Data Privacy Policy
1. Overview
Data privacy is a critical component of Avtex Solutions, LLC (“Avtex”) operations. Ensuring data protection is the foundation of trustworthy business relationships and of maintaining Avtex’s reputation as an exceptional business partner and employer. Avtex is committed to compliance with national and international data protection laws, and this Data Protection Policy is based on globally accepted principles of data protection. Responsibility for the review and revision of this policy is assigned to the Data Protection Officer.
In line with its commitment to ensuring data privacy, Avtex has adopted the principle of Privacy by Design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data will be subject to due consideration of privacy issues, including the completion of one or more data privacy impact assessments.
2. Purpose
This policy establishes general privacy requirements for information processed or generated by Avtex operations, systems, network devices, or communications. This includes systems and devices involved in the transmission and storage of voice data. The policy further delimits conditions where Personal Data may be disclosed.
3. Scope
This policy applies to all Avtex employees, contractors, vendors and subsidiaries that create, deploy, support or use Personal Data gathered or processed by Avtex.
This policy applies to any form of sensitive data, including paper documents and electronic data stored on any type of media, and any data transmitted over any type of network or telecommunications system. It applies to all of the organization’s employees, as well as to third-party agents authorized to access the data.
4. Policy
4.1 Principles for Processing Personal Data
4.1.1 Fairness and lawfulness
When processing personal data, the individual rights of the data subjects must be protected. Personal data must be collected and processed in a legal and fair manner.
4.1.2 Restriction to a specific purpose
Personal data can be processed only for the purpose that was defined before the data was collected. Subsequent changes to the purpose are only possible to a limited extent and require substantiation.
4.1.3 Transparency
The data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be aware of, or informed of:
- The identity of the Data Controller
- The purpose of data processing
- Third parties or categories of third parties to whom the data might be transmitted
4.1.4 Data reduction and data economy
Before processing personal data, you must determine whether and to what extent the processing of personal data is necessary in order to achieve the purpose for which it is undertaken.
Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymized or statistical data must be used. Personal data may not be collected in advance and stored for potential future purposes unless required or permitted by national law.
4.1.5 Deletion
Personal data that is no longer needed after the expiration of legal or business process-related retention periods must be deleted. In individual cases there may be an indication that the data is subject to interests meriting protection or has historical significance. If so, the data must remain on file until the interests meriting protection have been clarified legally, or until the corporate archive has evaluated the data to determine whether it must be retained for historical purposes.
4.1.6 Factual accuracy; up-to-date data
Personal data on file must be correct, complete, and if necessary, kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented or updated.
4.1.7 Confidentiality and data security
Personal data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction.
4.2 Customer and Partner Data
Prior to any engagement or project that includes the processing of Customer or Partner personal data, a Privacy Impact Assessment (PIA) must be completed using the Avtex Privacy Impact Assessment Framework, which includes data privacy screening questions and a PIA template. Article 35 of the EU General Data Protection Regulation requires a data protection impact assessment where processing is likely to result in a high risk to individuals; Avtex applies the PIA to all such engagements. The PIA will include:
- Consideration of how personal data will be processed and for what purposes
- Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s)
- Assessment of the risks to individuals in processing the personal data
- What controls are necessary to address the identified risks and demonstrate compliance with legislation
- Use of techniques such as data minimization and pseudonymization will be considered where applicable and appropriate.
Collecting, processing and using customer or partner personal data is permitted only under one of the following legal bases. One of these legal bases is also required if the purpose of collecting, processing and using the personal data is to be changed from the original purpose.
4.2.1 Data processing for a contractual relationship
Personal data of prospects, customers and partners can be processed in order to establish, execute and terminate a contract. This also includes advisory services for the partner under the contract if this is related to the contractual purpose. Prior to a contract – during the contract initiation phase – personal data can be processed to prepare bids or purchase orders or to fulfill other requests of the prospect that relate to contract conclusion. Prospects can be contacted during the contract preparation process using the information that they have provided. Any restrictions requested by the prospects must be complied with. For advertising measures beyond that, you must observe the following requirements under 4.2.2.
