Processing of Personal Information

Processing of Personal Data in Centralized Unify Business processes

Unify provides Unified Communication and Collaboration products and services directly or via accredited Partners to End -customers and their End-users. There are a number of centralized processes in our B2B relationships, where some of the data processed by Unify is Personal Data (“Personal Data” is defined as any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity).

We have categorized such processing in the following 6 processing streams

Unify Cloud Services
Unify Cloud Services Sign-ups and Commercial Processing
Unify Commercial Processing (Book-to-Bill) (except for Cloud)
Unify Supply Chain Processes
Unify Resale and Co-Delivery Services
Unify Marketing Data

As a customer or accredited Sales Partner, you might additionally be involved in processes of Unify or Atos local entities. The processes which we relate to on these webpages are centrally provided by Unify Software and Solutions GmbH & Co. KG.

For each process stream we have identified categories of individuals of whom Personal Date are processed (Data Subjects)

Data Subject Categories	Description	Affected by Process Streams
Cloud Services Users	Registered guest users of Unify Cloud Services	Unify Cloud Services
Customer Contacts / Sales Partner Contact	Individuals which serve as contact person commercial transactions, services and projects etc. at the Customer or accredited Partner	Unify Cloud Services Sign-up and Commercial Processing Commercial Processing except for cloud)
Billing Contacts	Individuals serving as contacts for invoicing or payment follow-up	Unify Cloud Services Sign-up and Commercial Processing Commercial Processing except for cloud
Partner Tool Users	Individuals who obtain access to tools Unify provides to partners for commercial processing or service delivery	Unify Cloud Services Sign-up and Commercial Processing Commercial Processing except for cloud Resale and Co-delivery Services
Unify Product User	Individuals, who use Unify products and Solutions	Supply Chain Processes Resale and Co-delivery Services

It might well be possible that you fall under both categories of addressees as you might be a user and a contact person at the same time.

The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behaviour that takes place within the EU.

Link to GDPR: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

We are delighted to provide you with this general overview and structure on which Personal Data are being processed, why and how we process Personal data at Unify. If you would like to understand in more details, how this is done in the various Unify processes areas, we are providing you with details in each of the process streams listed above.

For each of the processing streams described above we provide on this web-page a detailed Information of Processing (IoP) document. In general, our offerings are meant for Business – to – Business relationships, to enable sales partners and customers to work with Unify on a daily basis to exercise transactional processes. As a result, not only you, but also the business [Your Company] which gives you access to Unify Processes and Services has rights and obligations in regards to the Personal Data processed by Unify.

On this introductory page, we will show you in which section you can find the relevant information for you when looking at the more detailed Process and Services Websites, like an overview, so you can find your way around much easier.

1 Controller – GDPR (article 13.1a / 14.1a)

The Controller is directly accountable to you for the protection of your Personal Data in the sense of the GDPR. Among other responsibilities, the Controller

Defines the purpose of processing of your personal data
Defines the means of processing of your personal data
Is Responsible for the accuracy of Personal Data provided
Is Responsible for informing you about the processing of your Personal Data and the modalities for the exercise of your rights
Implements measures to secure and protect of your Personal Data
Notifies the competent data protection supervisory authority in case of a data breach.

For some processes and services like Unify Cloud Service, Resale and Co-Delivery Services or other off-the – shelf processes, neither Unify nor Your Company can be the sole Controller. Instead we have a Co-Controller situation, which is defined by the GDPR article 26 (joint Controller).

The GDPR requires Co-Controllers to sign an agreement on how to jointly execute controller responsibilities. The responsibility split is described in the respective sections of this Webpage as well as the relevant Data Processing Agreement (DPA). Companies like Your Company, working with Unify in these areas are asked to sign the respective Data Processing Agreement via a click – and- accept mechanism. Unify assumes in addition the role of Processor, meaning the entity that Processes Personal Data on behalf of Customer as contemplated in the respective Agreements and the DPA.

One of the co-controller is always

Unify Software and Solutions GmbH & Co. KG
Otto-Hahn-Ring 6
81739 München,

hereunder “Unify” or “we”.

The other Co-controller is Your Company.

2 Data Protection Officer – GDPR (article 13.1b / 14.1b)

Unify has appointed a Data Protection Officer (DPO) who has reviewed transactional processing in regards to data protection. You can reach the data protection officer under the following email address: dp.it-solutions@atos.net

3 Purpose and Legal Basis for Processing – GDPR (article 13.1c,d / 14.1c / 14.2b)

Depending on the co-controller model for the respective processing stream It is either Unify or Your Company which explains to you the purpose of processing and the legal basis for it.

4 Categories of Personal Data – GDPR (article 14.1d, 14.2(f))

In this section we explain to you what categories of Personal Data are affected by the process stream. The precise meaning of these categories depend on the respective processing stream.

5 Recipients of Personal Data – GDPR (article 13.1e / 14.1e)

Data entered into Unify processes including your Personal Data might be shared with other Data Subjects, within Unify and the wider Atos group or with third parties in order to execute our daily business. For example, when you work with one of our valued accredited Partners. Of course, you have the right to be informed about this and you will find this information in section 5 of each Information of Processing (IoP) document.

6 Sub-Contractors and Transfers or Personal Data to Third Countries and Storage Locations– GDPR (articles 13.1f / 14.1f)

Please see the respective sections, so you know which subcontractors and storage locations support Unify in which processes and services in our joint day to day business.

Please note that Unify belongs to the Atos group. Subcontractors within the Atos group (Unify, Cycos, Atos companies) are subject to Atos Binding Corporate Rules (see https://atos.net/content/dam/global/documents/atos-binding-corporate-rules.pdf) and EU Mandatory Clauses.

7 Data Retention – GDPR (articles 13.2a / 14.2a)

For legal reasons, information on contracts, commercial transactions as well as compliance information of Contact Persons including has to be retained for 10 years after the transaction or the end of the contract. Therefore Unify deletes Data at latest at the end of the 10th year after the last year in which the contract ends.

On other processes, such as system traces pulled in the case of a service delivery for example, we delete your personal data 90 days after the ticket has been closed. As there are different timelines around these retention periods, please consult the respective process section (IoP).

8 Your Rights as a Data Subject and How to Exercise Them

The GDPR gives you powerful rights in regards to your Personal Data. You can exercise your rights, i.e. place your requests with Your Company or with Unify. In the latter case, since your company in general gave you access to Unify processes and services and defines the purpose of its usage, we generally engage with the your Company before executing a request. We therefore recommend that you place your request with your Company, who can give you a profound answer on your requests from the perspective of your business.

If you have any queries about our GDPR activities, then please be so kind and complete the online form.

The information below is an overview for your convenience. Please see the relevant process section for more details where required.

Right of Access to Personal Data – GDPR (article 15)
Right to Rectification Personal Data – GDPR (article 16)
Right for Erasure of Personal Data – GDPR (article 17
Right to Restrict Processing – GDPR (article 18)
Right to Object Processing – GDPR (article 21)
Right to Withdraw Your Consent – GDPR (articles 7.3 / 13.2c / 14.2d)
Right to Data Portability – GDPR (article 20)
Right to lodge a complaint with a Data Protection Authority – GDPR (articles 13.2d / 14.2d / 77)

9 Is it a Statutory or Contractual Requirement to Provide Personal Data ? –GDPR (article 13.2(e))

The answer to this question depends on on the category of Data Subject you are and the respective Data Processing stream.
As an accredited Sales Partner or End-customer of Unify, you must be identifiable to Unify in order for us to fulfill our contractual obligations with you, whether you are a Partner of Unify or an End-customer.

10 Automated Decision Making

Please see respective Process Information page (IoP)

Cloud Services

Unify Cloud Services

Information on Processing of Personal Data for Users

Effective November 21, 2019

If you are, or plan to become, a user of Unify Cloud Services, such as Circuit or OpenScape Cloud, this document is meant for you! Some of the data processed by Unify Cloud Services are your Personal Data (“Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. (‘Data Subject’);

The processing of your Personal Data is protected by the Applicable Data Protection Law, which shall mean the laws and regulations relating to the processing and protection of Personal Data applicable in the country where Unify is established. In particular, Applicable Law means (a) EU Regulation 2016/679 (General Data Protection Regulation; ‘GDPR’) (b) Member State laws or regulations relating to the processing and protection of Personal Data implementing or complementing GDPR; and (c) any other applicable laws or regulations relating to the processing and protection of Personal Data.

Unify operates multiple Cloud services. You can identify whether you are a user of

The EU instance by the URL https://eu.yourcircuit.com.
The US instance by the URL https://na.yourcircuit.com.

How do we apply GDPR to Unify Cloud Services?

First, Unify Cloud Services are meant for businesses, to allow employees, suppliers, partners and customers to communicate and collaborate with each other. As a result, not only you, but also the business which gives you access to Unify Cloud Services has rights with regard to the Personal Data processed by Unify Cloud Services.
Secondly, Unify Cloud Services are delivered from one SW system via the Internet to 1000s of customers, or “Tenants” (meaning the legal entity you are an employee of and which has contracted for Unify Cloud Services), in exactly the same way. Tenants can set certain parameters or activate features in regards to data processing, but it is essentially the same for all tenants.
Unify applies GDPR to both, the EU and the US instances of Unify Cloud Services

1 Controller – GDPR (articles 13.1a / 14.1a)

The Controller is directly accountable to you for the protection of your Personal Data. Among other responsibilities, the Controller, according to the GDPR,

Defines the purpose of processing of your Personal Data
Defines the means of processing of your Personal Data
Responsible for Accuracy, Quality, Legality, Reliability of Personal Data
Provides information to you about your Personal Data and the modalities for the exercise of their rights
Implements measures to secure and protect of your Personal Data
Notifies the competent data protection supervisory authority in case of a data breach.

For Cloud services like Unify Cloud Service, neither Unify nor your tenant can be the sole Controller. Instead we have a Joint Controller situation, as defined by the GDPR (article 26).

The responsibility split is as follows

Your Tenant defines the purpose of processing of your Personal Data
Unify defines the means of processing of your Personal Data
Your Tenant is responsible for Accuracy, Quality, Legality, Reliability of Personal Data provided to Unify
Your Tenant provides information to you about your Personal Data
Unify implements measures to secure and protect of your Personal Data
Your Tenant notifies the competent data protection supervisory authority in case of a data breach.

The GDPR requires Joint Controllers to sign a contract detailing the split of responsibilities. This document is called a Data Protection Agreement (DPA). You can find it under unify.com/en/legal-information/dpa-for-unify-cloud-services. You also have access to the DPA within Unify Cloud Service (Circuit / About) at any point in time.

The Unify entity identified as a joint Controller with Your Tenant is:

Unify Software and Solutions GmbH & Co. KG
Otto-Hahn-Ring 6
81739 München,

hereunder “Unify” or “we”.

The second joint Controller is your Tenant. Your tenant is contractually obligated by the DPA to give you access to this document and to provide you will all the information that in its area of responsibilities it has to provide to you to comply with its obligations under the GDPR and which information we are not able to provide to you: for example the purpose of processing (i), i.e. what the Tenant wants to use Unify Cloud Services for.

2 Data Protection Officer – GDPR (articles 13.1b / 14.1b)

Unify has appointed a Data Protection Officer (“DPO”). You can reach the DPO at the following email address:
dp.it-solutions@atos.net

Depending on the size of the business your Tenant might also have a Data Protection Officer. You have the right to get the contact details from your Tenant.

