Introduction

Ribbon recognizes and supports the privacy rights of all persons, and we respect these rights when we collect and process personal information.  Ribbon has developed and adopted this Privacy Policy to describe and guide our processing of personal information.


In addition to the restrictions and obligations of this Policy, we always comply with the letter and spirit of applicable laws that protect the privacy of personal information.


The obligations and responsibilities set out in this Privacy Policy are applicable to the Ribbon group and its personnel and will be made available on Ribbon’s intranet and external website. The obligations and responsibilities set out in the Privacy Policy are in addition to any other applicable policies or agreements entered into with Ribbon and any applicable laws and regulations.  We continually monitor privacy, data protection and security laws and regulations as they apply to our operations and services worldwide.  In some cases, a territory’s data privacy and security laws may establish requirements which may diverge from our Privacy Policy.  If any such laws conflict with our Privacy Policy, we will comply with the applicable law.
This privacy policy has been layered and linked as shown below in order to allow readers to easily access specific elements of the policy.

 

Scope

Accountabilities

The Information We Collect or Process

Third Party Web Sites, Plugins or Widgets

Cross-Border Personal Information Transfers

Transfers of Personal Information from the EU, UK and Switzerland to Other Jurisdictions

The Swiss-U.S., the EU-U.S., and the UK Extension of the EU-U.S., Data Privacy Framework

Recipients and Disclosures

Security and Integrity of Personal Information

Retention of Data

Choices and Accommodation

Data Subject Rights

Recourse, Complaints and Enforcement

Revision of Policy

Recent Revisions

Effective Date

Contact

 

Scope

This policy is global, applying to all Ribbon collection and processing of personal information within the Ribbon group of companies. It applies to personal information regardless of format.  For example, the policy applies to computerized records and electronic information as well as paper-based files.

The concepts enumerated in this policy guide Ribbon's selection and expectations of its agents and subcontractors and other recipients to whom Ribbon transfers and relies on for processing of personal information.

Accountabilities

Ribbon provides certain services through its entities which are subject to data protection laws including but not limited to the EU General Data Protection Regulation (EU Regulation 2016/679), the UK GDPR as implemented under the UK Data Protection Act 2018 as well as US, Canadian, Australian and Indian law.

Data Processor

Ribbon provides several business-to-business (B2B) services including those shown below.

Service

Description

Ribbon Connect Services

Secure cloud-based connection services for enterprises and service providers.

Ribbon Identity Assurance Services

Cloud-based services that securely provides call origination identity assurance services including STIR/SHAKEN services.

Technical Support and Professional Services

Services provided to network operators which includes post-sales product technical issue resolution, installation and upgrade services.

Personal information processed in the context of these services is typically controlled by or originated from other companies, such as our customers, subscribers or other business partners. While Ribbon does process data in its role of providing the above services and underlying technology platforms, it does not own, control or direct the use of any of the personal information stored or processed by the above parties.

Accordingly, Ribbon’s accountabilities insofar as such processing is subject to the GDPR correspond to those of a data processor as provided for under Chapter IV of the regulation.   Ribbon relies on guidance and direction of the applicable data controller(s), who determine the purposes and generally the means of processing such personal information.

Data Controller

In some cases, Ribbon may collect and process personal information for our own legitimate business purposes including:

  • Management of business relationships with current or prospective customers, vendors, independent contractors, suppliers, resellers or partners
  • Direct marketing of Ribbon products and services
  • Employee recruiting and hiring
  • Provision of training services

European Economic Area and Switzerland

This notice contains information required under GDPR Articles 13 and 14 and details Ribbon’s data controller accountabilities with respect to the above processing.  Ribbon is established in the EU Member States and Switzerland under several entities.  Ribbon’s EU and Swiss entities are subsidiaries of the following entity:


Ribbon Networks B.V.
Evert van de Beekstraat 1-60
The Base A
4th Floor, Room 60
1118 CL Schiphol
The Netherlands
legal.privacy@rbbn.com

Ribbon’s Data Protection Officers can be contacted as follows:

Country

Entity

Contact

Ireland

Ribbon Communications International Limited

EU Data Protection Officer

The Multis Building

Parkmore West Business Park

Parkmore, Co. Galway H91 X7Y3, Ireland

legal.privacy@rbbn.com

Germany

Ribbon Communications Germany GmbH

Germany Data Protection Officer

Hendrik Muschal

fellaws Muschal Brachmann PartG mbB

Meinekestraße 27

10719 Berlin

www.fellaws.de

 

United Kingdom

This notice contains information required under UK GDPR Articles 13 and 14 and details Ribbon’s data controller accountabilities with respect to the above processing.  Ribbon is established in the UK.  Ribbon’s Data Protection Officer can be contacted as follows:

Country

Entity

Contact

United Kingdom

Ribbon Communications UK Limited

UK Data Protection Officer

Bray House
4 Maidenhead Office Park
Maidenhead
Berkshire SL6 3QH

legal.privacy@rbbn.com

California

Ribbon collects, uses and discloses personal information which is subject to the California Consumer Privacy Act (“CCPA”).  This notice contains information required by the CCPA.  Ribbon is committed to complying with the CCPA.

