Privacy Notice for Real Estate Operations

Scope

The purpose of this notice is to provide transparency to employees, contractors, and visitors (current and former) working within Ribbon facilities (hereinafter referred to also as "Personnel") regarding Ribbon's data protection practices as they pertain to processing of personal data within the context of Real Estate operations.

This notice functions alongside the following corporate policies and notices:

  • Ribbon Facility Security Policy
  • Ribbon Employee Privacy Policy
  • Other applicable jurisdiction-specific privacy notices

In addition to the restrictions and obligations described within this notice, Ribbon complies with applicable national laws that protect the privacy of personal information.

This notice is global, applying to all Ribbon facilities. Access to the notice will be enabled at public entrances to Ribbon facilities as well as via Ribbon's intranet. The concepts described in this notice guide Ribbon's selection and expectations of its agents and contractors to whom Ribbon transfers and relies on for processing of personal information.

Ribbon continually monitors employment, data privacy and security laws and regulations as they apply to its Real Estate operations worldwide. In some cases, a country's employment, data privacy and security laws may establish requirements different from our notice. If our notice conflicts with the local legislation, Ribbon will follow the local legislation.

This privacy notice is drafted in such a way as to allow readers to quickly and easily access specific elements of the notice.

Scope

EU GDPR Accountabilities

Information Ribbon Collects and Why

Cross-Border Personal Information Transfers

Transfers of Personal Information from the EEA, UK and Switzerland to Other Jurisdictions

Transfer of Personal Information from to EU, UK and Switzerland to the United States under Privacy Shield

Recipients and Disclosures

Security and Integrity of Personal Information

Retention of Data

Individual Rights

Recourse, Complaints and Enforcement

Revision of Notice

Recent Revisions

Effective Date

EU GDPR Accountabilities

Ribbon processes personal data which is subject to the EU General Data Protection Regulation (EU Regulation 2016/679)("GDPR").

This notice contains information required under GDPR Article 13 ("Information to be provided where personal data are collected from the data subject") and details Ribbon's data controller accountabilities with respect to the above processing. Ribbon is established via entities within several EU Member States – each acting as a data controller as it pertains to respective Personnel personal data. Ribbon's EU entities are subsidiaries of the following entities:

GENBAND Holdings B.V.
Evert van de Beekstraat 1-60
The Base A
4th Floor, Room 60
1118 CL Schiphol
The Netherlands
legal.privacy@rbbn.com

Ribbon Communications International Inc.
4 Technology Park Drive
Westford, MA 01886
United States
legal.privacy@rbbn.com

The Data Protection Officer (DPO) for Ribbon Communications International Inc. can be reached at legal.privacy@rbbn.com.

The Data Protection Officer (DPO) for Ribbon Communications Germany GmbH is the following individual:

Hendrik Muschal
fellaws — Ihr Partner für Arbeitsrecht Datenschutz
T: +49 30 69809060
Columbiadamm 29 I 10965 Berlin
www.fellaws.de

Information Ribbon Collects and Why

Ribbon collects and processes personal information in its Real Estate operations in a reasonable and lawful manner in order to:

  • Prevent and/or detect any unauthorized physical access to Ribbon facilities
  • Respond quickly to security incidents and conduct thorough investigations
  • Protect, and ensure the safety of Personnel working at Ribbon facilities
  • Protect corporate and customer property including data stored or accessible from Ribbon facilities
  • Comply with customer contractual requirements regarding physical security
  • Enforce company policies and procedures
  • Establish, exercise, or defend legal claims

Processing is always undertaken pursuant to a legal basis identified in EU GDPR Article 6 ("Lawfulness of processing") or equivalent local law where the EU GDPR does not apply. When Ribbon collects or processes personal information, it does so in a proportionate and limited manner pursuant to relevant, appropriate, and customary purposes.

For the purposes described above and subject to applicable law, Ribbon collects and processes the following Personnel information:

Grouping

Type

Visitor Access Log

Name

Telephone Number (Business or Personal)

Company

Signature

Access History (ingress/egress times)

Electronic Access Records

ID Card Swipe Access Events (ingress/egress times)

CCTV Video (at select facilities ingress/egress points and restricted areas)

Sensitive

Health data in the event of a medical emergency involving Personnel. 

