Data Protection at Unify

Find out about the Unify approach to Data Protection

Our preparations for Europe’s most significant Data Protection laws

 

At Unify we have a long heritage of keeping our customers data safe. We are trusted the world over to provide secure, reliable communications and collaboration solutions.

This page is designed to help you understand in easy terms how we use your data across our platforms, services and day to day operations.

You can also find out about our commitment to the General Data Protection Regulation, or GDPR as it often known. If you have any questions about the information on this page please contact us here askGDPR@atos.net

Mariana Peycheva
Chief Security Officer – Unify Atos Collaboration Solutions

Related Links

English
Click here to sign the Unify Data Processing Agreement (DPA)
Download Unify Data Processing Agreement

German
Click here to sign the Unify Data Processing Agreement (DPA)
Download Unify Data Processing Agreement

Our Commitment to the General Data Protection Regulation (GDPR)

The most significant change to data protection laws for over 20 years comes into force on 25 May 2018. The GDPR regulates the handling of personal data of European Citizens and residents irrespective of their location and therefore has implications for the handling of personal data globally.

Unify has always been committed to protection of personal data, with accreditations such as ISO 27001, and now as the Unified Communication and Collaboration specialist within Atos, we are fully committed to compliance with both the spirit and detail of The GDPR.

Since we act as both a Data Controller and a Data Processor as defined by The Regulation, we are undertaking a number of activities in preparation of its enactment including:

  • auditing all of our processes and systems that handle personal data to ensure compliance;
  • engaging with partner technology organizations and application providers to ensure that the appropriate data processing agreements exist between us;
  • contacting customers, partners and other parties as necessary to reconfirm their permissions to handle their personal data;
  • updating web & marketing assets, partner and customer tools, to ensure that the capture of personal data captured is explicitly permitted;
    auditing our product portfolio to ensure that the functionality and license terms are compliant and also supportive of GDPR compliance among customers, partners and users;
  • fully leveraging the benefits of cloud to minimize application risk for our customers and partners.
    As a product developer, we want our users, customers and partners to be completely satisfied and to be confident that our products, services and business tools will support their own compliance with GDPR both by design and by default. Additionally, as a division within Atos, we can offer services and expert support in achieving your own GDPR goals.

Atos prides itself as being a trusted partner to its clients, and Unify as part of Atos is fully committed to earning and deserving your trust for years to come.

If you have any queries about our GDPR activities, then please contact us on askGDPR@atos.net

OpenScape GDPR Compliance Statements

OpenScape Voice GDPR White Paper

OpenScape 4000 GDPR White Paper

OpenScape Contact Center GDPR White Paper

OpenScape UC GDPR White Paper

OpenScape Xpert GDPR White Paper

Processing of Personal Data in Centralized Unify Business processes

 

Unify provides Unified Communication and Collaboration products and services directly or via accredited Partners to End -customers and their End-users. There are a number of centralized processes in our B2B relationships, where some of the data processed by Unify is Personal Data (“Personal Data” is defined as any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity).

We have categorized such processing in the following 6 processing streams

  • Unify Cloud Services
  • Unify Cloud Services Sign-ups and Commercial Processing
  • Unify Commercial Processing (Book-to-Bill) (except for Cloud)
  • Unify Supply Chain Processes
  • Unify Resale and Co-Delivery Services
  • Unify Marketing Data

As a customer or accredited Sales Partner, you might additionally be involved in processes of Unify or Atos local entities. The processes which we relate to on these webpages are centrally provided by Unify Software and Solutions GmbH & Co. KG.

For each process stream we have identified categories of individuals of whom Personal Date are processed (Data Subjects)

Data Subject Categories Description Affected by Process Streams
Cloud Services Users Registered guest users of Unify Cloud Services
  • Unify Cloud Services
Customer Contacts / Sales Partner Contact Individuals which serve as contact person commercial transactions, services and projects etc. at the Customer or accredited Partner
  • Unify Cloud Services Sign-up  and Commercial Processing
  • Commercial Processing except for cloud)
Billing Contacts Individuals serving as contacts for invoicing or payment follow-up
  • Unify Cloud Services Sign-up  and Commercial Processing
  • Commercial Processing except for cloud
Partner Tool Users Individuals who obtain access to tools Unify provides to partners for commercial processing or service delivery
  • Unify Cloud Services Sign-up  and Commercial Processing
  • Commercial Processing except for cloud
  • Resale and Co-delivery Services
Unify Product User Individuals, who use Unify products and Solutions

 

  • Supply Chain Processes
  • Resale and Co-delivery Services

 

It might well be possible that you fall under both categories of addressees as you might be a user and a contact person at the same time.

If you are a citizen of the European Union the processing of your Personal Data is protected by the General Data Protection Regulation (the“GDPR”), which you can find under http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679 in all EU languages.

We are delighted to provide you with this general overview and structure on which Personal Data are being processed, why and how we process Personal data at Unify. If you would like to understand in more details, how this is done in the various Unify processes areas, we are providing you with details in each of the process streams listed above.

For each of the processing streams described above we provide on this web-page a detailed Information of Processing (IoP) document. In general, our offerings are meant for Business – to – Business relationships, to enable sales partners and customers to work with Unify on a daily basis to exercise transactional processes. As a result, not only you, but also the business [Your Company] which gives you access to Unify Processes and Services has rights and obligations in regards to the Personal Data processed by Unify.

On this introductory page, we will show you in which section you can find the relevant information for you when looking at the more detailed Process and Services Websites, like an overview, so you can find your way around much easier.

1 Controller – GDPR (article 13.1a / 14.1a)

The Controller is directly accountable to you for the protection of your Personal Data in the sense of the GDPR. Among other responsibilities, the Controller

  1. Defines the purpose of processing of your personal data
  2. Defines the means of processing of your personal data
  3. Is Responsible for the accuracy of Personal Data provided
  4. Is Responsible for informing you about the processing of your Personal Data and the modalities for the exercise of your rights
  5. Implements measures to secure and protect of your Personal Data
  6. Notifies the competent data protection supervisory authority in case of a data breach.

 

For some processes and services like Unify Cloud Service, Resale and Co-Delivery Services or other off-the – shelf processes, neither Unify nor Your Company can be the sole Controller. Instead we have a Co-Controller situation, which is defined by the GDPR article 26 (joint Controller).

The GDPR requires Co-Controllers to sign an agreement on how to jointly execute controller responsibilities. The responsibility split is described in the respective sections of this Webpage as well as the relevant Data Processing Agreement (DPA). Companies like Your Company, working with Unify in these areas are asked to sign the respective Data Processing Agreement via a click – and- accept mechanism. Unify assumes in addition the role of Processor, meaning the entity that Processes Personal Data on behalf of Customer as contemplated in the respective Agreements and the DPA.

One of the co-controller is always

Unify Software and Solutions GmbH & Co. KG
Mies-van-der-Rohe-Strasse 6
80801 Munich, Germany,

hereunder “Unify” or “we”.

The other Co-controller is Your Company.

2 Data Protection Officer – GDPR (article 13.1b / 14.1b)

Unify has appointed a Data Protection Officer (DPO) who has reviewed transactional processing in regards to data protection. You can reach the data protection officer under the following email address:  dp.it-solutions@atos.net

3 Purpose and Legal Basis for Processing – GDPR (article 13.1c,d / 14.1c / 14.2b)

Depending on the co-controller model for the respective processing stream It is either Unify or Your Company which explains to you the purpose of processing and the legal basis for it.

4 Categories of Personal Data – GDPR (article 14.1d, 14.2(f))

In this section we explain to you what categories of Personal Data are affected by the process stream. The precise meaning of these categories depend on the respective processing stream.

5 Recipients of Personal Data – GDPR (article 13.1e / 14.1e)

Data entered into Unify processes including your Personal Data might be shared with other Data Subjects, within Unify and the wider Atos group or with third parties in order to execute our daily business. For example, when you work with one of our valued accredited Partners. Of course, you have the right to be informed about this and you will find this information in section 5 of each Information of Processing (IoP) document.

6 Sub-Contractors and Transfers or Personal Data to Third Countries and Storage Locations– GDPR (articles 13.1f / 14.1f)

Please see the respective sections, so you know which subcontractors and storage locations support Unify in which processes and services in our joint day to day business.

Please note that Unify belongs to the Atos group. Subcontractors within the Atos group (Unify, Cycos, Atos companies) are subject to Atos Binding Corporate Rules (see https://atos.net/content/dam/global/documents/atos-binding-corporate-rules.pdf) and EU Mandatory Clauses.

7 Data Retention – GDPR (articles 13.2a / 14.2a)

For legal reasons, information on contracts, commercial transactions as well as compliance information of Contact Persons including has to be retained for 10 years after the transaction or the end of the contract. Therefore Unify deletes Data at latest at the end of the 10th year after the last year in which the contract ends.

On other processes, such as system traces pulled in the case of a service delivery for example, we delete your personal data 90 days after the ticket has been closed. As there are different timelines around these retention periods, please consult the respective process section (IoP).

8 Your Rights as a Data Subject and How to Exercise Them

The GDPR gives you powerful rights in regards to your Personal Data. You can exercise your rights, i.e. place your requests with Your Company or with Unify. In the latter case, since your company in general gave you access to Unify processes and services and defines the purpose of its usage, we generally engage with the your Company before executing a request. We therefore recommend that you place your request with your Company, who can give you a profound answer on your requests from the perspective of your business.

You can place requests in regards to your personal data with Unify either via the Data Protection Officer shown in section 2 or via the following functional email address: askGDPR@atos.net

The information below is an overview for your convenience. Please see the relevant process section for more details where required.

  1. Right of Access to Personal Data – GDPR (article 15)
  2. Right to Rectification Personal Data – GDPR (article 16)
  3. Right for Erasure of Personal Data – GDPR (article 17
  4. Right to Restrict Processing – GDPR (article 18)
  5. Right to Object Processing – GDPR (article 21)
  6. Right to Withdraw Your Consent – GDPR (articles 7.3 / 13.2c / 14.2d)
  7. Right to Data Portability – GDPR (article 20)
  8. Right to lodge a complaint with a Data Protection Authority – GDPR (articles 13.2d / 14.2d / 77)

9 Is it a Statutory or Contractual Requirement to Provide Personal Data ? –GDPR (article 13.2(e))

The answer to this question depends on on the category of Data Subject you are and the respective Data Processing stream.
As an accredited Sales Partner or End-customer of Unify, you must be identifiable to Unify in order for us to fulfill our contractual obligations with you, whether you are a Partner of Unify or an End-customer.

10 Automated Decision Making

Please see respective Process Information page (IoP)

Unify Cloud Services in the European Union

Information on Processing of Personal Data for Users

(Effective May 15, 2018)

 

If you are, or plan to become, a user of Unify Cloud Services in the European Union (EU), such as Circuit or OpenScape Cloud, this document is meant for you! Some of the data processed by Unify Cloud Services are your Personal Data (“Personal Data” is defined as any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity).

If you are a resident in the European Union the processing of your Personal Data is protected by the General Data Protection Regulation (the “GDPR”), which you can find under http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679 in all EU languages.

Unify operates multiple Cloud services. This document applies to the EU instance of Unify Cloud Services. You can identify whether you are a user of this instance by the URL https://eu.yourcircuit.com.

How do we apply GDPR to Unify Cloud Services?

  • First, Unify Cloud Services are meant for businesses, to allow employees, suppliers, partners and customers to communicate and collaborate with each other. As a result, not only you, but also the business which gives you access to Unify Cloud Services has rights in regards to the Personal Data processed by Unify Cloud Services.
  • Secondly, Unify Cloud Services are delivered from one SW system via the Internet to 1000s of customers, or “Tenants” (meaning the legal entity you are an employee of and which has contracted for Unify Cloud Services), in exactly the same way. Tenants can set certain parameters or activate features in regards to data processing, but it is essentially the same for all tenants.