Canada

This notice contains information required under Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) and certain provincial privacy laws including the Quebec Act Respecting the Protection of Personal Information in the Private Sector. Ribbon’s Privacy Officer can be contacted as follows:

Country

Entity

Contact

Canada

Ribbon Communications Canada ULC

Ribbon Legal Department

c/o Data Protection
500 Palladium Drive
Suite 2100
Ottawa, Ontario
K2V 1C2

legal.privacy@rbbn.com

Australia

This notice contains information required under Australia’s Privacy Act 1988 (Cth) including the Australian Privacy Principles (“APPs”).  The APPs govern the way in which Ribbon collects, holds, uses and discloses Australian personal information.  A copy of the Australian Privacy Principles may be obtained from the website of The Office of the Australian Information Commissioner at  https://www.oaic.gov.au/.  Ribbon is established in Australia and can be contacted as follows:

Country

Entity

Contact

Australia

Ribbon Communications Australia Pty Ltd

Ribbon Legal Department
c/o Baker & McKenzie
Level 19
181 William Street
Melbourne, Victoria 3000
Australia

legal.privacy@rbbn.com

 

India

This notice contains information required under India’s Digital Personal Data Protection Act (DPDPA). Ribbon is established in India and can be contacted as follows:

Country

Entity

Contact

India

Ribbon Communications Pvt Ltd

Ribbon Legal Department
c/o Data Protection
2nd Floor, Delta Block, Embassy Tech Square, Kadubeesanahalli Village, Outer Ring Road, Varthur Hobli, Bangalore – 560103 India

legal.privacy@rbbn.com

India ECI Telecom India Private Limited

Ribbon Legal Department
c/o Data Protection
7th Floor, North Side,
Empire Plaza I, Lal Bahadur Shastri Marg,
Vikhroli West, Mumbai – 400 083

legal.privacy@rbbn.com

India GENBAND Telecommunications Private Limited

Ribbon Legal Department
c/o Data Protection
2nd Floor, Delta Block, Embassy Tech Square, Kadubeesanahalli Village, Outer Ring Road, Varthur Hobli, Bangalore – 560103 India

legal.privacy@rbbn.com

The Information We Collect or Process

Ribbon processes and in certain situations collects personal information as needed to deliver its products and services and manage its business. When collecting or processing personal information, Ribbon does so in a lawful, fair and transparent manner.

Ribbon must have a legal basis to process personal information. In most cases the legal basis for processing will be one of the following:

  • where Ribbon is the data processor, the legal basis identified by Ribbon's customers or partners acting in their role as individual data controllers
  • where Ribbon is subject to a mandatory legal obligation
  • where Ribbon is permitted to carry out the processing under applicable law
  • performance of a contract or when preparing to enter into a contract
  • where Ribbon has a legitimate business interest which does not override the interests or fundamental rights and freedoms of individuals

When Ribbon collects or processes personal information, it does so in a proportionate and limited manner pursuant to relevant, appropriate, and customary purposes. Ribbon will not share or disclose personal information for purposes other than as described herein.

The categories of information and the purposes for which Ribbon collects or processes personal information may include the following.

For Customers & Resellers

Category

Description & Purpose(s)

Retention

Source of Collection

Share Entity
Categories

Sell Entity
Categories

Categories

Business Contact and Service Portal Account Information

(Controller)

Ribbon may collect and use personal information about individual business contacts of customers and prospective customers. Such information may include customer account information, account identifiers, first/last name, company name, job title and responsibilities, email address, business mailing address, telephone numbers, as well as additional information received by Ribbon in the course of providing products or services.  We will use such information for the purposes of establish and maintain business relationship, providing and improving services, authorizing and extending credit, and providing requested or supplemental information regarding Ribbon products or services.

 

Duration of customer agreement
-or- Customer prompted deletion event

You
(in the context of your employment)

Your Employer

Where GDPR is applicable, Ribbon is a controller processing on the basis of legitimate interests under Article 6(1)(f)

 

Service Providers

Ribbon Group Affiliates

 

None

Professional or employment-related information.

Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

 

Ribbon Connect for Microsoft Teams Direct Routing Service – Meta Data

(Processor)

Ribbon collects and uses personal information about individuals using Ribbon Connect direct routing services. This may include but is not limited to the phone numbers that you call (or the phone numbers that you receive these calls from) through our Ribbon Connect direct routing services.  The date, time, location and duration of the calls may also be collected as well as other networking or device identifiers such as IP and SIP addressing sufficient to identify an individual end user.  This data is used for service delivery, service level assurance and compliance with applicable regulatory obligations.Ribbon provides Ribbon Connect direct routing services primarily for the benefit of organizations and subscribers in that the services transmit or route information on their behalf.   These services often merely serve as conduits for data transmitted by third parties and subscribers.  Ribbon does not determine the purposes and means of processing of this personal information.

Typically Less Than 7 Days and Subject to Rotating Buffer Overwrite Control

Generated Within Service Platform

Where GDPR is applicable, Ribbon is processing on the direction of a controller who has determined the legal basis for processing under Article 6(1)

Service Providers

Ribbon Group Affiliates

 

None Traffic data (CPNI) including telephone number.

