Privacy | Policy
Ribbon Communications Policy
Introduction
Ribbon recognizes and supports the privacy rights of all persons, and we respect these rights when we collect and process personal information. Ribbon has developed and adopted this Privacy Policy to describe and guide our processing of personal information.
In addition to the restrictions and obligations of this Policy, we always comply with the letter and spirit of applicable laws that protect the privacy of personal information.
The obligations and responsibilities set out in this Privacy Policy are applicable to the Ribbon group and its personnel and will be made available on Ribbon’s intranet and external website. The obligations and responsibilities set out in the Privacy Policy are in addition to any other applicable policies or agreements entered into with Ribbon and any applicable laws and regulations. We continually monitor privacy, data protection and security laws and regulations as they apply to our operations and services worldwide. In some cases, a territory’s data privacy and security laws may establish requirements which may diverge from our Privacy Policy. If any such laws conflict with our Privacy Policy, we will comply with the applicable law.
This privacy policy has been layered and linked as shown below in order to allow readers to easily access specific elements of the policy.
The Information We Collect or Process
Third Party Web Sites, Plugins or Widgets
Cross-Border Personal Information Transfers
Transfers of Personal Information from the EU, UK and Switzerland to Other Jurisdictions
The Swiss-U.S., the EU-U.S., and the UK Extension of the EU-U.S., Data Privacy Framework
Security and Integrity of Personal Information
Recourse, Complaints and Enforcement
Scope
This policy is global, applying to all Ribbon collection and processing of personal information within the Ribbon group of companies. It applies to personal information regardless of format. For example, the policy applies to computerized records and electronic information as well as paper-based files.
The concepts enumerated in this policy guide Ribbon's selection and expectations of its agents and subcontractors and other recipients to whom Ribbon transfers and relies on for processing of personal information.
Accountabilities
Ribbon provides certain services through its entities which are subject to data protection laws including but not limited to the EU General Data Protection Regulation (EU Regulation 2016/679), the UK GDPR as implemented under the UK Data Protection Act 2018 as well as US, Canadian, Australian and Indian law.
Data Processor
Ribbon provides several business-to-business (B2B) services including those shown below.
Service |
Description |
Ribbon Connect Services |
Secure cloud-based connection services for enterprises and service providers. |
Ribbon Identity Assurance Services |
Cloud-based services that securely provides call origination identity assurance services including STIR/SHAKEN services. |
Technical Support and Professional Services |
Services provided to network operators which includes post-sales product technical issue resolution, installation and upgrade services. |
Personal information processed in the context of these services is typically controlled by or originated from other companies, such as our customers, subscribers or other business partners. While Ribbon does process data in its role of providing the above services and underlying technology platforms, it does not own, control or direct the use of any of the personal information stored or processed by the above parties.
Accordingly, Ribbon’s accountabilities insofar as such processing is subject to the GDPR correspond to those of a data processor as provided for under Chapter IV of the regulation. Ribbon relies on guidance and direction of the applicable data controller(s), who determine the purposes and generally the means of processing such personal information.
Data Controller
In some cases, Ribbon may collect and process personal information for our own legitimate business purposes including:
- Management of business relationships with current or prospective customers, vendors, independent contractors, suppliers, resellers or partners
- Direct marketing of Ribbon products and services
- Employee recruiting and hiring
- Provision of training services
European Economic Area and Switzerland
This notice contains information required under GDPR Articles 13 and 14 and details Ribbon’s data controller accountabilities with respect to the above processing. Ribbon is established in the EU Member States and Switzerland under several entities. Ribbon’s EU and Swiss entities are subsidiaries of the following entity:
Ribbon Networks B.V.
Evert van de Beekstraat 1-60
The Base A
4th Floor, Room 60
1118 CL Schiphol
The Netherlands
legal.privacy@rbbn.com
Ribbon’s Data Protection Officers can be contacted as follows:
Country |
Entity |
Contact |
Ireland |
Ribbon Communications International Limited |
EU Data Protection Officer The Multis Building Parkmore West Business Park Parkmore, Co. Galway H91 X7Y3, Ireland |
Germany |
Ribbon Communications Germany GmbH |
Germany Data Protection Officer Hendrik Muschal fellaws Muschal Brachmann PartG mbB Meinekestraße 27 10719 Berlin |
United Kingdom
This notice contains information required under UK GDPR Articles 13 and 14 and details Ribbon’s data controller accountabilities with respect to the above processing. Ribbon is established in the UK. Ribbon’s Data Protection Officer can be contacted as follows:
Country |
Entity |
Contact |
United Kingdom |
Ribbon Communications UK Limited |
UK Data Protection Officer Bray House |
California
Ribbon collects, uses and discloses personal information which is subject to the California Consumer Privacy Act (“CCPA”). This notice contains information required by the CCPA. Ribbon is committed to complying with the CCPA.
