Scope

The purpose of this notice is to provide transparency to employees, contractors, and visitors (current and former) working within Ribbon facilities (hereinafter referred to also as "Personnel") regarding Ribbon's data protection practices as they pertain to processing of personal data within the context of Real Estate operations.

This notice functions alongside the following corporate policies and notices:

  • Ribbon Facility Security Policy
  • Ribbon Employee Privacy Policy
  • Other applicable jurisdiction-specific privacy notices

In addition to the restrictions and obligations described within this notice, Ribbon complies with applicable national laws that protect the privacy of personal information.

This notice is global, applying to all Ribbon facilities. Access to the notice will be enabled at public entrances to Ribbon facilities as well as via Ribbon's intranet. The concepts described in this notice guide Ribbon's selection and expectations of its agents and contractors to whom Ribbon transfers and relies on for processing of personal information.

Ribbon continually monitors employment, data privacy and security laws and regulations as they apply to its Real Estate operations worldwide. In some cases, a country's employment, data privacy and security laws may establish requirements different from our notice. If our notice conflicts with the local legislation, Ribbon will follow the local legislation.

This privacy notice is drafted in such a way as to allow readers to quickly and easily access specific elements of the notice.

Scope

Accountabilities

Information Ribbon Collects and Why

Cross-Border Personal Information Transfers

Transfers of Personal Information from the EU, UK and Switzerland to Other Jurisdictions

The Swiss-U.S., the EU-U.S., and the UK Extension of the EU-U.S. Data Privacy Framework

Recipients and Disclosures

Security and Integrity of Personal Information

Retention of Data

Individual Rights

Recourse, Complaints and Enforcement

Revision of Notice

Recent Revisions

Effective Date

Accountabilities

Ribbon processes personal data through its entities which are subject to data protection laws including but not limited to the EU General Data Protection Regulation (EU Regulation 2016/679)(“EU GDPR”), the UK General Data Protection Regulation as implemented under the UK Data Protection Act 2018 (collectively the “UK GDPR”) as well as applicable US, Israeli, Indian, Australian and Canadian law.

References within this notice to simply the “GDPR” should be interpreted to mean the EU GDPR or the UK GDPR insofar as either is applicable.

European Union and Switzerland

This notice contains information required under GDPR Article 13 and 14, and details Ribbon’s data controller accountabilities with respect to the above processing.  Ribbon is established via entities within several EU Member States and Switzerland – each acting as a data controller as it pertains to respective Personnel personal data.  Ribbon’s EU and Swiss entities are subsidiaries of the following entity:

Ribbon Networks B.V.
Evert van de Beekstraat 1-60
The Base A
4th Floor, Room 60
1118 CL Schiphol
The Netherlands
legal.privacy@rbbn.com

The Ribbon Data Protection Officers can be contacted as follows:

 

Country Entity Contact

Ireland

Ribbon Communications International Limited

EU Data Protection Officer
The Multis Building
Parkmore West Business Park
Parkmore, Co. Galway H91 X7Y3, Ireland
legal.privacy@rbbn.com

Germany

Ribbon Communications Germany GmbH

Germany Data Protection Officer
Hendrik Muschal
fellaws Muschal Brachmann PartG mbB
Meinekestraße 27
10719 Berlin
www.fellaws.de

 

United Kingdom

This notice contains information required under UK GDPR Articles 13 and 14 and details Ribbon’s data controller accountabilities with respect to the above processing.  Ribbon is established in the UK.  Ribbon’s Data Protection Officer can be contacted as follows:

Country Entity Contact

United Kingdom

Ribbon Communications UK Limited

UK Data Protection Officer

Bray House
4 Maidenhead Office Park
Maidenhead
Berkshire SL6 3QH
legal.privacy@rbbn.com

 

California

Ribbon collects and uses personal information which is subject to the California Consumer Privacy Act (“CCPA”).  This notice contains information required by the CCPA.

