Message-ID: <649905511.10603.1711727039569.JavaMail.confluence1@kb0.noctel.com> Subject: Exported From Confluence MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_Part_10602_511107357.1711727039512" ------=_Part_10602_511107357.1711727039512 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Content-Location: file:///C:/exported.html GDPR Reference

GDPR Reference

This article helps define in simpler language the most common GD= PR terms and general provisions of the law to provide clearer understanding= of the relationships between end users, customer organizations, and NocTel= . Please carefully note there is no standard interpretation of terms and provisions of GDPR law, so the information captured her= e may change frequently after May 25th, 2018. When ch= anges occur, generally expect to see changes elsewhere such as NocTel's Ter= ms of Service and Privacy Policy.

This article does not constitute legal advice nor seeks to encourage or = discourage customers and end users from seeking appropriate legal counsel. = The information provided here is intended to build a basic understanding of= GDPR law and is not comprehensive nor conclusive.



GDPR Law Summary

GDPR - or the General Data Protection Regulation -= is an EU law that will become enforceable worldwide as of May= 25th, 2018. Its basic intent is to provide personal data protecti= ons and fundamental rights for end users who provide personal data to servi= ces, applications, and companies whether they are aware of the data collect= ion and processing or not.

Key Terms

Data Subject

A data subject is an identifiable or identified natural person<= /em>. A natural person here means an actual existing or having existed huma= n being. It does not adopt the definition of "person" in the business law s= ense, so corporations are not qualified as data subjects under GDPR.

Personal Data

"Personal data" under GDPR is defined as:

"any informatio= n relating to an identified or identifiable natural person (=E2=80=98data subject=E2=80=99); an id= entifiable natural person is one who can be identified, directly or indirec= tly, in particular by reference to an identifier such as a name, an identif= ication number, location data, an online identifier or to one or more facto= rs specific to the physical, physiological, genetic, mental, economic, cult= ural or social identity of that natural person;"

In other words, it's almost anything relating to a natural pers= on (see above) that can be used to identify them uniquely.

Personal data also defines a more restricted sub-classification known as=  sensitive personal data. Sensitive personal data is generall= y limited to one's biometric and genetic information as well as very person= al details such as sexual orientation, political sentiment, and religious a= ssociation.

Data Controller

Data controllers are defined as "<= em>the natural or legal person, public authority, agency or any other body = which alone or jointly with others determines the purposes and means of the= processing of personal data."

In other words, they are usually e= ntities that are requesting personal data but may not be performing any of = the collection, storage, or processing of the data. Data controllers will t= ypically have some access to personal data that is collected, stored, and p= rocessed.

Data Processor

Following off the definition of a data controller, a data processor is d= efined as "natural or legal perso= n, public authority, agency or any other body which processes personal data= on behalf of the controller."

In many cases, a data processor is a third party service provider of som= e variety to another company, service, or application. If your company uses=

Data Protection Officer= (DPO)

The ICO recognizes that some companies may be prone to misreport complia= nce activities if left to self-implement. To counteract this potential, the= ICO introduces the station of Data Protection Officer who is generally res= ponsible for the following:

Not every organization that acts as a data controller and/or data proces= sor needs to instate a DPO, but generally these are the guidelines for when= a DPO is necessary:

Unfortunately, where the line is drawn on what volume of processing of p= ersonal data constitutes "large scale" is highly subjective, but should be = erred on the side of caution.

Data Rights

GDPR defines the following broad data rights of data subjects:

Bear in mind that while complaints and requests made invoking personal d= ata rights under GDPR are generally accommodated, there do exist certain ci= rcumstances in which a data controller or processor can legitimately deny t= he complaint or request.

Quick Bits and Questions

Who is covered u= nder GDPR law?

EU residents. Some contention in interpretation exists as to whether thi= s means individuals physically residing in the EU or the individual in ques= tion is just an EU resident. This means the latter interpretation would req= uire GDPR compliance by foreign companies who do any sort of business with = EU residents, typically during travel or vacation. It's the safer bet to us= e the latter interpretation.

When the law talks of "EU residents" it means individuals and by "indivi= dual" that is restricted to natural persons. In other words, = a real, live human being and not a "person" in the business law definition.= This means corporations are not considered protected under GDPR.

What is "personal data" under GDPR? Is it different fro= m PII?

Personal data in GDPR compared to PII (Personally Identifiable = Information) is much more broad and includes types of data such as geo-coor= dinates provided by GPS and IP address. Personally Identifiable Information= is generally a US-specific term and should not be thought of as equivalent= to personal data in the context of GDPR.

Do all requests invoking personal data rights need to be accommo= dated?

Yes and no. It depends.

The ICO sets forth some guidelines of reasons why a company may decline = to accommodate a request involving personal data rights. The most common re= ason is legitimate use, which can take precedence in = retaining and otherwise processing personal data over some requests. Legiti= mate use also covers obligations to other compliances and protocols the com= pany must observe. A less often feasible reason the ICO recognizes is if ac= commodation of the request shows a demonstrated exorbitant time, effort, an= d financial cost to service.

For example, if an employee is fired from a company after making repeate= d verbal threats to coworkers, the company may reasonably decline the forme= r employee's request to the right to be forgotten. The company may partiall= y accommodate this request by agreeing to not share the conditions of the e= mployee's departure with others, but the company itself for its own records= maintains the right to keep that data as it may include relevant informati= on such as if the employee is eligible for rehire and what position they he= ld prior to departure.