Canada
This notice contains information required under Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) and certain provincial privacy laws including the Quebec Act Respecting the Protection of Personal Information in the Private Sector. Ribbon’s Privacy Officer can be contacted as follows:
Country |
Entity |
Contact |
Canada |
Ribbon Communications Canada ULC |
Ribbon Legal Department c/o Data Protection |
Australia
This notice contains information required under Australia’s Privacy Act 1988 (Cth) including the Australian Privacy Principles (“APPs”). The APPs govern the way in which Ribbon collects, holds, uses and discloses Australian personal information. A copy of the Australian Privacy Principles may be obtained from the website of The Office of the Australian Information Commissioner at https://www.oaic.gov.au/. Ribbon is established in Australia and can be contacted as follows:
Country |
Entity |
Contact |
Australia |
Ribbon Communications Australia Pty Ltd |
Ribbon Legal Department
|
India
This notice contains information required under India’s Digital Personal Data Protection Act (DPDPA). Ribbon is established in India and can be contacted as follows:
Country |
Entity |
Contact |
India |
Ribbon Communications Pvt Ltd |
Ribbon Legal Department |
India | ECI Telecom India Private Limited |
Ribbon Legal Department |
India | GENBAND Telecommunications Private Limited |
Ribbon Legal Department |
The Information We Collect or Process
Ribbon processes and in certain situations collects personal information as needed to deliver its products and services and manage its business. When collecting or processing personal information, Ribbon does so in a lawful, fair and transparent manner.
Ribbon must have a legal basis to process personal information. In most cases the legal basis for processing will be one of the following:
- where Ribbon is the data processor, the legal basis identified by Ribbon's customers or partners acting in their role as individual data controllers
- where Ribbon is subject to a mandatory legal obligation
- where Ribbon is permitted to carry out the processing under applicable law
- performance of a contract or when preparing to enter into a contract
- where Ribbon has a legitimate business interest which does not override the interests or fundamental rights and freedoms of individuals
When Ribbon collects or processes personal information, it does so in a proportionate and limited manner pursuant to relevant, appropriate, and customary purposes. Ribbon will not share or disclose personal information for purposes other than as described herein.
The categories of information and the purposes for which Ribbon collects or processes personal information may include the following.
For Customers & Resellers
Category |
Description & Purpose(s) |
Retention |
Source of Collection |
Share Entity |
Sell Entity |
Categories |
Business Contact and Service Portal Account Information (Controller) |
Ribbon may collect and use personal information about individual business contacts of customers and prospective customers. Such information may include customer account information, account identifiers, first/last name, company name, job title and responsibilities, email address, business mailing address, telephone numbers, as well as additional information received by Ribbon in the course of providing products or services. We will use such information for the purposes of establish and maintain business relationship, providing and improving services, authorizing and extending credit, and providing requested or supplemental information regarding Ribbon products or services.
|
Duration of customer agreement |
You Your Employer Where GDPR is applicable, Ribbon is a controller processing on the basis of legitimate interests under Article 6(1)(f)
|
Service Providers Ribbon Group Affiliates
|
None |
Professional or employment-related information. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
|
Ribbon Connect for Microsoft Teams Direct Routing Service – Meta Data (Processor) |
Ribbon collects and uses personal information about individuals using Ribbon Connect direct routing services. This may include but is not limited to the phone numbers that you call (or the phone numbers that you receive these calls from) through our Ribbon Connect direct routing services. The date, time, location and duration of the calls may also be collected as well as other networking or device identifiers such as IP and SIP addressing sufficient to identify an individual end user. This data is used for service delivery, service level assurance and compliance with applicable regulatory obligations.Ribbon provides Ribbon Connect direct routing services primarily for the benefit of organizations and subscribers in that the services transmit or route information on their behalf. These services often merely serve as conduits for data transmitted by third parties and subscribers. Ribbon does not determine the purposes and means of processing of this personal information. |
Typically Less Than 7 Days and Subject to Rotating Buffer Overwrite Control |
Generated Within Service Platform Where GDPR is applicable, Ribbon is processing on the direction of a controller who has determined the legal basis for processing under Article 6(1) |
Service Providers Ribbon Group Affiliates
|
None | Traffic data (CPNI) including telephone number. |
Ribbon Connect for Operator Connect Service – Meta Data and Admin Portal Data (Processor)
|
Ribbon collects and uses personal information about individuals using Ribbon Connect for operator connect services.