Cross-Border Personal Information Transfers

The presence of Ribbon facilities and Personnel across the globe coupled with centralization of many Real Estate management tasks and functions makes it necessary to transmit Personnel data within the group by means of IT systems and processes.

Ribbon shall comply with applicable laws governing cross border transfers of personal information and, where required, shall ensure that such transfers are made to countries where the data protection regime provides a comparable standard of protection with that of the originating jurisdiction.

Transfers of Personal Information from the EEA, UK and Switzerland to Other Jurisdictions

Ribbon employs the following transfer mechanisms for transfers of EEA and Swiss personal information in accordance with transfer restrictions imposed under the EU General Data Protection Regulation (GDPR) or the Swiss Federal Act on Data Protection (FADP).

  • GDPR Article 45 Adequacy decisions issued by the European Commission (EC) including the Privacy Shield Framework; and/or
  • Standard data protection clauses adopted by the EC under GDPR Article 46 ("Transfers subject to appropriate safeguards.").

The transfer of personal information pertaining to UK data subjects will be transferred in accordance with the GDPR and the UK Data Protection Act (2018).

Transfer of Personal Information from the EU, UK and Switzerland to the United States under Privacy Shield

The presence of Ribbon facilities and Personnel in the European Union (EU), UK and Switzerland coupled with centralization of many tasks and functions within Ribbon makes it necessary to transmit Personnel personal data from the EU, UK and Switzerland to the United States.  Ribbon Communications Inc. and its U.S. subsidiaries Ribbon Communications Operating Company, Inc., GENBAND US LLC, Edgewater Networks, Inc. and Ribbon Communications Federal Inc. ("Ribbon Privacy Shield Companies") comply with the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield Frameworks (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of human resources personal information transferred to the U.S. from the European Union, United Kingdom and Switzerland, respectively.   The Ribbon Privacy Shield Companies have certified to the Department of Commerce that they adhere to the Privacy Shield Principles.  If there is any conflict between the terms in this Real Estate Operations Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

To learn more about the Privacy Shield program, please visit http://www.privacyshield.gov.  To view the Ribbon Privacy Shield Companies' certification under Privacy Shield, please visit http://www.privacyshield.gov/list.

In addition to the protections provided under other sections of this Real Estate Operations Privacy Policy, the Ribbon Privacy Shield Companies and all EU, UK and Swiss Ribbon entities will provide the following protections for human resources personal data transferred from the EU, UK or Switzerland to the U.S.

Choice

Individuals will be offered a clear, conspicuous, and readily available mechanism to choose (opt out) whether their personal information is (1) to be disclosed to a third party (other than a third party acting as an agent to perform tasks on behalf of and under the instruction of Ribbon) or (2) to be used for a purpose that is materially different than or incompatible with the purpose for which it was originally utilized or subsequently authorized by the individual.

Additionally, individuals will be offered a similar choice mechanism to give affirmative or explicit (opt in) choice whether their sensitive personal information is to be disclosed to a third party or used for a purpose other than the purposes for which it was originally collected or subsequently authorized by the individual by opt-in choice.  However, explicit (opt in) choice is not required when the disclosure of the sensitive personal information is (1) in the vital interests of the individual or another person; (2) necessary for the establishment of legal claims or defenses; (3) required to provide medical care or diagnosis; (4) necessary to carry out the organization's obligations in the field of employment law, or (5) related to personal information that is manifestly made public by the individual.