4.2.2 Data processing for advertising purposes
If the data subject contacts Avtex to request information (e.g. request to receive information material about a product), data processing to meet this request is permitted.
Customer advertising is subject to further legal requirements. Personal data can be processed for advertising purposes or market and opinion research, if this is consistent with the purpose for which the data was originally collected. The data subject must be informed about the use of his/her data for advertising purposes. If data is collected only for advertising purposes, the disclosure from the data subject is voluntary. The data subject shall be informed that providing data for this purpose is voluntary. When communicating with the data subject, consent shall be obtained from him/her to process the data for advertising purposes. When giving consent, the data subject should be given a choice among available forms of contact such as regular mail, e-mail and phone (Consent, see 4.2.3).
If the data subject refuses the use of his/her data for advertising purposes, it can no longer be used for these purposes and must be blocked from use for these purposes. Any other restrictions from specific countries regarding the use of data for advertising purposes must be observed.
4.2.3 Consent to data processing
Data can be processed following consent by the data subject. Before giving consent, the data subject must be informed in accordance with 4.1.3. of this Data Protection Policy. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In some circumstances, such as telephone conversations, consent can be given verbally. The granting of consent must be documented.
4.2.4 Data processing pursuant to legal authorization
The processing of personal data is also permitted if national legislation requests, requires or allows this. The type and extent of data processing must be necessary for the legally authorized data processing activity and must comply with the relevant statutory provisions.
4.2.5 Data processing pursuant to legitimate interest
Personal data can also be processed if it is necessary for a legitimate interest of Avtex. Legitimate interests are generally of a legal (e.g. collection of outstanding receivables) or commercial nature (e.g. avoiding breaches of contract). Personal data may not be processed for the purposes of a legitimate interest if, in individual cases, there is evidence that the interests of the data subject merit protection and take precedence. Before data is processed, it is necessary to determine whether there are interests that merit protection.
4.2.6 Processing of highly sensitive data
Highly sensitive personal data can be processed only if the law requires this or the data subject has given express consent. This data can also be processed if it is mandatory for asserting, exercising or defending legal claims regarding the data subject. If there are plans to process highly sensitive data, the Data Protection Officer must be informed in advance.
4.2.7 Automated individual decisions
Automated processing of personal data that is used to evaluate certain aspects (e.g. creditworthiness) cannot be the sole basis for decisions that have negative legal consequences or could significantly impair the data subject. The data subject must be informed of the facts and results of automated individual decisions and of the possibility to respond. To avoid erroneous decisions, a test and plausibility check must be made by an employee.
4.2.8 User data and internet
If personal data is collected, processed and used on websites or in apps, the data subjects must be informed of this in a privacy statement and, if applicable, information about cookies. The privacy statement and any cookie information must be integrated so that it is easy to identify, directly accessible and consistently available for the data subjects.
If usage profiles (tracking) are created to evaluate the use of websites and apps, the data subjects must always be informed accordingly in the privacy statement. Personal tracking may only be carried out if it is permitted under national law or upon consent of the data subject. If tracking uses a pseudonym, the data subject should be given the chance to opt out in the privacy statement.
If websites or apps can access personal data in an area restricted to registered users, the identification and authentication of the data subject must offer sufficient protection during access.
4.3 Employee Data
Prior to any engagement or project that includes the processing of Employee personal data, a Privacy Impact Assessment (PIA) must be completed using the Avtex Privacy Impact Assessment Framework, which includes data privacy screening questions and a PIA template. The PIA will include:
- Consideration of how personal data will be processed and for what purposes
- Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s)
- Assessment of the risks to individuals in processing the personal data
- What controls are necessary to address the identified risks and demonstrate compliance with legislation
- Use of techniques such as data minimization and pseudonymization will be considered where applicable and appropriate.