|
Service Meta Data:
|
Generated Within Service Platform
Your Employer Where GDPR is applicable, Ribbon is processing on the direction of a controller who has determined the legal basis for processing under Article 6(1)
|
Service Providers Ribbon Group Affiliates
|
None |
Traffic data (CPNI) including telephone number. Professional or employment-related information. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. |
Ribbon Identity Assurance Service Data (Processor)
|
Ribbon’s Identity Assurance solution provides call origination identity assurance services including STIR/SHAKEN. Service data includes personal data including caller and called party telephone numbers and caller ID (TDRs) as well as certain third party databases utilized to implement identity assurance within the above framework. This data is used for service delivery, billing, service level assurance and compliance with applicable regulatory obligations. Ribbon provides Ribbon Identity Assurance services primarily for the benefit of organizations and subscribers in that the services cache information and provide identity scoring on their behalf. Ribbon does not determine the purposes and means of processing of this personal information. |
TDRs: Maximum 15 months Third Party DBs: Subject to third party database provider update frequency and retention controls |
Generated Within Service Platform Where GDPR is applicable, Ribbon is processing on the direction of a controller who has determined the legal basis for processing under Article 6(1) |
Service Providers Ribbon Group Affiliates |
None |
Traffic data (CPNI) including telephone number. Inferences drawn from CCPA PI to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. |
Ribbon Identity Assurance – Analytics Data (US and Canada) (Controller) |
Ribbon collects and analyzes call audio recordings originated by individual parties originating calls to Ribbon’s Identity Assurance analytics aggregation system. Analysis of captured audio and meta data associated with calls originated to the aggregation system is used to (i) risk-score calling party phone numbers for the purpose of improving the algorithmic reliability of the Ribbon Identity Assurance service described above, and (ii) in compliance with applicable communications services regulator mandated analytics associated with delivery of STIR/SHAKEN framework related services. Personally-identifiable data includes voice call recordings, transcripts thereof, and other call meta data including caller party telephone number, caller ID and time of call.
|
Maximum 12 months |
Aggregation System Platform Where GDPR is applicable, Ribbon is a controller processing on the basis of legitimate interests under Article 6(1)(f) |
Service Providers Ribbon Group Affiliates
|
None |
Traffic data (CPNI) including telephone number. Audio, electronic, visual, thermal, olfactory, or similar information. Inferences drawn from CCPA PI to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
|
Technical Support and Professional Services Data (Processor)
|
Ribbon provides technical support and professional services to network operators which includes post-sales product technical issue resolution, installation and upgrade services. Certain technical issue resolution processing will include sample data required to provide the above services including CPNI and traffic data (see above) as well as other information sufficient to identify an individual.
|
Technical Support Case attachments:
|
Technical Support Process Including CRM Platform Where GDPR is applicable, Ribbon is processing on the direction of a controller who has determined the legal basis for processing under Article 6(1) |
Service Providers Ribbon Group Affiliates
|
None | Sample traffic data (CPNI) including telephone number. |
Credit Card Information (Controller) |
Ribbon only collects credit card information in order to bill for subscribed services or in support of entering a contract. Ribbon utilizes credit card payment processing agents solely for the purpose of authenticating and securely processing payment for the services you receive. We require these agents to take reasonable and appropriate measures to protect this information from loss or misuse.
|
Subject to credit card payment agent retention controls |
You Where GDPR is applicable, Ribbon is a controller undertaking processing necessary for the performance of a contract with the data subject under Article 6(1)(b) |
Service Providers | None | Credit card number |
Ribbon Training Services Data (Controller)
|
Ribbon provides product and solutions training services to individuals that may be delivered to students in an online, in-person as well as self-paced training format depending on the offering. Ribbon may collect, generate and/or process certain personal data for the purposes of (i) student registration, communication and billing, (ii) delivery of training content, (iii) maintenance of student online training profile/transcript, and (iv) maintenance of service consumption metrics. | Anonymized after 10 years of student service inactivity |
You Generated Within Training Services Platform Where GDPR is applicable, Ribbon is a controller processing on the basis of legitimate interests under Article 6(1)(f)
|
Service Providers Ribbon Group Affiliates |
None |
Professional or employment-related information. Education information |
For Suppliers
Category |
Description & Purpose(s) |
Retention |
Source of Collection |
Share Entity |
Sell Entity |
Categories |
Business Contact and Service Portal Account Information (Controller) |
Ribbon may collect personal information about individuals who are employed by our suppliers. This information is strictly used to administer existing and future business arrangements as well as to establish appropriate and secure access to Ribbon's network where required. This information may include name and contact information, employer information, due diligence information, electronic communications (email, voicemail) and networking communications data.