1 Controller – GDPR (articles 13.1a / 14.1a)

The Controller is directly accountable to you for the protection of your Personal Data. Among other responsibilities, the Controller, according to the GDPR,

  1. Defines the purpose of processing of your Personal Data
  2. Defines the means of processing of your Personal Data
  3. Responsible for Accuracy, Quality, Legality, Reliability of Personal Data
  4. Provides information to you about your Personal Data and the modalities for the exercise of their rights
  5. Implements measures to secure and protect of your Personal Data
  6. Notifies the competent data protection supervisory authority in case of a data breach.

 

For Cloud services like Unify Cloud Service, neither Unify nor your tenant can be the sole Controller. Instead we have a Joint Controller situation, as defined by the GDPR (article 26).

The responsibility split is as follows

  1. Your Tenant defines the purpose of processing of your Personal Data
  2. Unify defines the means of processing of your personal data
  3. Your Tenant is responsible for Accuracy, Quality, Legality, Reliability of Personal Data provided to Unify
  4. Your Tenant provides information to you about your Personal Data
  5. Unify implements measures to secure and protect of your Personal Data
  6. Your Tenant notifies the competent data protection supervisory authority in case of a data breach.

 

The GDPR requires Joint Controllers to sign a contract detailing the split of responsibilities as co- controller. This document is called Data Processing Agreement (DPA). You can find it under https://unify.com/en/data-protection. It is also available to you on Unify Cloud Service at any point in time.

Unify as one of the two Co-Controllers is the following legal entity

Unify Software and Solutions GmbH & Co. KG
Mies-van-der-Rohe-Strasse 6
80801 Munich, Germany,

hereunder “Unify” or “we”.

The second Co-Controller is your Tenant. Your tenant is contractually obligated by the DPA to give you access to this document and to provide you will all the information that in its area of responsibilities it has to be provided to you to comply with its obligations under the GDPR and which information we are not able to provide to you for example the purpose of processing (i), i.e. what the Tenant wants you to use Unify Cloud Services for.

2 Data Protection Officer – GDPR (articles 13.1b / 14.1b)

Unify has appointed a Data Protection Officer (“DPO”). You can reach the DPO under the following email address:
dp.it-solutions@atos.net

Depending on the size of the business your Tenant might also have a Data Protection Officer. You have the right to get the contact details from your Tenant.

3 Purpose and Legal Basis for Processing – GDPR (articles 13.1c,d / 14.1c / 14.2b)

You have the right to understand the purpose and legal basis for the processing of your Personal Data in Unify Cloud Services. This is however the responsibility of your Tenant, as explained in section 1. Your Tenant has the contractual obligation by the DPA to provide you with this information. This will also determine which rights your Tenant claims in the data you enter into OpenScape Cloud Services, e.g. in form or work results of employees.

4 Categories of Personal Data – GDPR (articles 14.1d, 14.2(f))

Your Personal Data processed by Unify Cloud Services fall under the following categories:

  • Profile Data: Personal data you create about yourself or are assigned to you by your tenant, in particular name, password, email address, photo, phone numbers, access rights (user vs tenant administrator).
  • Activity Data: Personal data collected by Unify Cloud Services from your use of the services, in particular call journal data, content deletion or change records or data relating to service usage (e.g. used end-points). These data are collected to provide Call Journal functionalities and transparency to conversation members of Unify Cloud Services on who did what in a conversation, and for troubleshooting purposes. These data are also used in strictly anonymized form for usage, adoption, and user experience statistics and reports.
  • Transient and Session Data: Personal Data which are collected but not stored on Unify Cloud Services (such as presence or location information) or which are tied to a log-on session on Unify Cloud Services (e.g. IP addresses). Location information is obtained from your browser or device if activated.

Notes:

  1. Conversation Data, i.e. postings, uploaded documents, and recordings you leave on Unify Cloud Services are generally not considered by Unify to be your personal data, but data for which your tenant has a certain degree of ownership. Please discuss possible concerns with your tenant
  2. Private Address Books may contain Personal Data of your personal contacts. Such Private Address Books are not stored and processed by Unify Cloud Services but reside in your phone. In general, all data you enter in your phone are controlled by yourself and are not subject to data protection by Unify Cloud Services
  3. Statistics and Reporting Data which Unify produces regularly from Activity Data and shares with tenants are strictly anonymized. You should be aware that tenants may ask for non-anonymized reports, which Unify may provide under certain circumstances. The usage of such reports and they compliance which GDPR, other laws, or applicable policies of business is entirely with the tenant. We recommend inquiring with your Tenant if such reports were requested from Unify or used, but you may also inquire with Unify.
  4. Please be aware that if you post information about a third person this might involve Personal Data of that person. Unify Cloud Services cannot recognize such information as Personal Data. We therefore have to exclude such data from our co-controller responsibilities. Please discuss such use cases with your tenant administrator or your DPO.
  5. A conversation with users from multiple tenancies belongs to the tenancy the user is from who created the tenancy in the first place. You can find that user (“Creator”) under Conversation Details and view that user’s profile.
  6. If you join a conversation in a foreign tenant as a cross-tenancy user, your profile data will be shown in that foreign tenant, but remains stored in your home tenancy (the one that gives you access to Unify Cloud Services). Activity Data which are collected by your activities in the foreign tenant are stored in that foreign tenancy and are under the Co-Control of the foreign tenant.

 

5 Recipients of Personal Data – GDPR (articles 13.1e / 14.1e)

Data you enter into OpenScape Cloud Services including your Personal Data might be shared with third parties. You have the right to be informed about that:

Unify Cloud Services are all about communication and collaboration between its users. So it naturally shares information among users. Your Personal Data are disclosed to other users in your tenancy, and if you join upon invitation a conversation in a foreign tenancy as a cross-tenancy guest, your Personal Data will be disclosed to the members of that conversation. See also exception 1 in section 11.

Your Profile Data will also be shared with your Tenant Administrators on Unify Cloud Services.

Unify will only share your Personal Data with approved internal or external sub-contractors for the purpose of delivering the service and supporting you as a user. Sub-contractors are listed in section 6.

Unify Cloud Services however have features which, when activated by the tenant administrator or by users, disclose Personal Data, for example

  • Your Tenant might assign tenant administration privileges to the reseller the business purchased the cloud service from
  • You might be invited to conversations in foreign tenancies of Unify Cloud Services as a cross-tenancy guest
  • Unify Cloud Services might be federated with other cloud services or connected to your tenants VoIP system which will transmit some of your personal data

We only provide the technical features. Your tenant administrator or you yourself activate these features and must be aware which personal data will be disclosed to whom under which circumstances.

6 Sub-Contractors and Transfers or Personal Data to Third Countries – GDPR (articles 13.1f / 14.1f)

Name Address Scope of Processing
IBM Deutschland GmbH IBM-Allee 1, 71139 Ehringen, Germany Data Center Services
Unify Service Center EOOD Business park Sofia 1 / building 1B, Mladost IV, 1766 Sofia, Bulgaria Technical Support Services
Atos IT Solutions and Services srl Bulevardul Muncii nr. 22A, 500281 Brasov, Romania Technical Support Services
Unify Communications S.A. Paseo Doce Estrellas, 2. CP, 28042 Madrid, Spain Technical Support Services
Unify Communications and Collaboration GmbH & Co. KG Wohlrabedamm 32, 13629 Berlin, Germany Technical Support Services
Unify Enteprise Communications A.E 455 Irakliou Ave, Iraklio, 14122 Athens, Greece Technical Support Services
Atos IT&Telecommunications Services SA 455 Irakliou Ave, Iraklio, 14122 Athens, Greece Technical Support Services
Cycos AG Niederlassung Alsdorf Joseph-von-Fraunhofer-Str. 7, 52477 Alsdorf, Germany Technical Support Services
Unify Service Centre SRL Bdul Muncii nr. 22A, 500281 Brasov, Romania Technical Support Services
Atos IT Solutions and Services Inc. 1630 Corporate Court, 75038 Irving, TX, U.S.A Technical Support Services
Unify Inc. 2650 N. Military Trail, Suites 100 and 250, 33431 Boca Raton, U,S.A Technical Support Services
Atos India Private Limited 10th Floor, Tower-B, Hcc-247 Park, Lal Bahadur Shastri Marg, Vikhroli (W), Mumbai 400083 Maharashtra, India Technical Support Services

 

Note that Unify belongs to the Atos group. Subcontractors within the Atos group (Unify, Cycos, Atos companies) are subject to Atos Binding Corporate Rules (see https://atos.net/content/dam/global/documents/atos-binding-corporate-rules.pdf) and EU Mandatory Clauses.

Storage Locations Provider
Amsterdam, Netherlands IBM Deutschland
Frankfurt a. M., Germany IBM Deutschland

 

7 Data Retention – GDPR (articles 13.2a / 14.2a)

Retention of Personal Data, and the deletion of Personal Data, is managed in Unify Cloud Services on three levels

  • Retention managed by Unify
  • Retention managed by Tenant
  • Retention you can manage

7.1 Data Retention Managed by Unify

We don’t delete data of Unify Cloud Services tenants on our own as long as the Cloud services agreement with the Tenant is in effect. Upon termination of the Unify Cloud Services agreement with your tenant, we delete all tenancy data at the end of the month following the effectiveness of the termination. As an example: if we receive a termination notice from the tenant or a reseller on April 14 with a notice period of three (3) months the termination goes into effect on July 15. At this point all access to the tenancy is suspended. We retain the tenancy with its data until end of August, in case the tenant wants to reverse cancellation or download data.

After this retention period after termination all tenancy data are deleted from the production system of Unify Cloud Services. They are still available in the automatic data-base back-ups we take to ensure high service availability. Back-ups still containing data of the terminated tenancy are finally deleted after 4 weeks. At this point tenancy data including your Personal Data are irreversibly deleted.

Profile, Activity, Transient and Session Data are included in client logs, which your Unify Cloud Services Client Software will collect if you use the “Report an Issue” feature on Unify Cloud Service Circuit. This data is transmitted to technical support centers of Unify Cloud Services listed in section 5 to allow support staff to conduct trouble shooting of the issue you reported. Such log data have a retention period of 6 months. Logging and tracing data which may be provided to software suppliers are anonymized.

Notes

  1. Termination notice period and retention after termination might be different for specific customer arrangements. Please inquire with your tenant if there are different arrangements agreed with Unify.
  2. Conversation and Activity Data you leave as a cross-tenancy guest in foreign tenancies are not affected by the termination of your Tenant (i.e. the one that gives you access to Circuit), but are still controlled by the foreign tenant. Please inquire with the foreign tenant on deletion.

7.2 Data Retention Managed by Tenant

Unify Cloud Services allow tenants to set a specific retention period (e.g. 24 months) for conversation data, i.e. postings, uploaded documents or recordings, counting from the day the data were entered by the user. Data which have aged beyond that retention period are automatically deleted with a 4 weeks delay for deletion in back-ups. This retention mechanism affects all users of the tenant.

If the Tenant removes you as a user of Unify Cloud Services, e.g. because you are leaving the company, the following will happen:

  • Your Profile Data (see section 4) are deleted, except for your name
  • Your Conversation Data (see section 4) are not deleted, nor are your Activity data, and they are still related to your name. We honor the right of Tenants in these data, since they might be important and valuable work results of your work for the business.
  • For 4 weeks after deletion from the production data base deleted data will remain available in back-ups.
    The tenant has however the following additional option (again with 4 weeks availability in back-ups):

The tenant administrator can anonymize your name by a code name, while still retaining your Conversation Data, which are then not shown under your name any more but the code name. See exception 2 in section 11.

The decision, which deletion method to apply, is with the Tenant. Please contact the tenant administrator or your DPO for questions.