3 Purpose and Legal Basis for Processing – GDPR (articles 13.1c,d / 14.1c / 14.2b)

You have the right to understand the purpose and legal basis for the processing of your Personal Data in Unify Cloud Services. This is however the responsibility of your Tenant, as explained in section 1. Your Tenant has the obligation to provide You with this information. This will also determine which rights your Tenant claims in the data you enter into OpenScape Cloud Services, e.g. in form or work results of employees.

4 Categories of Personal Data – GDPR (articles 14.1d, 14.2(f))

Your Personal Data processed by Unify Cloud Services fall under the following categories:

Profile Data: Personal data you create about yourself or are assigned to you by your tenant, in particular name, password, email address, photo, phone numbers, access rights (user vs tenant administrator).
Activity Data: Personal data collected by Unify Cloud Services from your use of the services, in particular call journal data, content deletion or change records or data relating to service usage (e.g. used end-points). These data are collected to provide Call Journal functionalities and transparency to conversation members of Unify Cloud Services on who did what in a conversation, and for troubleshooting purposes. These data are also used in strictly anonymized form for usage, adoption, and user experience statistics and reports.
Transient and Session Data: Personal Data which are collected but not stored on Unify Cloud Services (such as presence or location information) or which are tied to a log-on session on Unify Cloud Services (e.g. IP addresses). Location information is obtained from your browser or device if activated.

Notes:

a) Conversation Data, i.e. postings, uploaded documents, and recordings you leave on Unify Cloud Services are generally not considered by Unify to be your personal data, but data for which your tenant has a certain degree of ownership. Please discuss possible concerns with your tenant

b) Private Address Books may contain Personal Data of your personal contacts. Such Private Address Books are not stored and processed by Unify Cloud Services but reside in your phone. In general, all data you enter in your phone are controlled by yourself and are not subject to data protection by Unify Cloud Services

c) Statistics and Reporting Data which Unify produces regularly from Activity Data and shares with tenants are strictly anonymized. You should be aware that tenants may ask for non-anonymized reports, which Unify may provide under certain circumstances. The usage of such reports and they compliance which GDPR, other laws, or applicable policies of business is entirely with the tenant. We recommend inquiring with your Tenant if such reports were requested from Unify or used, but you may also inquire with Unify.

d) Please be aware that if you post information about a third person this might involve Personal Data of that person. Unify Cloud Services cannot recognize such information as Personal Data. We therefore have to exclude such data from our co-controller responsibilities. Please discuss such use cases with your tenant administrator or your DPO.

e) A conversation with users from multiple tenancies belongs to the tenancy the user is from who created the conversation in the first place. You can find that user (“Creator”) under Conversation Details and view that user’s profile.

f) If you join a conversation in a foreign tenant as a cross-tenancy user, your profile data will be shown in that foreign tenant, but remains stored in your home tenancy (the one that gives you access to Unify Cloud Services). Activity Data which are collected by your activities in the foreign tenant are stored in that foreign tenancy and are under the Co-Control of the foreign tenant.

5 Recipients of Personal Data – GDPR (articles 13.1e / 14.1e)

Data you enter into OpenScape Cloud Services including your Personal Data might be shared with third parties. You have the right to be informed about that:

Unify Cloud Services are all about communication and collaboration between its users. So it naturally shares information among users. Your Personal Data are disclosed to other users in your tenancy, and if you join upon invitation a conversation in a foreign tenancy as a cross-tenancy guest, your Personal Data will be disclosed to the members of that conversation unless you disable profile sharing with users of foreign tenancies (externals) under Circuit / Settings., Your Tenant Administrator can enable and disable that setting.

Your Profile Data will also be shared with your Tenant Administrators on Unify Cloud Services.

Unify will only share your Personal Data with approved internal or external sub-contractors for the purpose of delivering the service and supporting you as a user. Sub-contractors are listed in section 6.

Unify Cloud Services however have features which, when activated by the tenant administrator or by users, disclose Personal Data, for example

Your Tenant might assign tenant administration privileges to the reseller the business purchased the cloud service from
You might be invited to conversations in foreign tenancies of Unify Cloud Services as a cross-tenancy guest
Unify Cloud Services might be federated with other cloud services or connected to your tenants VoIP system which will transmit some of your personal data. For more details see section 5.1 below on Cloud Service Integration

We only provide the technical features. You or Your tenant administrator activate these features and must be aware of which Personal Data will be disclosed and to whom and under which circumstances.

5.1 Out-of-the-Box Cloud Service Integration

For a number of popular cloud services, Unify offers an out-of-the-box integration with Circuit, which does not require any customization. This section describes how Personal Data are exchanged between Circuit and these cloud services:

Zapier

Cloud Service	Zapier	Flow of Personal Data
Provider	Zapier Inc.	Zapier is a workflow integration tool which allows connecting different apps to workflows. With the Circuit-Zapier integration, Circuit users can set-up Circuit as “trigger” for so-called “zaps”. In that mode, Circuit content (such as messages, message author names) can be pushed to third apps which are connected with Circuit in a work flow. Where the data is sent to is outside of Circuit’s control. With the Circuit-Zapier integration, users can also publish content from other cloud apps to Circuit. When this is done, Circuit only stores the content sent (and published to it). This content can be edited at any time within Circuit. No other data about the source of the content or credentials on external services is stored.
Account required	User Account
URL	zapier.com
Integration Authorization	by Tenant Administrator
Integration Activation	by User
Link to Data Protection Statements		https://zapier.com/privacy/

Oauth based integrations such as Jenkins , Jira, Salesforce

Cloud Service	Jenkins Jira, Salesforce,…	Flow of Personal Data
Provider	jenkins.io Atlassian Corporation Llc salesforce.com Inc.	Oauth is an open standard for access delegation which allows cloud services like Circuit to obtain access to other cloud services. For all Oauth based integrations, the authentication is performed by the user on the third-party cloud service provider (Jira, Jenkins, …) Circuit does not transmit nor stores the login / password of the user for that third party service. The only information Circuit holds is the access token for that user for that service. This token can be revoked by the user at any time, in his account management on the third party service platform. Information can then be pushed to Circuit from the other cloud platform, Circuit will store this information in the posted messages. These messages can be edited by the user at any time.
Account required	User Account
URL	jenkins.io atlassian.com salesforce.com
Integration Authorization	by Tenant Administrator
Integration Activation	by User
Link to Data Protection Statements		jenkins.io/security/

Cloud Storage Integration: Google Drive / Microsoft OneDrive / Box

Cloud Service	Google Drive Microsoft OneDrive Box	Flow of Personal Data
Provider	Google Inc. Mircosoft Inc. Box Inc.	Circuit does not store any of your data on Google Drive. Conversely, Google Drive does not obtain Personal Data (see Section 4) from Circuit. When you authenticate on Google Drive from within Circuit, you authenticate directly against Google Drive. Circuit does not process or store your login / password. Google Drive returns to Circuit an access token which is stored in Circuit alongside your user data. The Access Token can be revoked by you at any time (from the Google Drive account management). When you use the integration to browse your Google Drive, Circuit does not store nor caches the file list of your drive. When you share a file from your Google Drive using the integration, Circuit does not download, nor read or index the file. However, Circuit uses the Google API to make the file public and shares that link and the filename in the Circuit message. You may edit your message to remove the name and link to your file at any time.
Account required	User Account
URL	drive.google.com onedrive.live.com box.com
Integration Authorization	by Tenant Administrator
Integration Activation	by User
Link to Data Protection Statements		policies.google.com/privacy privacy.microsoft.com/en-us/privacystatement www.box.com/en-gb/legal/privacypolicy

6 Sub-Contractors and Transfers or Personal Data to Third Countries – GDPR (articles 13.1f / 14.1f)

Name	Address	Scope of Processing
Google Ireland Limited	Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland	Data Center Services
Atos IT Solutions and Services EOOD	Business park Sofia 1 / building 1B, Mladost IV, 1766 Sofia, Bulgaria	Technical Support Services
Atos IT Solutions and Services srl	Calea Floreasca nr.169A, Et. 2, Sector 1014459 Bucureşti, Romania	Technical Support Services
Unify Communications S.A.	Paseo Doce Estrellas, 2. CP, 28042 Madrid, Spain	Technical Support Services
Unify Communications and Collaboration GmbH & Co. KG	Otto-Hahn-Ring 6 81739 München	Technical Support Services
Unify Enteprise Communications A.E	455 Irakliou Ave, Iraklio, 14122 Athens, Greece	Technical Support Services
Atos IT&Telecommunications Services SA	455 Irakliou Ave, Iraklio, 14122 Athens, Greece	Technical Support Services
Cycos AG Niederlassung Alsdorf	Joseph-von-Fraunhofer-Str. 7, 52477 Alsdorf, Germany	Technical Support Services
Atos IT Solutions and Services Inc.	1630 Corporate Court, 75038 Irving, TX, U.S.A	Technical Support Services
Unify Inc.	2650 N. Military Trail, Suites 100 and 250, 33431 Boca Raton, U,S.A	Technical Support Services
Unify – Soluções em Tecnologia da Informação Ltda	Rua Werner Siemens, 111, Prédio 20 05069-010 – Lapa – São Paulo – SP – Brazil	Technical Support Services
Atos India Private Limited	10th Floor, Tower-B, Hcc-247 Park, Lal Bahadur Shastri Marg, Vikhroli (W), Mumbai 400083 Maharashtra, India	Technical Support Services

Note that technical support services can be provided by Atos Group Companies located in India, United States of America, or Brazil to support different languages and time-zones. Unify belongs to the Atos group. Subcontractors within the Atos group (Unify, Cycos, Atos companies) are subject to Atos Binding Corporate Rules (see https://atos.net/content/dam/global/documents/atos-binding-corporate-rules.pdf) and EU Mandatory Clauses.

Storage Locations:

Storage Locations	Provider
OS Cloud EU Instance & Circuit EU Instance (https://eu.yourcircuit.com)
Saint Ghislain, Belgium Frankfurt a. M., Germany	Google Ireland Google Ireland
OS Cloud US Instance & Circuit US Instance (https://na.yourcircuit.com)
Council Bluffs, Iowa, US Berkeley County, South Carolina, US	Google Ireland Google Ireland

Notes:

a) Unify Cloud Services tenancies are provisioned either on the EU instance or the US instance You can verify the instance by the URL you use to access Unify Cloud Services

b) Tenancies of EU tenants are generally provisioned on the EU instance, unless requested otherwise by the tenant

c) Both instances are completely separated; there is no data flow between them.

d) For the EU instance a local media and access node is deployed in the Sydney (Australia) data center contracted from Google Ireland, which gives access to users in the Asia-Pacific region and local conferencing capabilities. There is no persistent storage or personal data in this data center

7 Data Retention – GDPR (articles 13.2a / 14.2a)

Retention of Personal Data, and the deletion of Personal Data, is managed in Unify Cloud Services on three levels

Retention managed by Unify
Retention managed by Tenant
Retention you can manage

7.1 Data Retention Managed by Unify

We don’t delete data of Unify Cloud Services tenants on our own as long as the Cloud services agreement with the Tenant is in effect. Upon termination of the Unify Cloud Services agreement with your tenant, we delete all tenancy data at the end of the month following the effectiveness of the termination. As an example: if we receive a termination notice from the tenant or a reseller on April 14 with a notice period of three (3) months the termination goes into effect on July 15. At this point all access to the tenancy is suspended. We retain the tenancy with its data until end of August, in case the tenant wants to reverse cancellation or download data.