Canada

This notice contains information required under certain provincial privacy laws.  Ribbon’s Privacy Officer can be contacted as follows:

Country Entity Contact

Canada

Ribbon Communications Canada ULC

Ribbon Communications Canada ULC
Ribbon Legal Department
500 Palladium Drive
Suite 2100
Ottawa, Ontario
K2V 1C2
legal.privacy@rbbn.com

Australia

This notice contains information required under Australia’s Privacy Act 1988 (Cth) including the Australian Privacy Principles (“APPs”).  The APPs govern the way in which Ribbon collects, holds, uses and discloses Australian personal information.  A copy of the Australian Privacy Principles may be obtained from the website of The Office of the Australian Information Commissioner at https://www.oaic.gov.au/. Ribbon is established in Australia and can be contacted as follows:

Country Entity Contact

Australia

Ribbon Communications Australia Pty Ltd

Ribbon Legal Department
c/o Baker & McKenzie
Level 19
181 William Street
Melbourne, Victoria 3000
Australia
legal.privacy@rbbn.com

India

This notice contains information required under India’s Digital Personal Data Protection Act (DPDPA).  Ribbon is established in India and can be contacted as follows:

Country Entity Contact

India

Ribbon Communication Pvt. Ltd.

Ribbon Legal Department
c/o Data Protection
2nd Floor, Delta Block, Embassy Tech Square, Kadubeesanahalli Village, Outer Ring Road, Varthur Hobli, Bangalore – 560103 India

legal.privacy@rbbn.com

 

India

ECI Telecom India Private Limited

Ribbon Legal Department
c/o Data Protection
7th Floor, North Side,
Empire Plaza I, Lal Bahadur Shastri Marg,
Vikhroli West, Mumbai – 400 083

legal.privacy@rbbn.com

India

GENBAND Telecommunications Private Limited

Ribbon Legal Department
c/o Data Protection
2nd Floor, Delta Block, Embassy Tech Square, Kadubeesanahalli Village, Outer Ring Road, Varthur Hobli, Bangalore – 560103 India

legal.privacy@rbbn.com

Information Ribbon Collects and Why

Ribbon collects and processes and retains personal information in its Real Estate operations in a reasonable and lawful manner in order to:

  • Prevent and/or detect any unauthorized physical access to Ribbon facilities
  • Respond quickly to security incidents and conduct thorough investigations
  • Protect, and ensure the safety of Personnel working at or visiting Ribbon facilities
  • Protect corporate and customer property including data stored or accessible from Ribbon facilities
  • Comply with customer contractual requirements regarding physical security
  • Enforce company policies and procedures
  • Establish, exercise, or defend legal claims

Processing is always undertaken pursuant to a legal basis identified in GDPR Article 6 ("Lawfulness of processing") or equivalent local law where the GDPR does not apply. When Ribbon collects or processes personal information, it does so in a proportionate and limited manner pursuant to relevant, appropriate, and customary purposes.

For the purposes described above and subject to applicable law, Ribbon collects and processes the following Personnel information:

Category Description Retention Source of Collection CCPA Categories

Visitor Access Log Information

Name, telephone number (business or personal), company, signature, access history (ingress/egress times)

Typically 90 days

Personnel

Professional or employment-related information.

 

Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

 

Electronic Access Records

ID card swipe access events (ingress/egress times), CCTV video (at select facilities ingress/egress points and restricted areas)

 

Typically 90 days

Personnel activity as collected via the Ribbon access control system generated

Audio, electronic, visual, thermal, olfactory, or similar information

 

Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

 

Sensitive

Health data in the event of a medical emergency involving Personnel

Retention period subject to applicable law

Personnel

 

Ribbon health and safety personnel

Characteristics of protected classifications under California or federal law

 

Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers

 

Pandemic Data

(May Include Sensitive Data)

Personal data for purposes of compliance with local pandemic regulations.  This may include the following: biometric temperature reading including location and time of reading, Personnel health conditions, family health conditions, recent travel history and vaccination information.  The precise personal data will be determined by the applicable government regulations in each instance.

 

Retention period subject to applicable law

Personnel

Characteristics of protected classifications under California or federal law

 

Audio, electronic, visual, thermal, olfactory, or similar information

 

Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers

Cross-Border Personal Information Transfers

The presence of Ribbon facilities and Personnel across the globe coupled with centralization of many Real Estate management tasks and functions makes it necessary to transmit Personnel personal data within the group by means of IT systems and processes.