|
Duration of supplier Certain corporate network access data will be retained for up to 18-24 months for security audit trail purposes. |
You Your Employer Generated Within Corporate Network Platforms Where GDPR is applicable, Ribbon is a controller processing on the basis of legitimate interests under Article 6(1)(f)
|
Service Providers Ribbon Group Affiliates
|
None |
Professional or employment-related information. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
|
For Independent Contractors
Category |
Description & Purpose(s) |
Retention |
Source of Collection |
Share Entity |
Sell Entity |
Categories |
Business Contact Data Administrative and Onboarding Data Qualifications & Experience Information (Controller) |
Ribbon may collect personal information about our independent contractors. This information is strictly used to administer existing and future business arrangements as well as to establish appropriate and secure access to Ribbon's network where required. This information may include name and contact information, employer identification information, qualifications, licenses and experience, reference, background checks and due diligence information, services provided, billing, payment, expenses and financial information, insurance and bonding information, electronic communications (email, voicemail) and networking communications data.
|
Duration of contracting agreement Certain corporate network access data will be retained for up to 18-24 months for security audit trail purposes. |
You Generated Within Corporate Network Platforms Where GDPR is applicable, Ribbon is a controller processing on the basis of legitimate interests under Article 6(1)(f)
|
Service Providers Ribbon Group Affiliates
|
None |
Professional or employment-related information. Education information. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. Signature, address, telephone number, education, bank account number, other financial information and gender.
|
For Job Applicants
Ribbon collects personal information of job applicants in connection with its recruitment and hiring activities. Job applicants should refer to Ribbon's Privacy Notice for Job Applicants
For Marketing Leads and Website Visitors
Ribbon is the data controller of marketing data we collect. We collect marketing data when you visit our websites, when you provide it to us (by phone, in person or by webform), when you register for or attend an event, when you request information regarding Ribbon, when we collect it from public databases, partners, social media sites or other third parties.
Category |
Description & Purpose(s) |
Retention |
Source of Collection |
Share Entity |
Sell Entity |
Categories |
Marketing Data (Controller)
|
Marketing data includes your contact details such as name, physical address, country, email, company name, job title and business telephone number (collectively “Marketing Data”). When you visit a Ribbon website, Ribbon collects associated website visitor information such as IP address, geographic location, browser type, operating system, screen size and company (collectively “Website Visitor Information”). Website Visitor Information shall not be linked to your Marketing Data unless you provide additional information to us (such as by filling out a form on our website) that connects the information to you. For more information on the above and choices available to website visitors please refer to Ribbon’s Cookie Policy and Ribbon’s Cookie Preference Center accessible via the website. Ribbon uses this data for direct marketing of Ribbon products and services. Unless expressly requested by Ribbon and consented by you, Ribbon will not share or disclose or sell personal information to third parties for the purpose of their own marketing or resale activities.
|
Marketing Contact Data: Maximum 24 months after last marketing service interaction Cookies: Please see Ribbon Cookie Policy for specific information regarding cookies |
You Your Browser Where GDPR is applicable, Ribbon is a controller processing on the basis of consent under Article 6(1)(a)
|
Service Providers Ribbon Group Affiliates
|
None |
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. Professional or employment-related information Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
|
Other Collection or Processing
Additional personal information may be collected, processed and disclosed for the purposes for which it was collected and for legal compliance purposes, including regulatory reporting, investigation of allegations of wrongdoing, and the management and defense of legal claims and actions, and compliance with subpoenas, court orders and other legal obligations.
Third Party Web Sites, Plugins or Widgets
Ribbon websites and services may include social network or other third-party plugins and widgets. Accessing these links is done at your option. Please review the sponsor's privacy policy provided at the respective site.
Cross-Border Personal Information Transfers
Where feasible Ribbon utilizes geographically aligned resources for primary data processing in order to reduce the complexity and volume of cross-border personal information transfer.
Ribbon shall comply with the applicable laws governing international transfers of personal information and where required shall ensure that such transfers are made to countries where the data protection regime is compatible with that of the originating jurisdiction.
Transfers of Personal Information from the EU, UK and Switzerland to Other Jurisdictions
Ribbon employs the following transfer mechanisms for transfers of EU, UK and Swiss personal information in accordance with transfer restrictions imposed under the EU General Data Protection Regulation (GDPR), the UK GDPR or the Swiss Federal Act on Data Protection (FADP) as applicable.
- GDPR Article 45 Adequacy decisions issued by the European Commission (EC) or the competent UK authority under GDPR Article 45 and as similarly recognized by the Swiss authority as applicable; and/or
- Standard contractual clauses adopted by the EC or the competent UK authority under GDPR Article 46 and any such clauses approved by the competent Swiss authority.
The Swiss-U.S., the EU-U.S., and the UK Extension of the EU-U.S., Data Privacy Framework
Ribbon Communications Inc. and its U.S. subsidiaries Ribbon Communications Operating Company, Inc. and Ribbon Communications Federal Inc (“Ribbon DPF Companies”) rely on and comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information. The Ribbon DPF Companies have certified to the Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF, and from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.