After this retention period after termination all tenancy data are deleted from the production system of Unify Cloud Services. They are still available in the automatic data-base back-ups we take to ensure high service availability. Back-ups still containing data of the terminated tenancy are finally deleted after 4 weeks. At this point tenancy data including your Personal Data are irreversibly deleted.

Profile, Activity, Transient and Session Data are included in client logs, which your Unify Cloud Services Client Software will collect if you use the “Report an Issue” feature on Unify Cloud Service Circuit. This data is transmitted to technical support centers of Unify Cloud Services listed in section 5 to allow support staff to conduct trouble shooting of the issue you reported. Such log data have a retention period of 6 months. Logging and tracing data which may be provided to software suppliers are anonymized.

Notes:

a) Termination notice period and retention after termination might be different for specific customer arrangements. Please inquire with your tenant if there are different arrangements agreed with Unify.

b) Conversation and Activity Data you leave as a cross-tenancy guest in foreign tenancies are not affected by the termination of your Tenant (i.e. the one that gives you access to Circuit), but are still controlled by the foreign tenant. Please inquire with the foreign tenant on deletion.

7.2 Data Retention Managed by Tenant

Unify Cloud Services allow tenants to set a specific retention period (e.g. 24 months) for conversation data, i.e. postings, uploaded documents or recordings, counting from the day the data were entered by the user. Data which have aged beyond that retention period are automatically deleted with a 4 weeks delay for deletion in back-ups. This retention mechanism affects all users of the tenant.

If the Tenant removes you as a user of Unify Cloud Services, e.g. because you are leaving the company, the following will happen:

Your Profile Data (see section 4) are deleted, except for your name
Your Conversation Data (see section 4) are not deleted, nor are your Activity data, and they are still related to your name. We honor the right of Tenants in these data, since they might be important and valuable work results of your work for the business.
For 4 weeks after deletion from the production data base deleted data will remain available in back-ups.

The tenant has however the following additional option (again with 4 weeks delay in back-ups):

The tenant administrator can anonymize your name (or request anonymization from Unify) by a code name, while still retaining your Conversation Data, which are then not shown under your name any more but the code name.

The decision, which deletion method to apply, is with the Tenant. Please contact the tenant administrator or your DPO for questions.

Notes:

Session Data are only stored as long as the session is active. Transient Data are not stored at all.

Conversation and Activity Data you leave as a cross-tenancy guest in foreign tenancies are not affected by data retention managed by your home tenant (i.e. the one that gives you access to Circuit), but by the foreign tenant Please inquire with the foreign tenant on deletion

7.3 Data Retention You Can Manage

Unify Cloud Services give the following options to you as a user

You can delete most of your Profile Data. If a data field cannot be deleted then it is because the data field was provisioned and is controlled by the tenant. Please inquire with your tenant about deletion.
You can delete Conversation Data, but be advised that, if you do so, it creates an Activity log on the conversation that you deleted the post. This is because you shared your post with conversation members, and they should be able to know that you deleted the post.
You can disable transient data, such as location and presence

What you cannot delete

Your name from your conversation data, since this would affect other conversation members. However, unless provisioned by the Tenant, you make change your name for anonymization, if required.
Activity Data, since this would also affect other conversation members and our ability to trouble shoot a technical problem which you might report to us
Session Data during the session, since this would destroy the session.

8 Your Rights as a Data Subject and How to Exercise Them

Since your Tenant gives you access to Unify Cloud Services, and defines the purpose of its usage, we generally engage with the Tenant before executing a request. We therefore recommend that you place your request with the Tenant, who can give you an answer on your requests from the perspective of your business and execute most of your requests on the Tenant Administration for Unify Cloud Services. We have reserved the right from our tenants in the Data Processing Agreement that we may, after due consideration of the legal circumstances with the tenant, execute your request automatically, if required.

If you have any queries about our GDPR activities, then please be so kind and complete the online form.

a) Right of Access to Personal Data – GDPR (article 15)
You can access all Personal Data directly on Unify Cloud Services. Your Profile Data are shown under Profile on Unify Cloud Services. For OpenScape Cloud (VoIP) your Circuit name is synchronized to the included with the VoIP back-end systems at Unify and with deployed phones. Your Activity Data are shown in the conversations you were active in, including the phone call conversation and depending on configuration also on phone devices. If you have been offline and e.g. missed calls this information will be shown on your Unify Cloud Services client.

b) Right to Rectification Personal Data – GDPR (article 16)
You can rectify most of all Profile Data yourself on Unify Cloud Services unless provisioned by your tenant, e.g. from a directory system of your business. Please contact your Tenant for rectification. If Activity, Transient or Session Data are incorrect, it is most likely because of a SW defect. Please use the mechanisms offered by your Tenant of Unify Cloud Services to open a trouble ticket.

c) Right for Erasure of Personal Data – GDPR (article 17)
Please see section 6 on Data Retention on details how to delete (erase) Personal Data. We recommend placing a request with your Tenant, but you can also place the request with Unify, in which case we would follow up with your tenant.

d) Right to Restrict Processing – GDPR (article 18)
Under specific circumstances, e.g. if you consider processing of your personal data inaccurate, unlawful, or no longer required, or if there is a pending objection from your side to the processing, you have the right to request a restriction of processing. We recommend placing a request with your Tenant, but you can also place the request with Unify, in which case we would follow up with your tenant. In case we restrict processing upon your request the following will happen:

Your Profile Data will be deleted, and your name will be anonymized (service request)
We keep your account in Unify Cloud Services including all conversation data accessible to conversation members, but not any longer under your name. Same with Activity Data
You lose access to your account
You can give your tenant or us instructions on further processing

If you decide to lift the restriction again and resume your account on Unify Cloud Services, your account will be unsuspended. You and your Tenant can re-enter your profile data, your conversation data will appear again under your name.

e) Right to Object Processing – GDPR (article 21)
You have the right to object processing of personal data under certain circumstances related to section 3 of this document (Purpose and Legal Basis for Processing). Since these establishing these criteria are with the tenant we recommend placing a request with your tenant, but you can also place the request with Unify, in which case we would follow up with your tenant.

f) Right to Withdraw Your Consent – GDPR (article 7.3 / 13.2c / 14.2d)
We do not collect consent from you in the sense of GDPR (6-7) as a legal basis for processing your Personal Data. Establishing that legal basis is the responsibility of your Tenant. In case your tenant collects your consent, you would have to withdraw that consent with your Tenant.

g) Right to Data Portability – GDPR (article 20)
You can cut and paste your profile data from Unify Cloud Services. There is no use of porting Activity Data. We do not allow users to download conversation data since we respect the rights your Tenant might have in your Conversation Data. Yet Unify Cloud Services give tenants the option to download the complete data stored in the tenancy or the data of a specific user only. We recommend placing a request with your Tenant, but you can also place the request with Unify, in which case we would follow up with your Tenant.

h) Right to lodge a complaint with a Data Protection Authority – GDPR (article 13.2d / 14.2d / 77)
You have the right to lodge a complaint about the processing described in this document with the data protection authority of your country or of the Federal Republic of Germany.

9 Is it a Statutory or Contractual Requirement to Provide Personal Data ? – GDPR (article 13.2(e))

Yes. As a user of Unify Cloud Services you must be identifiable to Unify and the tenant at least by your name and email address. Depending on the services you need to provide your business phone number. Beyond that Unify has no more requirements for you to provide your personal data, but your tenant might have. Please inquire with your Tenant in case of concerns.

10 Automated Decision Making

There is no automated individual decision making and profiling about you on Unify Cloud Services.

Cloud - Commercial processing

Unify Cloud Services Sign-up and Commercial Processing

Information on Processing of Personal Data for Customer and Billing Contacts

(Effective May 15, 2018)

If you sign-up for Unify Cloud Services as a Customer Contact or serve as a Billing Contact, or if you are a Partner Tool User for Unify Cloud Services, this document is for meant you ! Some of the data processed in the Sign-up and Commercial Processing for Unify Cloud Services are your Personal Data (“Personal Data” is defined as any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity).

Link to GDPR: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

Unify operates multiple cloud services. This document applies to the public instances of Unify Cloud Services. You can identify public instances by the URLs https://eu.yourcircuit.com and https://na.yourcircuit.com.

1 Controller – GDPR (articles 13.1a / 14.1a)

The Controller is directly accountable to you for the protection of your Personal Data in the sense of GDPR. Among other responsibilities, the Controller, according to the GDPR,

Defines the purpose of processing of your Personal Data
Defines the means of processing of your Personal Data
Responsible for Accuracy, Quality, Legality, Reliability of Personal Data
Provides information to you about your Personal Data and the modalities for the exercise of their rights
Implements measures to secure and protect of your Personal Data
Notifies the competent data protection supervisory authority in case of a data breach.

For cloud services like Unify Cloud Service, neither Unify nor the business you represent can be the sole Controller. Instead we have a Joint Controller situation, as defined by the GDPR (article 26).

The responsibility split is as follows

Unify defines the purpose of processing of your Personal Data
Unify defines the means of processing of your Personal Data
Your business is responsible for Accuracy, Quality, Legality, Reliability of Personal Data provided to Unify
Your business is responsible to provide information to you about your Personal Data
Unify implements measures to secure and protect of your Personal Data
Unify is responsible to notify the competent data protection supervisory authority in case of a data breach.

The GDPR requires Joint Controllers to sign a contract on how to jointly execute controller responsibilities. This document is called Data Processing Agreement (DPA). You can find it under https://unify.com/en/data-protection. It is also available to you on Unify Cloud Service at any point in time.

Unify as one of the two Co-Controllers is the following legal entity:

Unify Software and Solutions GmbH & Co. KG
Otto-Hahn-Ring 6
81739 München,

hereunder “Unify” or “we”.

The second Co-Controller is the business you represent. Your business is contractually obligated by the DPA to you give you access to this document and to provide you will all the information we cannot provide you with, since we are not the sole Controller.

Note that you are or will most likely also be a user of Unify Cloud Services, which is a separate processing stream of your Personal Data covered by separate Data Processing Agreement (DPA) (https://unify.com/en/data-protection) you close on behalf of your company with Unify when you sign-up for Unify Cloud Services. This processing stream also has separate Information on Processing (https://unify.com/en/data-protection).

2 Data Protection Officer – GDPR (articles 13.1b / 14.1b)

Unify has appointed a Data Protection Officer (“DPO”) who has reviewed Unify Cloud Services Sign-up and Commercial Processing in regards to data protection. You can reach the DPO under the following email address: dp.it-solutions@atos.net

Depending on the size of the business your Tenant might also have a Data Protection Officer. You have the right to get the contact details from your Tenant.

3 Purpose and Legal Basis for Processing – GDPR (articles 13.1c,d / 14.1c / 14.2b)

If you sign-up for Unify Cloud Services you sign up on behalf of your business, not as an individual. With your sign-up you accept

A Cloud services agreement on behalf of your business with your Unify Cloud Services Provider which may be Unify, a Unify or Atos local legal entity, or a reseller accredited by Unify.
Two Data Processing Agreements (DPA) for Unify Cloud Services on behalf of your business directly with Unify as your Cloud Services Producer: One DPA for the processing of Personal Data of users of Unify Cloud Services and another DPA for Sign-up and Commercial Processing

In that process your business becomes a tenant of Unify Cloud Services with you being the representative of that tenant to Unify. Tenants of Unify Cloud Services must comply with the Terms of Service Production (TOSP) issued by Unify for Unify Cloud Services (https://unify.com/en/data-protection) , and with applicable laws, such as export control regulations. Tenants must not engage in unlawful activities on Unify Cloud Services.