Notes:

Session Data are only stored as long as the session is active. Transient Data are not stored at all.
Conversation and Activity Data you leave as a cross-tenancy guest in foreign tenancies are not affected by data retention managed by your home tenant (i.e. the one that gives you access to Circuit), but by the foreign tenant Please inquire with the foreign tenant on deletion

7.3 Data Retention You Can Manage

Unify Cloud Services give the following options to you as a user

  • You can delete most of your Profile Data. If a data field cannot be deleted then it is because the data field was provisioned and is controlled by the tenant. Please inquire with your tenant about deletion.
  • You can delete Conversation Data, but be advised that, if you do so, it creates an Activity log on the conversation that you deleted the post. This is because you shared your post with conversation members, and they should be able to know that you deleted the post.
  • You can disable transient data, such as location and presence

What you cannot delete

  • Your name from your conversation data, since this would affect other conversation members. However, unless provisioned by the Tenant, you make change your name for anonymization, if required.
  • Activity Data, since this would also affect other conversation members and our ability to trouble shoot a technical problem which you might report to us
  • Session Data during the session, since this would destroy the session.

8 Your Rights as a Data Subject and How to Exercise Them

The GDPR gives you powerful rights in regards to your personal data. You can exercise your rights, i.e. place your requests with both Controllers, i.e. your Tenant and Unify. Since your Tenant gives you access to Unify Cloud Services, and defines the purpose of its usage, we generally engage with the Tenant before executing a request. We therefore recommend that you place your request with the Tenant, who can give you a profound answer on your requests from the perspective of your business and execute most of your requests on the Tenant Administration for Unify Cloud Services. We have reserved the right from our tenants in the Data Processing Agreement that in case of a conflict between you and your Tenant, we may, after due consideration of the legal circumstances with the tenant, execute your request against the advice of the tenant, if required.

You can place requests in regards to your Personal Data with Unify either via the DPO shown in section 2 or via the following functional email address: askGDPR@atos.net

  1. Right of Access to Personal Data – GDPR (article 15)
    You can access all Personal Data directly on Unify Cloud Services. Your Profile Data are shown under Profile on Unify Cloud Services. For OpenScape Cloud (VoIP) your Circuit name is synchronized to the included with the VoIP back-end systems at Unify and with deployed phones. Your Activity Data are shown in the conversations you were active in, including the phone call conversation and depending on configuration also on phone devices. If you have been offline and e.g. missed calls this information will be shown on your Unify Cloud Services client.
  2. Right to Rectification Personal Data – GDPR (article 16)
    You can rectify most of all Profile Data yourself on Unify Cloud Services unless provisioned by your tenant, e.g. from a directory system of your business. Please contact your Tenant for rectification. If Activity, Transient or Session Data are incorrect, it is most likely because of a SW defect. Please use the mechanisms offered by your Tenant of Unify Cloud Services to open a trouble ticket.
  3. Right for Erasure of Personal Data – GDPR (article 17)
    Please see section 6 on Data Retention on details how to delete (erase) Personal Data. We recommend placing a request with your Tenant, but you can also place the request with Unify, in which case we would follow up with your tenant.
  4. Right to Restrict Processing – GDPR (article 18)
    Under specific circumstances, e.g. if you consider processing of your personal data inaccurate, unlawful, or no longer required, or if there is a pending objection from

    • your side to the processing, you have the right to request a restriction of processing. We recommend placing a request with your Tenant, but you can also place the request with Unify, in which case we would follow up with your tenant. In case we restrict processing upon your request the following will happen:
    • Your Profile Data will be deleted, and your name will be anonymized (service request)
    • We keep your account in Unify Cloud Services including all conversation data accessible to conversation members, but not any longer under your name. Same with Activity Data
    • You lose access to your account
    • You can give your tenant or us instructions on further processing If you decide to lift the restriction again and resume your account on Unify Cloud Services, your account will be unsuspended. You and your Tenant can re-enter your profile data, your conversation data will appear again under your name.
  5. Right to Object Processing – GDPR (article 21)
    You have the right to object processing of personal data under certain circumstances related to section 3 of this document (Purpose and Legal Basis for Processing). Since these establishing these criteria are with the tenant we recommend placing a request with your tenant, but you can also place the request with Unify, in which case we would follow up with your tenant.
  6. Right to Withdraw Your Consent – GDPR (article 7.3 / 13.2c / 14.2d)
    We do not collect consent from you in the sense of GDPR (6-7) as a legal basis for processing your Personal Data. Establishing that legal basis is the responsibility of your Tenant. In case your tenant collects your consent, you would have to withdraw that consent with your Tenant.
  7. Right to Data Portability – GDPR (article 20)
    You can cut and paste your profile data from Unify Cloud Services. There is no use of porting Activity Data. We do not allow users to download conversation data since we respect the rights your Tenant might have in your Conversation Data. Yet Unify Cloud Services give tenants the option to download the complete data stored in the tenancy or the data of a specific user only. We recommend placing a request with your Tenant, but you can also place the request with Unify, in which case we would follow up with your Tenant.
  8. Right to lodge a complaint with a Data Protection Authority – GDPR (article 13.2d / 14.2d / 77)
    You have the right to lodge a complaint about the processing described in this document with the data protection authority of your country or of the Federal Republic of Germany.

9 Is it a Statutory or Contractual Requirement to Provide Personal Data ? – GDPR (article 13.2(e))

Yes. As a user of Unify Cloud Services you must be identifiable to Unify and the tenant at least by your name and email address. Depending on the services you need to provide your business phone number. Beyond that Unify has no more requirements for you to provide your personal data, but your tenant might have. Please inquire with your Tenant in case of concerns.

10 Automated Decision Making

There is no automated individual decision making and profiling about you on Unify Cloud Services.

11 Known Exceptions

The table below provides a list of know exceptions which Unify is committed to resolve in short timeframe. Once an exception is resolved we will update this document

Nr Exception Impact to you Unify Resolution Plan Resolution Timeframe
1. Users of Unify Cloud Services in foreign tenants can invite you into a conversation via your email address as unique identifier on Unify Cloud Services. By doing so, such users can see your Profile Data before you actually join the conversation you are invited to. Unify will fi Users of foreign tenancies can query your Profile Data if they know your email address.

If you are concerned you can delete elements of your Profile Data which you don’t want to share outside your tenancy until the issue is resolved by Unify

User can chose if they want to share profile information with external users or not End of June 2018
2. Tenant administrators cannot anonymize of a deleted user from Unify Cloud Services Tenant Administration. Instead a service request has to be placed to Unify As long as you are an active user you can anonymize your name unless your name has been provisioned by a directory system outside Unify Cloud Services. As soon as you are deleted as a user your name cannot be anonymized Administrator can place a service request on us to change a deleted users name so their name in historic posts End of June 2018

Unify Cloud Services Sign-up and Commercial Processing

Information on Processing of Personal Data for Customer and Billing Contacts

(Effective May 15, 2018)

 

If you sign-up for Unify Cloud Services as a Customer Contact or serve as a Billing Contact, or if you are a Partner Tool User for Unify Cloud Services, this document is for meant you ! Some of the data processed in the Sign-up and Commercial Processing for Unify Cloud Services are your Personal Data (“Personal Data” is defined as any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity).

If you are a citizen of the European Union the processing of your Personal Data is protected by the General Data Protection Regulation (the “GDPR”), which you can find under http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679 in all EU languages.

Unify operates multiple cloud services. This document applies to the public instances of Unify Cloud Services. You can identify public instances by the URLs https://eu.yourcircuit.com and https://na.yourcircuit.com.

1 Controller – GDPR (articles 13.1a / 14.1a)

The Controller is directly accountable to you for the protection of your Personal Data in the sense of GDPR. Among other responsibilities, the Controller, according to the GDPR,

  1. Defines the purpose of processing of your Personal Data
  2. Defines the means of processing of your Personal Data
  3. Responsible for Accuracy, Quality, Legality, Reliability of Personal Data
  4. Provides information to you about your Personal Data and the modalities for the exercise of their rights
  5. Implements measures to secure and protect of your Personal Data
  6. Notifies the competent data protection supervisory authority in case of a data breach.

 

For cloud services like Unify Cloud Service, neither Unify nor the business you represent can be the sole Controller. Instead we have a Joint Controller situation, as defined by the GDPR (article 26).

The responsibility split is as follows

  1. Unify defines the purpose of processing of your Personal Data
  2. Unify defines the means of processing of your Personal Data
  3. Your business is responsible for Accuracy, Quality, Legality, Reliability of Personal Data provided to Unify
  4. Your business is responsible to provide information to you about your Personal Data
  5. Unify implements measures to secure and protect of your Personal Data
  6. Unify is responsible to notify the competent data protection supervisory authority in case of a data breach.

 

The GDPR requires Joint Controllers to sign a contract on how to jointly execute controller responsibilities. This document is called Data Processing Agreement (DPA). You can find it under https://unify.com/en/data-protection. It is also available to you on Unify Cloud Service at any point in time.

Unify as one of the two Co-Controllers is the following legal entity:

Unify Software and Solutions GmbH & Co. KG
Mies-van-der-Rohe-Strasse 6
80801 Munich, Germany,

hereunder “Unify” or “we”.

The second Co-Controller is the business you represent. Your business is contractually obligated by the DPA to you give you access to this document and to provide you will all the information we cannot provide you with, since we are not the sole Controller.

Note that you are or will most likely also be a user of Unify Cloud Services, which is a separate processing stream of your Personal Data covered by separate Data Processing Agreement (DPA) (https://unify.com/en/data-protection) you close on behalf of your company with Unify when you sign-up for Unify Cloud Services. This processing stream also has separate Information on Processing (https://unify.com/en/data-protection).

2 Data Protection Officer – GDPR (articles 13.1b / 14.1b)

Unify has appointed a Data Protection Officer (“DPO”) who has reviewed Unify Cloud Services Sign-up and Commercial Processing in regards to data protection. You can reach the DPO under the following email address: dp.it-solutions@atos.net

Depending on the size of the business your Tenant might also have a Data Protection Officer. You have the right to get the contact details from your Tenant.

3 Purpose and Legal Basis for Processing – GDPR (articles 13.1c,d / 14.1c / 14.2b)

If you sign-up for Unify Cloud Services you sign up on behalf of your business, not as an individual. With your sign-up you accept

  1. A Cloud services agreement on behalf of your business with your Unify Cloud Services Provider which may be Unify, a Unify or Atos local legal entity, or a reseller accredited by Unify.
  2. Two Data Processing Agreements (DPA) for Unify Cloud Services on behalf of your business directly with Unify as your Cloud Services Producer: One DPA for the processing of Personal Data of users of Unify Cloud Services and another DPA for Sign-up and Commercial Processing

 

In that process your business becomes a tenant of Unify Cloud Services with you being the representative of that tenant to Unify. Tenants of Unify Cloud Services must comply with the Terms of Service Production (TOSP) issued by Unify for Unify Cloud Services (https://unify.com/en/data-protection) , and with applicable laws, such as export control regulations. Tenants must not engage in unlawful activities on Unify Cloud Services.

If you obtain access to a partner tool for Unify Cloud Services your business as a Unify-accredited sales partner must have accepted the DPA for Resale and Co-Delivery Services / Commercial Processing (https://unify.com/en/data-protection)

In Sign-up and Commercial Processing for Unify Cloud Services we process your Personal Data for the following purposes:

  1. To be able to contact your business as a tenant of Unify Cloud Services through you (Customer Contacts)
    1. in regards to compliance to the TOSP and applicable laws,
    2. in case we need to notify your tenant on events or changes to the cloud service
  2. For export control compliance checks (Customer Contact)
  3. For ordering, billing and payment processes in case you decide for a paid subscription and have a direct cloud services agreement with Unify (Customer and Billing Contact)
  4. For reporting your sign-up and commercial transactions in regards to Unify Cloud Services to the Unify or Atos legal entity, or Unify-accredited reseller, if applicable (Customer Contact)
  5. To occasionally collect feedback from you on Unify Cloud Services and point you to additional offerings (Customer Contact)
  6. To give you a unique account on Unify’s Partner Tools for Unify Cloud Services, to manage your access rights, to provide technical support to you, and to provide audit trails where required (Partner Tool User).

