Data Protection at Unify

Find out about the Unify approach to Data Protection

Our preparations for Europe’s most significant Data Protection laws

 

At Unify we have a long heritage of keeping our customers' data safe. We are trusted the world over to provide secure, reliable communications and collaboration solutions.

This page is designed to help you understand in easy terms how we use your data across our platforms, services and day to day operations.

You can also find out about our commitment to the General Data Protection Regulation, or GDPR as it is often known. If you have any questions about the information on this page, please contact us at askGDPR@atos.net

Mariana Peycheva
Chief Security Officer – Unify Atos Collaboration Solutions

Related Links

English
Click here to sign the Unify Data Protection Agreement (DPA)
Download Unify Data Protection Agreement

German
Click here to sign the Unify Data Protection Agreement (DPA)
Download Unify Data Protection Agreement

Our Commitment to the General Data Protection Regulation (GDPR)

The most significant change to data protection laws for over 20 years comes into force on 25 May 2018. The GDPR regulates the handling of personal data of European Citizens and residents irrespective of their location and therefore has implications for the handling of personal data globally.

Unify has always been committed to protection of personal data, with accreditations such as ISO 27001, and now as the Unified Communication and Collaboration specialist within Atos, we are fully committed to compliance with both the spirit and detail of The GDPR.

Since we act as both a Data Controller and a Data Processor as defined by The Regulation, we are undertaking a number of activities in preparation of its enactment including:

  • auditing all of our processes and systems that handle personal data to ensure compliance;
  • engaging with partner technology organizations and application providers to ensure that the appropriate data processing agreements exist between us;
  • contacting customers, partners and other parties as necessary to reconfirm their permissions to handle their personal data;
  • updating web & marketing assets, partner and customer tools, to ensure that the capture of personal data is explicitly permitted;
  • auditing our product portfolio to ensure that the functionality and license terms are compliant and also supportive of GDPR compliance among customers, partners and users;
  • fully leveraging the benefits of cloud to minimize application risk for our customers and partners.

As a product developer, we want our users, customers and partners to be completely satisfied and to be confident that our products, services and business tools will support their own compliance with GDPR both by design and by default. Additionally, as a division within Atos, we can offer services and expert support in achieving your own GDPR goals.

Atos prides itself as being a trusted partner to its clients, and Unify as part of Atos is fully committed to earning and deserving your trust for years to come.

If you have any queries about our GDPR activities, then please contact us on askGDPR@atos.net

OpenScape GDPR Compliance Statements

OpenScape Voice WhitePaper - Processing of Personal Data

OpenScape 4000 WhitePaper - Processing of Personal Data

OpenScape Contact Center WhitePaper - Processing of Personal Data

OpenScape UC WhitePaper - Processing of Personal Data

OpenScape Xpert WhitePaper - Processing of Personal Data

OpenScape Xpressions White Paper - Processing of Personal Data

OpenScape Business WhitePaper - Processing of Personal Data

Processing of Personal Data in Centralized Unify Business processes

 

Unify provides Unified Communication and Collaboration products and services directly or via accredited Partners to End-customers and their End-users. There are a number of centralized processes in our B2B relationships, where some of the data processed by Unify is Personal Data (“Personal Data” is defined as any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity).

We have categorized such processing in the following 6 processing streams:

  • Unify Cloud Services
  • Unify Cloud Services Sign-ups and Commercial Processing
  • Unify Commercial Processing (Book-to-Bill) (except for Cloud)
  • Unify Supply Chain Processes
  • Unify Resale and Co-Delivery Services
  • Unify Marketing Data

As a customer or accredited Sales Partner, you might additionally be involved in processes of Unify or Atos local entities. The processes which we relate to on these webpages are centrally provided by Unify Software and Solutions GmbH & Co. KG.