If you obtain access to a partner tool for Unify Cloud Services your business as a Unify-accredited sales partner must have accepted the DPA for Resale and Co-Delivery Services / Commercial Processing (https://unify.com/en/data-protection)

In Sign-up and Commercial Processing for Unify Cloud Services we process your Personal Data for the following purposes:

To be able to contact your business as a tenant of Unify Cloud Services through you (Customer Contacts)
1. in regards to compliance to the TOSP and applicable laws,
2. in case we need to notify your tenant on events or changes to the cloud service
For export control compliance checks (Customer Contact)
For ordering, billing and payment processes in case you decide for a paid subscription and have a direct cloud services agreement with Unify (Customer and Billing Contact)
For reporting your sign-up and commercial transactions in regards to Unify Cloud Services to the Unify or Atos legal entity, or Unify-accredited reseller, if applicable (Customer Contact)
To occasionally collect feedback from you on Unify Cloud Services and point you to additional offerings (Customer Contact)
To give you a unique account on Unify’s Partner Tools for Unify Cloud Services, to manage your access rights, to provide technical support to you, and to provide audit trails where required (Partner Tool User).

The legal basis for this processing are

Legal and regulatory requirements to Unify as a Cloud Service Producer (purpose a) and b)),
Legitimate interest of your Unify Cloud Services Provider to conduct commercial transaction with your business, and to do so in an efficient, transparent and audit proof way (purpose c) and d))
Legitimate interest of Unify and accredited sales partners to support partners in selling Unify Cloud Services and to support customers

4 Categories of Personal Data – GDPR (articles 14.1d, 14.2(f))

Your Personal Data processed by Unify Cloud Services fall under the following categories:

Profile Data: Personal Data you create about yourself or are entered by Customer Contact about you in our Processing frontends (see note a)), such as name, company, phone number, email address, business or billing address, passwords, etc.
Activity Data: Data which are collected in relation to you as you use our frontends for processing (see note a)), such as log-on times, transaction records
Compliance Check Data: Results of legally required compliance checks (Customer Contact)
Payment Card Data: In case you use credit card payment
Session Data: Personal Data are tied to a log-on session on our sign-up and commercial transaction tools (e.g. IP addresses).

Notes:

Processing Front-ends: Unify uses the following front-end pages to process your data:
- Sign-up to Circuit for customers with Unify: circuit.com/register (Customer Contact)
- Sign-up for Circuit for customers of partners: A customized front-end page for each of Unify’s accredited partner (Customer Contact)
- Portal shop: circuit.com/unifyportalshop (Customer Contact, Billing Contact)
- Circuit Statistics: https://stats.circuit.com (Partner Tool User)
We execute legally required compliance checks on Customer Contacts. If you get access to Unify Cloud Services when you sign-up the compliance checks have turned out a negative result (i.e. no compliance concerns). In case these checks turn out a positive result, you will not obtain access to Unify Cloud Services or not be able to perform a commercial transaction.
In case you (Customer or Billing Contact) use Credit Card for payment, your payment card information is exclusively processed by two sub-contractors of Unify listed in section 6 (Zuora, Worldpay), both of which maintain proper PCI DSS certification. Only in case of a technical failure of the automated online payment processing, Unify will process your payment card information manually, for which Unify maintains a Self-assessment PCI DSS Questionnaire A and Attestation of Compliance.

5 Recipients of Personal Data – GDPR (articles 13.1e / 14.1e)

The recipients of your Personal Data are

Unify as your Cloud Services Producer (Order Management, Billing, Sales, Technical Support)
Unify sub-contractors involved in sign-up and commercial processing as listed in section 6
The Unify or Atos legal entity, or the accredited reseller of Unify who you entered into a cloud services agreement with on Unify Cloud Services, i.e. your Unify Cloud Services Provider

6 Sub-Contractors and Transfers or Personal Data to Third Countries – GDPR (articles 13.1f / 14.1f)

Name	Country	Address	Scope of Processing	Data Protection Safeguards
IBM Deutschland GmbH	Germany	IBM-Allee 1, 71139 Ehringen	Data Center Services	EU-US-Privacy Shield
Amber Road Inc.	USA	1 Meadowlands Plaza, East Rutherford, NJ, 07073	Global Trade Management Services	EU-US-Privacy Shield
Zuora Inc.	USA	3050 South Delaware Street, Suite 301, San Mateo, CA 94403	Subscription Account Management and Billing Software Services, including payment capture via credit card	EU Mandatory Clauses, PCI DSS
Worldpay Limited	U.K.	3 Hardman Square, M3 3EB Manchester	Credit Card Payment Provider Services for customers in EU, Norway and Switzerland	GDPR, PCI DSS
Atos Information Technology GmbH	Germany	Otto-Hahn-Ring 6, 81739 Munich, Germany	Data Center Services	Atos Binding Corporate Rules
Unify Service Center EOOD	Bulgaria	Business park Sofia 1 / building 1B, Mladost IV, 1766 Sofia	Order and billing processing	Atos Binding Corporate Rules
TATA Consultancy Services Deutschland GmbH	Germany/India	Messe Turm Friedrich-Ebert-Anlage 49 60308 Frankfurt / Main	Technicalsupport and operation of the Cloud Portal shop	Under Review

The Atos Binding Corporate Rules are available under
https://atos.net/content/dam/global/documents/atos-binding-corporate-rules.pdf

IBM’s Privacy Shield Privacy Policy can be found under: https://www.ibm.com/privacy/details/us/en/privacy_shield.html.

Personal Data are stored in several IT systems which are located in the following data center facilities

Storage Locations	Provider
Amsterdam, Netherlands	IBM Deutschland
Frankfurt a. M., Germany	IBM Deutschland
Washington, DC, U.S	IBM Deutschland
San Mateo, USA	Zuora Inc
Munich, Germany	Unify
Munich, Germany	Atos Information Technology GmbH
Ireland, Germany	Amber Road Inc.

7 Data Retention Period – GDPR (articles 13.2a / 14.2a)

For legal reasons contractual and compliance information on your subscription of Unify Cloud Services including your Personal Data has to be retained for 10 years after the termination of your subscription becomes effective. Your Personal Data will be deleted in December of the calendar year where the legal retention period ends.

8 Your Rights as a Data Subject

You are aware that the GDPR gives you the rights listed below. You can place requests in regards to your Personal Data with Unify either via the Data Protection Officer shown in section 2 or via the following functional email address: GDPR@atos.net

Right to Access Personal Data – GDPR (article 15)
- Customer Contact: Profile, Payment Card, and most Activity Data are accessible to you on Portal shop (section 4, note a)). All other data, including the results of legally required compliance checks can be obtained from Unify upon request (GDPR@atos.net)
- Billing Contact: Profile Data can be obtained from your Customer Contact or upon request from Unify ( dp.it-solutions@atos.net).
- Partner Tool User: Profile Data can be obtained from your Partner Tool Administrator (an employee of your company) or upon request from Unify (ssc-circuitusersupport@atos.net).
Right to Rectify Personal Data – GDPR (article 16)
- Customer and Billing Contacts: You can correct all Personal Data and Payment Card Data you entered at sign-up on Portal shop (section 4, note a)) if you are one of the tenant administrators of your Unify Cloud Services tenancy. If you find a mistake on a transaction record (Activity Data), please let us know via ssc-circuitusersupport@atos.net.
- Partner Tool User: You can correct all Personal Data within the Partner Tool.
Right for Erasure of Personal Data – GDPR (article 17)
- Customer and Billing Contacts :You may chose not to act as Customer or Billing Contact for Unify Cloud Services on behalf of your business any longer and assign a new Customer or Billing Contact on Portal shop (section 4, note a)). Your profile data will then be deleted and replaced by the profile data of the new Customer or Billing Contact. Yet transaction records (Activity Data) will still be shown under your name for transparency reasons until finally deleted at the end of the retention period. Please contact Unify using the contacts described above in case of questions, concerns, or additional request ( dp.it-solutions@atos.net).
- Partner Tool User: You may choose not to act as a customer care representative of your business. Your Profile Data (and access to the Partner Tool) can be removed by your Partner Tool Administrator or upon request to Unify via ssc-circuitusersupport@atos.net.
Right to Restrict Processing – GDPR (article 18)
- Customer and Billing Contacts : Under the GDPR you have, under certain circumstances, the right to restrict processing, e.g. if you consider processing by Unify to be inaccurate, unlawful, or no longer required, or if there is a pending objection from your side to the processing. You can request such restriction with indication of the reason from Unify using the contacts given above. Should the restriction prevent Unify from executing commercial processes (e.g. billing or payment collection) or from providing the Unify Cloud Service in compliance with applicable law, Unify will suspend Unify Cloud Services to you and your business, but this will not free your business from the obligation to pay for the Cloud services. Both parties. Unify and you work faithfully together to resolve the restriction so that processing can resume.
- Partner Tool User: You can request restricted processing from Unify via ssc-circuitusersupport@atos.net. Your accounts on Unify partner tools for Unify Cloud Services will then be temporarily closed, but you ran resume at any time.
Right to Object Processing – GDPR (article 21)
- Customer and Billing Contacts: You have the right to object processing of Personal Data under certain circumstances related to section 3 of this document (Purpose and Legal Basis for Processing). Should the objection prevent Unify from executing commercial processes (e.g. billing or payment collection) or from providing the Unify Cloud Service in compliance with applicable law, Unify will suspend Unify Cloud Services to you and your business, but this will not free your business from the obligation to pay for the cloud services. Both parties. Unify and you work faithfully together to resolve the objection so that processing can resume.
- Partner Tool User: You can object processing at Unify via dp.it-solutions@atos.net. Your accounts on Unify partner tools for Unify Cloud Services will then be temporaily closed, but you ran resume at any time
Right to Withdraw Your Consent– GDPR (articles 7.3 / 13.2c / 14.2d)
We do not collect consent from you in the sense of GDPR (6-7) as a legal basis for processing your Personal Data.
Right to Data Portability – GDPR (article 20)
Since most Profile Data and Payment Card Data are accessible to you at any time (see under a), you can take copies of your Personal Data at any time. Activity and Compliance Check Data can be obtained upon request to the contacts given above. Given the nature of the data we see no actual use case of porting the data to another Controller as intended by the GDPR (article 20)
Right to lodge a complaint with a Data Protection Authority – GDPR (articles 13.2d / 14.2d / 77)
You have the right to lodge a complaint about the processing described in this document with the data protection authority of your country or of the Federal Republic of Germany.

9 Is it a Statutory or Contractual Requirement to Provide Personal Data ? – GDPR (article 13.2(e))

We will not provide Unify Cloud Services to a tenant without valid Customer Contact and we will not maintain a direct billing relationship with a tenant without valid Billing Contact. The reasons are explained in section 3. Having said that, there is no reason why you in particular must be Customer or Billing Contact, and you can assign other representatives of our business as Customer or Billing Contacts.

10 Automated Decision Making

Compliance checks as a legal requirement to give you access to Circuit may be performed by Unify automatically. Any positive results of such automated checks will be reviewed by trained Unify personnel before a decision is made to reject your sign-up or a commercial transaction, if necessary.