 

The legal basis for this processing are

  • Legal and regulatory requirements to Unify as a Cloud Service Producer (purpose a) and b)),
  • Legitimate interest of your Unify Cloud Services Provider to conduct commercial transaction with your business, and to do so in an efficient, transparent and audit proof way (purpose c) and d))
  • Legitimate interest of Unify and accredited sales partners to support partners in selling Unify Cloud Services and to support customers

4 Categories of Personal Data – GDPR (articles 14.1d, 14.2(f))

Your Personal Data processed by Unify Cloud Services fall under the following categories:

  1. Profile Data: Personal Data you create about yourself or are entered by Customer Contact about you in our Processing frontends (see note a)), such as name, company, phone number, email address, business or billing address, passwords, etc.
  2. Activity Data: Data which are collected in relation to you as you use our frontends for processing (see note a)), such as log-on times, transaction records
    Compliance Check Data: Results of legally required compliance checks (Customer Contact)
  3. Payment Card Data: In case you use credit card payment
  4. Session Data: Personal Data are tied to a log-on session on our sign-up and commercial transaction tools (e.g. IP addresses).

 

Notes:

  1. Processing Front-ends: Unify uses the following front-end pages to process your data:
    • Sign-up to Circuit for customers with Unify: circuit.com/register (Customer Contact)
    • Sign-up for Circuit for customers of partners: A customized front-end page for each of Unify’s accredited partner (Customer Contact)
    • Portal shop: circuit.com/unifyportalshop (Customer Contact, Billing Contact)
    • Circuit Statistics: https://stats.circuit.com (Partner Tool User)
  2. We execute legally required compliance checks on Customer Contacts. If you get access to Unify Cloud Services when you sign-up the compliance checks have turned out a negative result (i.e. no compliance concerns). In case these checks turn out a positive result, you will not obtain access to Unify Cloud Services or not be able to perform a commercial transaction.
  3. In case you (Customer or Billing Contact) use Credit Card for payment, your payment card information is exclusively processed by two sub-contractors of Unify listed in section 6 (Zuora, Worldpay), both of which maintain proper PCI DSS certification. Only in case of a technical failure of the automated online payment processing, Unify will process your payment card information manually, for which Unify maintains a Self-assessment PCI DSS Questionnaire A and Attestation of Compliance.

5 Recipients of Personal Data – GDPR (articles 13.1e / 14.1e)

The recipients of your Personal Data are

  1. Unify as your Cloud Services Producer (Order Management, Billing, Sales, Technical Support)
  2. Unify sub-contractors involved in sign-up and commercial processing as listed in section 6
  3. The Unify or Atos legal entity, or the accredited reseller of Unify who you entered into a cloud services agreement with on Unify Cloud Services, i.e. your Unify Cloud Services Provider

6 Sub-Contractors and Transfers or Personal Data to Third Countries – GDPR (articles 13.1f / 14.1f)

Name Country Address Scope of Processing Data Protection Safeguards
IBM Deutschland GmbH Germany IBM-Allee 1, 71139 Ehringen Data Center Services EU-US-Privacy Shield
Amber Road Inc. USA 1 Meadowlands Plaza, East Rutherford, NJ, 07073 Global Trade Management Services EU-US-Privacy Shield
Zuora Inc. USA 3050 South Delaware Street,  Suite 301, San Mateo, CA 94403 Subscription Account Management and Billing Software Services, including payment capture via credit card EU Mandatory Clauses,
PCI DSS
Worldpay Limited U.K. 3 Hardman Square, M3 3EB Manchester Credit Card Payment Provider Services for customers in EU, Norway and Switzerland GDPR, PCI DSS
Atos Information Technology GmbH Germany Otto-Hahn-Ring 6, 81739 Munich, Germany Data Center Services Atos
Binding Corporate Rules
Unify Service Center EOOD Bulgaria Business park Sofia 1 / building 1B,  Mladost IV, 1766 Sofia Order and billing processing Atos
Binding Corporate Rules
TATA Consultancy Services Deutschland GmbH Germany/India Messe Turm Friedrich-Ebert-Anlage 49 60308 Frankfurt / Main Technicalsupport and operation of the Cloud Portal shop Under Review

 

The Atos Binding Corporate Rules are available under
https://atos.net/content/dam/global/documents/atos-binding-corporate-rules.pdf

IBM’s Privacy Shield Privacy Policy can be found under: https://www.ibm.com/privacy/details/us/en/privacy_shield.html.

Personal Data are stored in several IT systems which are located in the following data center facilities

Storage Locations

Provider

Amsterdam, Netherlands IBM Deutschland
Frankfurt a. M., Germany IBM Deutschland
Washington, DC, U.S IBM Deutschland
San Mateo, USA Zuora Inc
Munich, Germany Unify
Munich, Germany Atos Information Technology GmbH
Ireland, Germany Amber Road Inc.

 

7 Data Retention Period – GDPR (articles 13.2a / 14.2a)

For legal reasons contractual and compliance information on your subscription of Unify Cloud Services including your Personal Data has to be retained for 10 years after the termination of your subscription becomes effective. Your Personal Data will be deleted in December of the calendar year where the legal retention period ends.

8 Your Rights as a Data Subject

You are aware that the GDPR gives you the rights listed below. You can place requests in regards to your Personal Data with Unify either via the Data Protection Officer shown in section 2 or via the following functional email address: GDPR@atos.net

  1. Right to Access Personal Data – GDPR (article 15)
    • Customer Contact: Profile, Payment Card, and most Activity Data are accessible to you on Portal shop (section 4, note a)). All other data, including the results of legally required compliance checks can be obtained from Unify upon request (GDPR@atos.net)
    • Billing Contact: Profile Data can be obtained from your Customer Contact or upon request from Unify (askGDPR@atos.net).
    • Partner Tool User: Profile Data can be obtained from your Partner Tool Administrator (an employee of your company) or upon request from Unify (ssc-circuitusersupport@atos.net).
  2. Right to Rectify Personal Data – GDPR (article 16)
    • Customer and Billing Contacts: You can correct all Personal Data and Payment Card Data you entered at sign-up on Portal shop (section 4, note a)) if you are one of the tenant administrators of your Unify Cloud Services tenancy. If you find a mistake on a transaction record (Activity Data), please let us know via ssc-circuitusersupport@unify.com.
    • Partner Tool User: You can correct all Personal Data within the Partner Tool.
  3. Right for Erasure of Personal Data – GDPR (article 17)
    • Customer and Billing Contacts :You may chose not to act as Customer or Billing Contact for Unify Cloud Services on behalf of your business any longer and assign a new Customer or Billing Contact on Portal shop (section 4, note a)). Your profile data will then be deleted and replaced by the profile data of the new Customer or Billing Contact. Yet transaction records (Activity Data) will still be shown under your name for transparency reasons until finally deleted at the end of the retention period. Please contact Unify using the contacts described above in case of questions, concerns, or additional request (askGDPR@atos.net).
    • Partner Tool User: You may choose not to act as a customer care representative of your business. Your Profile Data (and access to the Partner Tool) can be removed by your Partner Tool Administrator or upon request to Unify via ssc-circuitusersupport@unify.com.
  4. Right to Restrict Processing – GDPR (article 18)
    • Customer and Billing Contacts : Under the GDPR you have, under certain circumstances, the right to restrict processing, e.g. if you consider processing by Unify to be inaccurate, unlawful, or no longer required, or if there is a pending objection from your side to the processing. You can request such restriction with indication of the reason from Unify using the contacts given above. Should the restriction prevent Unify from executing commercial processes (e.g. billing or payment collection) or from providing the Unify Cloud Service in compliance with applicable law, Unify will suspend Unify Cloud Services to you and your business, but this will not free your business from the obligation to pay for the Cloud services. Both parties. Unify and you work faithfully together to resolve the restriction so that processing can resume.
    • Partner Tool User: You can request restricted processing from Unify via ssc-circuitusersupport@unify.com. Your accounts on Unify partner tools for Unify Cloud Services will then be temporarily closed, but you ran resume at any time.
  5. Right to Object Processing – GDPR (article 21)
    • Customer and Billing Contacts: You have the right to object processing of Personal Data under certain circumstances related to section 3 of this document (Purpose and Legal Basis for Processing). Should the objection prevent Unify from executing commercial processes (e.g. billing or payment collection) or from providing the Unify Cloud Service in compliance with applicable law, Unify will suspend Unify Cloud Services to you and your business, but this will not free your business from the obligation to pay for the cloud services. Both parties. Unify and you work faithfully together to resolve the objection so that processing can resume.
    • Partner Tool User: You can object processing at Unify via askGDPR@atos.net. Your accounts on Unify partner tools for Unify Cloud Services will then be temporaily closed, but you ran resume at any time
  6. Right to Withdraw Your Consent– GDPR (articles 7.3 / 13.2c / 14.2d)
    We do not collect consent from you in the sense of GDPR (6-7) as a legal basis for processing your Personal Data.
  7. Right to Data Portability – GDPR (article 20)
    Since most Profile Data and Payment Card Data are accessible to you at any time (see under a), you can take copies of your Personal Data at any time. Activity and Compliance Check Data can be obtained upon request to the contacts given above. Given the nature of the data we see no actual use case of porting the data to another Controller as intended by the GDPR (article 20)
  8. Right to lodge a complaint with a Data Protection Authority – GDPR (articles 13.2d / 14.2d / 77)
    You have the right to lodge a complaint about the processing described in this document with the data protection authority of your country or of the Federal Republic of Germany.

9 Is it a Statutory or Contractual Requirement to Provide Personal Data ? – GDPR (article 13.2(e))

We will not provide Unify Cloud Services to a tenant without valid Customer Contact and we will not maintain a direct billing relationship with a tenant without valid Billing Contact. The reasons are explained in section 3. Having said that, there is no reason why you in particular must be Customer or Billing Contact, and you can assign other representatives of our business as Customer or Billing Contacts.

10 Automated Decision Making

Compliance checks as a legal requirement to give you access to Circuit may be performed by Unify automatically. Any positive results of such automated checks will be reviewed by trained Unify personnel before a decision is made to reject your sign-up or a commercial transaction, if necessary.

Marketing Data

Information on the Processing of Personal Data for Users

Effective as of April 30th 2018

 

Marketing data can be collected when you visit our website, when you complete an online form, over the telephone, in person, and can include Personal Data (“Personal Data” is defined as any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity).

If you are a citizen of the European Union the processing of your Personal Data is protected by the General Data Protection Regulation, (The “GDPR”), which you can find under http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679 in all EU languages.

The Personal Data you may share with Unify can be

  • your name and social media accounts (if personal accounts are provided),
  • Business details such as your work address, country, email, company name, job title, telephone number, existing providers, technology platforms
  • anonymized automatically generated identifiers such as device types, browser types, operating systems, screen ratios, IP addresses

When you visit one of our websites, download and install one of our apps, visit a building with active beacon technology or participate in a demonstration, we may use tracking identifiers to monitor the performance of these technologies: these are called cookies. These identifiers are normally anonymized except where you provide enriching data that can link the anonymized activity to you. You can disable cookies used in web tracking by blocking them in your browser settings. Every Unify and Atos app will provide detailed information on data collection before use. You can disable beaconing technology such as Bluetooth and NFC in your device settings and, during demonstrations you will be strongly advised to provide pseudononmised information.

1 Controller – GDPR (articles 13.1a / 14.1a)

The Controller is important for you: the controller is directly accountable to you for the protection of your Personal. Among other responsibilities, the Controller

  1. Defines the purpose of processing of your personal data
  2. Defines the means of processing of your personal data
  • Is responsible for the Accuracy, Quality, Legality, Reliability of Personal Data
  1. Provides information to you about your Personal Data and the modalities for the exercise of your rights
  2. Implements measures to secure and protect your Personal Data
  3. Notifies the competent data protection supervisory authority in case of a data breach.

 

For Marketing Data, Unify cannot be the sole Controller. Instead we have a Joint Controller situation, as defined by the GDPR (article 26).