Ribbon Connect for Operator Connect Service – Meta Data and Admin Portal Data

(Processor)

 

Ribbon collects and uses personal information about individuals using Ribbon Connect for operator connect services.  
Service Meta Data: This may include but is not limited to the phone numbers that you call (or the phone numbers that you receive these calls from) through our Ribbon Connect for operator connect services.  The date, time, location and duration of the calls may also be collected as well as other networking or device identifiers such as IP and SIP addressing sufficient to identify an individual end user.  This data is used for service delivery, service level assurance and compliance with applicable regulatory obligations.
Operator Admin User Portal Data: Including first and last names, company, email address and optionally business telephone number and physical address.  This data enables operator administrator to securely manage their service.
Ribbon provides Ribbon Connect for operator connect services primarily for the benefit of organizations and subscribers in that the services transmit or route information on their behalf.   These services often merely serve as conduits for data transmitted by third parties and subscribers.  Ribbon does not determine the purposes and means of processing of this personal information.

 

Service Meta Data:
Maximum 120 days


Admin Portal Data:
Duration of customer agreement
-or- Customer prompted deletion event

 

Generated Within Service Platform


You
(in the context of your employment)

Your Employer

Where GDPR is applicable, Ribbon is processing on the direction of a controller who has determined the legal basis for processing under Article 6(1)

 

Service Providers

Ribbon Group Affiliates

 

None

Traffic data (CPNI) including telephone number.

Professional or employment-related information.

Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

Ribbon Identity Assurance Service Data

(Processor)

 

Ribbon’s Identity Assurance solution provides call origination identity assurance services including STIR/SHAKEN.  Service data includes personal data including caller and called party telephone numbers and caller ID (TDRs) as well as certain third party databases utilized to implement identity assurance within the above framework.  This data is used for service delivery, billing, service level assurance and compliance with applicable regulatory obligations.

Ribbon provides Ribbon Identity Assurance services primarily for the benefit of organizations and subscribers in that the services cache information and provide identity scoring on their behalf.  Ribbon does not determine the purposes and means of processing of this personal information.

TDRs: Maximum 15 months

Third Party DBs:  Subject to third party database provider update frequency and retention controls

Generated Within Service Platform

Where GDPR is applicable, Ribbon is processing on the direction of a controller who has determined the legal basis for processing under Article 6(1)

Service Providers

Ribbon Group Affiliates

None

Traffic data (CPNI) including telephone number.

Inferences drawn from CCPA PI to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Ribbon Identity Assurance –  Analytics Data (US and Canada)

(Controller)

Ribbon collects and analyzes call audio recordings originated by individual parties originating calls to Ribbon’s Identity Assurance analytics aggregation system.  Analysis of captured audio and meta data associated with calls originated to the aggregation system is used to (i) risk-score calling party phone numbers for the purpose of improving the algorithmic reliability of the Ribbon Identity Assurance service described above, and (ii) in compliance with applicable communications services regulator mandated analytics associated with delivery of STIR/SHAKEN framework related services.  

Personally-identifiable data includes voice call recordings, transcripts thereof, and other call meta data including caller party telephone number, caller ID and time of call.

 

Maximum 12 months

Aggregation System Platform

Where GDPR is applicable, Ribbon is a controller processing on the basis of legitimate interests under Article 6(1)(f)

Service Providers

Ribbon Group Affiliates

 

None

Traffic data (CPNI) including telephone number.

Audio, electronic, visual, thermal, olfactory, or similar information.

Inferences drawn from CCPA PI to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

 

Technical Support and Professional Services Data

(Processor)

 

Ribbon provides technical support and professional services to network operators which includes post-sales product technical issue resolution, installation and upgrade services.  Certain technical issue resolution processing will include sample data required to provide the above services including CPNI and traffic data (see above) as well as other information sufficient to identify an individual.

 

Technical Support Case attachments:
Maximum 12 months

 

Technical Support Process Including CRM Platform

Where GDPR is applicable, Ribbon is processing on the direction of a controller who has determined the legal basis for processing under Article 6(1)

Service Providers

Ribbon Group Affiliates

 

None Sample  traffic data (CPNI) including telephone number.

Credit Card Information

(Controller)

Ribbon only collects credit card information in order to bill for subscribed services or in support of entering a contract.  Ribbon utilizes credit card payment processing agents solely for the purpose of authenticating and securely processing payment for the services you receive.   We require these agents to take reasonable and appropriate measures to protect this information from loss or misuse.

 

Subject to credit card payment agent retention controls

You
(in the context of your employment)

Where GDPR is applicable, Ribbon is a controller undertaking processing necessary for the performance of a contract with the data subject under Article 6(1)(b)

Service Providers None Credit card number

Ribbon Training Services Data

(Controller)

 

Ribbon provides product and solutions training services to individuals that may be delivered to students in an online, in-person as well as self-paced training format depending on the offering.  Ribbon may collect, generate and/or process certain personal data for the purposes of (i) student registration, communication and billing, (ii) delivery of training content, (iii) maintenance of student online training profile/transcript, and (iv) maintenance of service consumption metrics. Anonymized after 10 years of student service inactivity

You
(in the context of your employment)

Generated Within Training Services Platform

Where GDPR is applicable, Ribbon is a controller processing on the basis of legitimate interests under Article 6(1)(f)

 

Service Providers

Ribbon Group Affiliates

None

Professional or employment-related information.