Collecting, processing and using Employee personal data is permitted only under one of the following legal bases. One of these legal bases is also required if the purpose of collecting, processing and using the personal data is to be changed from the original purpose.
4.3.1 Data processing for the employment relationship
In employment relationships, personal data can be processed if needed to initiate, carry out and terminate the employment agreement. When initiating an employment relationship, the applicants’ personal data can be processed. If the candidate is rejected, his/her data must be deleted in observance of the required retention period, unless the applicant has agreed to remain on file for a future selection process. Consent is also needed to use the data for further application processes.
In the existing employment relationship, data processing must always relate to the purpose of the employment agreement if none of the following circumstances for authorized data processing apply.
If it should be necessary during the application procedure to collect information on an applicant from a third party, the requirements of the corresponding national laws must be observed. In cases of doubt, consent must be obtained from the data subject.
There must be legal authorization to process personal data that is related to the employment relationship but was not originally part of performance of the employment agreement. This can include legal requirements, collective regulations with employee representatives, consent of the employee, or the legitimate interest of the company.
4.3.2 Data processing pursuant to legal authorization
The processing of personal employee data is also permitted if national legislation requests, requires or authorizes this. The type and extent of data processing must be necessary for the legally authorized data processing activity and must comply with the relevant statutory provisions. If there is some legal flexibility, the interests of the employee that merit protection must be taken into consideration.
4.3.3 Collective agreements on data processing
If a data processing activity exceeds the purposes of fulfilling a contract, it may be permissible if authorized through a collective agreement. Collective agreements are pay scale agreements or agreements between employers and employee representatives, within the scope allowed under the relevant employment law. The agreements must cover the specific purpose of the intended data processing activity and must be drawn up within the parameters of national data protection legislation.
4.3.4 Consent to data processing
Employee data can be processed upon consent of the person concerned. Declarations of consent must be submitted voluntarily. Involuntary consent is void. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In certain circumstances, consent may be given verbally, in which case it must be properly documented. In the event of informed, voluntary provision of data by the relevant party, consent can be assumed if national laws do not require express consent.
4.3.5 Data processing pursuant to legitimate interest
Personal data can also be processed if it is necessary to enforce a legitimate interest of Avtex. Legitimate interests are generally of a legal (e.g. filing, enforcing or defending against legal claims) or financial (e.g. valuation of companies) nature.
Personal data may not be processed based on a legitimate interest if, in individual cases, there is evidence that the interests of the employee merit protection. Before data is processed, it must be determined whether there are interests that merit protection.
Control measures that require processing of employee data can be taken only if there is a legal obligation to do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measure must also be examined. The legitimate interest of the company and any interests of the employee meriting protection must be identified and documented before any measures are taken.
4.3.6 Processing of highly sensitive data
Highly sensitive personal data can be processed only under certain conditions. Highly sensitive data is data about racial and ethnic origin, political beliefs, religious or philosophical beliefs, union membership, and the health and sexual life of the data subject. Under national law, further data categories can be considered highly sensitive or the content of the data categories can be filled out differently. Moreover, data that relates to a crime can often be processed only under special requirements under national law.
The processing must be expressly permitted or prescribed under national law. Additionally, processing can be permitted if it is necessary for the responsible authority to fulfill its rights and duties in the area of employment law. The employee can also expressly consent to processing.
If there are plans to process highly sensitive data, the Data Protection Officer, privacy@avtex.com, must be informed in advance.
4.3.7 Automated decisions
If personal data is processed automatically as part of the employment relationship, and specific personal details are evaluated (e.g. as part of personnel selection or the evaluation of skills profiles), this automatic processing cannot be the sole basis for decisions that would have negative consequences or significant problems for the affected employee. To avoid erroneous decisions, the automated process must ensure that a natural person evaluates the content of the situation, and that this evaluation is the basis for the decision. The data subject must also be informed of the facts and results of automated individual decisions and the possibility to respond.