The responsibility split is as follows

  1. You define the purpose of processing of your Personal Data
  2. Unify defines the means of processing of your Personal Data
  • Your are responsible for Accuracy, Quality, Legality, Reliability of Personal Data provided to Unify
  1. Your provide information to us about your Personal Data
  2. Unify implements measures to secure and protect of the Personal Data you provide to us
  3. Unify notifies the competent data protection supervisory authority in case of a data breach.
  • You can notify the competent data protection supervisory authorities in the case you believe a data breach has occurred.

The GDPR requires Joint Controllers to agree the details on how to jointly execute controller responsibilities. This document is called Data Processing Agreement (DPA). You can find it under https://unify.com/en/data-protection. It is also available to you on The Unify Data Protection Website at any point in time.

Unify as one of the two Co-Controllers is the following legal entity

Unify Software and Solutions GmbH & Co. KG
Mies-van-der-Rohe-Strasse 6
80801 Munich, Germany

The second Co-Controller is you as described in the responsibility split above.

2 Data Protection Officer – GDPR (articles 13.1b / 14.1b)

Unify has appointed a Data Protection Officer (“DPO”) who has reviewed Marketing Data with regards to Personal Data protection. You can reach the DPO at the following email address: dp.it-solutions@atos.net

3 Purpose and Legal Basis for Processing – GDPR (articles 13.1c,d / 14.1c / 14.2b)

Marketing data is used for the purposes of Marketing Unify and Atos solutions. This marketing can be broadly categorized intotwo distinct buckets.

  • Traditional Marketing: which can include Magazine Advertisements, Direct mailers, telephone calls, events.
  • Digital Marketing, which can include Search Engine Optimization, Search Advertisements, Display Advertisements, Social Media Content, Emails, Microsites. We use the marketing contact data that users provide directly to us for the purpose for which it was collected: to send requested content, schedule product demos, respond to questions, or to any other purpose as defined prior to collection. All users must opt in before we use their information for such marketing purposes.

We use marketing data to assess the effectiveness of various marketing initiatives.

We process marketing data based on our legitimate interest in direct marketing of our products and services. We also process marketing data based on consent given by individuals who opt in, where required, to our communications.

5 Recipients of Personal Data – GDPR (articles 13.1e / 14.1e)

We share marketing data with three different groups.

  • Atos Group Companies. Unify is owned by Atos SE and marketing data may be shared within the Group in order to better serve your interests. You will be asked to Opt-In to marketing from Atos Group Companies.
  • Unify Partners. To reach global scale Unify uses a network of distribution and resale partners. These partners are accredited to sell, deliver and service Unify products. By opting into Unify Marketing Data, you opt into the sharing of information with your local Unify Partner who will have agreed a Data Processing Agreement with Unify.
  • Service Providers. Unify uses third party service providers for marketing tooling across the full scope of marketing. Third parties are required to agree to a Data Processing Agreement with Unify. By opting into Unify Marketing Data you opt into sharing your information with these Service providers. Please see below for a list of our Service Providers. In some cases these Third parties may ask you to agree to their own Data Policies.

Unify is Headquartered in Germany and operates Binding Corporate Rules: Unify is part of Atos Group. Atos is the first IT company to have obtained approval of its Binding Corporate Rules (BCRs) by European data protection authorities both as a data controller and a processor. This approval evidences Atos’ commitment to the protection not only of its own data but also that of its clients: all Atos entities provide a very strong level of protection to Personal Data, regardless of their location in the world. The BCR are a commitment whereby the Atos Group Companies undertake to process Personal Data in accordance with a stringent level of protection to Personal Data it processes for its own needs (employee data, etc.) but also for the needs of its customers.

When Personal Data is transferred from within the European Economic Area or Switzerland to an area outside, we will ensure appropriate safeguards, consistent with the EU-US Privacy Shield and the Swiss-US Privacy Shield are followed.

6 Sub-Contractors and Transfers or Personal Data to Third Countries – GDPR (articles 13.1f / 14.1f)

Name Address Scope of Processing
Oracle Marketing Cloud – Eloqua
ORACLE Deutschland B.V. & Co. KG

Hauptverwaltung: Riesstraße 25, D-80992 München
Registergericht: Amtsgericht München, HRA 95603
Umsatzsteuer-Identifikationsnummer: DE129430206

Marketing Automation Platform
Unify Enterprise Communications LTD Second Floor, Mid City Place, 71 High Holborn, London, WC1V 6EA, United Kingdom Marketing Services
Tegrita Tegrita Consulting Group, First Canadian Place, 100 King Street West, Suite 5700, Toronto, ON, M5X 1C7 Marketing Automation Support Services
Tie Kinetix De Corridor 5d, 3rd Floor, Breukelen, 3621 ZA, Netherlands Through Partner Marketing Automation
Unify Inc 2650 N. Military Trail, Suites 100 and 250, 33431 Boca Raton, U,S.A Technical Support Services
Atos India Private Limited 10th Floor, Tower-B, Hcc-247 Park, Lal Bahadur Shastri Marg, Vikhroli (W), Mumbai 400083 Maharashtra, India Technical Support Services

 

7 Data Retention – GDPR (articles 13.2a / 14.2a)

7.1 Data Retention Managed by Unify

We will retain your Personal Data for no more than two (2) years from your last activity. Activity means you have taken an action that indicates you are still interested in receiving communications from Unify. That can include filling out a new webform, opening an email, responding to a social media post, or other actions that represent active participation.In all cases you are can opt out or unsubscribe from further marketing communications at any point in time.

7.2 Data Retention You Can Manage

Data such as Cookies can be managed by yourself in your browser settings.

8 Your Rights as a Data Subject and How to Exercise Them

You have the right to contact us to review, correct or delete Personal Data that you previously provided to us or that we collect about you. Please visit askGDPR@atos.net to make your request. We will respond to your request within a reasonable amount of time.

You have the right to lodge a complaint with the appropriate data protection authority.

You can place requests with regard to your Personal Data with Unify either via the DPO or via the following functional email address: askGDPR@atos.net

  1. Right of Access to Personal Data – GDPR (15)
    You can access all Personal Data directly held in Unify Marketing Data by contacting askGDPR@atos.net
  2. Right to Rectification Personal Data – GDPR (16)
    You can rectify most Personal Data held in Marketing Preference Center here http://go.unify.com/preferences-en
  3. Right for Erasure of Personal Data – GDPR (17)
    Please see section 6 on Data Retention on details how to delete (erase) personal data. We recommend placing a request with Marketing Data controller askGDPR@atos.net
  4. Right to Restrict Processing – GDPR (18)
    Under specific circumstances, e.g. if you consider processing of your personal data inaccurate, unlawful, or no longer required, or if there is a pending objection from your side to the processing, you have the right to request a restriction of processing. To do this here askGDPR@atos.net
  5. Right to Object Processing – GDPR (21)
    You have the right to object processing of personal data under certain circumstances related to section 3 of this document (Purpose and Legal Basis for Processing). To this email askGDPR@atos.net
  6. Right to Withdraw Your Consent – GDPR (7.3 / 13.2c / 14.2d)
    You have the right to withdraw your consent at any time you can do this by emailing askGDPR@atos.net Managing your preferences here http://go.unify.com/preferences-en or unsubscribing from any marketing email.
  7. Right to lodge a complaint with a Data Protection Authority – GDPR (13.2d / 14.2d / 77)
    You have the right to lodge a complaint about the processing described in this document with the data protection authority of your country or of the Federal Republic of Germany.

9 Automated Decision Making

There is no automated individual decision making and profiling about you on Unify Cloud Services.

Unify Centralized Business & Commercial Processing

(Except for Unify Cloud Services)

Information on Processing of Personal Data for Partner / Customer and Billing Contacts and Partner / Customer Tool Users

(Effective May 15, 2018)

 

If you serve as a Customer / Partner or Billing Contact in commercial transactions of a Customer or a Sales Partner with Unify, or if obtain access to a tool Unify provides to Sales Partners for commercial transactions with their Customers this document is meant for you ! Unify operates business and commercial processes and provides access to various tools to accredited Sales Partners and Customers to facilitate the business-to-business relationship from quotation to billing for Unify’s products, solutions and services. Some of the data processed by Unify throughout its operational model is your Personal Data (“Personal Data” is defined as any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity)..

This document addresses all individuals (known as “Data Subjects”) whose Personal Data is processed for these purposes, which are:

  1. “Customer Tool Users”: Individuals who use Unify-provided tools for commercial transactions
  2. “Partner Tool Users”: Individuals who participate in the buying, procurement, implementation or support of Unify solutions and who interact with Unify tools to support those functions
  3. “Customer / Partner and Billing Contacts” Individuals designated by the Customer or Sales Partner to interact with Unify in regards to offering, contracting, ordering and billing, payments, respectively..
    These individuals are jointly addressed by “you.” It is very possible that you could fall under both categories of ”Data Subject.” The business you represent is referred to as “Your Company”.

If you are a citizen of the European Union the processing of your personal data is protected by the General Data Protection Regulation, or GDPR, which you can find under http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679 in all EU languages.

1 Controller – GDPR (articles 13.1a / 14.1a)

The Controller is directly accountable to you for the protection of your Personal Data in the sense of GDPR. Among other responsibilities, the Controller, according to the GDPR,

  1. Defines the purpose of processing of your Personal Data
  2. Defines the means of processing of your Personal Data
  • Responsible for Accuracy, Quality, Legality, Reliability of Personal Data
  1. Provides information to you about your Personal Data and the modalities for the exercise of their rights
  2. Implements measures to secure and protect of your Personal Data
  3. Notifies the competent data protection supervisory authority in case of a data breach.

In our global, standard business model with and via accredited Sales Partners neither Unify nor Your Company is the sole Controller for Business and Commercial Processing. Instead we have a Joint Controller situation, as defined by the GDPR (article 26).

The responsibility split is as follows

  1. Unify defines the purpose of processing of your Personal Data
  2. Unify defines the means of processing of your Personal Data
  • Your Company is responsible for Accuracy, Quality, Legality, Reliability of Personal Data provided to Unify
  1. Your Company is responsible to provide information to you about your Personal Data
  2. Unify implements measures to secure and protect of your Personal Data
  3. Unify is responsible to notify the competent data protection supervisory authority in case of a data breach.

The GDPR requires Joint Controllers to sign a contract on how to jointly execute controller responsibilities. This document is called Data Processing Agreement (DPA). You can find it under https://unify.com/en/data-protection.

Unify as one of the two Co-Controllers is the following legal entity:

Unify Software and Solutions GmbH & Co. KG
Mies-van-der-Rohe-Strasse 6
80801 Munich, Germany,

hereunder “Unify”, or “we”

The second Co-Controller is Your Company, which is contractually obligated by the DPA to give you access to this document and to provide you will all information we cannot provide you with since we are not the sole controller.

Note that direct business with Customers is in the responsibility of Unify or Atos local legal entities and is governed by individual Data Processing Agreements which might assign the sole Controller role to the Customer and the Processor role to Unify. In this case, Your Company has the sole responsibility to interact with you in regards to the protection of your Personal Data.

2 Data Protection Officer – GDPR (articles 13.1b / 14.1b)

Unify has appointed a Data Protection Officer. You can reach the data protection officer under the following email address: dp.it-solutions@atos.net

Depending on the size of the business Your Company might also have a Data Protection Officer. You have the right to get the contact details from Your Company.

3 Purpose and Legal Basis for Processing – GDPR (articles 13.1c,d / 14.1c / 14.2b)

In Business & Commercial Processing (Unify Cloud Services excepted) we process your Personal Data for the following purposes:

  1. To be able to contact Your Company as a contract holder for a Unify product, service and solution (Customer Contact), or of a Sales Partner relationship (Partner Contact)
    1. In regards to the understanding, fulfilment, change or termination of the contract
    2. In case we need to notify you or Your Company about events that might impact the Unify product, service, or solution that you’ve contracted Unify to provide or that you are already operating
  2. For export control compliance checks (Customer Contact, Partner Contact)
  3. For ordering, billing and payment processes in case of order delays, delivery questions or billing/payment inquiries (Customer and Billing Contact)
  4. For reporting commercial transactions to the Unify or Atos legal entity, or Unify-accredited reseller, if applicable (Customer and Partner Contact)
  5. To give you access to Unify tools supporting Business and Commercial processes, to manage you access rights, to monitor tool usage according to the applicable Unify-released terms and conditions, to support you in case of technical issues (Customer or Partner Tool User).