Ribbon shall comply with applicable laws governing cross border transfers of personal information and, where required, shall ensure that such transfers are made to countries where the data protection regime provides a comparable standard of protection with that of the originating jurisdiction.

Transfers of Personal Information from the EU, UK and Switzerland to Other Jurisdictions

The presence of Ribbon facilities and Personnel in the European Union (EU), UK and Switzerland coupled with centralization of many tasks and functions makes it necessary to transmit Personnel personal data from the EU, UK and Switzerland to the United States and Canada.

Ribbon employs the following transfer mechanisms for transfers of EU, UK and Swiss personal information in accordance with transfer restrictions imposed under the EU GDPR, the UK GDPR and the Swiss Federal Act on Data Protection (FADP) as applicable:

  • Adequacy decisions issued by the European Commission (EC) or the competent UK authority under GDPR Article 45 and as similarly recognized by the Swiss authority as applicable; and/or
  • Standard contract clauses adopted by the EC or the competent UK authority under GDPR Article 46 and any such clauses as approved by the Swiss Federal Data Protection and Information Commissioner.

The Swiss-U.S., the EU-U.S., and the UK Extension of the EU-U.S. Data Privacy Framework

Ribbon Communications Inc. and its U.S. subsidiaries Ribbon Communications Operating Company, Inc. and Ribbon Communications Federal Inc (“Ribbon DPF Companies”) rely on and comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information.   The Ribbon DPF Companies have certified to the Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF, and from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.

To learn more about the Data Privacy Framework (DPF) program, and to view Ribbon’s certification, please visit https://www.dataprivacyframework.gov/.  To view the Ribbon DPF Companies’ certification under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, please visit https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt00000008RT8AAM.

In addition to the protections provided under other sections of this Privacy Policy, the Ribbon DPF Companies will provide the following protections for personal data previously transferred from the EU, UK of Switzerland to the US.

Ribbon relies upon the DPF certification for cross-border transfers of personal data, but takes additional steps to protect personal data.  The standard data protection clauses, adopted by the EC under GDPR Article 46 and approved by the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland, are a valid mechanism to comply with EU and Swiss data protection requirements when transferring personal data from the European Union and Switzerland to the United States.  Ribbon has implemented the standard contractual clauses.

Choice

Individuals will be offered a clear, conspicuous, and readily available mechanism to choose (opt out) whether their personal information is (1) to be disclosed to a third party (other than a third party acting as an agent to perform tasks on behalf of and under the instruction of Ribbon) or (2) to be used for a purpose that is materially different than or incompatible with the purpose for which it was originally utilized or subsequently authorized by the individual.

Additionally, individuals will be offered a similar choice mechanism to give affirmative or explicit (opt in) choice whether their sensitive personal information is to be disclosed to a third party or used for a purpose other than the purposes for which it was originally collected or subsequently authorized by the individual by opt-in choice. However, explicit (opt in) choice is not required when the disclosure of the sensitive personal information is (1) in the vital interests of the individual or another person; (2) necessary for the establishment of legal claims or defenses; (3) required to provide medical care or diagnosis; (4) necessary to carry out the organization's obligations in the field of employment law, or (5) related to personal information that is manifestly made public by the individual.

Transfer of Personal Data from the EU, UK or Switzerland to Processors in the United States

Please refer to section entitled “Transfers of Personal Information from the EU, UK and Switzerland to Other Jurisdictions” for transparency regarding transfers of personal information from the EU, UK and Switzerland to other jurisdictions.

Onward Transfers to Third Party Agents

The Ribbon DPF Companies may transfer personal information to third parties acting as controllers as described in the section entitled “Third Party Suppliers and EU, UK and Swiss Personal Information”.

Verification

The Ribbon DPF Companies have verified and will verify annually through self-assessment that the attestations and assertions made about its DPF privacy practices are true and that those privacy practices have been implemented as represented and in accordance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles. This verification has been and will be signed by an officer of the Ribbon DPF Companies or other authorized representative of the Ribbon DPF Companies at least once a year and is available upon request by individuals or in the context of an investigation or a complaint about non-compliance. The verification includes the following:

  • That the notice is accurate, comprehensive, prominently displayed, completely implemented and accessible;
  • That the notice conforms to the DPF Principles;
  • That individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints;
  • That the Ribbon DPF Companies have in place procedures for training employees in the implementation of this notice and disciplining them for failure to follow it;
  • That the Ribbon DPF Companies have in place internal procedures for periodically conducting objective reviews of compliance with the above.

