FAQ
1. What is GDPR?
The GDPR is a new European law that comes into effect on May 25, 2018 (repealing the current data protection Directive 95/46/EC). It applies to the processing of personal data in the European Union (EU), as well as to the processing of personal data belonging to European citizens outside of the EU when performed as part of a good or service offered in the EU, or where EU citizens’ activities within the EU are monitored.
GDPR regulates two types of entities that process personal data: (1) controllers, who collect personal data and determine the purpose for which the data will be processed, and (2) processors, who perform specific processing activities on behalf of a controller.
2. Is Mitel a data processor or controller?
Mitel is both processor and controller. A controller collects personal data and determines the purpose for which such data will be processed. A processor performs specific processing activities on behalf of a controller. Mitel is a controller in its human resources, sales, and marketing functions. Alternately, Mitel is a processor in its handling of personal data on behalf of a third party, such as during the provision of cloud services, managed services, and L3 support.
3. What has Mitel done to become compliant as both data controller and data processor?
- Mitel has created a detailed inventory of what personal data each functional area within the company (HR, Sales, Marketing, Finance, etc.) collects, what they do with the data (how they work with, transfer, and process data, etc.), and how the data is protected.
- Mitel has identified and made a list of suppliers/service providers who process personal data on Mitel’s behalf. Mitel is in the process of having these suppliers sign an addendum confirming that they will process any such personal data in compliance with GDPR.
- Mitel has updated its external Privacy Policy to be GDPR-compliant. Mitel is also updating its internal human resources and other internal policies to ensure GDPR compliance.
- Mitel is ensuring that the consents it obtains for its marketing efforts are GDPR-compliant.
- Mitel makes a Data Processing Addendum (DPA) available, upon written request to [email protected], to enterprise customers whose personal data Mitel processes.
- Mitel has created intercompany agreements between Mitel entities which permit them to share personal information required to run Mitel’s business, including internal functions, in a GDPR-compliant manner.
- Mitel is rolling out GDPR training.
- Mitel has reviewed the internal security measures/processes it has in place around personal data to ensure all personal data stored by Mitel is kept safe and is only accessed by the appropriate people.
4. What about Mitel products?
Cloud: Where Mitel processes personal data on behalf of its cloud customers (e.g., during the provision of cloud services), we will comply with the obligations that GDPR places on data processors, including the following:
- Take appropriate technical and organizational measures to secure customer personal data
- Report personal data breaches to the customer
- Assist the customer in responding to data subject requests received by its customers
On-Site: When Mitel provides on-site products that do not send personal data back to Mitel, Mitel is not regulated by GDPR, as it is the customer (and not Mitel) who processes the personal data. In this case, the GDPR compliance obligations fall on Mitel customers who may use the technical and organizational measures of Mitel’s product within their own compliance initiatives.
5. How does GDPR affect Mitel customers?
Under GDPR, where a controller entrusts personal data to a processor for handling data on its behalf, GDPR requires that the controller ensure the data will be handled in a GDPR-compliant manner. Where Mitel processes personal data on behalf of its enterprise customers (e.g., during the provision of cloud services, managed services, and support services), we will comply with the obligations that GDPR places on data processors, including the following:
- Take appropriate technical and organizational measures to secure customer personal data
- Report personal data breaches to the customer
- Assist the customer in responding to data subject requests received by its customers
Mitel is pleased to provide all customers upon written request to [email protected] with a DPA outlining our commitments to customers. Mitel’s DPA meets the requirements of GDPR Article 28.
6. Do partners or distributors who resell licenses to Mitel on-site products need a DPA, and is one available?
If you resell licenses to Mitel on-site products, unless Mitel assists in your provision of managed services or maintenance services, you do not need a DPA from Mitel, as Mitel does not have access to personal data held within the Mitel on-site product. Where Mitel assists you in your provision of managed services or maintenance services, Mitel may process personal data held in the on-site product and you can download Mitel’s pre-signed DPA covering such data processing.
7. Does Mitel process the personal data of partners and distributors who resell Mitel on-site product licenses?
Where partners or distributors have provided Mitel with personal data belonging to the contacts in their organization (e.g., sales professionals), Mitel acts as a data controller and will treat such personal data in accordance with our Privacy Policy.
8. What categories of personal data are processed by Mitel?
The categories of personal data Mitel processes when providing cloud services, managed services, and L3 support are outlined in Annex 1 of Mitel’s DPA, which is available upon written request to [email protected]. Mitel acts as a controller for both internal employee information (i.e., Human Resources functions) and in its marketing and sales activities. Details of the marketing and sales categories can be found in Section 6 of the Privacy Policy on Mitel.com.
9. Who authorizes access to personal information within Mitel?
Access to personal information is defined by the role of the individual and follows Mitel internal security requirements for access control.
10. Does Mitel have defined and documented policies and procedures for governing personal data, including a statement of commitment to data protection and/or privacy?
Yes. Mitel maintains an up-to-date Privacy Policy available on Mitel.com. We also maintain internal privacy-related notices, processes, and procedures.
11. How does Mitel communicate any changes to its method for processing a partner’s or customer’s personal data?
In Mitel’s function as controller, we commit to updating our Privacy Policy to inform our customers of any changes to the way we handle their personal data. The Mitel Privacy Policy is publicly available on our website.
As a data processor, we make a DPA available upon written request to [email protected] that outlines how we process data in systems within our control.
12. How does Mitel handle subcontractor agreements/contracts with regard to the GDPR?
Mitel subcontractor contracts must comply with Article 28 of the GDPR and, as such, place appropriate obligations on subcontractors as outlined in the Mitel DPA.
13. Who do I contact if I have questions not addressed here?
Some of the most common customer questions are listed in this FAQ as well as within the updated Mitel Privacy Policy on Mitel.com. You can send all queries to [email protected] for any GDPR-related questions not listed here.
THIS FAQ IS PROVIDED “AS IS” AND WITHOUT WARRANTY. IN NO EVENT WILL MITEL NETWORKS CORPORATION OR ITS AFFILIATES HAVE ANY LIABILITY WHATSOEVER ARISING FROM OR IN CONNECTION WITH THIS DOCUMENT. THE INFORMATION CONTAINED IN THIS DOCUMENT IS NOT, AND SHOULD NOT BE CONSTRUED AS, LEGAL ADVICE. SHOULD FURTHER ANALYSIS OR EXPLANATION OF THE SUBJECT MATTER BE REQUIRED, PLEASE CONTACT AN ATTORNEY.