The legal basis for this processing are:

  • Legal and regulatory requirements to Unify as manufacturer of products and solutions and provider of services (purpose a) and b)),
  • Legitimate interest of your Unify to conduct commercial transaction with Your Company, and to do so in an efficient, transparent and legally complaint way (purpose c) and d))
  • Legitimate interest of Unify and accredited sales partners to support partners in selling Unify Cloud Services and to support customers (purpose e)).

4 Categories of Personal Data – GDPR (articles 14.1d, 14.2(f))

Your personal data processed by Business & Commercial Processing (Unify Cloud Services excepted)fall under the following categories:

  1. Profile Data: Personal Data which you enter yourself, or personnel of Unify or Sales Partner obtain from you and enter into our processing systems, such as name, company, phone number, email address, business, shipping or billing address, passwords, etc. (Partner / Customer Contact, Billing Contact, Partner Tool User)
  2. Activity Data: Data which are collected in relation to you as you use Unify provided tools , such as log-on times, transaction records (Partner Tool User)
  3. Compliance Check Data: Results of legally required compliance checks (Customer and Partner Contact)
  4. Session Data: Personal Data are tied to a log-on session on our sign-up and commercial transaction tools (e.g. IP addresses). (Partner Tool User)

 

Notes:

  1. We execute legally required compliance checks. If you are able to purchase a Unify products, solutions and services then the compliance checks have turned out a negative result. In case these checks turn out a positive result, you will not be able to perform the transactions required to acquire a Unify product, solution, or services. Legally required compliance checks are executed against sanctioned party lists published by applicable government authorities.

5 Recipients of Personal Data – GDPR (articles 13.1e / 14.1e)

The recipients of your Personal Data are

  1. Unify as your supplier for products, solutions and services (Order Management, Billing, Sales, Technical Support)
  2. Unify sub-contractors involved in Business and Commercial Processing (except for Unify Cloud Services) as listed in section 6
  3. The Unify or Atos local legal entity, or the accredited reseller of Unify who you entered into a purchase, service or reseller agreement with

6 Sub-Contractors and Transfers or Personal Data to Third Countries – GDPR (articles 13.1f / 14.1f)

 

Name Country Address Scope of Processing Data Protection Safeguards
Salesforce.com Germany Erika-Mann-Str. 31 80636 München, Germany Customer Relationship Management Software as a Service EU Mandatory Clauses
Callidus Software Inc. USA 4140 Dublin Blvd #400, Dublin, CA 94568, USA Configuration, Pricing, Quoting Software as a Service, for Unify Products, Solutions and Services EU Mandatory Clauses
Zyme Solutions Inc. USA 9600 Great Hills Trail, Suite 300E Austin, TX 78759 Channel data management services EU-US Privacy Shield
Eloqua Germany ORACLE Deutschland B.V. & Co. KG, Riesstraße 25

80992 München, Germany

Marketing Automation Software as a Service EU Mandatory Clauses
factory42 Germany Rosenheimer Straße 145

81671 München, Germany

Salesforce.com Customization for Unify GDPR, DPA
Menticorp AG Switzerland Ronis 5
CH-9050 Appenzell
Salesforce.com SAP integration EU Adequacy Decision
Atos India Private Limited India Plot 8B, RMZ Centennial,
Campus-B, 5th Floor,
ITPL Main Road, Whitefield,
Bangalore 560048
Karnataka, India
Operation and Technical Support Infrastructure & Data Management Atos
Binding Corporate Rules
Unify Service Center EOOD Bulgaria Business park Sofia 1 / building 1B,  Mladost IV, 1766 Sofia Order and billing processing Atos
Binding Corporate Rules
Germany / India/Hungary Messeturm
60308 Frankfurt
Technical Support of Portal and Back-End Systems In Review

 

The Atos Binding Corporate Rules are available under
https://atos.net/content/dam/global/documents/atos-binding-corporate-rules.pdf

EU Adequacy Decisions: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

EU-US Privacy Shield Policies:

Personal Data are stored in several IT systems which are located in the following data center facilities

Storage Locations

Provider

Frankfurt, Germany Salesforce.com
Frankfurt, Germany Callidus Cloud
Munich, Germany Unify
Munich, Germany Atos Information Technology GmbH
In Review Eloqua
USA Zyme

 

7 Data Retention Period – GDPR (articles 13.2a / 14.2a)

7.1 Retention Managed by Partner or Customer

Unify employs a central entitlement management system for Partner / Customer Tool Users which allows a Partner / Customer Account Administrator to create and delete users and to manage their access rights. If a Tool User is deleted Profile Data are deleted, but Activity Data related to transactions the Too User performed on these tools are retained as legally required to provide proof of the transaction. See also section 7.2.

7.2 Retention Managed by Unify

Customer and Billing Contacts: For legal reasons contractual and compliance information on your subscription of Unify Cloud Services including your Personal Data has to be retained for 10 years after the termination of your subscription becomes effective. Your Personal Data will be deleted in December of the calendar year where the legal retention period ends.

Partner Tool Users: Partner Tool users are given access by Partner Account Administrators who are also supposed to delete users which don’t need access any more (e.g. because they have left the company). In addition, Unify performs every year in January and activity review: Partner Tool Users who have not been active in the fourth calendar quarter of the previous year will receive an email notice from Unify requesting confirmation whether access to Partner Tools is still required. In case you as a Partner Tool User

  • Confirm before end of March that access is not no longer Unify will terminate your access and delete your Profile Data
  • Confirm before end of March that access continues to be required, Unify will leave your access and Profile Data untouched
  • Do not respond before end of March Unify will suspend your account until end of June and terminate your access and delete your Profile Data in July unless you request account re-activation before end of June.

Hence, if you are not using your access your Personal Data will be “forgotten” the latest 19 months after you stopped using the partner tool.

8 Your Rights as a Data Subject

You are aware that GDPR gives you the rights listed below. You can place requests in regards to your personal data with Unify either via the Data Protection Officer shown in section 2 or via the following functional email address: askGDPR@atos.net

  1. Right to Access Personal Data – GDPR (article 15)
    • Partner / Customer Tool User: Profile Data and Activity Data can be obtained from your Partner /Customer Account Administrator or upon request from Unify (askGDPR@atos.net).
    • Partner / Customer Contacts and Billing Contacts: If you are also a Partner / Customer Tool user you can see Activity data on your respective tool account. Otherwise please contact askGDPR@atos.net.
  2. Right to Rectify Personal Data – GDPR (article 16)
    • Partner / Customer Tool User: You can correct Profile Data on your Unify Tool account or have your Partner / Customer Account Administrator do that. I addition, you can request rectification from Unify via askGDPR@atos.net.
    • Partner / Customer Contacts and Billing Contacts: If find incorrect Profile or Activity Data please contact Unify via askGDPR@atos.net for rectification.
  3. Right for Erasure of Personal Data – GDPR (article 17)
    • Partner / Customer Tool User: See section 7, or contact askGDPR@atos.net.Partner / Customer Contacts and Billing Contacts: You may chose not to act as
    • Partner / Customer Contacts and Billing Contacts for Unify Business & Commercial Processing (Non-Cloud)on behalf of Your Company any longer and assign a new Partner / Customer Contacts and Billing Contact by contacting your Unify account team or askGDPR@atos.net. Your profile data will then be deleted and replaced by the profile data of the new Partner / Customer Contacts and Billing Contact. Transaction records (Activity Data) will still be shown under your name for transparency reasons until finally deleted at the end of the retention period. Please contact Unify using the contacts described above in case or questions, concerns, or additional requests).
  4. Right to Restrict Processing – GDPR (article 18)
    • Partner / Customer Tool User: You can request restricted processing from askGDPR@atos.net. Your accounts on Unify Partner / Customer Tools will then be temporarily closed, but you can resume at any time.
    • Partner / Customer Contacts and Billing Contacts: Under GDPR you have, under certain circumstances, the right to restrict processing, e.g. if you consider processing by Unify inaccurate, unlawful, or no longer required, or if there is a pending objection from your side to the processing. You can request such restriction with indication of the reason from Unify (askGDPR@atos.net). Should the restriction prevent Unify from executing commercial processes (e.g. billing or payment collection) or from providing the Unify Business & Commercial Processing (Non-Cloud) in compliance with applicable law, Unify will suspend all pending business and commercial transactions to you and Your Company, but this will not free your business from the obligation to pay for Unify products, solutions, and services that have already purchased. Both parties, Unify and you, will work faithfully together to resolve the restriction so that processing can resume.
  5. Right to Object Processing – GDPR (article 21)
    • Partner / Customer Tool User: You can request object processing from askGDPR@atos.net. Your accounts on Unify Partner / Customer Tools will then be closed, but you can resume at any time.
    • Partner / Customer Contacts and Billing Contacts: You have the right to object processing of personal data from Unify (askGDPR@atos.net) under certain circumstances related to section 3 of this document (Purpose and Legal Basis for Processing). Should the objection prevent Unify from executing commercial processes (e.g. billing or payment collection) or from providing the Unify communication and collaboration solution in compliance with applicable law, Unify will suspend all pending business and commercial transactions to you and your business, but this will not free your business from the obligation to pay for Unify communication and collaboration solutions that have already purchased. Both parties, Unify and you, will work faithfully together to resolve the objection so that processing can resume.
  6. Right to Withdraw Your Consent– GDPR (articles 7.3 / 13.2c / 14.2d)
    We do not collect consent from you in the sense of GDPR (6-7) as a legal basis for processing your personal data.
  7. Right to Data Portability – GDPR (article 20)
    • Partner / Customer Tool User: Since most Profile Data are accessible to you at any time (see under a), you can take copies of your Personal Data at any time. Activity and Compliance Check Data can be obtained upon request to the contacts given above.
    • All data subjects: Given the nature of the data we see no actual use case of porting the data to another Controller as intended by GDPR (20)
  8. Right to lodge a complaint with a Data Protection Authority – GDPR (articles 13.2d / 14.2d / 77)
    You have the right to lodge a complaint about the processing described in this document with the data protection authority of your country or of the Federal Republic of Germany.

9 Is it a Statutory or Contractual Requirement to Provide Personal Data ? – GDPR (article 13.2e)

We will not provide Unify products, solutions, and services or access to Unify’s commercial and business tools without valid Customer Contact, and we will not maintain a direct billing relationship with a customer without a valid Billing Contact. The reasons are explained in section 3. Having said that, there is no reason why you in particular must be Customer or Billing Contact, and you can assign other representatives of our business as Customer or Billing Contacts.

10 Automated Decision Making – GDPR (articles 13.2f, 14.2g, 22)

Compliance checks as a legal requirement to give you access to Circuit may be performed by Unify automatically. Any positive results of such automated checks will be reviewed by trained Unify personnel before a decision is made to reject your sign-up or a commercial transaction, if necessary.

Unify Centralized Supply Chain

Information on Processing of Personal Data for Customer and Sales Partner Contacts, Partner Tool Users and Unify Device Users

 

Unify provides Unified Communication and Collaboration product s and services directly or via partners to customers and users, which necessitates data processing at Unify, enabling portfolio ordering, billing and delivery through Supply chain processes which may contain your Personal Data (“Personal Data” is defined as any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity).

If you are a citizen of the European Union the processing of your Personal Data is protected by the General Data Protection Regulation, or short GDPR, which you can find under http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679 in all EU languages.