With few reasonable exceptions, companies are otherwise expected to acco= mmodate personal data right requests from data subjects. Additionally, depe= ndent on the type of request the company in question must accommodate the r= equest with all reasonable haste.

Couldn't companies and services just block anyone from the EU= from access?

Technically yes, but it's generally agreed this is not an effective solu= tion to sidestep the need for GDPR compliance. The reason blocking access f= rom the EU would be ineffective is it does not account for the use of VPNs = and/or proxy servers to reach otherwise blocked sites and services. Additio= nally, with the vague interpretation in the law itself of what constitutes = an EU resident, the case of EU residents traveling abroad and utilizing ser= vices in person such as banks, transportation services, lodging, etc. circu= mvents the "protection" of blocking outside access as the EU residents are = physically located outside the EU.

Currently, there is no provision in the GDPR law which recognizes simply= denying or blocking services to EU residents as a legitimate means of resp= ecting and protecting personal data. Given this, it also does not recognize= the case where an EU resident falsifies point of access and other personal= data to access and utilize services that otherwise explicitly want to avoi= d EU residents.

 


GDPR Related No= cTel Specific Questions

Is NocTel seeking GDPR compliance?

It's something that's very much on the radar, but various internal chall= enges exist that have caused efforts toward legitimate GDPR compliance to b= e slower than would be preferred. Until NocTel is able to attain GDPR compl= iance, we intend to make operations in relation to personal data and privac= y as transparent and straightforward as possible so you know we're on the r= ight track.

Given the size of NocTel and the vast majority of customer organizations= not having normal contact with EU residents, NocTel at this time has deter= mined it is not reasonable to instate a DPO.

Will NocTel process personal data requests that come from non-EU= residents?

NocTel will do its best to treat all personal data requests equally as G= DPR represents valuing and respecting personal data.

Can NocTel accommodate my personal data request directly?

While NocTel will exert due diligence to honor personal data requests th= at are determined to be valid, it is not recommended to submit these reques= ts directly to NocTel. Our basis is our customers are organizations and sub= scribe to NocTel for business services. Accommodating any data requests wit= hout the awareness and agreement of the organization the requesting data su= bject is part of may cause disruption of services and manageability of the = data subject by account administrators.

NocTel recommends that any personal data right related requests be submi= tted to your organization first and then is received by NocTel with the aff= irmation that some features and manageability could possibly change in rela= tion to you.

What are examples of personal data requests NocTel will not acco= mmodate?

Here are some examples and the reasoning why the request will not be acc= ommodated:

  • Request to delete IP addresses and device MAC addresses associated = with a data subject (exercising right to be forgotten, right to restri= ct processing): Without the ability to collect and store hardware IP addres= s and MAC address, NocTel's system has no way of accurately identifying or = integrating the device. Accommodating this request would effectively cause = all services to cease functioning for the data subject. This is additionall= y not tenable as the hardware and addresses in question typically are owned= by the data subject's organization, not to the data subject themselves. Wh= ile this is qualifies as personal data, the data subject is associated by v= irtue the resources have been assigned with the express purpose the data su= bject can fulfill their responsibilities to their organization.

 

  • Request to exclude data subject's handset usage and activities from= logging and audit reports (exercising right to restrict processing): = NocTel cannot accommodate this request as the data subject in almost all ca= ses uses NocTel's VoIP services to serve the interests of their organizatio= n. Therefore, activities performed within the system and in regard to usage= are legitimate data NocTel has an obligation to provide to the customer or= ganization.

 

  • Request access to data subject's personal data on record within Noc= Tel's systems (exercising right of access): This request should be sub= mitted through the data subject's associated organization. NocTel's end use= r management via control panel can be setup such that a custo= mer account's users all have access to their own extension and data. In man= y cases, customer organizations choose to only have NocTel control panel us= er accounts for IT technical and administrative staff who then manage all o= ther end users in the organization. The relevant data in the request is rea= sonably accommodated through audit reports for the particular data subject.=

 

  • Request to port all personal data out of NocTel with the intent to = seek services with a different provider (exercising right of portabili= ty): This request is something NocTel can only at best partially accom= modate. Telecommunications is an industry in where the process of porting n= umbers between providers tends to be an extremely tedious process. For the = act of porting numbers out of NocTel, the porting request needs to submitte= d to the new service provider who then submits the associated porting reque= st information. If the porting request information is accurate, the number(= s) are ported. If it's incorrect, the port will not occur. This porting pro= cess takes precedence over GDPR's right of portability as this process is s= tandard in telecommunications. For portability, NocTel can provide a list o= f extensions and phone numbers, but cannot reasonably provide personal voic= emails or faxes in a correlated output for what voicemail and fax data stil= l exists in NocTel's system.


  • Request to restore deleted data: In most cases this variety of= request comes when an end user (data subject) deletes data such as voicema= il recordings or received faxes. NocTel processes deletion of this data as = absolute and cannot be undone. When a deletion occurs as triggered by an en= d user or automatic retention policy, there is no delay in the deletion of = the data in question across the entire system. This means there is no windo= w for recovery, so this particular request cannot be accommodated.

What is NocTel's policy for storing and processing personal data= ?

See our Privacy Policy for information on personal data ret= ention.

Generally, NocTel only keeps personal data for as long as it's valid and= needed. For example, a setting that stores personal data for a feature wil= l overwrite and consequently forget the previous value if it changed. Likew= ise, for personal data such as voicemail, NocTel implements an automatic da= ta retention policy that will delete old voicemails that have not already b= een deleted by the end user themselves.

 

------=_Part_10602_511107357.1711727039512--