and (4) upon such notice by the third party, the third party will
cease processing the personal information and/or take reasonable and
appropriate steps to remediate any unauthorized processing.
Other External Disclosures
Ribbon may disclose information that individually identifies
our customers, subscribers or identifies their devices in certain
circumstances, such as:
If Ribbon enters into a merger, acquisition or sale of all
or a portion of its assets or business, customer information will also be
transferred as part of or in connection with the transaction as per local law
and/or non-disclosure agreement.
Security and
Integrity of Personal Information
To help protect the confidentiality of personal information,
Ribbon employs appropriate information security safeguards. These
safeguards take into account the state of the art, the cost of implementation
and the nature, scope, context and purposes of processing as well as the risks
to individuals posed by any unauthorized disclosure of the information.
These safeguards include reasonable administrative,
technical and physical measures to safeguard the confidentiality, integrity and
availability of personal information against anticipated threats and
unauthorized access to such personal information.
Ribbon conveys safeguard obligations to our third parties
who receive personal information from or on behalf of Ribbon in the course of
their relationship with our organization as described above in the
"Recipients and Disclosures" section.
Ribbon employs reasonable means to keep personal information
accurate, complete, and current, as needed for the purposes for which it was
collected.
Ribbon understands the data minimization and storage
limitation principles within the GDPR and other data protection laws which
require that data be deleted when its retention is no longer required to
satisfy the purposes for which it was collected, generated or provided to
Ribbon by a data controller. Ribbon complies with all applicable information
retention laws and regulations including those associated with electronic
communication service provider requirements.
Additional information regarding retention of data is
available within the tables in the section above entitled “The Information We
Collect or Process”
The data Ribbon processes is described in further detail in
“The Information We Collect or Process” section above.
Service Portals
If you have created a user profile on any Ribbon service
portal (eg: Ribbon Technical Support Portal), you may
access and revise the personal information in your user profile when you log
into your account. In general, these portals will only require minimal personal
information that is necessary to provide and administer the service.
Marketing Materials
If you provide us with your email address or other contact
information to enable us to provide current communications and information to
you, we may use the information for providing such communications including
delivery of press releases and other Ribbon marketing materials. You may
request to no longer receive Ribbon marketing communications by following the
"unsubscribe" instructions in emails from Ribbon or by sending a
request to the Contact identified below.
In the rare and unlikely event that Ribbon wishes to use an
individual's personal information for a purpose that is materially different
from the purpose(s) for which it was originally collected or subsequently
authorized by the individuals, Ribbon will seek consent in advance as required
by law.
Cookie Preferences
Ribbon websites may use cookies to collect certain kinds of
personal information about subscribers or users. For more information on how
Ribbon uses cookies and choices available to website visitors please refer
to Ribbon's
Cookie Policy and Ribbon's Cookie Preference Center
accessible via the website.
Sensitive Information
Ribbon recognizes that for some sensitive information,
affirmative express consent from individuals may be required and must be
obtained if such information is to be (i) disclosed
to a third party or (ii) processed for a purpose other than those for which it
was originally collected or subsequently authorized by the individuals through
the exercise of opt-in choice. In addition, Ribbon shall treat as sensitive any
personal information received from a third party where the third party
identifies and treats it as sensitive.
Ribbon supports individual's data protection rights as
provided for by applicable data protection laws. These may include
individual rights of access, rectification, erasure, restriction or objection
to processing, and portability. This section contains supplemental
information for individuals in certain jurisdictions. If Ribbon is
relying on your consent to process your personal data, you have the right to
withdraw your consent at any time.
Service Portals
If you have created a user profile on any Ribbon service
portal (eg: Ribbon Technical Support Portal), you may
access, examine, revise or delete the personal information in your user profile
when you log into your account. In general, these portals will only require
minimal personal information that is necessary to provide and administer the
service. Ribbon employs reasonable means to keep its individuals' personal
information accurate, complete, and current.
EU and UK Data Subject Rights
Individuals having rights governed by EU or UK data
protection law may exercise the following rights as data subjects.
|
Right |
GDPR
Article |
Summary |
|
Access |
15 |
Right to request access to and obtain a copy of your
personal data. In certain service contexts, individuals are provided
with credentialized access to much of their own
personal information that Ribbon collects and maintains through various
service portals (please see Service Portals above). This enables
individuals to access, review, export, and in many instances enter or certify
their personal information. |
|
Rectification |
16 |
Right to request rectification (or correction) of personal
data that is inaccurate. In certain service contexts, individuals are
provided with credentialized access to much of
their own personal information that Ribbon collects and maintains through
various service portals (please see Service Portals above). This
enables individuals to access, review, export, and in many instances enter or
certify their personal information. |
|
Erasure (Right to be Forgotten) |
17 |
Right to request erasure (or deletion) of personal data
that is no longer necessary to fulfil the purposes for which it was collected
or does not need to be retained by Ribbon for other legitimate
purposes. Ribbon will review and act upon requests by individuals for
the erasure of personal data to the extent required under applicable
law. Generally, individuals have the right to have their personal
information erased when it is no longer necessary for the purposes for which
it was collected or otherwise processed or the legal basis on which the data
processing was based (e.g. consent) no longer applies. |
|
Restriction of Processing |
18 |
Right to require Ribbon to restrict the processing of your
personal data under certain circumstances. Ribbon will review and act
upon requests to restrict processing of personal data of individuals to the
extent required under applicable law. |
|
Portability |
20 |
If applicable, the right to request your personal data be
ported (transferred) to another controller. Under certain conditions
individuals have the right to receive their personal data which they have
provided to Ribbon in a structured, commonly used and machine-readable
format. Individuals also have the right to transmit such data to another
controller. |
|
Objection to Processing |
21 |
Right to object to the processing of your personal
data. Ribbon will review and act upon requests by individuals to object
to the processing of personal data to the extent required under applicable
law. Generally, an individual has the right to object to the processing
of his or her personal data, and Ribbon should no longer process the data
where it is unable to demonstrate compelling legitimate grounds for the
processing. |
If Ribbon is relying on your consent to process your
personal data, you have the right to withdraw your consent at any time.