For each process stream we have identified categories of individuals whose Personal Data are processed (Data Subjects):

Data Subject Category: Cloud Services Users
Description: Registered guest users of Unify Cloud Services
Affected by Process Streams:
  • Unify Cloud Services

Data Subject Category: Customer Contacts / Sales Partner Contact
Description: Individuals who serve as contact persons for commercial transactions, services and projects etc. at the Customer or accredited Partner
Affected by Process Streams:
  • Unify Cloud Services Sign-up and Commercial Processing
  • Commercial Processing (except for cloud)

Data Subject Category: Billing Contacts
Description: Individuals serving as contacts for invoicing or payment follow-up
Affected by Process Streams:
  • Unify Cloud Services Sign-up and Commercial Processing
  • Commercial Processing except for cloud

Data Subject Category: Partner Tool Users
Description: Individuals who obtain access to tools Unify provides to partners for commercial processing or service delivery
Affected by Process Streams:
  • Unify Cloud Services Sign-up and Commercial Processing
  • Commercial Processing except for cloud
  • Resale and Co-delivery Services

Data Subject Category: Unify Product User
Description: Individuals who use Unify products and Solutions
Affected by Process Streams:
  • Supply Chain Processes
  • Resale and Co-delivery Services

 

It might well be possible that you fall under both categories of addressees as you might be a user and a contact person at the same time.

The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behaviour that takes place within the EU.

Link to GDPR: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

We are delighted to provide you with this general overview and structure of which Personal Data are being processed, and why and how we process Personal Data at Unify. If you would like to understand in more detail how this is done in the various Unify process areas, we are providing you with details in each of the process streams listed above.

For each of the processing streams described above we provide on this web page a detailed Information of Processing (IoP) document. In general, our offerings are meant for Business-to-Business relationships, to enable sales partners and customers to work with Unify on a daily basis to exercise transactional processes. As a result, not only you, but also the business [Your Company] which gives you access to Unify Processes and Services has rights and obligations with regard to the Personal Data processed by Unify.

On this introductory page, we will show you in which section you can find the relevant information for you when looking at the more detailed Process and Services Websites, like an overview, so you can find your way around much easier.

1 Controller – GDPR (article 13.1a / 14.1a)

The Controller is directly accountable to you for the protection of your Personal Data in the sense of the GDPR. Among other responsibilities, the Controller

  1. Defines the purpose of processing of your personal data
  2. Defines the means of processing of your personal data
  3. Is responsible for the accuracy of Personal Data provided
  4. Is responsible for informing you about the processing of your Personal Data and the modalities for the exercise of your rights
  5. Implements measures to secure and protect your Personal Data
  6. Notifies the competent data protection supervisory authority in case of a data breach.

 

For some processes and services like Unify Cloud Service, Resale and Co-Delivery Services or other off-the-shelf processes, neither Unify nor Your Company can be the sole Controller. Instead we have a Co-Controller situation, which is defined by the GDPR article 26 (joint Controller).

The GDPR requires Co-Controllers to sign an agreement on how to jointly execute controller responsibilities. The responsibility split is described in the respective sections of this Webpage as well as the relevant Data Processing Agreement (DPA). Companies like Your Company, working with Unify in these areas, are asked to sign the respective Data Processing Agreement via a click-and-accept mechanism. Unify assumes in addition the role of Processor, meaning the entity that Processes Personal Data on behalf of Customer as contemplated in the respective Agreements and the DPA.

One of the co-controllers is always

Unify Software and Solutions GmbH & Co. KG
Mies-van-der-Rohe-Strasse 6
80801 Munich, Germany,

hereunder “Unify” or “we”.

The other Co-controller is Your Company.

2 Data Protection Officer – GDPR (article 13.1b / 14.1b)

Unify has appointed a Data Protection Officer (DPO) who has reviewed transactional processing with regard to data protection. You can reach the data protection officer at the following email address: dp.it-solutions@atos.net

3 Purpose and Legal Basis for Processing – GDPR (article 13.1c,d / 14.1c / 14.2b)

Depending on the co-controller model for the respective processing stream, it is either Unify or Your Company which explains to you the purpose of processing and the legal basis for it.