To learn more about the Data Privacy Framework (DPF) program, and to view Ribbon’s certification, please visit https://www.dataprivacyframework.gov/. To view the Ribbon DPF Companies’ certification under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, please visit https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt00000008RT8AAM&status=Active
In addition to the protections provided under other sections of this Privacy Policy, the Ribbon DPF Companies will provide the following protections for personal data previously transferred from the EU, UK of Switzerland to the US
Ribbon relies upon the DPF certification for cross-border transfers of personal data, but takes additional steps to protect personal data. The standard data protection clauses, adopted by the EC under GDPR Article 46 and approved by the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland, are a valid mechanism to comply with EU and Swiss data protection requirements when transferring personal data from the European Union and Switzerland to the United States. Ribbon has implemented the standard contractual clauses.
Choice
Individuals will be offered a clear, conspicuous, and readily available mechanism to choose (opt out) whether their personal information is (1) to be disclosed to a third party other than a third party acting as an agent to perform tasks on behalf of and under the instruction of Ribbon or (2) to be used for a purpose that is materially different than or incompatible with the purpose for which it was originally utilized or subsequently authorized by the individual.
Additionally, individuals will be offered a similar choice mechanism to give affirmative or explicit (opt in) choice whether their sensitive personal information is to be disclosed to a third party or used for a purpose other than the purposes for which it was originally collected or subsequently authorized by the individual by opt-in choice. However, explicit (opt in) choice is not required when the disclosure of the sensitive personal information is (1) in the vital interests of the individual or another person; (2) necessary for the establishment of legal claims or defenses; (3) required to provide medical care or diagnosis; (4) necessary to carry out the organization’s obligations in the field of employment law, or (5) related to personal information that is manifestly made public by the individual.
Onward Transfers to Third Party Agents
The Ribbon DPF Companies may transfer personal information to third parties acting as controllers as described in the section entitled “Third Party Suppliers and EU, UK and Swiss Personal Information”.
Verification
The Ribbon DPF Companies have verified and will verify annually through self-assessment that the attestations and assertions made about its DPF privacy practices are true and that those privacy practices have been implemented as represented and in accordance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles. This verification has been and will be signed by an officer of the Ribbon DPF Companies or other authorized representative of the Ribbon DPF Companies at least once a year and is available upon request by individuals or in the context of an investigation or a complaint about non-compliance. The verification includes the following:
- That the Privacy Policy is accurate, comprehensive, prominently displayed, completely implemented and accessible;
- That the Policy conforms to the DPF Principles;
- That individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints;
- That the Ribbon DPF Companies have in place procedures for training employees in the implementation of this Policy and disciplining them for failure to follow it;
- That the Ribbon DPF Companies have in place internal procedures for periodically conducting objective reviews of compliance with the above.
Recourse Mechanisms Under the DPF
Inquiries or complaints regarding processing of personal data pursuant to DPF should be directed to:
Ribbon Legal Department
6500 Chase Oaks Blvd.
Suite 100
Plano, TX 75023
United States
Email: legal.privacy@rbbn.com
If a complaint remains unresolved, it will be resolved through alternative dispute resolution. Ribbon has selected JAMS Mediation, Arbitration and ADR Services (JAMS) as the administrator of Ribbon's independent recourse mechanism for DPF disputes. Ribbon has committed to refer such unresolved DPF complaints to JAMS in the United States. You may find more information about dispute resolution and how to file a claim with JAMS at https://www.jamsadr.com/dpf-dispute-resolution.
Individuals have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms. Please visit Annex I for additional information: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.
Enforcement
The Ribbon DPF Companies are also subject to the investigatory and enforcement powers of the United States Federal Trade Commission, which has jurisdiction over Ribbon’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
Liability
In the context of an onward transfer of personal information, the Ribbon DPF Companies have responsibility for the processing of personal information they receive under the DPF and subsequently transfers to a third party agent. The Ribbon DPF Companies will remain liable under the DPF Principles if their third party agent processes such personal information in a manner inconsistent with the DPF Principles, unless the Ribbon DPF Companies prove that they are not responsible for the event giving rise to the damage.
Training
All employees who process personal data will receive training regarding the data privacy principles and procedures under DPF Principles and this Policy.
Recipients and Disclosures
Within the Ribbon Group
In general, personal information may be shared within Ribbon in order to fulfill service commitments to our customers and in support of legitimate business interests. These transfers are subject to the transfer mechanism controls described within the above section on Cross-Border Personal Information Transfers.
Ribbon restricts access to personal information to those employees, agents, or contractors who require access in order to carry out their assigned functions.