Marketing Data

Information on the Processing of Personal Data for Users

Effective as of April 30th 2018

Marketing data can be collected when you visit our website, when you complete an online form, over the telephone, in person, and can include Personal Data (“Personal Data” is defined as any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity).

Link to GDPR: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

The Personal Data you may share with Unify can be

your name and social media accounts (if personal accounts are provided),
Business details such as your work address, country, email, company name, job title, telephone number, existing providers, technology platforms
anonymized automatically generated identifiers such as device types, browser types, operating systems, screen ratios, IP addresses

When you visit one of our websites, download and install one of our apps, visit a building with active beacon technology or participate in a demonstration, we may use tracking identifiers to monitor the performance of these technologies: these are called cookies. These identifiers are normally anonymized except where you provide enriching data that can link the anonymized activity to you. You can disable cookies used in web tracking by blocking them in your browser settings. Every Unify and Atos app will provide detailed information on data collection before use. You can disable beaconing technology such as Bluetooth and NFC in your device settings and, during demonstrations you will be strongly advised to provide pseudononmised information.

1 Controller – GDPR (articles 13.1a / 14.1a)

The Controller is important for you: the controller is directly accountable to you for the protection of your Personal. Among other responsibilities, the Controller

Defines the purpose of processing of your personal data
Defines the means of processing of your personal data

Is responsible for the Accuracy, Quality, Legality, Reliability of Personal Data

Provides information to you about your Personal Data and the modalities for the exercise of your rights
Implements measures to secure and protect your Personal Data
Notifies the competent data protection supervisory authority in case of a data breach.

For Marketing Data, Unify cannot be the sole Controller. Instead we have a Joint Controller situation, as defined by the GDPR (article 26).

The responsibility split is as follows

You define the purpose of processing of your Personal Data
Unify defines the means of processing of your Personal Data

Your are responsible for Accuracy, Quality, Legality, Reliability of Personal Data provided to Unify

Your provide information to us about your Personal Data
Unify implements measures to secure and protect of the Personal Data you provide to us
Unify notifies the competent data protection supervisory authority in case of a data breach.

You can notify the competent data protection supervisory authorities in the case you believe a data breach has occurred.

The GDPR requires Joint Controllers to agree the details on how to jointly execute controller responsibilities. This document is called Data Processing Agreement (DPA). You can find it under https://unify.com/en/data-protection. It is also available to you on The Unify Data Protection Website at any point in time.

Unify as one of the two Co-Controllers is the following legal entity

Unify Software and Solutions GmbH & Co. KG
Otto-Hahn-Ring 6
81739 München

The second Co-Controller is you as described in the responsibility split above.

2 Data Protection Officer – GDPR (articles 13.1b / 14.1b)

Unify has appointed a Data Protection Officer (“DPO”) who has reviewed Marketing Data with regards to Personal Data protection. You can reach the DPO at the following email address: dp.it-solutions@atos.net

3 Purpose and Legal Basis for Processing – GDPR (articles 13.1c,d / 14.1c / 14.2b)

Marketing data is used for the purposes of Marketing Unify and Atos solutions. This marketing can be broadly categorized intotwo distinct buckets.

Traditional Marketing: which can include Magazine Advertisements, Direct mailers, telephone calls, events.
Digital Marketing, which can include Search Engine Optimization, Search Advertisements, Display Advertisements, Social Media Content, Emails, Microsites. We use the marketing contact data that users provide directly to us for the purpose for which it was collected: to send requested content, schedule product demos, respond to questions, or to any other purpose as defined prior to collection. All users must opt in before we use their information for such marketing purposes.

We use marketing data to assess the effectiveness of various marketing initiatives.

We process marketing data based on our legitimate interest in direct marketing of our products and services. We also process marketing data based on consent given by individuals who opt in, where required, to our communications.

5 Recipients of Personal Data – GDPR (articles 13.1e / 14.1e)

We share marketing data with three different groups.

Atos Group Companies. Unify is owned by Atos SE and marketing data may be shared within the Group in order to better serve your interests. You will be asked to Opt-In to marketing from Atos Group Companies.
Unify Partners. To reach global scale Unify uses a network of distribution and resale partners. These partners are accredited to sell, deliver and service Unify products. By opting into Unify Marketing Data, you opt into the sharing of information with your local Unify Partner who will have agreed a Data Processing Agreement with Unify.
Service Providers. Unify uses third party service providers for marketing tooling across the full scope of marketing. Third parties are required to agree to a Data Processing Agreement with Unify. By opting into Unify Marketing Data you opt into sharing your information with these Service providers. Please see below for a list of our Service Providers. In some cases these Third parties may ask you to agree to their own Data Policies.

Unify is Headquartered in Germany and operates Binding Corporate Rules: Unify is part of Atos Group. Atos is the first IT company to have obtained approval of its Binding Corporate Rules (BCRs) by European data protection authorities both as a data controller and a processor. This approval evidences Atos’ commitment to the protection not only of its own data but also that of its clients: all Atos entities provide a very strong level of protection to Personal Data, regardless of their location in the world. The BCR are a commitment whereby the Atos Group Companies undertake to process Personal Data in accordance with a stringent level of protection to Personal Data it processes for its own needs (employee data, etc.) but also for the needs of its customers.

When Personal Data is transferred from within the European Economic Area or Switzerland to an area outside, we will ensure appropriate safeguards, consistent with the EU-US Privacy Shield and the Swiss-US Privacy Shield are followed.

6 Sub-Contractors and Transfers or Personal Data to Third Countries – GDPR (articles 13.1f / 14.1f)

Name	Address	Scope of Processing
Oracle Marketing Cloud – Eloqua	ORACLE Deutschland B.V. & Co. KG Hauptverwaltung: Riesstraße 25, D-80992 München Registergericht: Amtsgericht München, HRA 95603 Umsatzsteuer-Identifikationsnummer: DE129430206	Marketing Automation Platform
Unify Enterprise Communications LTD	Second Floor, Mid City Place, 71 High Holborn, London, WC1V 6EA, United Kingdom	Marketing Services
Tegrita	Tegrita Consulting Group, First Canadian Place, 100 King Street West, Suite 5700, Toronto, ON, M5X 1C7	Marketing Automation Support Services
Tie Kinetix	De Corridor 5d, 3rd Floor, Breukelen, 3621 ZA, Netherlands	Through Partner Marketing Automation
Unify Inc	2650 N. Military Trail, Suites 100 and 250, 33431 Boca Raton, U,S.A	Technical Support Services
Atos India Private Limited	10th Floor, Tower-B, Hcc-247 Park, Lal Bahadur Shastri Marg, Vikhroli (W), Mumbai 400083 Maharashtra, India	Technical Support Services

7 Data Retention – GDPR (articles 13.2a / 14.2a)

7.1 Data Retention Managed by Unify

We will retain your Personal Data for no more than two (2) years from your last activity. Activity means you have taken an action that indicates you are still interested in receiving communications from Unify. That can include filling out a new webform, opening an email, responding to a social media post, or other actions that represent active participation.In all cases you are can opt out or unsubscribe from further marketing communications at any point in time.

7.2 Data Retention You Can Manage

Data such as Cookies can be managed by yourself in your browser settings.

8 Your Rights as a Data Subject and How to Exercise Them

You have the right to contact us to review, correct or delete Personal Data that you previously provided to us or that we collect about you. If you have any queries about our GDPR activities, then please be so kind and complete the online form.

You have the right to lodge a complaint with the appropriate data protection authority.

You can place requests with regard to your Personal Data with Unify either via the DPO or via the following functional email address: dp.it-solutions@atos.net

Right of Access to Personal Data – GDPR (15)
You can access all Personal Data directly held in Unify Marketing Data by contacting dp.it-solutions@atos.net
Right to Rectification Personal Data – GDPR (16)
You can rectify most Personal Data held in Marketing Preference Center here http://go.unify.com/preferences-en
Right for Erasure of Personal Data – GDPR (17)
Please see section 6 on Data Retention on details how to delete (erase) personal data. We recommend placing a request with Marketing Data controller dp.it-solutions@atos.net
Right to Restrict Processing – GDPR (18)
Under specific circumstances, e.g. if you consider processing of your personal data inaccurate, unlawful, or no longer required, or if there is a pending objection from your side to the processing, you have the right to request a restriction of processing. To do this here dp.it-solutions@atos.net
Right to Object Processing – GDPR (21)
You have the right to object processing of personal data under certain circumstances related to section 3 of this document (Purpose and Legal Basis for Processing). To this email dp.it-solutions@atos.net
Right to Withdraw Your Consent – GDPR (7.3 / 13.2c / 14.2d)
You have the right to withdraw your consent at any time you can do this by emailing dp.it-solutions@atos.net Managing your preferences here http://go.unify.com/preferences-en or unsubscribing from any marketing email.
Right to lodge a complaint with a Data Protection Authority – GDPR (13.2d / 14.2d / 77)
You have the right to lodge a complaint about the processing described in this document with the data protection authority of your country or of the Federal Republic of Germany.

9 Automated Decision Making

There is no automated individual decision making and profiling about you on Unify Cloud Services.

Commercial Processing

Unify Centralized Business & Commercial Processing

(Except for Unify Cloud Services)

Information on Processing of Personal Data for Partner / Customer and Billing Contacts and Partner / Customer Tool Users

(Effective May 15, 2018)

If you serve as a Customer / Partner or Billing Contact in commercial transactions of a Customer or a Sales Partner with Unify, or if obtain access to a tool Unify provides to Sales Partners for commercial transactions with their Customers this document is meant for you ! Unify operates business and commercial processes and provides access to various tools to accredited Sales Partners and Customers to facilitate the business-to-business relationship from quotation to billing for Unify’s products, solutions and services. Some of the data processed by Unify throughout its operational model is your Personal Data (“Personal Data” is defined as any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity)..

This document addresses all individuals (known as “Data Subjects”) whose Personal Data is processed for these purposes, which are:

“Customer Tool Users”: Individuals who use Unify-provided tools for commercial transactions
“Partner Tool Users”: Individuals who participate in the buying, procurement, implementation or support of Unify solutions and who interact with Unify tools to support those functions
“Customer / Partner and Billing Contacts” Individuals designated by the Customer or Sales Partner to interact with Unify in regards to offering, contracting, ordering and billing, payments, respectively..
These individuals are jointly addressed by “you.” It is very possible that you could fall under both categories of ”Data Subject.” The business you represent is referred to as “Your Company”.

Link to GDPR: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

1 Controller – GDPR (articles 13.1a / 14.1a)

The Controller is directly accountable to you for the protection of your Personal Data in the sense of GDPR. Among other responsibilities, the Controller, according to the GDPR,

Defines the purpose of processing of your Personal Data
Defines the means of processing of your Personal Data

Responsible for Accuracy, Quality, Legality, Reliability of Personal Data

Provides information to you about your Personal Data and the modalities for the exercise of their rights
Implements measures to secure and protect of your Personal Data
Notifies the competent data protection supervisory authority in case of a data breach.

In our global, standard business model with and via accredited Sales Partners neither Unify nor Your Company is the sole Controller for Business and Commercial Processing. Instead we have a Joint Controller situation, as defined by the GDPR (article 26).