Education information

 

For Suppliers

 

Category

Description & Purpose(s)

Retention

Source of Collection

Share Entity
Categories

Sell Entity
Categories

Categories

Business Contact and Service Portal Account Information

(Controller)

Ribbon may collect personal information about individuals who are employed by our suppliers. This information is strictly used to administer existing and future business arrangements as well as to establish appropriate and secure access to Ribbon's network where required. This information may include name and contact information, employer information, due diligence information, electronic communications (email, voicemail) and networking communications data.

 

Duration of supplier
agreement
-or-
Supplier prompted deletion event

Certain corporate  network access data will be retained for up to 18-24 months for security audit trail purposes.

You
(in the context of your employment)

Your Employer

Generated Within Corporate Network Platforms

Where GDPR is applicable, Ribbon is a controller processing on the basis of legitimate interests under Article 6(1)(f)

 

Service Providers

Ribbon Group Affiliates

 

None

Professional or employment-related information.

Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

 

 

For Independent Contractors

Category

Description & Purpose(s)

Retention

Source of Collection

Share Entity
Categories

Sell Entity
Categories

Categories

Business Contact Data

Administrative and Onboarding Data

Qualifications & Experience Information

(Controller)

Ribbon may collect personal information about our independent contractors. This information is strictly used to administer existing and future business arrangements as well as to establish appropriate and secure access to Ribbon's network where required. This information may include name and contact information, employer identification information, qualifications, licenses and experience, reference, background checks and due diligence information, services provided, billing, payment, expenses and financial information, insurance and bonding information, electronic communications (email, voicemail) and networking communications data.

 

Duration of contracting agreement
-or-
Contractor prompted deletion event
-and-
Subject to any applicable statutory minimum retention periods

Certain corporate network access data will be retained for up to 18-24 months for security audit trail purposes.

You

Generated Within Corporate Network Platforms

Where GDPR is applicable, Ribbon is a controller processing on the basis of legitimate interests under Article 6(1)(f)

 

Service Providers

Ribbon Group Affiliates

 

None

Professional or employment-related information.

Education information.

Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

Signature, address, telephone number, education, bank account number, other financial information and gender.

 

For Job Applicants

Ribbon collects personal information of job applicants in connection with its recruitment and hiring activities. Job applicants should refer to Ribbon's Privacy Notice for Job Applicants

For Marketing Leads and Website Visitors

Ribbon is the data controller of marketing data we collect.  We collect marketing data when you visit our websites, when you provide it to us (by phone, in person or by webform), when you register for or attend an event, when you request information regarding Ribbon,  when we collect it from public databases, partners, social media sites or other third parties. 

Category

Description & Purpose(s)

Retention

Source of Collection

Share Entity
Categories

Sell Entity
Categories

Categories

Marketing Data

(Controller)

 

Marketing data includes your contact details such as name, physical address, country, email, company name, job title and business telephone number (collectively “Marketing Data”).  When you visit a Ribbon website, Ribbon collects associated website visitor information such as IP address, geographic location, browser type, operating system, screen size and company (collectively “Website Visitor Information”).  Website Visitor Information shall not be linked to your Marketing Data unless you provide additional information to us (such as by filling out a form on our website) that connects the information to you.  For more information on the above and choices available to website visitors please refer to Ribbon’s Cookie Policy and Ribbon’s Cookie Preference Center accessible via the website.

Ribbon uses this data for direct marketing of Ribbon products and services.  Unless expressly requested by Ribbon and consented by you, Ribbon will not share or disclose or sell personal information to third parties for the purpose of their own marketing or resale activities.

 

Marketing Contact Data: Maximum 24 months after last marketing service interaction

Cookies: Please see Ribbon Cookie Policy for specific information regarding cookies

You

Your Browser

Where GDPR is applicable, Ribbon is a controller processing on the basis of consent under Article 6(1)(a)

 

Service Providers

Ribbon Group Affiliates

 

None

Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

Professional or employment-related information

Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.

 

Other Collection or Processing

Additional personal information may be collected, processed and disclosed for the purposes for which it was collected and for legal compliance purposes, including regulatory reporting, investigation of allegations of wrongdoing, and the management and defense of legal claims and actions, and compliance with subpoenas, court orders and other legal obligations.

Third Party Web Sites, Plugins or Widgets

Ribbon websites and services may include social network or other third-party plugins and widgets. Accessing these links is done at your option. Please review the sponsor's privacy policy provided at the respective site.

Cross-Border Personal Information Transfers

Where feasible Ribbon utilizes geographically aligned resources for primary data processing in order to reduce the complexity and volume of cross-border personal information transfer.