4 Categories of Personal Data – GDPR (article 14.1d, 14.2(f))

In this section we explain to you what categories of Personal Data are affected by the process stream. The precise meaning of these categories depends on the respective processing stream.

5 Recipients of Personal Data – GDPR (article 13.1e / 14.1e)

Data entered into Unify processes, including your Personal Data, might be shared with other Data Subjects, within Unify and the wider Atos group or with third parties in order to execute our daily business, for example when you work with one of our valued accredited Partners. Of course, you have the right to be informed about this and you will find this information in section 5 of each Information of Processing (IoP) document.

6 Sub-Contractors and Transfers of Personal Data to Third Countries and Storage Locations – GDPR (articles 13.1f / 14.1f)

Please see the respective sections, so you know which subcontractors and storage locations support Unify in which processes and services in our joint day to day business.

Please note that Unify belongs to the Atos group. Subcontractors within the Atos group (Unify, Cycos, Atos companies) are subject to Atos Binding Corporate Rules (see https://atos.net/content/dam/global/documents/atos-binding-corporate-rules.pdf) and EU Mandatory Clauses.

7 Data Retention – GDPR (articles 13.2a / 14.2a)

For legal reasons, information on contracts, commercial transactions as well as compliance information of Contact Persons including has to be retained for 10 years after the transaction or the end of the contract. Therefore Unify deletes Data at the latest at the end of the 10th year after the last year in which the contract ends.

For other processes, such as system traces pulled in the case of a service delivery, we delete your personal data 90 days after the ticket has been closed. As there are different timelines around these retention periods, please consult the respective process section (IoP).

8 Your Rights as a Data Subject and How to Exercise Them

The GDPR gives you powerful rights with regard to your Personal Data. You can exercise your rights, i.e. place your requests, with Your Company or with Unify. In the latter case, since your Company in general gave you access to Unify processes and services and defines the purpose of their usage, we generally engage with your Company before executing a request. We therefore recommend that you place your request with your Company, who can give you a profound answer to your requests from the perspective of your business.

You can place requests in regards to your personal data with Unify either via the Data Protection Officer shown in section 2 or via the following functional email address: askGDPR@atos.net

The information below is an overview for your convenience. Please see the relevant process section for more details where required.

  1. Right of Access to Personal Data – GDPR (article 15)
  2. Right to Rectification of Personal Data – GDPR (article 16)
  3. Right to Erasure of Personal Data – GDPR (article 17)
  4. Right to Restrict Processing – GDPR (article 18)
  5. Right to Object to Processing – GDPR (article 21)
  6. Right to Withdraw Your Consent – GDPR (articles 7.3 / 13.2c / 14.2d)
  7. Right to Data Portability – GDPR (article 20)
  8. Right to lodge a complaint with a Data Protection Authority – GDPR (articles 13.2d / 14.2d / 77)

9 Is it a Statutory or Contractual Requirement to Provide Personal Data? – GDPR (article 13.2(e))

The answer to this question depends on the category of Data Subject you are and the respective Data Processing stream.
As an accredited Sales Partner or End-customer of Unify, you must be identifiable to Unify in order for us to fulfill our contractual obligations with you, whether you are a Partner of Unify or an End-customer.

10 Automated Decision Making

Please see respective Process Information page (IoP)

Unify Cloud Services

Information on Processing of Personal Data for Users

Effective March 23, 2019

If you are, or plan to become, a user of Unify Cloud Services, such as Circuit or OpenScape Cloud, this document is meant for you! Some of the data processed by Unify Cloud Services are your Personal Data (“Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity).