A list of Ribbon corporate locations is available here. Processing locations will vary by service provided.
Third Party Suppliers
Ribbon uses vendors and partners for a variety of business purposes in order to help us fulfil the services we provide. We share information with those vendors and partners when it is beneficial for them to perform work on our behalf.
Ribbon will only transfer or provide direct access to personal information covered by this policy to third parties which have:
- made a commitment to respect the privacy rights of individuals;
- limited processing of personal information to comply with customer's and/or data controller instructions; and
- provided Ribbon contractual assurances that they will provide data protection no less stringent than is required by applicable privacy laws. For instance, where a third party engaged by Ribbon processes personal data subject to the GDPR, a data processing agreement reflective of the “processor” obligations within Article 28 of the GDPR is maintained between Ribbon and the third party.
Ribbon employs the following categories of third party suppliers in order to deliver the services shown below.
Ribbon Connect for Microsoft Teams Direct Routing Services
Service Region |
Third Party Category |
Locations |
EU/UK |
Cloud Hosting and Platform Providers |
Ireland, Netherlands, United Kingdom |
NA |
Cloud Hosting and Platform Providers |
United States |
APAC |
Cloud Hosting and Platform Providers |
Australia, Singapore, Japan |
Ribbon Connect for Operator Connect Services
Service Region |
Third Party Category |
Locations |
Global | Cloud Hosting Providers | United States |
EU/UK |
Cloud Hosting and Platform Providers |
Ireland, Netherlands, United Kingdom |
NA |
Cloud Hosting and Platform Providers |
United States |
APAC |
Cloud Hosting and Platform Providers |
Australia, Singapore, Japan |
Ribbon Identity Assurance Services
Service Region |
Third Party Category |
Locations |
EU | Cloud Hosting Providers | France |
NA |
Cloud Hosting Providers |
United States, Canada |
NA |
CRM Technology Providers |
United States |
NA |
Technology Service Partners |
United States |
Technical Support and Professional Services
Service Region |
Third Party Category |
Locations |
Global |
Cloud Hosting Providers |
United States |
Global |
CRM Technology Providers |
United States |
Global |
Technology Service Partners |
United States, Turkey, India, Vietnam |
Marketing
Service Region |
Third Party Category |
Locations |
Global |
CRM Providers |
United States |
Global |
Web Hosting Providers |
United States |
Global | Web Analytics Providers | United States |
Global | Marketing Automation Providers | United States |
Ribbon Training Services
Service Region |
Third Party Category |
Locations |
Global |
CRM Providers |
United States |
Global |
Hosted Online Training Services Provider |
United States, Belgium |
Global |
Payment Gateway Providers |
United States |
Global | Digital Adoption Platform Providers | United States |
Third Party Suppliers and EU, UK and Swiss Personal Information
Additionally, for personal information pertaining to EU, UK or Swiss data subjects Ribbon will only transfer or provide direct access to personal information covered by this policy to third parties that:
- are located in a jurisdiction subject to the GDPR or are subject to privacy laws designated to be adequate by the European Commission or the competent UK authority under GDPR Article 45, or similarly recognized by the Swiss authority as applicable; and/or
- have provided Ribbon contractual assurances that transferred personal information will be subject to appropriate safeguards by way of standard contractual clauses adopted by the European Commission or the competent UK authority as applicable under GDPR Article 46 and such clauses as approved by the competent Swiss authority.
Other External Disclosures
Ribbon may disclose information that individually identifies our customers, subscribers or identifies their devices in certain circumstances, such as:
- to comply with valid legal process including subpoenas, court orders or search warrants, to defend or respond to legal actions, and as otherwise authorized by law, or in response to lawful requests by public authorities, including to meet national security or law enforcement requirements;
- to prevent unauthorized, unlawful or abusive use of our products and services;
- to determine credit risk or obtain payment for Ribbon services or products, such as through credit or collection agencies;
- for other purposes with your consent.
- to protect the vital interests of the individual or another person;
- for other purposes with your consent.
If Ribbon enters into a merger, acquisition or sale of all or a portion of its assets or business, customer information will also be transferred as part of or in connection with the transaction as per local law and/or non-disclosure agreement.
Security and Integrity of Personal Information
To help protect the confidentiality of personal information, Ribbon employs appropriate information security safeguards. These safeguards take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks to individuals posed by any unauthorized disclosure of the information.
These safeguards include reasonable administrative, technical and physical measures to safeguard the confidentiality, integrity and availability of personal information against anticipated threats and unauthorized access to such personal information.
Ribbon conveys safeguard obligations to our third parties who receive personal information from or on behalf of Ribbon in the course of their relationship with our organization as described above in the "Recipients and Disclosures" section.