Ribbon shall comply with the applicable laws governing international transfers of personal information and where required shall ensure that such transfers are made to countries where the data protection regime is compatible with that of the originating jurisdiction.

Transfers of Personal Information from the EU, UK and Switzerland to Other Jurisdictions

Ribbon employs the following transfer mechanisms for transfers of EU, UK and Swiss personal information in accordance with transfer restrictions imposed under the EU General Data Protection Regulation (GDPR), the UK GDPR or the Swiss Federal Act on Data Protection (FADP) as applicable.

  • GDPR Article 45 Adequacy decisions issued by the European Commission (EC) or the competent UK authority under GDPR Article 45 and as similarly recognized by the Swiss authority as applicable; and/or
  • Standard contractual clauses adopted by the EC or the competent UK authority under GDPR Article 46 and any such clauses approved by the competent Swiss authority.

The Swiss-U.S., the EU-U.S., and the UK Extension of the EU-U.S., Data Privacy Framework

Ribbon Communications Inc. and its U.S. subsidiaries Ribbon Communications Operating Company, Inc. and Ribbon Communications Federal Inc (“Ribbon DPF Companies”) rely on and comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information. The Ribbon DPF Companies have certified to the Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF, and from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.

To learn more about the Data Privacy Framework (DPF) program, and to view Ribbon’s certification, please visit https://www.dataprivacyframework.gov/. To view the Ribbon DPF Companies’ certification under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, please visit https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt00000008RT8AAM&status=Active

In addition to the protections provided under other sections of this Privacy Policy, the Ribbon DPF Companies will provide the following protections for personal data previously transferred from the EU, UK of Switzerland to the US

Ribbon relies upon the DPF certification for cross-border transfers of personal data, but takes additional steps to protect personal data. The standard data protection clauses, adopted by the EC under GDPR Article 46 and approved by the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland, are a valid mechanism to comply with EU and Swiss data protection requirements when transferring personal data from the European Union and Switzerland to the United States. Ribbon has implemented the standard contractual clauses.

Choice

Individuals will be offered a clear, conspicuous, and readily available mechanism to choose (opt out) whether their personal information is (1) to be disclosed to a third party other than a third party acting as an agent to perform tasks on behalf of and under the instruction of Ribbon or (2) to be used for a purpose that is materially different than or incompatible with the purpose for which it was originally utilized or subsequently authorized by the individual.

Additionally, individuals will be offered a similar choice mechanism to give affirmative or explicit (opt in) choice whether their sensitive personal information is to be disclosed to a third party or used for a purpose other than the purposes for which it was originally collected or subsequently authorized by the individual by opt-in choice.  However, explicit (opt in) choice is not required when the disclosure of the sensitive personal information is (1) in the vital interests of the individual or another person; (2) necessary for the establishment of legal claims or defenses; (3) required to provide medical care or diagnosis; (4) necessary to carry out the organization’s obligations in the field of employment law, or (5) related to personal information that is manifestly made public by the individual.

Onward Transfers to Third Party Agents

The Ribbon DPF Companies may transfer personal information to third parties acting as controllers as described in the section entitled “Third Party Suppliers and EU, UK and Swiss Personal Information”.

Verification

The Ribbon DPF Companies have verified and will verify annually through self-assessment that the attestations and assertions made about its DPF privacy practices are true and that those privacy practices have been implemented as represented and in accordance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles. This verification has been and will be signed by an officer of the Ribbon DPF Companies or other authorized representative of the Ribbon DPF Companies at least once a year and is available upon request by individuals or in the context of an investigation or a complaint about non-compliance. The verification includes the following:

  • That the Privacy Policy is accurate, comprehensive, prominently displayed, completely implemented and accessible;
  • That the Policy conforms to the DPF Principles;
  • That individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints;
  • That the Ribbon DPF Companies have in place procedures for training employees in the implementation of this Policy and disciplining them for failure to follow it;
  • That the Ribbon DPF Companies have in place internal procedures for periodically conducting objective reviews of compliance with the above.

Recourse Mechanisms Under the DPF

Inquiries or complaints regarding processing of personal data pursuant to DPF should be directed to:

Ribbon Legal Department
6500 Chase Oaks Blvd.
Suite 100
Plano, TX 75023
United States
Email: legal.privacy@rbbn.com

If a complaint remains unresolved, it will be resolved through alternative dispute resolution. Ribbon has selected JAMS Mediation, Arbitration and ADR Services (JAMS) as the administrator of Ribbon's independent recourse mechanism for DPF disputes. Ribbon has committed to refer such unresolved DPF complaints to JAMS in the United States. You may find more information about dispute resolution and how to file a claim with JAMS at https://www.jamsadr.com/dpf-dispute-resolution.

Individuals have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms. Please visit Annex I for additional information: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.

Enforcement

The Ribbon DPF Companies are also subject to the investigatory and enforcement powers of the United States Federal Trade Commission, which has jurisdiction over Ribbon’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

Liability

In the context of an onward transfer of personal information, the Ribbon DPF Companies have responsibility for the processing of personal information they receive under the DPF and subsequently transfers to a third party agent. The Ribbon DPF Companies will remain liable under the DPF Principles if their third party agent processes such personal information in a manner inconsistent with the DPF Principles, unless the Ribbon DPF Companies prove that they are not responsible for the event giving rise to the damage.