This document addresses all individuals whose personal data are processed (“Data Subjects”) for these purposes, which in general are

  • “Partner / Customer Tool Users”: Individuals who participate in the ordering , payment and technical support of Unify solutions and who interact with Unify tools to support those functions
  • “Customer / Partner Contacts”: Individuals designated by the Customer or Partner to interact with Unify in regards to offering, contracting, ordering and billing, payments, respectively..
  • “Unify Device Users” are individuals who use product from Unify, such as phones, which may be subject to repair processes.
    These individuals are jointly addressed by “you” in this document. With “Your Company” we mean the business you represent as a Customer or Partner Contact. Note, this document excludes users of Unify Cloud Services, for which separate processes exists which are covered by a separate Information on Processing document.

1 Controller – GDPR (articles 13.1a / 14.1a)

The Controller is directly accountable to you for the protection of your Personal Data. Among other responsibilities, the Controller, according to the GDPR,

  1. Defines the purpose of processing of your Personal Data
  2. Defines the means of processing of your Personal Data
  • Responsible for Accuracy, Quality, Legality, Reliability of Personal Data
  1. Provides information to you about your Personal Data and the modalities for the exercise of their rights
  2. Implements measures to secure and protect of your Personal Data
  3. Notifies the competent data protection supervisory authority in case of a data breach.
    For Unify Supply Chain processes, neither Unify nor Your Company can be the sole Controller. Instead we have a Joint Controller situation, as defined by the GDPR (article 26).

 

The general responsibility split is as follows

  1. Unify defines the purpose of processing of your Personal Data
  2. Unify defines the means of processing of your personal data
  • Your Company is responsible for Accuracy, Quality, Legality, Reliability of Personal Data provided to Unify
  1. Your Company provides information to you about Personal Data
  2. Unify implements measures to secure and protect of your Personal Data
  3. Unify notify the competent data protection supervisory authority in case of a data breach.

 

The GDPR requires Joint Controllers to sign a contract detailing the split of responsibilities as co- controller. This document is called Data Processing Agreement (DPA). You can find it under https://go.unify.com/Dataprotection. Your Company needs to have such an agreement in place with Unify or a Unify Local Company in order to execute supply chain processes.

Unify as one of the two Co-Controllers is the following legal entity

Unify Software and Solutions GmbH & Co. KG
Mies-van-der-Rohe-Strasse 6
80801 Munich, Germany,

hereunder “Unify” or “we”.

The second Co-Controller is Your Company. Your Company is contractually obligated by the DPA to give you access to this document and to provide you with all the information that in its area of responsibilities it has to be provided to you to comply with its obligations under the GDPR and which information we are not able to provide to you.

2 Data Protection Officer

Unify has appointed a Data Protection Officer who has reviewed Unify’s Supply chain processing in regards to data protection. You can reach the data protection officer under the following email address:  dp.it-solutions@atos.net

The second Co-Controller is Your Company. Your Company is contractually obligated by the DPA to you give you access to this document and to provide you will all the information we cannot provide you with, since we are not the sole Controller.

3 Purpose and Legal Basis for Processing – GDPR (articles 13.1c,d / 14.1c / 14.2b)

You have the right to understand the purpose and legal basis for the processing of your Personal Data in Unify Supply Chain processes. There are various for purposes for processing your Personal Data in Unify Supply Chain processes

  1. Ability to contact you, to notify you, or to ask you about matters related to your business with Unify in the areas of order, delivery and billing of Unify Portfolio.
  2. For compliance with export control regulations, sanction party screening or other applicable legislation
  3. The ability to accept and process order and to address and follow-up on commercial documents
  4. To manage, track and control (incl. Proof of ownership) usage of SW licenses granted to your company by Unify
  5. Deletion of Personal Data of Unify Device Users on devices sent to Unify for repair or replacement prior to shipping to the manufacturer who might be located outside the European Economic Area (EEA) (Unify Device User)

 

The legal basis for this processing are

  • Legal and regulatory requirements to Unify as a manufacturer ( a,b c,e ),
  • Legitimate interest of Unify to conduct commercial transaction with your business, and to do so in an efficient, transparent and audit-proof way (a,c,d,)
  • Legitimate interest of Your Company (a,c,d)
  • Protection of your Personal Data as per GDPR (see above: purpose e))

4 Categories of Personal Data – GDPR (articles 14.1d, 14.2(f))

Your Personal Data processed by Unify Supply Chain processes fall under the following categories:

  • Profile Data: Personal data you create about yourself or are assigned to you by Your Company, in particular salutation, name, surname, Job title, Postal Address, email address, username, password, phone/fax numbers, user role*, language and department.
  • Activity Data: Personal data collected by Supply Chain/Entitlement system from your use of our Supply Chain processes, in particular Login Date / Log out (Logfiles), Password failure / new PW creation, Transaction Records, and Cookies
    Note: Personal Data of users of Unify devices will be deleted directly before any repair activities take place. This includes private address books of you as Unify Device Users, which contain Personal Data of your contacts.

*Not changeable by data subject

5 Recipients of Personal Data – GDPR (articles 13.1e / 14.1e)

Personal Data entered into Unify Supply Chain processes might be shared with third parties. You have the right to be informed about that. Unify will only share your Personal Data with approved internal or external sub-contractors for the purpose of executing Supply Chain processes. Sub-contractors are listed in section 6. Recipients of your data are:

  1. Unify (Finance, Supply Chain, Sales, Service, IT)
  2. Unify sub-contractors involved in sign-up and Supply Chain processing as listed in section 6
  3. The company who has purchased Unify products and services and has given you access to these systems as a Contact Person (“Your Company”)
  4. The Unify or Atos legal entity or their approved sub-contractors, or the accredited partner of Unify who has sold/maintains Unify portfolio to Your Company (“Involved Partner”)
  5. In case of Tier 2 Business, involved Unify Accredited Distributor, displayed upon request
  6. Administrators of accredited Partners for their employees

6 Sub-Contractors and Transfers or Personal Data to Third Countries – GDPR (articles 13.1f / 14.1f)

Name Address Scope of Processing Data Protection Safeguards
ICTERRA Bilgi ve Iletisim Teknolojileri San.Tic.A.S. Galyum Blok Kat:2, No:3 ODTU-Teknokent  06531 Ankara, Turkey Supply Chain tool  development, system operation as well as support and maintenance for both Under review
Atos Information Technology  GmbH Otto-Hahn-Ring 6
81739 München, Germany
Application Hosting / Operation and Technical Support Infrastructure & Data Management Binding Corporate Rules
Nagarro GmbH Aidenbachstr. 42
81379 München, Germany
Technical User Support GDPR
Geis Industrie-Service GmbH Kraftwerkstraße 25, 91056 Erlangen-Frauenaurach, Germany GDPR
Leesys – Leipzig Electronic Systems GmbH Hertzstraße 2, 04329 Leipzig Germany GDPR
Fideltronik S.A. Cystersów 19
31-553 KRAKÓW, Poland
GDPR
Grossenbacher Systeme AG Spinnereistrasse 10
CH-9008 St. Gallen, Switzerland
EU Adequacy Decision
BHDS GmbH Inh. Ralf Bender Rotwandweg 3
82024 Taufkirchen, Germany
Gigaset Communications GmbH Frankenstr. 2a
46395 Bocholt, Germany
Media5 Corporation
4229 Garlock Street
SHERBROOKE – QC QC J1L 2C8, Canada
EU Adequacy Decision
GE Intelligent Platforms
GmbH & Co. KG
Memminger Str. 14
86159 Augsburg, Germany

 

The Atos Binding Corporate Rules are available under
https://atos.net/content/dam/global/documents/atos-binding-corporate-rules.pdf

EU Adequacy Decisions: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

Personal Data are stored in several IT systems which are located in the following data center facilities

Storage Locations

Provider

München, Germany Atos Information Technology  GmbH)

 

7.Data Retention Period

7.1 Retention Managed by Partner or Customer

Unify employs a central entitlement management system for Partner / Customer Tool Users which allows a Partner / Customer Account Administrator to create and delete users and to manage their access rights. If a Tool User is deleted Profile Data are deleted, but Activity Data related to transactions the Too User performed on these tools are retained as legally required to provide proof of the transaction. See also section 7.2.

7.2 Retention Managed by Unify

Customer and Billing Contacts: For legal reasons contractual and compliance information on your subscription of Unify Cloud Services including your Personal Data has to be retained for 10 years after the termination of your subscription becomes effective. Your Personal Data will be deleted in December of the calendar year where the legal retention period ends.

Partner Tool Users: Partner Tool users are given access by Partner Account Administrators who are also supposed to delete users which don’t need access any more (e.g. because they have left the company). In addition, Unify performs every year in January and activity review: Partner Tool Users who have not been active in the fourth calendar quarter of the previous year will receive an email notice from Unify requesting confirmation whether access to Partner Tools is still required. In case you as a Partner Tool User

  • Confirm before end of March that access is not no longer Unify will terminate your access and delete your Profile Data
  • Confirm before end of March that access continues to be required, Unify will leave your access and Profile Data untouched
  • Do not respond before end of March Unify will suspend your account until end of June and terminate your access and delete your Profile Data in July unless you request account re-activation before end of June.

Hence, if you are not using your access your Personal Data will be “forgotten” the latest 19 months after you stopped using the partner tool.

8 Your Rights as a Data Subject and how to exercise them

You are aware that GDPR gives you the rights listed below. You can place requests in regards to your personal data with Unify either via the Data Protection Officer shown in section 2 or via the following functional email address: askGDPR@atos.net

  1. Right of Access to Personal Data – GDPR (article 15)
    • Partner / Customer Tool User: Profile Data and Activity Data can be obtained from your Partner /Customer Account Administrator or upon request from Unify (askGDPR@atos.net).
    • Partner / Customer Contacts: If you are also a Partner / Customer Tool user you can see Activity data on your respective tool account. Otherwise please contact askGDPR@atos.net.
  2. Right to Rectification Personal Data – GDPR (article 16)
    • Partner / Customer Tool User: You can correct Profile Data on your Unify Tool account or have your Partner / Customer Account Administrator do that. I addition, you can request rectification from Unify via askGDPR@atos.net .
    • Partner / Customer Contacts : If find incorrect Profile or Activity Data please contact Unify via askGDPR@atos.net for rectification.
  3. Right for Erasure of Personal Data – GDPR (article 17)
    • Partner / Customer Tool User: See section 7, or contact askGDPR@atos.net.
    • Partner / Customer Contacts: You may chose not to act as Partner / Customer Contacts and Billing Contacts for Unify Business & Commercial Processing (Non-Cloud)on behalf of Your Company any longer and assign a new Partner / Customer Contacts and Billing Contact by contacting your Unify account team or askGDPR@atos.net. Your profile data will then be deleted and replaced by the profile data of the new Partner / Customer Contacts and Billing Contact. Transaction records (Activity Data) will still be shown under your name for transparency reasons until finally deleted at the end of the retention period. Please contact Unify using the contacts described above in case or questions, concerns, or additional requests).
  4. Right to Restrict Processing – GDPR (article 18)
    • Partner / Customer Tool User: You can request restricted processing from askGDPR@atos.net. Your accounts on Unify Partner / Customer Tools will then be temporarily closed, but you can resume at any time.
    • Partner / Customer Contacts: Under GDPR you have, under certain circumstances, the right to restrict processing, e.g. if you consider processing by Unify inaccurate, unlawful, or no longer required, or if there is a pending objection from your side to the processing. You can request such restriction with indication of the reason from Unify (askGDPR@atos.net). Should the restriction prevent Unify from executing commercial processes (e.g. billing or payment collection) or from providing the Unify Business & Commercial Processing (Non-Cloud) in compliance with applicable law, Unify will suspend all pending business and commercial transactions to you and Your Company, but this will not free your business from the obligation to pay for Unify products, solutions, and services that have already purchased. Both parties, Unify and you, will work faithfully together to resolve the restriction so that processing can resume.
  5. Right to Object Processing – GDPR (article 21)
    • Partner / Customer Tool User: You can request object processing from askGDPR@atos.net. Your accounts on Unify Partner / Customer Tools will then be closed, but you can resume at any time.
    • Partner / Customer Contacts and Billing Contacts: You have the right to object processing of personal data from Unify (askGDPR@atos.net) under certain circumstances related to section 3 of this document (Purpose and Legal Basis for Processing). Should the objection prevent Unify from executing commercial processes (e.g. billing or payment collection) or from providing the Unify communication and collaboration solution in compliance with applicable law, Unify will suspend all pending business and commercial transactions to you and your business, but this will not free your business from the obligation to pay for Unify communication and collaboration solutions that have already purchased. Both parties, Unify and you, will work faithfully together to resolve the objection so that processing can resume.
  6. Right to Withdraw Your Consent – GDPR (article 7.3 / 13.2c / 14.2d)
    • We do not collect consent from you in the sense of GDPR (6-7) as a legal basis for processing your personal data.
  7. Right to Data Portability – GDPR (article 20)
    1. Partner / Customer Tool User: Since most Profile Data are accessible to you at any time (see under a), you can take copies of your Personal Data at any time.
    2. Activity and Compliance Check Data can be obtained upon request to the contacts given above.
    3. All data subjects: Given the nature of the data we see no actual use case of porting the data to another Controller as intended by GDPR (20)
  8. Right to lodge a complaint with a Data Protection Authority – GDPR (article 13.2d / 14.2d / 77)
    You have the right to lodge a complaint about the processing described in this document with the data protection authority of your country or of the Federal Republic of Germany.