Transfer of Personal Data from the EU, UK or Switzerland to Processors in the United States

Ribbon's EU, UK and Swiss entities may transfer personal information to a processor in the United States solely for processing purposes.  A "processor" is a third party who processes personal information on behalf of and in accordance with the instructions of Ribbon's EU, UK and/or Swiss entities.  When personal information is transferred from the EU, UK and/or Switzerland to the United States solely for processing purposes, Ribbon's EU, UK and/or  Swiss entities will comply with the applicable data protection laws including the EU General Data Protection Regulation (GDPR), the UK Data Protection Act (2018) and the Swiss Federal Act on Data Protection (FADP), respectively and will enter into a contract with the processor to ensure that the processor (1) acts only on instructions of Ribbon's EU, UK and/or  Swiss entities; (2) provides appropriate technical and organizational measures to protect the personal information against unlawful destruction or accidental loss, alteration, unauthorized disclosure or access; and understands whether onward transfers are allowed; and (3) assists Ribbon's EU, UK and/or  Swiss entities in responding to individuals exercising their rights under the Privacy Shield principles, taking into account the nature of the processing.

Onward Transfers to Third Party Agents

After personal information is transferred from the EU, UK and/or Switzerland to the Ribbon Privacy Shield Companies in the United States, the Ribbon Privacy Shield Companies may thereafter transfer the personal information to third parties acting as controllers.  A "controller" is a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal information.  Examples of third party controllers may include banks and healthcare providers, or management personnel in other Ribbon Privacy Shield Companies offices outside of the U.S.  When the Ribbon Privacy Shield Companies make such onward transfers to third party controllers, the Ribbon Privacy Shield Companies will comply with the Privacy Shield notice and choice principles and enter into a contract with the third party controller that provides that (1) such personal information may be processed only for limited and specified purposes consistent with the consent provided by the individual; (2) the third party controller will provide the same level of protections as the Privacy Shield principles; (3) the third party controller will notify the Ribbon Privacy Shield Companies if the third party can no longer meet its obligation to provide the same level of protection for the personal information as required by the Privacy Shield principles; and (4) upon such notice by the third party controller, the third party controller will cease processing the personal information and/or take reasonable and appropriate steps to remediate any unauthorized processing.

Verification

The Ribbon Privacy Shield Companies have verified and will verify annually through self-assessment that the attestations and assertions made about its Privacy Shield privacy practices are true and that those privacy practices have been implemented as represented and in accordance with the Privacy Shield principles.  This verification has been and will be signed by an officer of the Ribbon Privacy Shield Companies or other authorized representative of the Ribbon Privacy Shield Companies at least once a year and is available upon request by individuals or in the context of an investigation or a complaint about non-compliance.  The verification includes the following:

  • That the notice is accurate, comprehensive, prominently displayed, completely implemented and accessible;
  • That the notice conforms to the Privacy Shield Principles;
  • That individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints;
  • That it has in place procedures for training employees in the implementation of this notice and disciplining them for failure to follow it;
  • That it has in place internal procedures for periodically conducting objective reviews of compliance with the above.

Recourse Mechanisms For Personal Data Transferred Under Privacy Shield

Inquiries or complaints regarding transfers of personal data from the EU, UK or Switzerland to the US pursuant to Privacy Shield should be directed to the Ribbon Human Resources department.  Additionally, complaints may be submitted pursuant to grievance procedures under applicable trade union contracts.  If the inquiry cannot be answered or the complaint is not resolved locally, the matter should be directed to:

Deputy General Counsel
5927 South Miami Blvd, Suite 150

Morrisville, NC 27560 USA

Email:  legal.privacy@rbbn.com

Fax:  (919) 457-9621

If a complaint remains unresolved, individuals in the EU should contact the state or national data protection or labor authority in the jurisdiction where the individual works for resolution.  A listing of the EU Data Protection Authorities (DPAs) is located at:  http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.  Individuals in the UK should contact the UK ICO at: https://ico.org.uk/.  Individuals in Switzerland should contact the Swiss Federal Data Protection and Information Commissioner (the Commissioner) for resolution.  Information regarding the Commissioner is located at:  https://www.edoeb.admin.ch/?lang=en

The Ribbon Privacy Shield Companies will cooperate with the DPAs and/or the Commissioner and comply with the advice of the DPAs and/or Commissioner.  In the event that the DPAs and/or the Commissioner determines that the Ribbon Privacy Shield Companies did not comply with this Policy or Privacy Shield principles, the Ribbon Privacy Shield Companies will take appropriate steps to address any adverse effects and to promote future compliance, comply with any advice given by the DPAs and/or the Commissioner where the DPAs and/or the Commissioner has determined that the Ribbon Privacy Shield Companies needs to take specific remedial or compensatory measures for the benefit of individuals affected by any non-compliance with this Policy or the Privacy Shield principles, and provide the DPAs and/or the Commissioner with written confirmation that such action has been taken.