The processing of your Personal Data is protected by the Applicable Data Protection Law, which shall mean the laws and regulations relating to the processing and protection of Personal Data applicable in the country where Unify is established. In particular, Applicable Law means (a) EU Regulation 2016/679 (General Data Protection Regulation; ‘GDPR’) (b) Member State laws or regulations relating to the processing and protection of Personal Data implementing or complementing GDPR; and (c) any other applicable laws or regulations relating to the processing and protection of Personal Data.

Unify operates multiple Cloud services. You can identify whether you are a user of

How do we apply GDPR to Unify Cloud Services?

  • First, Unify Cloud Services are meant for businesses, to allow employees, suppliers, partners and customers to communicate and collaborate with each other. As a result, not only you, but also the business which gives you access to Unify Cloud Services has rights with regard to the Personal Data processed by Unify Cloud Services.
  • Secondly, Unify Cloud Services are delivered from one SW system via the Internet to 1000s of customers, or “Tenants” (meaning the legal entity you are an employee of and which has contracted for Unify Cloud Services), in exactly the same way. Tenants can set certain parameters or activate features in regards to data processing, but it is essentially the same for all tenants.
  • Unify applies GDPR to both the EU and the US instances of Unify Cloud Services.

1 Controller – GDPR (articles 13.1a / 14.1a)

The Controller is directly accountable to you for the protection of your Personal Data. Among other responsibilities, the Controller, according to the GDPR,

  1. Defines the purpose of processing of your Personal Data
  2. Defines the means of processing of your Personal Data
  3. Is responsible for the Accuracy, Quality, Legality and Reliability of Personal Data
  4. Provides information to you about your Personal Data and the modalities for the exercise of your rights
  5. Implements measures to secure and protect your Personal Data
  6. Notifies the competent data protection supervisory authority in case of a data breach.

For Cloud services like Unify Cloud Service, neither Unify nor your tenant can be the sole Controller. Instead we have a Joint Controller situation, as defined by the GDPR (article 26).

The responsibility split is as follows

  1. Your Tenant defines the purpose of processing of your Personal Data
  2. Unify defines the means of processing of your Personal Data
  3. Your Tenant is responsible for Accuracy, Quality, Legality, Reliability of Personal Data provided to Unify
  4. Your Tenant provides information to you about your Personal Data
  5. Unify implements measures to secure and protect your Personal Data
  6. Your Tenant notifies the competent data protection supervisory authority in case of a data breach.

The GDPR requires Joint Controllers to sign a contract detailing the split of responsibilities. This document is called a Data Protection Agreement (DPA). You can find it under unify.com/en/legal-information/dpa-for-unify-cloud-services. You also have access to the DPA within Unify Cloud Service (Circuit / About) at any point in time.

The Unify entity identified as a joint Controller with Your Tenant is:

Unify Software and Solutions GmbH & Co. KG
Mies-van-der-Rohe-Strasse 6
80807 Munich, Germany,

hereunder “Unify” or “we”.

The second joint Controller is your Tenant. Your Tenant is contractually obligated by the DPA to give you access to this document and to provide you with all the information that falls within its area of responsibility, that it has to provide to you to comply with its obligations under the GDPR, and that we are not able to provide to you: for example the purpose of processing (i), i.e. what the Tenant wants to use Unify Cloud Services for.

2 Data Protection Officer – GDPR (articles 13.1b / 14.1b)

Unify has appointed a Data Protection Officer (“DPO”). You can reach the DPO at the following email address:
dp.it-solutions@atos.net

Depending on the size of the business your Tenant might also have a Data Protection Officer. You have the right to get the contact details from your Tenant.

3 Purpose and Legal Basis for Processing – GDPR (articles 13.1c,d / 14.1c / 14.2b)

You have the right to understand the purpose and legal basis for the processing of your Personal Data in Unify Cloud Services. This is however the responsibility of your Tenant, as explained in section 1. Your Tenant has the obligation to provide you with this information. This will also determine which rights your Tenant claims in the data you enter into OpenScape Cloud Services, e.g. in the form of work results of employees.