Recourse Mechanism Under the DPF

Inquiries or complaints regarding processing of personal data pursuant to the DPF should be directed to the Ribbon Human Resources department. Additionally, complaints may be submitted pursuant to grievance procedures under applicable trade union contracts. If the inquiry cannot be answered or the complaint is not resolved locally, the matter should be directed to:

Ribbon Legal Department
6500 Chase Oaks Blvd.
Suite 100
Plano, TX 75023
United States
Email:  legal.privacy@rbbn.com

If a complaint remains unresolved, individuals in the EU should contact the state or national data protection or labor authority in the jurisdiction where the individual works for resolution. A listing of the EU Data Protection Authorities (DPAs) is located at: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm. Individuals in the UK should contact the UK ICO at: https://ico.org.uk/. Individuals in Switzerland should contact the Swiss Federal Data Protection and Information Commissioner (the Commissioner) for resolution. Information regarding the Commissioner is located at: https://www.edoeb.admin.ch/?lang=en.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, the Ribbon DPF Companies will cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.  In the event that the DPAs and/or the Commissioner determines that the Ribbon DPF Companies did not comply with this Policy or DPF Principles, the Ribbon DPF Companies will take appropriate steps to address any adverse effects and to promote future compliance, comply with any advice given by the DPAs and/or the Commissioner where the DPAs and/or the Commissioner has determined that the Ribbon DPF Companies needs to take specific remedial or compensatory measures for the benefit of individuals affected by any non-compliance with this Policy or the DPF Principles, and provide the DPAs and/or the Commissioner with written confirmation that such action has been taken.

Under certain conditions specified by the DPF Principles, individuals may also be able to invoke binding arbitration to resolve their complaints.

Enforcement

The Ribbon DPF Companies are also subject to the investigatory and enforcement powers of the United States Federal Trade Commission, which has jurisdiction over the Ribbon DPF Companies’ compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

Liability

In the context of an onward transfer of personal information, the Ribbon DPF Companies have responsibility for the processing of personal information they receive under the DPF and subsequently transfer to a third party agent.  The Ribbon DPF Companies will remain liable under the DPF Principles if their third party agent processes such personal information in a manner inconsistent with the DPF Principles, unless the Ribbon DPF Companies prove that they are not responsible for the event giving rise to the damage.

Training

All employees who process personal data will receive training regarding the data privacy principles and procedures under DPF Principles and this notice.

Recipients and Disclosures

Within Ribbon

In general, Personnel information may be shared within Ribbon in support of legitimate business interests. These transfers are subject to the transfer mechanism controls described within the above section on Cross-Border Personal Information Transfers.

Ribbon restricts access to personal information to those employees or contractors who require such access in order to carry out their assigned functions.

Third Party Suppliers or Service Providers

Ribbon will only transfer or provide direct access to Personnel information covered by this notice to service providers that have contractually agreed to:

  • respect the privacy rights of Personnel;
  • limit processing of such information in strict compliance with Ribbon's specific instructions;
  • provide at least the same level of privacy protection as is required by applicable privacy laws;
  • take reasonable and appropriate steps to stop and remediate unauthorized processing; and
  • provide notification to Ribbon if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles.

Ribbon utilizes the following categories of third party suppliers in order to deliver the services shown below.