9 Is it a Statutory or Contractual Requirement to Provide Personal Data ? – GDPR (article 13.2(e))

As a contact person for Unify Supply Chain processes, you must be identifiable to Unify and Your Company. Otherwise no Supply chain transactions such as orders, deliver and billing are possible. Please inquire with Your Company in case of concerns

10 Automated Decision Making

There is no automated individual decision making and profiling about you on Unify Supply Chain Processes.

Information on Processing for Resale and Co-Delivery Processes

(Effective May 15, 2018)

 

Unify provides Unified Communication and Collaboration product s and services directly or via partners to customers and users, which necessitates, where required, the processing of personal data in tools and systems at Unify enabling portfolio ordering, billing and delivery through Service processes. This document addresses all individuals whose personal data are processed (“Data Subjects”) for these purposes, which in general are

“Billing Contacts” who are Individuals serving as contacts for invoicing or payment follow-up, either at the end-customer or at the Unify-accredited Partner chosen by the end-customer .

“Partner Tool Users” which means Individuals who obtain access to tools Unify provides to partners for commercial processing or service delivery, at Unify-accredited Partner chosen by the end-customer.

“Customer Tool User” which means Individuals who obtain access to tools Unify provides to end-customers for service delivery.

“Unify Product User” who are Individuals, who use Unify products and Solutions, either at the end-customer or at the Unify-accredited Partner chosen by the end-customer.

These individuals are jointly addressed by “you” in this document. With “Your Company” we mean the business you represent as a Customer or Sales Partner Contact. Note, this document excludes users of Unify Cloud Services, for whom separate information documents are provided.

1 Controller – GDPR (articles 13.1a / 14.1a)

The Controller is directly accountable to you for the protection of your Personal Data. Among other responsibilities, the Controller, according to the GDPR,

  1. Defines the purpose of processing of your Personal Data
  2. Defines the means of processing of your Personal Data
  3. Responsible for Accuracy, Quality, Legality, Reliability of Personal Data
  4. Provides information to you about your Personal Data and the modalities for the exercise of their rights
  5. Implements measures to secure and protect of your Personal Data
  6. Notifies the competent data protection supervisory authority in case of a data breach.

 

For Unify Co-Delivery and Resale processes, neither Unify nor Your Company can be the sole Controller. Instead we have a Joint Controller situation, as defined by the GDPR (article 26).

The responsibility split is as follows

  1. Unify defines the purpose of processing of your Personal Data
  2. Unify defines the means of processing of your personal data
  3. Your Company is responsible for Accuracy, Quality, Legality, Reliability of Personal Data provided to Unify
  4. Your Company provides information to you about Personal Data
  5. Unify implements measures to secure and protect of your Personal Data
  6. Unify notifies the competent data protection supervisory authority in case of a data breach.

 

The GDPR requires Joint Controllers to sign a contract detailing the split of responsibilities as co- controller. This document is called Data Processing Agreement (DPA). You can find it under https://unify.com/en/data-protection. Your Company needs to have such an agreement in place with Unify or a Unify Local Company in order to execute Co-Delivery and Resale Services

Unify as one of the two Co-Controllers is the following legal entity

Unify Software and Solutions GmbH & Co. KG
Mies-van-der-Rohe-Strasse 6
80801 Munich, Germany,

hereunder “Unify” or “we”.

The second Co-Controller is Your Company. Your Company is contractually obligated by the DPA to give you access to this document and to provide you with all the information that in its area of responsibilities it has to be provided to you to comply with its obligations under the GDPR and which information we are not able to provide to you.

2 Data Protection Officer

Unify has appointed a Data Protection Officer who has reviewed Unify’s Service processing in regards to data protection. You can reach the data protection officer under the following email address:  dp.ucc@atos.net

3 Purpose and Legal Basis for Processing – GDPR (articles 13.1c,d / 14.1c / 14.2b)

You have the right to understand the purpose and legal basis for the processing of your Personal Data in Unify Service processes. There are various for purposes for processing your Personal Data in Unify Service processes

  • Ability to contact you, to notify you, or to ask you about matters related to your business with Unify in the areas of order, delivery and billing of Unify Portfolio.
  • For compliance with export control regulations, sanction party screening or other applicable legislation
  • To enable and facilitate the fulfilment of service contracts between customers and Unify or a Partner accredited by Unify

4 Categories of Personal Data – GDPR (articles 14.1d, 14.2(f))

Your Personal Data processed by Unify Service processes fall under the following categories:

  • Profile Data: Personal data you create about yourself or are assigned to you by Your Company, in particular salutation, name, surname, Job title, Postal Address, email address, username, password, phone/fax numbers, user role*, language and department.
  • Activity Data: Personal data collected by Supply Chain/Entitlement system from your use of our Services processes, in particular Login Date / Log out, Password failure / new PW creation, Transaction Records (e.g. service tickets and log data), and Cookies
  • Personal Device Data: such as User MAC Address and IP address of users of Unify portfolio for example in the case of Services Incidents & Tracing

*Not changeable by data subject

5 Recipients of Personal Data – GDPR (articles 13.1e / 14.1e)

Personal Data entered into Unify Co-Delivery and Resale Processes might be shared with third parties. You have the right to be informed about that. Unify will only share your Personal Data with approved internal or external sub-contractors for the purpose of executing Service processes. Sub-contractors are listed in section 6.

Recipients of your data are:

  1. Unify Services Entities in Level 1, Level 2 and Level 3 Support
  2. Unify sub-contractors involved in sign-up, and Co-Delivery and Resale Services as listed in section 6
  3. The company who has purchased Unify products and services and has given you access to these systems as a Contact Person (“Your Company”)
  4. The Unify or Atos legal entity or their approved sub-contractors, or the accredited partner of Unify who has sold/maintains Unify portfolio to Your Company (“Involved Partner”)
  5. In case of Tier 2 Business, involved Unify Accredited Distributor, displayed upon request
  6. Administrators of accredited Partners for their employees

 

Data are provided either by data subject, Your Company (administration), or Involved Partner.

6 Global Sub-Contractors and Transfers of Personal Data to Third Countries – GDPR (articles 13.1f / 14.1f)

The complete list of Unify Global Sub-Contractors for the Co-delivery and Resale services to our End-Customers and Partners is maintained on , that Unify continuously updates.

Note that Unify belongs to the Atos group. Subcontractors within the Atos group (Unify, Cycos, Atos companies) are subject to Atos Binding Corporate Rules (see https://atos.net/content/dam/global/documents/atos-binding-corporate-rules.pdf.

7 Data Retention Period

For legal reasons, information on contracts, commercial transactions as well as compliance information of Contact Persons including has to be retained for 10 years after the transaction or the end of the contract. Therefore Unify deletes Data at latest at the end of the 10th year after the last year in which the contract ends.

Partner Tool Users:

Partner Tool users are given access by Partner Account Administrators who are also supposed to delete users which don’t need access any more (e.g. because they have left the company). In addition, Unify performs every year in January an activity review: Partner Tool Users who have not been active in the fourth calendar quarter of the previous year will receive an email notice from Unify requesting confirmation whether access to Partner Tools is still required. In case you as a Partner Tool User

  • Confirm before end of March that access is not no longer Unify will terminate your access and delete your Profile Data
  • Confirm before end of March that access continues to be required, Unify will leave your access and Profile Data untouched
  • Do not respond before end of March Unify will suspend your account until end of June and terminate your access and delete your Profile Data in July unless you request account re-activation before end of June.

Hence, if you are not using your access your Personal Data will be “forgotten” the latest 19 months after you stopped using the partner tool.

Customer Tool Users:

Customer Tool users are given access by Customer Account Administrators who are also supposed to delete users which don’t need access any more (e.g. because they have left the company).

8 Your Rights as a Data Subject and how to exercise them

You can exercise your rights, i.e. place your requests with both Controllers, i.e. Your Company and Unify. Since Your Company gives you access to Unify Processes for Co-Delivery and Resale Services, we generally engage with Your Company before executing a request. We therefore recommend that you place your request with the Your Company, who can give you a profound answer on your requests from the perspective of your business. We have reserved the right from Your Company in the Data Processing Agreement that in case of a conflict between you and Your Company, we may, after due consideration of the legal circumstances with Your Company, execute your request against the advice of Your Company, if required.

You can place requests in regards to your Personal Data with Unify either via the DPO shown in section 2 or via the following functional email address:askGDPR@atos.net

Requests with request to data subject rights that Unify will accept is limited to the personal data category of Profile Data as described in section 4.

  1. Right of Access to Personal Data – GDPR (article 15)
    You can access your Profile Data either via the Services tool itself or request a screen print from Unify of your personal data in other Systems where no direct access is possible.
  2. Right to Rectification Personal Data – GDPR (article 16)
    You can rectify your Profile Data either via the Services tool itself or request a change from Unify of your personal data in other Systems, despite areas where we need to keep the data for legal reasons.
  3. Right for Erasure of Personal Data – GDPR (article 17)
    You can erase your Profile Data either via the Services tool itself or request a deletion from Unify of your personal data in other Systems, despite areas where we need to keep the data for legal reasons.
  4. Right to Restrict Processing – GDPR (article 18)
    You have the right to restrict processing of personal data under certain circumstances related to section 3 of this document (Purpose and Legal Basis for Processing). However, since this would result in not being able to execute services processes anymore, we would recommend to consult with Your Company first.
  5. Right to Object Processing – GDPR (article 21)
    You have the right to object processing of personal data under certain circumstances related to section 3 of this document (Purpose and Legal Basis for Processing). However, since this would result in not being able to execute services processes anymore, we would recommend to consult with Your Company first.
  6. Right to Withdraw Your Consent – GDPR (article 7.3 / 13.2c / 14.2d)
    We do not collect consent from you in the sense of GDPR (6-7) as a legal basis for processing your Personal Data.
  7. Right to Data Portability – GDPR (article 20)
    Partner / Customer Tool User: Since most Profile Data are accessible to you at any time (see under a), you can take copies of your Personal Data at any time. Activity and Compliance Check Data can be obtained upon request to the contacts given above. All data subjects: Given the nature of the data we see no actual use case of porting the data to another Controller as intended by GDPR (20).
  8. Right to lodge a complaint with a Data Protection Authority – GDPR (article 13.2d / 14.2d / 77)
    You have the right to lodge a complaint about the processing described in this document with the data protection authority of your country or of the Federal Republic of Germany.

9 Is it a Statutory or Contractual Requirement to Provide Personal Data ? – GDPR (article 13.2(e))

Yes. As a contact person for Unify Services processes, you must be identifiable to Unify and Your Company. Otherwise no Service transactions such as opening a ticket, sending Unify a trace, using the Remote Service Platform are possible. Please inquire with Your Company in case of concerns

10 Automated Decision Making

There is no automated individual decision making and profiling about you on Uni