Ribbon employs reasonable means to keep personal information accurate, complete, and current, as needed for the purposes for which it was collected.
Retention of Data
Ribbon understands the data minimization and storage limitation principles within the GDPR and other data protection laws which require that data be deleted when its retention is no longer required to satisfy the purposes for which it was collected, generated or provided to Ribbon by a data controller. Ribbon complies with all applicable information retention laws and regulations including those associated with electronic communication service provider requirements.
Additional information regarding retention of data is available within the tables in the section above entitled “The Information We Collect or Process”
Choices and Accommodation
The data Ribbon processes is described in further detail in “The Information We Collect or Process” section above.
Service Portals
If you have created a user profile on any Ribbon service portal (eg: Ribbon Technical Support Portal), you may access and revise the personal information in your user profile when you log into your account. In general, these portals will only require minimal personal information that is necessary to provide and administer the service.
Marketing Materials
If you provide us with your email address or other contact information to enable us to provide current communications and information to you, we may use the information for providing such communications including delivery of press releases and other Ribbon marketing materials. You may request to no longer receive Ribbon marketing communications by following the "unsubscribe" instructions in emails from Ribbon or by sending a request to the Contact identified below.
In the rare and unlikely event that Ribbon wishes to use an individual's personal information for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals, Ribbon will seek consent in advance as required by law.
Cookie Preferences
Ribbon websites may use cookies to collect certain kinds of personal information about subscribers or users. For more information on how Ribbon uses cookies and choices available to website visitors please refer to Ribbon's Cookie Policy and Ribbon's Cookie Preference Center accessible via the website.
Sensitive Information
Ribbon recognizes that for some sensitive information, affirmative express consent from individuals is required and must be obtained if such information is to be (i) disclosed to a third party or (ii) processed for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. In addition, Ribbon shall treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.
Data Subject Rights
Ribbon supports individual's data protection rights as provided for by applicable data protection laws. These may include individual rights of access, rectification, erasure, restriction or objection to processing, and portability. This section contains supplemental information for individuals in certain jurisdictions. If Ribbon is relying on your consent to process your personal data, you have the right to withdraw your consent at any time.
Service Portals
If you have created a user profile on any Ribbon service portal (eg: Ribbon Technical Support Portal), you may access, examine, revise or delete the personal information in your user profile when you log into your account. In general, these portals will only require minimal personal information that is necessary to provide and administer the service. Ribbon employs reasonable means to keep its individuals' personal information accurate, complete, and current.
EU and UK Data Subject Rights
Individuals having rights governed by EU or UK data protection law may exercise the following rights as data subjects.
Right |
GDPR Article |
Summary |
Access |
15 |
Right to request access to and obtain a copy of your personal data. In certain service contexts, individuals are provided with credentialized access to much of their own personal information that Ribbon collects and maintains through various service portals (please see Service Portals above). This enables individuals to access, review, export, and in many instances enter or certify their personal information. |
Rectification |
16 |
Right to request rectification (or correction) of personal data that is inaccurate. In certain service contexts, individuals are provided with credentialized access to much of their own personal information that Ribbon collects and maintains through various service portals (please see Service Portals above). This enables individuals to access, review, export, and in many instances enter or certify their personal information. |
Erasure (Right to be Forgotten) |
17 |
Right to request erasure (or deletion) of personal data that is no longer necessary to fulfil the purposes for which it was collected or does not need to be retained by Ribbon for other legitimate purposes. Ribbon will review and act upon requests by individuals for the erasure of personal data to the extent required under applicable law. Generally, individuals have the right to have their personal information erased when it is no longer necessary for the purposes for which it was collected or otherwise processed or the legal basis on which the data processing was based (e.g. consent) no longer applies. |
Restriction of Processing |
18 |
Right to require Ribbon to restrict the processing of your personal data under certain circumstances. Ribbon will review and act upon requests to restrict processing of personal data of individuals to the extent required under applicable law. |
Portability |
20 |
If applicable, the right to request your personal data be ported (transferred) to another controller. Under certain conditions individuals have the right to receive their personal data which they have provided to Ribbon in a structured, commonly used and machine-readable format. Individuals also have the right to transmit such data to another controller. |
Objection to Processing |
21 |
Right to object to the processing of your personal data. Ribbon will review and act upon requests by individuals to object to the processing of personal data to the extent required under applicable law. Generally, an individual has the right to object to the processing of his or her personal data, and Ribbon should no longer process the data where it is unable to demonstrate compelling legitimate grounds for the processing. |
If Ribbon is relying on your consent to process your personal data, you have the right to withdraw your consent at any time.
In addition to the rights shown above, individuals have the right under GDPR Article 77 to lodge a complaint with a supervisory authority, in particular in the UK or EU Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this regulation.