The responsibility split is as follows

Unify defines the purpose of processing of your Personal Data
Unify defines the means of processing of your Personal Data

Your Company is responsible for Accuracy, Quality, Legality, Reliability of Personal Data provided to Unify

Your Company is responsible to provide information to you about your Personal Data
Unify implements measures to secure and protect of your Personal Data
Unify is responsible to notify the competent data protection supervisory authority in case of a data breach.

Unify as one of the two Co-Controllers is the following legal entity:

Unify Software and Solutions GmbH & Co. KG
Otto-Hahn-Ring 6
81739 München,

hereunder “Unify”, or “we”

The second Co-Controller is Your Company, which is contractually obligated by the DPA to give you access to this document and to provide you will all information we cannot provide you with since we are not the sole controller.

Note that direct business with Customers is in the responsibility of Unify or Atos local legal entities and is governed by individual Data Processing Agreements which might assign the sole Controller role to the Customer and the Processor role to Unify. In this case, Your Company has the sole responsibility to interact with you in regards to the protection of your Personal Data.

2 Data Protection Officer – GDPR (articles 13.1b / 14.1b)

Unify has appointed a Data Protection Officer. You can reach the data protection officer under the following email address: dp.it-solutions@atos.net

Depending on the size of the business Your Company might also have a Data Protection Officer. You have the right to get the contact details from Your Company.

3 Purpose and Legal Basis for Processing – GDPR (articles 13.1c,d / 14.1c / 14.2b)

In Business & Commercial Processing (Unify Cloud Services excepted) we process your Personal Data for the following purposes:

To be able to contact Your Company as a contract holder for a Unify product, service and solution (Customer Contact), or of a Sales Partner relationship (Partner Contact)
1. In regards to the understanding, fulfilment, change or termination of the contract
2. In case we need to notify you or Your Company about events that might impact the Unify product, service, or solution that you’ve contracted Unify to provide or that you are already operating
For export control compliance checks (Customer Contact, Partner Contact)
For ordering, billing and payment processes in case of order delays, delivery questions or billing/payment inquiries (Customer and Billing Contact)
For reporting commercial transactions to the Unify or Atos legal entity, or Unify-accredited reseller, if applicable (Customer and Partner Contact)
To give you access to Unify tools supporting Business and Commercial processes, to manage you access rights, to monitor tool usage according to the applicable Unify-released terms and conditions, to support you in case of technical issues (Customer or Partner Tool User).

The legal basis for this processing are:

Legal and regulatory requirements to Unify as manufacturer of products and solutions and provider of services (purpose a) and b)),
Legitimate interest of your Unify to conduct commercial transaction with Your Company, and to do so in an efficient, transparent and legally complaint way (purpose c) and d))
Legitimate interest of Unify and accredited sales partners to support partners in selling Unify Cloud Services and to support customers (purpose e)).

4 Categories of Personal Data – GDPR (articles 14.1d, 14.2(f))

Your personal data processed by Business & Commercial Processing (Unify Cloud Services excepted)fall under the following categories:

Profile Data: Personal Data which you enter yourself, or personnel of Unify or Sales Partner obtain from you and enter into our processing systems, such as name, company, phone number, email address, business, shipping or billing address, passwords, etc. (Partner / Customer Contact, Billing Contact, Partner Tool User)
Activity Data: Data which are collected in relation to you as you use Unify provided tools , such as log-on times, transaction records (Partner Tool User)
Compliance Check Data: Results of legally required compliance checks (Customer and Partner Contact)
Session Data: Personal Data are tied to a log-on session on our sign-up and commercial transaction tools (e.g. IP addresses). (Partner Tool User)

Notes:

We execute legally required compliance checks. If you are able to purchase a Unify products, solutions and services then the compliance checks have turned out a negative result. In case these checks turn out a positive result, you will not be able to perform the transactions required to acquire a Unify product, solution, or services. Legally required compliance checks are executed against sanctioned party lists published by applicable government authorities.

5 Recipients of Personal Data – GDPR (articles 13.1e / 14.1e)

The recipients of your Personal Data are

Unify as your supplier for products, solutions and services (Order Management, Billing, Sales, Technical Support)
Unify sub-contractors involved in Business and Commercial Processing (except for Unify Cloud Services) as listed in section 6
The Unify or Atos local legal entity, or the accredited reseller of Unify who you entered into a purchase, service or reseller agreement with

6 Sub-Contractors and Transfers or Personal Data to Third Countries – GDPR (articles 13.1f / 14.1f)

Name	Country	Address	Scope of Processing	Data Protection Safeguards
Salesforce.com	Germany	Erika-Mann-Str. 31 80636 München, Germany	Customer Relationship Management Software as a Service	EU Mandatory Clauses
Callidus Software Inc.	USA	4140 Dublin Blvd #400, Dublin, CA 94568, USA	Configuration, Pricing, Quoting Software as a Service, for Unify Products, Solutions and Services	EU Mandatory Clauses
Zyme Solutions Inc.	USA	9600 Great Hills Trail, Suite 300E Austin, TX 78759	Channel data management services	EU-US Privacy Shield
Eloqua	Germany	ORACLE Deutschland B.V. & Co. KG, Riesstraße 25 80992 München, Germany	Marketing Automation Software as a Service	EU Mandatory Clauses
factory42	Germany	Rosenheimer Straße 145 81671 München, Germany	Salesforce.com Customization for Unify	GDPR, DPA
Menticorp AG	Switzerland	Ronis 5 CH-9050 Appenzell	Salesforce.com SAP integration	EU Adequacy Decision
Atos India Private Limited	India	Plot 8B, RMZ Centennial, Campus-B, 5th Floor, ITPL Main Road, Whitefield, Bangalore 560048 Karnataka, India	Operation and Technical Support Infrastructure & Data Management	Atos Binding Corporate Rules
Unify Service Center EOOD	Bulgaria	Business park Sofia 1 / building 1B, Mladost IV, 1766 Sofia	Order and billing processing	Atos Binding Corporate Rules
	Germany / India/Hungary	Messeturm 60308 Frankfurt	Technical Support of Portal and Back-End Systems	In Review

The Atos Binding Corporate Rules are available under
https://atos.net/content/dam/global/documents/atos-binding-corporate-rules.pdf

EU Adequacy Decisions: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

EU-US Privacy Shield Policies:

Zyme: http://www.zyme.com/privacy-policy

Personal Data are stored in several IT systems which are located in the following data center facilities

Storage Locations	Provider
Frankfurt, Germany	Salesforce.com
Frankfurt, Germany	Callidus Cloud
Munich, Germany	Unify
Munich, Germany	Atos Information Technology GmbH
In Review	Eloqua
USA	Zyme

7 Data Retention Period – GDPR (articles 13.2a / 14.2a)

7.1 Retention Managed by Partner or Customer

Unify employs a central entitlement management system for Partner / Customer Tool Users which allows a Partner / Customer Account Administrator to create and delete users and to manage their access rights. If a Tool User is deleted Profile Data are deleted, but Activity Data related to transactions the Too User performed on these tools are retained as legally required to provide proof of the transaction. See also section 7.2.

7.2 Retention Managed by Unify

Customer and Billing Contacts: For legal reasons contractual and compliance information on your subscription of Unify Cloud Services including your Personal Data has to be retained for 10 years after the termination of your subscription becomes effective. Your Personal Data will be deleted in December of the calendar year where the legal retention period ends.

Partner Tool Users: Partner Tool users are given access by Partner Account Administrators who are also supposed to delete users which don’t need access any more (e.g. because they have left the company). In addition, Unify performs every year in January and activity review: Partner Tool Users who have not been active in the fourth calendar quarter of the previous year will receive an email notice from Unify requesting confirmation whether access to Partner Tools is still required. In case you as a Partner Tool User

Confirm before end of March that access is not no longer Unify will terminate your access and delete your Profile Data
Confirm before end of March that access continues to be required, Unify will leave your access and Profile Data untouched
Do not respond before end of March Unify will suspend your account until end of June and terminate your access and delete your Profile Data in July unless you request account re-activation before end of June.

Hence, if you are not using your access your Personal Data will be “forgotten” the latest 19 months after you stopped using the partner tool.

8 Your Rights as a Data Subject

You are aware that GDPR gives you the rights listed below. You can place requests in regards to your personal data with Unify either via the Data Protection Officer shown in section 2 or via the following functional email address: dp.it-solutions@atos.net

Right to Access Personal Data – GDPR (article 15)
- Partner / Customer Tool User: Profile Data and Activity Data can be obtained from your Partner /Customer Account Administrator or upon request from Unify ( dp.it-solutions@atos.net).
- Partner / Customer Contacts and Billing Contacts: If you are also a Partner / Customer Tool user you can see Activity data on your respective tool account. Otherwise please contact dp.it-solutions@atos.net.
Right to Rectify Personal Data – GDPR (article 16)
- Partner / Customer Tool User: You can correct Profile Data on your Unify Tool account or have your Partner / Customer Account Administrator do that. I addition, you can request rectification from Unify via dp.it-solutions@atos.net.
- Partner / Customer Contacts and Billing Contacts: If find incorrect Profile or Activity Data please contact Unify via dp.it-solutions@atos.net for rectification.
Right for Erasure of Personal Data – GDPR (article 17)
- Partner / Customer Tool User: See section 7, or contact dp.it-solutions@atos.net.Partner / Customer Contacts and Billing Contacts: You may chose not to act as
- Partner / Customer Contacts and Billing Contacts for Unify Business & Commercial Processing (Non-Cloud)on behalf of Your Company any longer and assign a new Partner / Customer Contacts and Billing Contact by contacting your Unify account team or dp.it-solutions@atos.net. Your profile data will then be deleted and replaced by the profile data of the new Partner / Customer Contacts and Billing Contact. Transaction records (Activity Data) will still be shown under your name for transparency reasons until finally deleted at the end of the retention period. Please contact Unify using the contacts described above in case or questions, concerns, or additional requests).
Right to Restrict Processing – GDPR (article 18)
- Partner / Customer Tool User: You can request restricted processing from dp.it-solutions@atos.net. Your accounts on Unify Partner / Customer Tools will then be temporarily closed, but you can resume at any time.
- Partner / Customer Contacts and Billing Contacts: Under GDPR you have, under certain circumstances, the right to restrict processing, e.g. if you consider processing by Unify inaccurate, unlawful, or no longer required, or if there is a pending objection from your side to the processing. You can request such restriction with indication of the reason from Unify ( dp.it-solutions@atos.net). Should the restriction prevent Unify from executing commercial processes (e.g. billing or payment collection) or from providing the Unify Business & Commercial Processing (Non-Cloud) in compliance with applicable law, Unify will suspend all pending business and commercial transactions to you and Your Company, but this will not free your business from the obligation to pay for Unify products, solutions, and services that have already purchased. Both parties, Unify and you, will work faithfully together to resolve the restriction so that processing can resume.
Right to Object Processing – GDPR (article 21)
- Partner / Customer Tool User: You can request object processing from dp.it-solutions@atos.net. Your accounts on Unify Partner / Customer Tools will then be closed, but you can resume at any time.
- Partner / Customer Contacts and Billing Contacts: You have the right to object processing of personal data from Unify ( dp.it-solutions@atos.net) under certain circumstances related to section 3 of this document (Purpose and Legal Basis for Processing). Should the objection prevent Unify from executing commercial processes (e.g. billing or payment collection) or from providing the Unify communication and collaboration solution in compliance with applicable law, Unify will suspend all pending business and commercial transactions to you and your business, but this will not free your business from the obligation to pay for Unify communication and collaboration solutions that have already purchased. Both parties, Unify and you, will work faithfully together to resolve the objection so that processing can resume.
Right to Withdraw Your Consent– GDPR (articles 7.3 / 13.2c / 14.2d)
We do not collect consent from you in the sense of GDPR (6-7) as a legal basis for processing your personal data.
Right to Data Portability – GDPR (article 20)
- Partner / Customer Tool User: Since most Profile Data are accessible to you at any time (see under a), you can take copies of your Personal Data at any time. Activity and Compliance Check Data can be obtained upon request to the contacts given above.
- All data subjects: Given the nature of the data we see no actual use case of porting the data to another Controller as intended by GDPR (20)
Right to lodge a complaint with a Data Protection Authority – GDPR (articles 13.2d / 14.2d / 77)
You have the right to lodge a complaint about the processing described in this document with the data protection authority of your country or of the Federal Republic of Germany.