Training

All employees who process personal data will receive training regarding the data privacy principles and procedures under DPF Principles and this Policy.

Recipients and Disclosures

Within the Ribbon Group

In general, personal information may be shared within Ribbon in order to fulfill service commitments to our customers and in support of legitimate business interests. These transfers are subject to the transfer mechanism controls described within the above section on Cross-Border Personal Information Transfers.

Ribbon restricts access to personal information to those employees, agents, or contractors who require access in order to carry out their assigned functions.

A list of Ribbon corporate locations is available here. Processing locations will vary by service provided.

Third Party Suppliers

Ribbon uses vendors and partners for a variety of business purposes in order to help us fulfil the services we provide. We share information with those vendors and partners when it is beneficial for them to perform work on our behalf.

Ribbon will only transfer or provide direct access to personal information covered by this policy to third parties which have:

  • made a commitment to respect the privacy rights of individuals;
  • limited processing of personal information to comply with customer's and/or data controller instructions; and
  • provided Ribbon contractual assurances that they will provide data protection no less stringent than is required by applicable privacy laws. For instance, where a third party engaged by Ribbon processes personal data subject to the GDPR, a data processing agreement reflective of the “processor” obligations within Article 28 of the GDPR is maintained between Ribbon and the third party.

Ribbon employs the following categories of third party suppliers in order to deliver the services shown below.

Ribbon Connect for Microsoft Teams Direct Routing Services

Service Region

Third Party Category

Locations

EU/UK

Cloud Hosting and Platform Providers

Ireland, Netherlands, United Kingdom

NA

Cloud Hosting and Platform Providers

United States

APAC

Cloud Hosting and Platform Providers

Australia, Singapore, Japan

Ribbon Connect for Operator Connect Services

Service Region

Third Party Category

Locations

Global Cloud Hosting Providers United States

EU/UK

Cloud Hosting and Platform Providers

Ireland, Netherlands, United Kingdom

NA

Cloud Hosting and Platform Providers

United States

APAC

Cloud Hosting and Platform Providers

Australia, Singapore, Japan

Ribbon Identity Assurance Services

Service Region

Third Party Category

Locations

EU Cloud Hosting Providers France

NA

Cloud Hosting Providers

United States, Canada

NA

CRM Technology Providers

United States

NA

Technology Service Partners

United States

Technical Support and Professional Services

Service Region

Third Party Category

Locations

Global

Cloud Hosting Providers

United States

Global

CRM Technology Providers

United States

Global

Technology Service Partners

United States, Turkey, India, Vietnam

Marketing

Service Region

Third Party Category

Locations

Global

CRM Providers

United States

Global

Web Hosting Providers

United States

Global Web Analytics Providers United States
Global Marketing Automation Providers United States

Ribbon Training Services

Service Region

Third Party Category

Locations

Global

CRM Providers

United States

Global

Hosted Online Training Services Provider

United States, Belgium

Global

Payment Gateway Providers

United States

Global Digital Adoption Platform Providers United States

 

Third Party Suppliers and EU, UK and Swiss Personal Information

Additionally, for personal information pertaining to EU, UK or Swiss data subjects Ribbon will only transfer or provide direct access to personal information covered by this policy to third parties that:

  • are located in a jurisdiction subject to the GDPR or are subject to privacy laws designated to be adequate by the European Commission or the competent UK authority under GDPR Article 45, or similarly recognized by the Swiss authority as applicable; and/or
  • have provided Ribbon contractual assurances that transferred personal information will be subject to appropriate safeguards by way of standard contractual clauses adopted by the European Commission or the competent UK authority as applicable under GDPR Article 46 and such clauses as approved by the competent Swiss authority. 

Other External Disclosures

Ribbon may disclose information that individually identifies our customers, subscribers or identifies their devices in certain circumstances, such as:

  • to comply with valid legal process including subpoenas, court orders or search warrants, to defend or respond to legal actions, and as otherwise authorized by law, or in response to lawful requests by public authorities, including to meet national security or law enforcement requirements;
  • to prevent unauthorized, unlawful or abusive use of our products and services;
  • to determine credit risk or obtain payment for Ribbon services or products, such as through credit or collection agencies;
  • for other purposes with your consent.
  • to protect the vital interests of the individual or another person;
  • for other purposes with your consent.

If Ribbon enters into a merger, acquisition or sale of all or a portion of its assets or business, customer information will also be transferred as part of or in connection with the transaction as per local law and/or non-disclosure agreement.

Security and Integrity of Personal Information

To help protect the confidentiality of personal information, Ribbon employs appropriate information security safeguards.  These safeguards take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks to individuals posed by any unauthorized disclosure of the information.

These safeguards include reasonable administrative, technical and physical measures to safeguard the confidentiality, integrity and availability of personal information against anticipated threats and unauthorized access to such personal information.

Ribbon conveys safeguard obligations to our third parties who receive personal information from or on behalf of Ribbon in the course of their relationship with our organization as described above in the "Recipients and Disclosures" section.

