1. What is GDPR?
The GDPR is a new European law that comes into effect on May 25, 2018 (repealing the current data protection Directive 95/46/EC). It applies to the processing of personal data in the European Union (EU) as well as the processing of personal data belonging to European citizens outside of the EU when performed as part of a good or service offered in the EU, or where EU citizens’ activities within the EU are monitored.
GDPR regulates two types of entities that process personal data: (1) controllers, who collect personal data and determine the purpose for which the data will be processed, and (2) processors, who perform specific processing activities on behalf of a controller.
2. Is Mitel a data processor or controller?
Mitel is both processor and controller. A controller collects personal data and determines the purpose for which such data will be processed. A processor performs specific processing activities on behalf of a controller. Mitel is a controller in its human resources, sales, and marketing functions. Alternately, Mitel is a processor in its handling of personal data on behalf of a third party, such as during the provision of cloud services, managed services, and L3 support.
3. What has Mitel done to become compliant as both data controller and data processor?
4. What about Mitel products?
Cloud: Where Mitel processes personal data on behalf of its cloud customers (e.g., during the provision of cloud services), we will comply with the obligations that GDPR places on data processors, including the following:
On-Site: When Mitel provides on-site products that do not send personal data back to Mitel, Mitel is not regulated by GDPR, as it is the customer (and not Mitel) who processes the personal data. In this case, the GDPR compliance obligations fall on Mitel customers who may use the technical and organizational measures of Mitel’s product within their own compliance initiatives.
5. How does GDPR affect Mitel customers?
Under GDPR, where a controller entrusts personal data to a processor for handling data on its behalf, GDPR requires that the controller ensure the data will be handled in a GDPR-compliant manner. Where Mitel processes personal data on behalf of its enterprise customers (e.g., during the provision of cloud services, managed services, and support services), we will comply with the obligations that GDPR places on data processors, including the following:
Mitel is pleased to provide all customers upon written request to [email protected] with a DPA outlining our commitments to customers. Mitel’s DPA meets the requirements of GDPR Article 28.
6. Do partners or distributors who resell licenses to Mitel on-site products need a DPA, and is one available?
If you resell licenses to Mitel on-site products, unless Mitel assists in your provision of managed services or maintenance services, you do not need a DPA from Mitel, as Mitel does not have access to personal data held within the Mitel on-site product. Where Mitel assists you in your provision of managed services or maintenance services, Mitel may process personal data held in the on-site product and you can download Mitel’s pre-signed DPA covering such data processing.
7. Does Mitel process the personal data of partners and distributors who resell Mitel on-site product licenses?
Where partners or distributors have provided Mitel with personal data belonging to the contacts in their organization (e.g., sales professionals), Mitel acts as a data controller and will treat such personal data in accordance with our Privacy Policy.
8. What categories of personal data are processed by Mitel?
The categories of personal data Mitel processes when providing cloud services, managed services, and L3 support are outlined in Annex 1 of Mitel’s DPA, which is available upon written request to [email protected]. Mitel acts as a controller for both internal employee information (i.e., Human Resources functions) and in its marketing and sales activities. Details of the marketing and sales categories can be found in Section 6 of the Privacy Policy on Mitel.com.
9. Who authorizes access to personal information within Mitel?
Access to personal information is defined by the role of the individual and follows Mitel internal security requirements for access control.
10. Does Mitel have defined and documented policies and procedures for governing personal data, including a statement of commitment to data protection and/or privacy?
Yes. Mitel maintains an up-to-date Privacy Policy available on Mitel.com. We also maintain internal privacy-related notices, processes, and procedures.
11. How does Mitel communicate any changes to its method for processing a partner’s or customer’s personal data?
In Mitel’s function as controller, we commit to updating our Privacy Policy to inform our customers of any changes to the way we handle their personal data. The Mitel Privacy Policy is publicly available on our website.
As a data processor, we make a DPA available upon written request to [email protected] that outlines how we process data in systems within our control.
12. How does Mitel handle subcontractor agreements/contracts, with regards to the GDPR?
Mitel subcontractor contracts must comply with Article 28 of the GDPR and, as such, place appropriate obligations on subcontractors as outlined in the Mitel DPA.
13. Who do I contact if I have questions not addressed here?
Some of the most common customer questions are listed in this FAQ as well as within the updated Mitel Privacy Policy on Mitel.com. For any GDPR-related questions not listed here, you can send your queries to [email protected].
THIS FAQ IS PROVIDED “AS IS” AND WITHOUT WARRANTY. IN NO EVENT WILL MITEL NETWORKS CORPORATION OR ITS AFFILIATES HAVE ANY LIABILITY WHATSOEVER ARISING FROM OR IN CONNECTION WITH THIS DOCUMENT. THE INFORMATION CONTAINED IN THIS DOCUMENT IS NOT, AND SHOULD NOT BE CONSTRUED AS, LEGAL ADVICE. SHOULD FURTHER ANALYSIS OR EXPLANATION OF THE SUBJECT MATTER BE REQUIRED, PLEASE CONTACT AN ATTORNEY.