4.3.8 Telecommunications and internet
Telephone equipment, e-mail addresses, intranet and internet along with internal social networks are provided by Avtex primarily for work-related assignments. They are a tool and a company resource. They can be used within the applicable legal regulations and internal company policies. In the event of authorized use for private purposes, the laws on secrecy of telecommunications and the relevant national telecommunication laws must be observed if applicable.
There will be no general monitoring of individual telephone and e-mail communications or intranet/internet use. To defend against attacks on the IT infrastructure or individual users, protective measures can be implemented that block technically harmful content or that analyze attack patterns. For security reasons, the use of telephone equipment, e-mail addresses, the intranet/internet and internal social networks can be logged. Evaluations of this data for a specific person can be made only in a concrete, justified case of suspected violations of laws or company policies. Such evaluations can be conducted only by investigating departments (e.g. Human Resources, Legal, Information Security), while ensuring that the principle of proportionality is met. The relevant national laws must be observed.
4.4 Transmission of Personal Data
Transmission of personal data to recipients outside or inside the company is subject to the authorization requirements for processing personal data under Sections 4.2 and 4.3. The data recipient must use the data only for the defined purposes.
If personal data is transmitted to a recipient outside of Avtex, the recipient must agree to maintain a data protection level equivalent to this Data Protection Policy. This does not apply if transmission is based on a legal obligation.
If data is transmitted by a third party to Avtex, both parties must ensure that the data can be used for the intended purpose.
If personal data is transferred from a company with its registered office in the European Union/European Economic Area, Avtex is obligated to cooperate with any inquiries made by the relevant supervisory authority in the country in which the party exporting the data has its registered office, and to comply with any observations made by the supervisory authority with regard to the processing of the transmitted data.
4.5 Data Processing Contracts
Data processing on behalf (commissioned processing) means that a third party is hired to process personal data without being assigned responsibility for the related business process. In these cases, a Data Processing Agreement must be concluded between the external provider and Avtex. Avtex retains full responsibility for correct performance of the data processing. The third party can process personal data only as instructed by Avtex. When issuing an order to a third-party processor, the following requirements must be met:
- The third party must be chosen based on its ability to meet the required technical and organizational protective measures.
- The order must be placed in writing. The instructions on data processing and the responsibilities of Avtex and the third party must be documented.
- The contractual standards for data protection provided by the Data Protection Officer must be considered.
- Before data processing begins, Avtex must be confident that the provider will comply with the duties. A provider can document its compliance with data security requirements by presenting suitable certification. Depending on the risk of data processing, reviews of third parties must be repeated on a regular basis during the term of the contract.
- In the event of cross-border contract data processing, the relevant national requirements for disclosing personal data abroad must be met. Personal data from the European Economic Area can be processed in a third country only if the provider can prove that it has a data protection standard equivalent to this Data Protection Policy. Suitable tools can be:
  - Agreement on EU standard contractual clauses for contract data processing in third countries with the provider and any subcontractors.
  - Participation of the provider in a certification system accredited by the EU for the provision of a sufficient data protection level.
  - Acknowledgment by the responsible data protection supervisory authorities of binding corporate rules of the provider that create a suitable level of data protection.
4.6 Rights of the Data Subject
Every data subject has the following rights:
- The data subject may request information on which personal data relating to him/her has been stored, how the data was collected, and for what purpose. If there are further rights to view the employer’s documents (e.g. personnel file) for the employment relationship under the relevant employment laws, these will remain unaffected.
- If personal data is transmitted to third parties, information must be given about the identity of the recipient or the categories of recipients.
- If personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
- The data subject can object to the processing of his or her data for purposes of advertising or market/opinion research. The data must be blocked from these types of use.
- The data subject may request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
- The data subject generally has a right to object to his/her data being processed, and this must be taken into account if the protection of his/her interests takes precedence over the interests of Avtex. This does not apply if a legal provision requires the data to be processed.