Under certain conditions specified by the Privacy Shield Privacy Principles, individuals may also be able to invoke binding arbitration to resolve their complaints.

Enforcement

The Ribbon Privacy Shield Companies are also subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

Liability

In the context of an onward transfer of personal information, the Ribbon Privacy Shield Companies have responsibility for the processing of personal information they receive under the Privacy Shield and subsequently transfer to a third party agent.  The Ribbon Privacy Shield Companies will remain liable under the Privacy Shield principles if their third party agent processes such personal information in a manner inconsistent with the Privacy Shield principles, unless the Ribbon Privacy Shield Companies prove that they are not responsible for the event giving rise to the damage.

Training

All employees who handle personal data transferred from the EU, UK or Switzerland to the U.S. will receive training regarding the data privacy principles and procedures under Privacy Shield Principles and this notice.

Recipients and Disclosures

Within Ribbon

In general, Personnel information may be shared within Ribbon in support of legitimate business interests.  These transfers are subject to the transfer mechanism controls described within the above section on Cross-Border Personal Information Transfers.

Ribbon restricts access to personal information to those employees or contractors who require such access in order to carry out their assigned functions.

Third Party Suppliers

Ribbon will only transfer or provide direct access to Personnel information covered by this notice to vendors that have contractually agreed to:

  • respect the privacy rights of Personnel;
  • limit processing of such information in strict compliance with Ribbon's specific instructions;
  • provide at least the same level of privacy protection as is required by applicable privacy laws;
  • take reasonable and appropriate steps to stop and remediate unauthorized processing; and
  • provide notification to Ribbon if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles.

Ribbon utilizes the following categories of third party suppliers in order to deliver the services shown below.

Supplier Categories

Services

Supplier Locations

Security software providers

Provides security control management software

United States, Canada

Security equipment service providers

Furnishes, installs and maintains security cameras and access badge readers

Local to Facility

Security guard service providers

Provides on-site after hours security guards

Local to Facility

Third Party Suppliers and EEA, UK and Swiss Personal Information

Additionally, Ribbon will only transfer or provide direct access to personal information pertaining to EEA, UK or Swiss data subjects covered by this notice to third parties that:

  • are located in a jurisdiction subject to the EU GDPR or privacy laws designated to be adequate by the European Commission under GDPR Article 45; or
  • have committed to the Privacy Shield Principles as demonstrated by maintenance of certification within the Privacy Shield program; and/or
  • have provided Ribbon contractual assurances that transferred personal information will be subject to appropriate safeguards by way of standard data protection clauses adopted by the European Commission under GDPR Article 46 ("Transfers subject to appropriate safeguards."). 

Other External Disclosures

Ribbon may disclose personal information in certain circumstances, such as:

  • to comply with valid legal process including, but not limited to, government audit requests, subpoenas, court orders or search warrants; to defend or respond to legal actions; and, to respond to lawful requests by public authorities, including to meet national security or law enforcement requirements;
  • to protect the vital interests of Personnel;
  • important reasons of public interest.

If Ribbon enters into a merger, acquisition or sale of all or a portion of its assets or business, personal information may be transferred as part of or in connection with the transaction in accordance with applicable law and/or a non-disclosure agreement between the parties to the transaction.

Security and Integrity of Personal Information

To help protect the confidentiality of personal information, Ribbon employs security safeguards appropriate to the sensitivity of the information. These safeguards take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks to individuals posed by any unauthorized disclosure of the information.

These safeguards include reasonable administrative, technical and physical measures to safeguard the confidentiality and security of personal information against anticipated threats and unauthorized access to the personal information.

Ribbon imposes safeguard obligations on our vendors who receive personal information from or on behalf of Ribbon in the course of their relationship with our organization as described above in the Recipients and Disclosures section.