Ribbon employs reasonable means to keep personal information accurate, complete, and current, as needed for the purposes for which it was collected.

Retention of Data

Ribbon understands the data minimization and storage limitation principles within the GDPR and other data protection laws which require that data be deleted when its retention is no longer required to satisfy the purposes for which it was collected, generated or provided to Ribbon by a data controller. Ribbon complies with all applicable information retention laws and regulations including those associated with electronic communication service provider requirements.

Additional information regarding retention of data is available within the tables in the section above entitled “The Information We Collect or Process”

 

Choices and Accommodation

The data Ribbon processes is described in further detail in “The Information We Collect or Process” section above.

Service Portals

If you have created a user profile on any Ribbon service portal (eg: Ribbon Technical Support Portal), you may access and revise the personal information in your user profile when you log into your account. In general, these portals will only require minimal personal information that is necessary to provide and administer the service.

Marketing Materials

If you provide us with your email address or other contact information to enable us to provide current communications and information to you, we may use the information for providing such communications including delivery of press releases and other Ribbon marketing materials.  You may request to no longer receive Ribbon marketing communications by following the "unsubscribe" instructions in emails from Ribbon or by sending a request to the Contact identified below.

In the rare and unlikely event that Ribbon wishes to use an individual's personal information for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals, Ribbon will seek consent in advance as required by law.

Cookie Preferences

Ribbon websites may use cookies to collect certain kinds of personal information about subscribers or users. For more information on how Ribbon uses cookies and choices available to website visitors please refer to Ribbon's Cookie Policy and Ribbon's Cookie Preference Center accessible via the website.

Sensitive Information

Ribbon recognizes that for some sensitive information, affirmative express consent from individuals is required and must be obtained if such information is to be (i) disclosed to a third party or (ii) processed for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. In addition, Ribbon shall treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.

Data Subject Rights

Ribbon supports individual's data protection rights as provided for by applicable data protection laws.  These may include individual rights of access, rectification, erasure, restriction or objection to processing, and portability.  This section contains supplemental information for individuals in certain jurisdictions.  If Ribbon is relying on your consent to process your personal data, you have the right to withdraw your consent at any time.

Service Portals

If you have created a user profile on any Ribbon service portal (eg: Ribbon Technical Support Portal), you may access, examine, revise or delete the personal information in your user profile when you log into your account. In general, these portals will only require minimal personal information that is necessary to provide and administer the service. Ribbon employs reasonable means to keep its individuals' personal information accurate, complete, and current.

EU and UK Data Subject Rights

Individuals having rights governed by EU or UK data protection law may exercise the following rights as data subjects.

Right

GDPR Article

Summary

Access

15

Right to request access to and obtain a copy of your personal data.  In certain service contexts, individuals are provided with credentialized access to much of their own personal information that Ribbon collects and maintains through various service portals (please see Service Portals above).  This enables individuals to access, review, export, and in many instances enter or certify their personal information.

Rectification

16

Right to request rectification (or correction) of personal data that is inaccurate.  In certain service contexts, individuals are provided with credentialized access to much of their own personal information that Ribbon collects and maintains through various service portals (please see Service Portals above).  This enables individuals to access, review, export, and in many instances enter or certify their personal information.

Erasure

(Right to be Forgotten)

17

Right to request erasure (or deletion) of personal data that is no longer necessary to fulfil the purposes for which it was collected or does not need to be retained by Ribbon for other legitimate purposes.  Ribbon will review and act upon requests by individuals for the erasure of personal data to the extent required under applicable law.  Generally, individuals have the right to have their personal information erased when it is no longer necessary for the purposes for which it was collected or otherwise processed or the legal basis on which the data processing was based (e.g. consent) no longer applies.

Restriction of Processing

18

Right to require Ribbon to restrict the processing of your personal data under certain circumstances.  Ribbon will review and act upon requests to restrict processing of personal data of individuals to the extent required under applicable law. 

Portability

20

If applicable, the right to request your personal data be ported (transferred) to another controller.  Under certain conditions individuals have the right to receive their personal data which they have provided to Ribbon in a structured, commonly used and machine-readable format. Individuals also have the right to transmit such data to another controller.

Objection to Processing

21

Right to object to the processing of your personal data.  Ribbon will review and act upon requests by individuals to object to the processing of personal data to the extent required under applicable law.  Generally, an individual has the right to object to the processing of his or her personal data, and Ribbon should no longer process the data where it is unable to demonstrate compelling legitimate grounds for the processing.

If Ribbon is relying on your consent to process your personal data, you have the right to withdraw your consent at any time.

In addition to the rights shown above, individuals have the right under GDPR Article 77 to lodge a complaint with a supervisory authority, in particular in the UK or EU Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this regulation.

California Privacy Rights

Individuals having rights governed by the CCPA may exercise the following rights as data subjects.