In addition to the rights shown above, individuals have the
right under GDPR Article 77 to lodge a complaint with a supervisory authority,
in particular in the UK or EU Member State of his or her habitual residence,
place of work or place of the alleged infringement if the data subject
considers that the processing of personal data relating to him or her infringes
this regulation.
California Privacy Rights
Individuals having rights governed by the CCPA may exercise
the following rights as data subjects.
|
Right |
CCPA Section |
Summary |
|
Access |
1798.110 |
Right to request access to and obtain a copy of personal
information, including:
|
|
Deletion |
1798.105 |
Right to request deletion of personal information that is
no longer necessary to fulfil the purposes for which it was collected or does
not need to be retained by Ribbon for other legitimate purposes. |
|
Correction |
1798.106 |
Right to request correction of personal information that
is inaccurate taking into account the nature of the personal information and
the purposes of the processing of the personal information. |
|
Limit Use and Disclosure of Sensitive Information |
1798.121 |
Right of individual to direct Ribbon to limit its use and
disclosure of the individual’s sensitive personal information to those
uses(s) which are necessary, and as authorized by applicable regulations
adopted pursuant to the CCPA. |
|
Portability |
1798.130(a) |
Where applicable, right of individual to request provision
of specific pieces of personal information obtained from the consumer in a
format that is easily understandable to the average consumer, and to the
extent technically feasible, in a structured, commonly used, machine-readable
format that may also be transmitted to another entity at the consumer’s
request without hindrance. “Specific pieces of information” do not include
data generated to help ensure security and integrity or as prescribed by regulation. |
If Ribbon is relying on your consent to process your
personal data, you have the right to withdraw your consent at any time.
Ribbon does not sell or disclose personal information to
third parties for their own direct marketing purposes.
Requests
If you are an individual who wishes to exercise a data
protection right as provided for by applicable data protection law,
please click
here or contact us by telephone at 1-866-750-5040.
The ability of an individual to access, update or delete his
or her personal information is not unlimited. An individual's ability to
access personal information may be limited, for example, where (a) the burden
or expense of providing access would be unreasonable or disproportionate to the
risks to the individual's privacy, (b) the information should not be disclosed
or deleted due to legal reasons; or (c) providing access would compromise the
privacy of another person.
Recourse,
Complaints and Enforcement
Individuals who wish to file a complaint or who take issue
with Ribbon's policy should direct such communications to Ribbon at:
Ribbon Legal Department
6500 Chase Oaks Blvd.
Suite 100
Plano, TX 75023
United States
legal.privacy@rbbn.com
Ribbon undertakes annual compliance review of our policies,
procedures with respect to data privacy to ensure that policy is implemented as
presented and, in particular, to address any cases of non-compliance.
Ribbon also considers any impact to our policies and procedures as a result of
privacy law changes or trends in recurring complaints from individuals.
Ribbon reserves the right to change this privacy policy at
our discretion subject to business or legal requirements. Please check
this privacy policy from time to time and particularly before you provide
personal information to Ribbon. The effective date of the newest version
of the privacy policy will be posted below, and in the event that we make
material changes to this privacy policy, we will notify affected users by
making a more prominent notice of the changes.
If we change our policy or use of personal information in
such a manner that significantly diverges from the original purposes that we
collected the information, we will provide notification as required by
applicable law. Your rights to object or obtain further information is as
provided for in the Data Subject Rights and Recourse, Complaints and
Enforcement sections.
|
Version |
Date |
Change Summary |
|
6 |
April
2020 |
Update Contact, Marketing Lead and Service Portal Account
Information. Adjust Ribbon entity names to reflect certain 2019 changes |
|
7 |
July
2020 |
Update Ribbon DPF Companies |
|
8 |
November
2020 |
Reflecting CJEU decision in Case-311/18 with regards to
DPF |
|
9 |
April
2021 |
Addition of Ribbon Connect and Ribbon Identity Assurance
transparency |
|
10 |
June
2022 |
Additional accountability information in support of
Canadian law |
|
11 |
June
2023 |
Update Ribbon DPF Companies |
|
12 |
September
2023 |
Modify content to reflect Ribbon’s EU-U.S. DPF, the UK
Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF commitments |
|
13 |
December
2023 |
Extending accountabilities portion of policy to more
formally reflect applicable Australian privacy law and the APPs as well as
the India DPDPA |
|
14 |
December
2024 |
Update certain Ribbon affiliate information |
|
15 |
March
2025 |
Update certain content reflecting Ribbon’s DPF
commitments. |
March 26, 2025
If you have any comments or questions regarding this policy
or Ribbon’s privacy practices, or if you are an individual with a disability
and require access to this policy in an alternative format
please contact us at:
Ribbon Privacy
Suite 2100
500 Palladium Drive
Ottawa, Ontario, Canada K2V 1C2
privacy@rbbn.com