4 Categories of Personal Data – GDPR (articles 14.1d, 14.2(f))

Your Personal Data processed by Unify Cloud Services fall under the following categories:

  • Profile Data: Personal data you create about yourself or that are assigned to you by your tenant, in particular name, password, email address, photo, phone numbers, access rights (user vs tenant administrator).
  • Activity Data: Personal data collected by Unify Cloud Services from your use of the services, in particular call journal data, content deletion or change records or data relating to service usage (e.g. used end-points). These data are collected to provide Call Journal functionalities and transparency to conversation members of Unify Cloud Services on who did what in a conversation, and for troubleshooting purposes. These data are also used in strictly anonymized form for usage, adoption, and user experience statistics and reports.
  • Transient and Session Data: Personal Data which are collected but not stored on Unify Cloud Services (such as presence or location information) or which are tied to a log-on session on Unify Cloud Services (e.g. IP addresses). Location information is obtained from your browser or device if activated.

Notes:

a) Conversation Data, i.e. postings, uploaded documents, and recordings you leave on Unify Cloud Services, are generally not considered by Unify to be your personal data, but data for which your tenant has a certain degree of ownership. Please discuss possible concerns with your tenant.

b) Private Address Books may contain Personal Data of your personal contacts. Such Private Address Books are not stored and processed by Unify Cloud Services but reside in your phone. In general, all data you enter in your phone are controlled by yourself and are not subject to data protection by Unify Cloud Services.

c) Statistics and Reporting Data which Unify produces regularly from Activity Data and shares with tenants are strictly anonymized. You should be aware that tenants may ask for non-anonymized reports, which Unify may provide under certain circumstances. Responsibility for the usage of such reports and their compliance with GDPR, other laws, or applicable business policies lies entirely with the tenant. We recommend inquiring with your Tenant if such reports were requested from Unify or used, but you may also inquire with Unify.

d) Please be aware that if you post information about a third person this might involve Personal Data of that person. Unify Cloud Services cannot recognize such information as Personal Data. We therefore have to exclude such data from our co-controller responsibilities. Please discuss such use cases with your tenant administrator or your DPO.

e) A conversation with users from multiple tenancies belongs to the tenancy of the user who created the conversation in the first place. You can find that user (“Creator”) under Conversation Details and view that user’s profile.

f) If you join a conversation in a foreign tenant as a cross-tenancy user, your profile data will be shown in that foreign tenant, but remains stored in your home tenancy (the one that gives you access to Unify Cloud Services). Activity Data which are collected by your activities in the foreign tenant are stored in that foreign tenancy and are under the Co-Control of the foreign tenant.

5 Recipients of Personal Data – GDPR (articles 13.1e / 14.1e)

Data you enter into OpenScape Cloud Services including your Personal Data might be shared with third parties. You have the right to be informed about that:

Unify Cloud Services are all about communication and collaboration between its users, so it naturally shares information among users. Your Personal Data are disclosed to other users in your tenancy, and if you join upon invitation a conversation in a foreign tenancy as a cross-tenancy guest, your Personal Data will be disclosed to the members of that conversation unless you disable profile sharing with users of foreign tenancies (externals) under Circuit / Settings. Your Tenant Administrator can enable and disable that setting.

Your Profile Data will also be shared with your Tenant Administrators on Unify Cloud Services.

Unify will only share your Personal Data with approved internal or external sub-contractors for the purpose of delivering the service and supporting you as a user. Sub-contractors are listed in section 6.

Unify Cloud Services however have features which, when activated by the tenant administrator or by users, disclose Personal Data, for example

  • Your Tenant might assign tenant administration privileges to the reseller the business purchased the cloud service from
  • You might be invited to conversations in foreign tenancies of Unify Cloud Services as a cross-tenancy guest
  • Unify Cloud Services might be federated with other cloud services or connected to your tenant's VoIP system, which will transmit some of your personal data. For more details see section 5.1 below on Cloud Service Integration.