California Privacy Rights
Individuals having rights governed by the CCPA may exercise the following rights as data subjects.
Right |
CCPA Section |
Summary |
Access |
1798.110 |
Right to request access to and obtain a copy of personal information, including:
|
Deletion |
1798.105 |
Right to request deletion of personal information that is no longer necessary to fulfil the purposes for which it was collected or does not need to be retained by Ribbon for other legitimate purposes. |
Correction |
1798.106 |
Right to request correction of personal information that is inaccurate taking into account the nature of the personal information and the purposes of the processing of the personal information. |
Limit Use and Disclosure of Sensitive Information | 1798.121 | Right of individual to direct Ribbon to limit its use and disclosure of the individual’s sensitive personal information to those uses(s) which are necessary, and as authorized by applicable regulations adopted pursuant to the CCPA. |
Portability |
1798.130(a) |
Where applicable, right of individual to request provision of specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format that may also be transmitted to another entity at the consumer’s request without hindrance. “Specific pieces of information” do not include data generated to help ensure security and integrity or as prescribed by regulation. |
If Ribbon is relying on your consent to process your personal data, you have the right to withdraw your consent at any time.
Ribbon does not sell or disclose personal information to third parties for their own direct marketing purposes.
Requests
If you are an individual who wishes to exercise a data protection right as provided for by applicable data protection law, please click here or contact us by telephone at 1-866-750-5040.
The ability of an individual to access, update or delete his or her personal information is not unlimited. An individual's ability to access personal information may be limited, for example, where (a) the burden or expense of providing access would be unreasonable or disproportionate to the risks to the individual's privacy, (b) the information should not be disclosed or deleted due to legal reasons; or (c) providing access would compromise the privacy of another person.
Recourse, Complaints and Enforcement
Individuals who wish to file a complaint or who take issue with Ribbon's policy should direct such communications to Ribbon at:
Ribbon Legal Department
6500 Chase Oaks Blvd.
Suite 100
Plano, TX 75023
United States
legal.privacy@rbbn.com
Ribbon undertakes annual compliance review of our policies, procedures with respect to data privacy to ensure that policy is implemented as presented and, in particular, to address any cases of non-compliance. Ribbon also considers any impact to our policies and procedures as a result of privacy law changes or trends in recurring complaints from individuals.
Revision of Policy
Ribbon reserves the right to change this privacy policy at our discretion subject to business or legal requirements. Please check this privacy policy from time to time and particularly before you provide personal information to Ribbon. The effective date of the newest version of the privacy policy will be posted below, and in the event that we make material changes to this privacy policy, we will notify affected users by making a more prominent notice of the changes.
If we change our policy or use of personal information in such a manner that significantly diverges from the original purposes that we collected the information, we will provide notification as required by applicable law. Your rights to object or obtain further information is as provided for in the Data Subject Rights and Recourse, Complaints and Enforcement sections.
Recent Revisions
Version |
Date |
Change Summary |
1 |
October 2017 |
Significant updates to privacy policy to reflect GDPR preparations |
2 |
March 2018 |
Inclusion of content to reflect Ribbon's EU-US DPF commitments |
3 |
June 2018 |
Inclusion of "Anonymized, Non-Identifying Voice and Traffic Data" within Information We Collect |
4 |
April 2019 |
Further modularization in order to accommodate layering Preparations for UK Brexit Additional uReach transparency for US/Canada subscribers Additional transparency required under GDPR Article 13 |
5 | December 2019 |
Update to address certain CCPA transparency obligations Introduction of data subject portal link Inclusion of RCIL Data Protection Officer contact information |
6 | April 2020 |
Update Contact, Marketing Lead and Service Portal Account Information. Adjust Ribbon entity names to reflect certain 2019 changes |
7 | July 2020 |
Update Ribbon DPF Companies |
8 | November 2020 |
Reflecting CJEU decision in Case-311/18 with regards to DPF |
9 | April 2021 |
Addition of Ribbon Connect and Ribbon Identity Assurance transparency |
10 | June 2022 |
Additional accountability information in support of Canadian law |
11 | June 2023 |
Update Ribbon DPF Companies |
12 | September 2023 |
Modify content to reflect Ribbon’s EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF commitments |
13 | December 2023 | Extending accountabilities portion of policy to more formally reflect applicable Australian privacy law and the APPs as well as the India DPDPA |
Effective Date
December 1, 2023
Contact
If you have any comments or questions regarding this policy or Ribbon’s privacy practices, or if you are an individual with a disability and require access to this policy in an alternative format please contact us at:
Ribbon Privacy
Suite 2100
500 Palladium Drive
Ottawa, Ontario, Canada K2V 1C2
privacy@rbbn.com