Right

CCPA  Section

Summary

Access

1798.110

Right to request access to and obtain a copy of personal information, including:

  1. The categories of personal information Ribbon has collected about that individual.
  2. The categories of sources from which the personal information is collected.
  3. The business or commercial purpose for collecting, selling, or sharing personal information.
  4. The categories of third parties to whom Ribbon discloses personal information.
  5. The specific pieces of personal information Ribbon has collected about that individual.

Deletion

1798.105

Right to request deletion of personal information that is no longer necessary to fulfil the purposes for which it was collected or does not need to be retained by Ribbon for other legitimate purposes.

Correction

1798.106

Right to request correction of personal information that is inaccurate taking into account the nature of the personal information and the purposes of the processing of the personal information.

Limit Use and Disclosure of Sensitive Information 1798.121 Right of individual to direct Ribbon to limit its use and disclosure of the individual’s sensitive personal information to those uses(s) which are necessary, and as authorized by applicable regulations adopted pursuant to the CCPA.
Portability

1798.130(a)
(3)(B)(iii)

Where applicable, right of individual to request provision of specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format that may also be transmitted to another entity at the consumer’s request without hindrance. “Specific pieces of information” do not include data generated to help ensure security and integrity or as prescribed by regulation.

If Ribbon is relying on your consent to process your personal data, you have the right to withdraw your consent at any time.

Ribbon does not sell or disclose personal information to third parties for their own direct marketing purposes.

Requests

If you are an individual who wishes to exercise a data protection right as provided for by applicable data protection law, please click here or contact us by telephone at 1-866-750-5040.

The ability of an individual to access, update or delete his or her personal information is not unlimited.  An individual's ability to access personal information may be limited, for example, where (a) the burden or expense of providing access would be unreasonable or disproportionate to the risks to the individual's privacy, (b) the information should not be disclosed or deleted due to legal reasons; or (c) providing access would compromise the privacy of another person.

Recourse, Complaints and Enforcement

Individuals who wish to file a complaint or who take issue with Ribbon's policy should direct such communications to Ribbon at:

Ribbon Legal Department
6500 Chase Oaks Blvd.
Suite 100
Plano, TX 75023
United States
legal.privacy@rbbn.com

 

Ribbon undertakes annual compliance review of our policies, procedures with respect to data privacy to ensure that policy is implemented as presented and, in particular, to address any cases of non-compliance.  Ribbon also considers any impact to our policies and procedures as a result of privacy law changes or trends in recurring complaints from individuals.

Revision of Policy

Ribbon reserves the right to change this privacy policy at our discretion subject to business or legal requirements.  Please check this privacy policy from time to time and particularly before you provide personal information to Ribbon.  The effective date of the newest version of the privacy policy will be posted below, and in the event that we make material changes to this privacy policy, we will notify affected users by making a more prominent notice of the changes.

If we change our policy or use of personal information in such a manner that significantly diverges from the original purposes that we collected the information, we will provide notification as required by applicable law.  Your rights to object or obtain further information is as provided for in the Data Subject Rights and Recourse, Complaints and Enforcement sections.

Recent Revisions

Version

Date

Change Summary

1

October 2017

Significant updates to privacy policy to reflect GDPR preparations

2

March 2018

Inclusion of content to reflect Ribbon's EU-US DPF commitments

3

June 2018

Inclusion of "Anonymized, Non-Identifying Voice and Traffic Data" within Information We Collect

4

April 2019

Further modularization in order to accommodate layering

Preparations for UK Brexit

Additional uReach transparency for US/Canada subscribers

Additional transparency required under GDPR Article 13

5 December 2019

Update to address certain CCPA transparency obligations

Introduction of data subject portal link

Inclusion of RCIL Data Protection Officer contact information

6 April 2020

Update Contact, Marketing Lead and Service Portal Account Information. Adjust Ribbon entity names to reflect certain 2019 changes

7 July 2020

Update Ribbon DPF Companies
Additional Marketing Lead transparency
Additional CCPA-related information

8 November 2020

Reflecting CJEU decision in Case-311/18 with regards to DPF
Expanded policy to reflect Ribbon ECI merger
Additional Training Services transparency

9 April 2021

Addition of Ribbon Connect and Ribbon Identity Assurance transparency
Removal of Kandy and uReach related services
Reflecting UK GDPR regulatory scope distinction from EU GDRP

10 June 2022

Additional accountability information in support of Canadian law
Additional CCPA-related transparency
Additional data retention transparency
Updated third party recipient/disclosure transparency

11 June 2023

Update Ribbon DPF Companies
Additional CCPA-related transparency
Addition of Ribbon Connect for Operator Connect transparency
Update to data retention transparency for certain services
Addition of references to GDPR Article 6 bases for processing

12 September 2023

Modify content to reflect Ribbon’s EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF commitments

13 December 2023 Extending accountabilities portion of policy to more formally reflect applicable Australian privacy law and the APPs as well as the India DPDPA 

Effective Date

December 1, 2023

Contact

If you have any comments or questions regarding this policy or Ribbon’s privacy practices, or if you are an individual with a disability and require access to this policy in an alternative format please contact us at:

Ribbon Privacy
Suite 2100
500 Palladium Drive
Ottawa, Ontario, Canada K2V 1C2
privacy@rbbn.com