Ribbon employs reasonable means to keep personal information accurate, complete, and current, as needed for the purposes for which it was collected.

Retention of Data

Personal information collected by Ribbon will be retained for as long as (1) necessary and legally permitted for the purposes for which it was collected, (2) required by applicable law including record retention laws, or (3) necessary to establish, exercise, or defend legal claims.

Information

Maximum Retention Period

Visitor Log

90 days

ID Card Swipe Access Events

90 days

CCTV Video

90 days

Please refer to Ribbon's Information and Records Retention Policy for specific personal data retention periods as it pertains to personal information not included in the above retention table.

Individual Rights

Ribbon supports individual's data protection rights as provided for by applicable data protection law. If you are a Ribbon employee and have any questions regarding these rights or how to exercise them please contact your regional Human Resources representative.

For individuals who are no longer employed by Ribbon, current or former contractors, and those who were visitors to Ribbon facilities and have any questions regarding these rights or how to exercise them please click here.

EEA, UK and Swiss Data Subject Rights

Ribbon complies with data protection rights including the EU GDPR rights listed below.

Right

Summary

Notice

Ribbon provides required notice to individuals at points where personal information is collected.

Consent

Where consent is required for the collection of personal information, Ribbon will request the individual's consent.

Transparency

Access

Accuracy

Rectification

Ribbon will review and act upon requests by individuals for access or correction of personal data described within this notice to the extent required under applicable law.

Erasure

(Right to be Forgotten)

Ribbon will review and act upon requests by individuals for the erasure of personal data to the extent required under applicable law.  Generally, individuals have the right to have their personal information erased when it is no longer necessary for the purposes for which it was collected or otherwise processed or the legal basis on which the data processing was based (e.g. consent) no longer applies.

Restriction of Processing

Ribbon will review and act upon requests to restrict processing of personal data of individuals to the extent required under applicable law. 

For example, individuals have the right to obtain from Ribbon restriction of processing where he or she contests the accuracy of the personal data.

Objection to Processing

Ribbon will review and act upon requests by individuals to object to the processing of personal data to the extent required under applicable law.  Generally, an individual has the right to object to the processing of his or her personal data, and Ribbon should no longer process the data where it is unable to demonstrate compelling legitimate grounds for the processing. 

Receipt of information

(Right to Information)

Generally individuals have the right to receive information about their personal data which is processed by the company.  Among others, this right to information includes information on the purposes of the processing, the categories of the processed data, the recipients to whom the personal data has been or will be disclosed and the intended storage period.  Upon request, the company will provide the requesting individual with a copy of his/her personal data processed by the company in accordance with applicable law.

Portability

Generally individuals have the right to receive their personal data which they have provided to the company in a structured, commonly used and machine-readable format. Individuals also have the right to transmit such data to another controller if the data processing is based on the consent of the individual and the data is processed by using automated processes.  In this regard, individuals should refer to their Access right described above.

In addition to the rights shown above, individuals in the EU have the right under GDPR Article 77 ("Right to lodge a complaint with a supervisory authority") to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work, or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

Recourse, Complaints and Enforcement

If individuals have questions or concerns about this notice, or believe the notice has been violated, they are encouraged to contact their HR business partner. If an individual does not feel comfortable discussing their concern with HR, they should contact the Legal department.

For individuals who are no longer employed by Ribbon, current or former contractors, and those who were visitors to Ribbon facilities and have any questions regarding these rights or how to exercise them please click here.

Ribbon conducts compliance reviews of this notice and procedures with respect to Personnel data privacy to ensure that it is implemented as presented and, in particular, to address any cases of non-compliance.  Ribbon also considers any impact to this notice and related procedures as a result of privacy law changes.

Revision of Notice

Ribbon reserves the right to change this notice at the company's discretion subject to business or legal requirements.  To the extent required by law or business needs, Ribbon will notify individuals of any changes to this notice by reasonable methods.

Recent Revisions

Version

Date

Change Summary

1

February 2020

Initial version

2

February 2020

Addressing typos in initial version

Effective Date

March 2, 2020