Category Supplier Locations

Security system software providers

United States, Canada, Israel

Security equipment providers - including provision, installation and maintenance of security cameras and access badge readers

Local to Facility

On-site security guard service providers

Local to Facility

Third Party Suppliers and EU, UK and Swiss Personal Information

Additionally, for personal information pertaining to EU, UK and Swiss data subjects, Ribbon will only transfer or provide direct access to personal information covered by this notice to third parties that:

  • are located in a jurisdiction subject to the EU GDPR or privacy laws designated to be adequate by the European Commission or the competent UK authority under GDPR Article 45, or similarly recognized by the Swiss authority as applicable; and/or
  • have provided Ribbon contractual assurances that transferred personal information will be subject to appropriate safeguards by way of standard contractual clauses adopted by the European Commission or the competent UK authority under GDPR Article 46 and such clauses as approved by the Swiss Federal Data Protection and Information Commissioner

Other External Disclosures

Ribbon may disclose personal information in certain circumstances, such as:

  • to comply with valid legal process including government audit requests, subpoenas, court orders or search warrants; to defend or respond to legal actions; and, to respond to lawful requests by public authorities, including to meet national security or law enforcement requirements;
  • to protect the vital interests of Personnel;
  • important reasons of public interest.

If Ribbon enters into a merger, acquisition or sale of all or a portion of its assets or business, personal information may be transferred as part of or in connection with the transaction in accordance with applicable law and/or a non-disclosure agreement.

Security and Integrity of Personal Information

To help protect the confidentiality of personal information, Ribbon employs security safeguards appropriate to the sensitivity of the information. These safeguards take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks to individuals posed by any unauthorized disclosure of the information.

These safeguards include reasonable administrative, technical and physical measures to safeguard the confidentiality and security of personal information against anticipated threats and unauthorized access to the personal information.

Ribbon imposes safeguard obligations on our service providers who receive personal information from or on behalf of Ribbon in the course of their relationship with our organization as described above in the Recipients and Disclosures section.

Ribbon employs reasonable means to keep personal information accurate, complete, and current, as needed for the purposes for which it was collected.

Retention of Data

Personal information collected by Ribbon will be retained for as long as (1) necessary and legally permitted for the purposes for which it was collected, (2) required by applicable law including record retention laws, or (3) necessary to establish, exercise, or defend legal claims.

Additional information regarding retention of data is available within the table in the section entitled “Information Ribbon Collects and Why”.

Individual Rights

Ribbon supports Personnel’s data protection rights as provided for by applicable data protection law.  These may include individual rights of access, rectification, erasure, restriction or objection to processing, and portability.  This section contains supplemental information for individuals in certain jurisdictions.  If Ribbon is relying on your consent to process your personal data, you have the right to withdraw your consent at any time.

EEA, UK and Swiss Data Subject Rights

Personnel having rights governed by EU or UK data protection law may exercise the following rights as data subjects.

Right GDPR Article Summary

Access

15

Right to request access to and obtain a copy of your personal data.

 

Rectification

16

Right to request rectification (or correction) of personal data that is inaccurate.

 

Erasure (“Right to be Forgotten”)

 

17

Right to request erasure (or deletion) of personal data that is no longer necessary to fulfil the purposes for which it was collected or does not need to be retained by Ribbon for other legitimate purposes.  Ribbon will review and act upon requests by individuals for the erasure of personal data to the extent required under applicable law.  Generally, individuals have the right to have their personal information erased when it is no longer necessary for the purposes for which it was collected or otherwise processed or the legal basis on which the data processing was based (e.g. consent) no longer applies.

 

Restriction of Processing

18

 

Right to require Ribbon to restrict the processing of your personal data under certain circumstances.  Ribbon will review and act upon requests to restrict processing of personal data of individuals to the extent required under applicable law. 

 

Portability

20

If applicable, the right to request your personal data be ported (transferred) to another controller.  Under certain conditions individuals have the right to receive their personal data which they have provided to Ribbon in a structured, commonly used and machine-readable format. Individuals also have the right to transmit such data to another controller.

 

Objection to Processing

21

Right to object to the processing of your personal data.  Ribbon will review and act upon requests by individuals to object to the processing of personal data to the extent required under applicable law.  Generally, an individual has the right to object to the processing of his or her personal data, and Ribbon should no longer process the data where it is unable to demonstrate compelling legitimate grounds for the processing.

 

 

In addition to the rights shown above, individuals in the EU and UK have the right under GDPR Article 77 to lodge a complaint with a supervisory authority, in particular in the UK or EU Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

California Privacy Rights

California Personnel have a number of California Privacy Rights including those shown below.