We only provide the technical features. You or Your tenant administrator activate these features and must be aware of which Personal Data will be disclosed and to whom and under which circumstances.

5.1 Out-of-the-Box Cloud Service Integration

For a number of popular cloud services, Unify offers an out-of-the-box integration with Circuit, which does not require any customization. This section describes how Personal Data are exchanged between Circuit and these cloud services:

Zapier

Cloud Service: Zapier
Provider: Zapier Inc.
Account required: User Account
URL: zapier.com
Integration Authorization: by Tenant Administrator
Integration Activation: by User
Link to Data Protection Statements: https://zapier.com/privacy/
Flow of Personal Data: Zapier is a workflow integration tool which allows connecting different apps to workflows. With the Circuit-Zapier integration, Circuit users can set up Circuit as a “trigger” for so-called “zaps”. In that mode, Circuit content (such as messages, message author names) can be pushed to third-party apps which are connected with Circuit in a workflow. Where the data is sent is outside of Circuit’s control. With the Circuit-Zapier integration, users can also publish content from other cloud apps to Circuit. When this is done, Circuit only stores the content sent (and published to it). This content can be edited at any time within Circuit. No other data about the source of the content or credentials on external services is stored.

OAuth-based integrations such as Jenkins, Jira, Salesforce

Cloud Service:
  • Jenkins
  • Jira
  • Salesforce, …
Provider:
  • jenkins.io
  • Atlassian Corporation Llc
  • salesforce.com Inc.
Account required: User Account
URL:
  • jenkins.io
  • atlassian.com
  • salesforce.com
Integration Authorization: by Tenant Administrator
Integration Activation: by User
Link to Data Protection Statements:
Flow of Personal Data: OAuth is an open standard for access delegation which allows cloud services like Circuit to obtain access to other cloud services. For all OAuth-based integrations, the authentication is performed by the user on the third-party cloud service provider (Jira, Jenkins, …). Circuit neither transmits nor stores the login / password of the user for that third-party service. The only information Circuit holds is the access token for that user for that service. This token can be revoked by the user at any time, in his account management on the third-party service platform. Information can then be pushed to Circuit from the other cloud platform; Circuit will store this information in the posted messages. These messages can be edited by the user at any time.

Cloud Storage Integration: Google Drive / Microsoft OneDrive / Box

Cloud Service:
  • Google Drive
  • Microsoft OneDrive
  • Box
Provider:
  • Google Inc.
  • Microsoft Inc.
  • Box Inc.
Account required: User Account
URL:
Integration Authorization: by Tenant Administrator
Integration Activation: by User
Link to Data Protection Statements:
Flow of Personal Data: Circuit does not store any of your data on Google Drive. Conversely, Google Drive does not obtain Personal Data (see Section 4) from Circuit. When you authenticate on Google Drive from within Circuit, you authenticate directly against Google Drive. Circuit does not process or store your login / password. Google Drive returns to Circuit an access token which is stored in Circuit alongside your user data. The access token can be revoked by you at any time (from the Google Drive account management). When you use the integration to browse your Google Drive, Circuit neither stores nor caches the file list of your drive. When you share a file from your Google Drive using the integration, Circuit does not download, read or index the file. However, Circuit uses the Google API to make the file public and shares that link and the filename in the Circuit message. You may edit your message to remove the name and link to your file at any time.

6 Sub-Contractors and Transfers of Personal Data to Third Countries – GDPR (articles 13.1f / 14.1f)

Name | Address | Scope of Processing
IBM Deutschland GmbH | IBM-Allee 1, 71139 Ehringen, Germany | Data Center Services
Google Ireland Limited | Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland | Data Center Services
Atos IT Solutions and Services EOOD | Business park Sofia 1 / building 1B, Mladost IV, 1766 Sofia, Bulgaria | Technical Support Services
Atos IT Solutions and Services srl Calea Floreasca nr.169A, Et. 2