9 Is it a Statutory or Contractual Requirement to Provide Personal Data ? – GDPR (article 13.2e)

We will not provide Unify products, solutions, and services or access to Unify’s commercial and business tools without valid Customer Contact, and we will not maintain a direct billing relationship with a customer without a valid Billing Contact. The reasons are explained in section 3. Having said that, there is no reason why you in particular must be Customer or Billing Contact, and you can assign other representatives of our business as Customer or Billing Contacts.

10 Automated Decision Making – GDPR (articles 13.2f, 14.2g, 22)

Supply Chain

Unify Centralized Supply Chain

Information on Processing of Personal Data for Customer and Sales Partner Contacts, Partner Tool Users and Unify Device Users

Unify provides Unified Communication and Collaboration product s and services directly or via partners to customers and users, which necessitates data processing at Unify, enabling portfolio ordering, billing and delivery through Supply chain processes which may contain your Personal Data (“Personal Data” is defined as any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity).

Link to GDPR: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

This document addresses all individuals whose personal data are processed (“Data Subjects”) for these purposes, which in general are

“Partner / Customer Tool Users”: Individuals who participate in the ordering , payment and technical support of Unify solutions and who interact with Unify tools to support those functions
“Customer / Partner Contacts”: Individuals designated by the Customer or Partner to interact with Unify in regards to offering, contracting, ordering and billing, payments, respectively..
“Unify Device Users” are individuals who use product from Unify, such as phones, which may be subject to repair processes.
These individuals are jointly addressed by “you” in this document. With “Your Company” we mean the business you represent as a Customer or Partner Contact. Note, this document excludes users of Unify Cloud Services, for which separate processes exists which are covered by a separate Information on Processing document.

1 Controller – GDPR (articles 13.1a / 14.1a)

The Controller is directly accountable to you for the protection of your Personal Data. Among other responsibilities, the Controller, according to the GDPR,

Defines the purpose of processing of your Personal Data
Defines the means of processing of your Personal Data

Responsible for Accuracy, Quality, Legality, Reliability of Personal Data

Provides information to you about your Personal Data and the modalities for the exercise of their rights
Implements measures to secure and protect of your Personal Data
Notifies the competent data protection supervisory authority in case of a data breach.
For Unify Supply Chain processes, neither Unify nor Your Company can be the sole Controller. Instead we have a Joint Controller situation, as defined by the GDPR (article 26).

The general responsibility split is as follows

Unify defines the purpose of processing of your Personal Data
Unify defines the means of processing of your personal data

Your Company is responsible for Accuracy, Quality, Legality, Reliability of Personal Data provided to Unify

Your Company provides information to you about Personal Data
Unify implements measures to secure and protect of your Personal Data
Unify notify the competent data protection supervisory authority in case of a data breach.

The GDPR requires Joint Controllers to sign a contract detailing the split of responsibilities as co- controller. This document is called Data Processing Agreement (DPA). You can find it under https://go.unify.com/Dataprotection. Your Company needs to have such an agreement in place with Unify or a Unify Local Company in order to execute supply chain processes.

Unify as one of the two Co-Controllers is the following legal entity

Unify Software and Solutions GmbH & Co. KG
Otto-Hahn-Ring 6
81739 München,

hereunder “Unify” or “we”.

The second Co-Controller is Your Company. Your Company is contractually obligated by the DPA to give you access to this document and to provide you with all the information that in its area of responsibilities it has to be provided to you to comply with its obligations under the GDPR and which information we are not able to provide to you.

2 Data Protection Officer

Unify has appointed a Data Protection Officer who has reviewed Unify’s Supply chain processing in regards to data protection. You can reach the data protection officer under the following email address: dp.it-solutions@atos.net

The second Co-Controller is Your Company. Your Company is contractually obligated by the DPA to you give you access to this document and to provide you will all the information we cannot provide you with, since we are not the sole Controller.

3 Purpose and Legal Basis for Processing – GDPR (articles 13.1c,d / 14.1c / 14.2b)

You have the right to understand the purpose and legal basis for the processing of your Personal Data in Unify Supply Chain processes. There are various for purposes for processing your Personal Data in Unify Supply Chain processes

Ability to contact you, to notify you, or to ask you about matters related to your business with Unify in the areas of order, delivery and billing of Unify Portfolio.
For compliance with export control regulations, sanction party screening or other applicable legislation
The ability to accept and process order and to address and follow-up on commercial documents
To manage, track and control (incl. Proof of ownership) usage of SW licenses granted to your company by Unify
Deletion of Personal Data of Unify Device Users on devices sent to Unify for repair or replacement prior to shipping to the manufacturer who might be located outside the European Economic Area (EEA) (Unify Device User)

The legal basis for this processing are

Legal and regulatory requirements to Unify as a manufacturer ( a,b c,e ),
Legitimate interest of Unify to conduct commercial transaction with your business, and to do so in an efficient, transparent and audit-proof way (a,c,d,)
Legitimate interest of Your Company (a,c,d)
Protection of your Personal Data as per GDPR (see above: purpose e))

4 Categories of Personal Data – GDPR (articles 14.1d, 14.2(f))

Your Personal Data processed by Unify Supply Chain processes fall under the following categories:

Profile Data: Personal data you create about yourself or are assigned to you by Your Company, in particular salutation, name, surname, Job title, Postal Address, email address, username, password, phone/fax numbers, user role*, language and department.
Activity Data: Personal data collected by Supply Chain/Entitlement system from your use of our Supply Chain processes, in particular Login Date / Log out (Logfiles), Password failure / new PW creation, Transaction Records, and Cookies
Note: Personal Data of users of Unify devices will be deleted directly before any repair activities take place. This includes private address books of you as Unify Device Users, which contain Personal Data of your contacts.

*Not changeable by data subject

5 Recipients of Personal Data – GDPR (articles 13.1e / 14.1e)

Personal Data entered into Unify Supply Chain processes might be shared with third parties. You have the right to be informed about that. Unify will only share your Personal Data with approved internal or external sub-contractors for the purpose of executing Supply Chain processes. Sub-contractors are listed in section 6. Recipients of your data are:

Unify (Finance, Supply Chain, Sales, Service, IT)
Unify sub-contractors involved in sign-up and Supply Chain processing as listed in section 6
The company who has purchased Unify products and services and has given you access to these systems as a Contact Person (“Your Company”)
The Unify or Atos legal entity or their approved sub-contractors, or the accredited partner of Unify who has sold/maintains Unify portfolio to Your Company (“Involved Partner”)
In case of Tier 2 Business, involved Unify Accredited Distributor, displayed upon request
Administrators of accredited Partners for their employees

6 Sub-Contractors and Transfers or Personal Data to Third Countries – GDPR (articles 13.1f / 14.1f)

Name	Address	Scope of Processing	Data Protection Safeguards
ICTERRA Bilgi ve Iletisim Teknolojileri San.Tic.A.S.	Galyum Blok Kat:2, No:3 ODTU-Teknokent 06531 Ankara, Turkey	Supply Chain tool development, system operation as well as support and maintenance for both	Under review
Atos Information Technology GmbH	Otto-Hahn-Ring 6 81739 München, Germany	Application Hosting / Operation and Technical Support Infrastructure & Data Management	Binding Corporate Rules
Nagarro GmbH	Aidenbachstr. 42 81379 München, Germany	Technical User Support	GDPR
Geis Industrie-Service GmbH	Kraftwerkstraße 25, 91056 Erlangen-Frauenaurach, Germany		GDPR
Leesys – Leipzig Electronic Systems GmbH	Hertzstraße 2, 04329 Leipzig Germany		GDPR
Fideltronik S.A.	Cystersów 19 31-553 KRAKÓW, Poland		GDPR
Grossenbacher Systeme AG	Spinnereistrasse 10 CH-9008 St. Gallen, Switzerland		EU Adequacy Decision
BHDS GmbH	Inh. Ralf Bender Rotwandweg 3 82024 Taufkirchen, Germany
Gigaset Communications GmbH	Frankenstr. 2a 46395 Bocholt, Germany
Media5 Corporation	4229 Garlock Street SHERBROOKE – QC QC J1L 2C8, Canada		EU Adequacy Decision
GE Intelligent Platforms GmbH & Co. KG	Memminger Str. 14 86159 Augsburg, Germany

The Atos Binding Corporate Rules are available under
https://atos.net/content/dam/global/documents/atos-binding-corporate-rules.pdf

EU Adequacy Decisions: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

Personal Data are stored in several IT systems which are located in the following data center facilities

Storage Locations	Provider
München, Germany	Atos Information Technology GmbH)

7.Data Retention Period

7.1 Retention Managed by Partner or Customer

7.2 Retention Managed by Unify

Confirm before end of March that access is not no longer Unify will terminate your access and delete your Profile Data
Confirm before end of March that access continues to be required, Unify will leave your access and Profile Data untouched
Do not respond before end of March Unify will suspend your account until end of June and terminate your access and delete your Profile Data in July unless you request account re-activation before end of June.

Hence, if you are not using your access your Personal Data will be “forgotten” the latest 19 months after you stopped using the partner tool.