4.7 Confidentiality of Processing
Personal data is subject to data secrecy. Any unauthorized collection, processing, or use of such data by employees is prohibited. Any data processing undertaken by an employee that he/she has not been authorized to carry out as part of his/her legitimate duties is unauthorized. The “need to know” principle applies. Employees may have access to personal information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities.
Employees are forbidden to use personal data for private or commercial purposes, to disclose it to unauthorized persons, or to make it available in any other way. Avtex must inform their employees at the start of the employment relationship about the obligation to protect data secrecy. This obligation shall remain in force even after employment has ended.
4.8 Processing Security
Personal data must be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether data is processed electronically or in paper form. Before the introduction of new methods of data processing, particularly new IT systems, technical and organizational measures to protect personal data must be defined and implemented. These measures must be based on the accepted international standards, the risks of processing, and the need to protect the data (determined by the process for information classification).
The responsible department can consult with the Information Security Officer (ISO) and the Data Protection Officer. The technical and organizational measures for protecting personal data are part of Avtex information security management and must be adjusted continuously for technical developments and organizational changes.
4.9 Data Protection Control
Compliance with the Data Protection Policy and the applicable data protection laws is checked regularly with data protection audits and other controls. The performance of these controls is the responsibility of the Data Protection Officer, the data protection coordinators, and other company units with audit rights or via external auditors. The results of the data protection controls must be reported to the Data Protection Officer and the Information Security Officer. The Avtex Senior Leadership Team (SLT) must be informed of the primary results as part of the related reporting duties. On request, the results of data protection controls will be made available to the responsible data protection authority.
4.10 Data Breach Incidents
All employees must inform their supervisor, Data Protection Officer and the Information Security Officer immediately of violations of this Data Protection Policy or other policies for the protection of personal data. The manager or supervisor of the appropriate department, team, or employee in which the data breach occurred is required to inform the Data Protection Officer and the Information Security Officer immediately at privacy@avtex.com and the Avtex internal HelpDesk about data protection breach incidents including:
- Improper transmission of personal data to third parties,
- Improper access by third parties to personal data, or
- Loss of personal data
These notifications must be made immediately, and the Avtex Security Incident Management process invoked, so that any data subjects, controllers and supervisory authorities can be notified as required by state, national and international law or regulation.
4.11 Data Protection Officer (DPO)
The Data Protection Officer works towards compliance with national and international data protection regulations. The DPO is responsible for the Data Protection Policy and supervises compliance with the policy. The DPO is appointed by the Avtex Senior Leadership Team.
Avtex employees shall promptly inform the DPO of any data protection risks by telephone or by emailing privacy@avtex.com.
Any data subject may approach the DPO at any time to raise concerns, ask questions, request information or make complaints relating to data protection or data security issues. If requested, concerns and complaints will be handled confidentially and/or referred to Human Resources where appropriate.
Decisions made by the DPO to remedy data protection breaches must be upheld by the management of the company. Inquiries by supervisory authorities must always be reported to the Data Protection Officer, Information Security Officer and the Senior Leadership Team.
Contact details for the Data Protection Officer are as follows:
Brian Vinson
3500 American Blvd W. Suite 300
Bloomington, MN 55431 USA
Telephone: +1 800-323-3639
E-mail: bvinson@avtex.com
or privacy@avtex.com
5. Policy Compliance
5.1 Compliance Measurement
The Data Protection Officer will verify compliance with this policy through various methods, including but not limited to business tool reports, audits, and feedback to the policy owner.
5.2 Exceptions
Any exceptions to the policy must be approved, in writing, by the Senior Leadership Team in advance.
5.3 Non-Compliance
An employee found to have intentionally violated this policy or found to be non-compliant in a negligent manner, may be subject to disciplinary action, up to and including termination of employment.
6. Related Standards, Policies and Procedures
Avtex Data Classification Policy
7. Definitions and Terms
None.