Right CPRA Section Summary

Access

1798.110

Right to request access to and obtain a copy of personal information, including:

 

  1. The categories of personal information Ribbon has collected about that individual.
  2. The categories of sources from which the personal information is collected.
  3. The business or commercial purpose for collecting, selling, or sharing personal information.
  4. The categories of third parties to whom Ribbon discloses personal information.
  5. The specific pieces of personal information Ribbon has collected about that individual.

Deletion

 

1798.105

Right to request deletion of personal information that is no longer necessary to fulfil the purposes for which it was collected or does not need to be retained by Ribbon for other legitimate purposes. 

 

Correction

1798.106

Right to request correction of personal information that is inaccurate taking into account the nature of the personal information and the purposes of the processing of the personal information.

 

Limit Use and Disclosure of Sensitive Information

1798.121

Right of individual to direct Ribbon to limit its use and disclosure of the individual’s sensitive personal information to those uses(s) which are necessary, and as authorized by applicable regulations adopted pursuant to the CPRA.

 

Portability

1798.130(a)

(3)(B)(iii)

Where applicable, right of individual to request provision of specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format that may also be transmitted to another entity at the consumer’s request without hindrance. “Specific pieces of information” do not include data generated to help ensure security and integrity or as prescribed by regulation.

 

If Ribbon is relying on an individual’s consent to process his/her personal information, the individual has the right to withdraw its consent at any time.
Ribbon will not retaliate or discriminate against an individual because s/he exercised a California Privacy Right.

Requests

Employee Personnel having any questions regarding their rights or how to exercise them can contact regional Human Resources representative as reflected on Ribbon HR’s intranet here: https://sonusnetworks.sharepoint.com/sites/hr-global/SitePages/HR-Organization.aspx

Employee Personnel and non-employee Personnel may exercise any of their rights either by telephone at 1-866-750-5040 or by clicking here: https://privacyportal-cdn.onetrust.com/dsarwebform/ecdd9f78-3643-4585-8606-ad896332e9c6/0960dcd9-4aa2-4edb-80cc-01c62f485ff2.html

Recourse, Complaints and Enforcement

If individuals have questions or concerns about this notice, or believe the notice has been violated, they are encouraged to contact their HR business partner. If an individual does not feel comfortable discussing their concern with HR, they should contact the Legal Department at legal.privacy@rbbn.com.

Contact information for HR representatives can be found on Ribbon HR’s intranet site.

For individuals who are no longer employed by Ribbon, current or former contractors, and those who were visitors to Ribbon facilities and have any questions regarding these rights or how to exercise them please see https://privacyportal-cdn.onetrust.com/dsarwebform/ecdd9f78-3643-4585-8606-ad896332e9c6/0960dcd9-4aa2-4edb-80cc-01c62f485ff2.html.

Ribbon conducts compliance reviews of this notice and procedures with respect to Personnel data privacy to ensure that it is implemented as presented and, in particular, to address any cases of non-compliance. Ribbon also considers any impact to this notice and related procedures as a result of privacy law changes.

Revision of Notice

Ribbon reserves the right to change this notice at the company's discretion subject to business or legal requirements. To the extent required by law or business needs, Ribbon will notify individuals of any changes to this notice by reasonable methods.

Recent Revisions

Version Date Change Summary

1

February 2020

Initial version

2

February 2020

Addressing typos in the initial version

3

June 2020

Update Ribbon Privacy Shield Companies

Pandemic data processing transparency

4-6

January 2021

Expanded notice to reflect Ribbon ECI merger

Additional DPO transparency to reflect recent appointments

Reflecting CJEU decision in Case-311/18 with regards to Privacy Shield

Reflecting regulatory changes associated with UK Brexit

Pandemic data processing transparency

7-8

February 2022

Additional de-coupling of EU and UK GDPR transparency

Reflecting certain expanded pandemic processing

Adjusting contact information for Ribbon HR

9-10

February 2023

Additional transparency regarding regional accountabilities

Updated Ribbon Privacy Shield Companies

Reflecting transparency obligations under CCPA/CPRA

11

February 2024

Reflect Ribbon’s EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF commitments

Effective Date

February 9, 2024