8 Your Rights as a Data Subject and how to exercise them

Right of Access to Personal Data – GDPR (article 15)
- Partner / Customer Tool User: Profile Data and Activity Data can be obtained from your Partner /Customer Account Administrator or upon request from Unify ( dp.it-solutions@atos.net).
- Partner / Customer Contacts: If you are also a Partner / Customer Tool user you can see Activity data on your respective tool account. Otherwise please contact dp.it-solutions@atos.net.
Right to Rectification Personal Data – GDPR (article 16)
- Partner / Customer Tool User: You can correct Profile Data on your Unify Tool account or have your Partner / Customer Account Administrator do that. I addition, you can request rectification from Unify via dp.it-solutions@atos.net .
- Partner / Customer Contacts : If find incorrect Profile or Activity Data please contact Unify via dp.it-solutions@atos.net for rectification.
Right for Erasure of Personal Data – GDPR (article 17)
- Partner / Customer Tool User: See section 7, or contact dp.it-solutions@atos.net .
- Partner / Customer Contacts: You may chose not to act as Partner / Customer Contacts and Billing Contacts for Unify Business & Commercial Processing (Non-Cloud)on behalf of Your Company any longer and assign a new Partner / Customer Contacts and Billing Contact by contacting your Unify account team or dp.it-solutions@atos.net. Your profile data will then be deleted and replaced by the profile data of the new Partner / Customer Contacts and Billing Contact. Transaction records (Activity Data) will still be shown under your name for transparency reasons until finally deleted at the end of the retention period. Please contact Unify using the contacts described above in case or questions, concerns, or additional requests).
Right to Restrict Processing – GDPR (article 18)
- Partner / Customer Tool User: You can request restricted processing from dp.it-solutions@atos.net. Your accounts on Unify Partner / Customer Tools will then be temporarily closed, but you can resume at any time.
- Partner / Customer Contacts: Under GDPR you have, under certain circumstances, the right to restrict processing, e.g. if you consider processing by Unify inaccurate, unlawful, or no longer required, or if there is a pending objection from your side to the processing. You can request such restriction with indication of the reason from Unify ( dp.it-solutions@atos.net). Should the restriction prevent Unify from executing commercial processes (e.g. billing or payment collection) or from providing the Unify Business & Commercial Processing (Non-Cloud) in compliance with applicable law, Unify will suspend all pending business and commercial transactions to you and Your Company, but this will not free your business from the obligation to pay for Unify products, solutions, and services that have already purchased. Both parties, Unify and you, will work faithfully together to resolve the restriction so that processing can resume.
Right to Object Processing – GDPR (article 21)
- Partner / Customer Tool User: You can request object processing from dp.it-solutions@atos.net. Your accounts on Unify Partner / Customer Tools will then be closed, but you can resume at any time.
- Partner / Customer Contacts and Billing Contacts: You have the right to object processing of personal data from Unify ( dp.it-solutions@atos.net) under certain circumstances related to section 3 of this document (Purpose and Legal Basis for Processing). Should the objection prevent Unify from executing commercial processes (e.g. billing or payment collection) or from providing the Unify communication and collaboration solution in compliance with applicable law, Unify will suspend all pending business and commercial transactions to you and your business, but this will not free your business from the obligation to pay for Unify communication and collaboration solutions that have already purchased. Both parties, Unify and you, will work faithfully together to resolve the objection so that processing can resume.
Right to Withdraw Your Consent – GDPR (article 7.3 / 13.2c / 14.2d)
- We do not collect consent from you in the sense of GDPR (6-7) as a legal basis for processing your personal data.
Right to Data Portability – GDPR (article 20)
1. Partner / Customer Tool User: Since most Profile Data are accessible to you at any time (see under a), you can take copies of your Personal Data at any time.
2. Activity and Compliance Check Data can be obtained upon request to the contacts given above.
3. All data subjects: Given the nature of the data we see no actual use case of porting the data to another Controller as intended by GDPR (20)
Right to lodge a complaint with a Data Protection Authority – GDPR (article 13.2d / 14.2d / 77)
You have the right to lodge a complaint about the processing described in this document with the data protection authority of your country or of the Federal Republic of Germany.

9 Is it a Statutory or Contractual Requirement to Provide Personal Data ? – GDPR (article 13.2(e))

As a contact person for Unify Supply Chain processes, you must be identifiable to Unify and Your Company. Otherwise no Supply chain transactions such as orders, deliver and billing are possible. Please inquire with Your Company in case of concerns

10 Automated Decision Making

There is no automated individual decision making and profiling about you on Unify Supply Chain Processes.

Name and Address	Scope of Processing
Unify Communications and Collaboration GmbH & Co. KG Otto-Hahn-Ring 6, 81739 München	Service, Client Management & Manager on Duty (MOD)
Atos IT Solution and Service G Siemensstrasse 92, 1210 Vienna / Austria	Atos/Unify Service-Provider for Unify Portfolio
Atos IT & Telecommunication Services S.A Leoforos Irakleiou 455, 14122 Athens / Greece	Atos/Unify Service-Provider for Unify Portfolio and Development
Atos IT Solutions and Services EOOD Sofia 1766, Business Park, 1B, fl.5 / Bulgaria	Atos/Unify Service-Provider for Managed Services
Atos IT Solutions and Services SRL Ionescu Crum Nr.1, et 1 – Brasov Business Park RO500446, Brasov / RomaniaStr.Mihail Kogalniceanu, nr.21, bl.C6 RO500090 Brasov / Romania	Atos/Unify Service-Provider for Unify Portfolio Atos/Unify Service- Provider for Unify Portfolio and Development
Atos IT Services UK Limited Buckinghamshire / Mercury House Brickhill Street Willen, MK15 0DJ Milton Keynes / United Kingdom	Atos/Unify Service-Provider for Unify Portfolio
Atos CCS Accounts: Unify Inc. 2650 North Military Trail, Suite 250 33431 Boca Raton, FL / United Stated of America Unify US GO center, we are located in 2 offices currently. Current Unify Inc., 1630 Corporate Court, Irving, TX 75037 Moving to Atos, 4851 Regent Boulevard, Irving, Texas 75038, United Stated of America	Atos/Unify Service-Provider for Unify Portfolio Development
Unify Sol.Tecnol.Informacao Rua do Semeador, 702, 81270-050 Curitiba / Brazil	Atos/Unify Service-Provider for Unify Portfolio and Development
Atos IT Solutions and Services Sp. z. o.o. Kraszewskiego 1, 85-204 Bydgoszcz / Poland	Atos/Unify Service-Provider for Unify Portfolio and Development
Atos Global IT Solutions and Services Pvt. Ltd. IT Plot No. 5, Airoli Knowledge Park, Airoli, Navi Mumbai, District: Thane, Pin Code 400708 400708 Maharashtra, Mumbai / India	Atos/Unify Service
SPIE Information & Communication Services GmbH Alte Straße 5, 04626 Löbichau, Germany	Atos/Unify Service-Provider for Unify Portfolio
Genesys Telecommunications Lab. GmbH Joseph-Wild-Straße 20, 81829 München / Germany	Atos/Unify Service-Provider for CallCenter Solutions
eTellicom Pty Ltd Level 5/24 Albert Rd, South Melbourne VIC 3205 / Australia	Atos/Unify Service-Provider for Unify Portfolio Development (OS Biz UC-Suite)
ICterra Galyum Blok Kat:2, No:3 ODTÜ-Teknokent, 06531 Ankara, Turkey	Atos/Unify Service-Provider for Unify Portfolio Development (Devices SC development / DLS (Licensing) development)

Data Protection at Unify

Find out about the Unify approach to Data Protection

Our preparations for Europe’s most significant Data Protection laws

Related Links

List of Subcontractors

Our Commitment to the General Data Protection Regulation (GDPR)

OpenScape GDPR Compliance Statements

Processing of Personal Data in Centralized Unify Business processes

1 Controller – GDPR (article 13.1a / 14.1a)

2 Data Protection Officer – GDPR (article 13.1b / 14.1b)

3 Purpose and Legal Basis for Processing – GDPR (article 13.1c,d / 14.1c / 14.2b)

4 Categories of Personal Data – GDPR (article 14.1d, 14.2(f))

5 Recipients of Personal Data – GDPR (article 13.1e / 14.1e)

6 Sub-Contractors and Transfers or Personal Data to Third Countries and Storage Locations– GDPR (articles 13.1f / 14.1f)

7 Data Retention – GDPR (articles 13.2a / 14.2a)

8 Your Rights as a Data Subject and How to Exercise Them

9 Is it a Statutory or Contractual Requirement to Provide Personal Data ? –GDPR (article 13.2(e))

10 Automated Decision Making

Unify Cloud Services

Information on Processing of Personal Data for Users

1 Controller – GDPR (articles 13.1a / 14.1a)

2 Data Protection Officer – GDPR (articles 13.1b / 14.1b)

3 Purpose and Legal Basis for Processing – GDPR (articles 13.1c,d / 14.1c / 14.2b)

4 Categories of Personal Data – GDPR (articles 14.1d, 14.2(f))

5 Recipients of Personal Data – GDPR (articles 13.1e / 14.1e)

6 Sub-Contractors and Transfers or Personal Data to Third Countries – GDPR (articles 13.1f / 14.1f)

7 Data Retention – GDPR (articles 13.2a / 14.2a)

8 Your Rights as a Data Subject and How to Exercise Them

9 Is it a Statutory or Contractual Requirement to Provide Personal Data ? – GDPR (article 13.2(e))

10 Automated Decision Making

Unify Cloud Services Sign-up and Commercial Processing

Information on Processing of Personal Data for Customer and Billing Contacts

(Effective May 15, 2018)

1 Controller – GDPR (articles 13.1a / 14.1a)

2 Data Protection Officer – GDPR (articles 13.1b / 14.1b)

3 Purpose and Legal Basis for Processing – GDPR (articles 13.1c,d / 14.1c / 14.2b)

4 Categories of Personal Data – GDPR (articles 14.1d, 14.2(f))

5 Recipients of Personal Data – GDPR (articles 13.1e / 14.1e)

6 Sub-Contractors and Transfers or Personal Data to Third Countries – GDPR (articles 13.1f / 14.1f)

7 Data Retention Period – GDPR (articles 13.2a / 14.2a)

8 Your Rights as a Data Subject

9 Is it a Statutory or Contractual Requirement to Provide Personal Data ? – GDPR (article 13.2(e))

10 Automated Decision Making

Marketing Data

Information on the Processing of Personal Data for Users

Effective as of April 30th 2018

1 Controller – GDPR (articles 13.1a / 14.1a)

2 Data Protection Officer – GDPR (articles 13.1b / 14.1b)

3 Purpose and Legal Basis for Processing – GDPR (articles 13.1c,d / 14.1c / 14.2b)

5 Recipients of Personal Data – GDPR (articles 13.1e / 14.1e)

6 Sub-Contractors and Transfers or Personal Data to Third Countries – GDPR (articles 13.1f / 14.1f)

ORACLE Deutschland B.V. & Co. KG

7 Data Retention – GDPR (articles 13.2a / 14.2a)

7.1 Data Retention Managed by Unify

7.2 Data Retention You Can Manage

8 Your Rights as a Data Subject and How to Exercise Them

9 Automated Decision Making

Unify Centralized Business & Commercial Processing

(Except for Unify Cloud Services)

Information on Processing of Personal Data for Partner / Customer and Billing Contacts and Partner / Customer Tool Users

(Effective May 15, 2018)

1 Controller – GDPR (articles 13.1a / 14.1a)

2 Data Protection Officer – GDPR (articles 13.1b / 14.1b)

3 Purpose and Legal Basis for Processing – GDPR (articles 13.1c,d / 14.1c / 14.2b)

4 Categories of Personal Data – GDPR (articles 14.1d, 14.2(f))

5 Recipients of Personal Data – GDPR (articles 13.1e / 14.1e)

6 Sub-Contractors and Transfers or Personal Data to Third Countries – GDPR (articles 13.1f / 14.1f)

7 Data Retention Period – GDPR (articles 13.2a / 14.2a)

7.1 Retention Managed by Partner or Customer

7.2 Retention Managed by Unify

8 Your Rights as a Data Subject

9 Is it a Statutory or Contractual Requirement to Provide Personal Data ? – GDPR (article 13.2e)

10 Automated Decision Making – GDPR (articles 13.2f, 14.2g, 22)

Unify Centralized Supply Chain

Information on Processing of Personal Data for Customer and Sales Partner Contacts, Partner Tool Users and Unify Device Users

1 Controller – GDPR (articles 13.1a / 14.1a)

2 Data Protection Officer

3 Purpose and Legal Basis for Processing – GDPR (articles 13.1c,d / 14.1c / 14.2b)

4 Categories of Personal Data – GDPR (articles 14.1d, 14.2(f))

5 Recipients of Personal Data – GDPR (articles 13.1e / 14.1e)