How we comply with EU data protection laws

INTRODUCTION

VoicePro Plus provides this information to answer the most frequently asked questions that our customers ask about the General Data Protection Regulation (GDPR). It does not, and is not intended to, confer legal advice. You should always speak to your own, independent legal advisers to understand your legal responsibilities under the GDPR.
This information is organised in two sections. The first section provides an overview of the data protection law that applies to VoicePro Plus, and the second provides a description of VoicePro Plus’s data processing operations and how the company complies with applicable data protection law.

DATA PROTECTION LAW
What are data protection laws?
Data protection laws govern the way businesses collect, use, and share personal data about individuals. Among other things, they require businesses

• To process individuals’ personal data fairly and lawfully
• To allow individuals to exercise legal rights with respect to their personal data (e.g., to access, correct or delete their personal data)
• To have in place appropriate security protections in order to protect the personal data that they process

WHAT LAWS IN THE EUROPEAN UNION GOVERN DATA PROTECTION ?
In the European Union, data protection rules are set out in a data protection law called the General Data Protection Regulation.

WHAT IS THE GENERAL DATA PROTECTION REGULATION ?
The General Data Protection Regulation (or “GDPR“) (Regulation (EU) 2016/679) is Europe’s data protection law that became effective on May 25, 2018. The GDPR is a major overhaul of the data protection rules, and VoicePro Plus, like many organisations, has taken steps to ensure that it is compliant with GDPR from the time the new law took effect.

GDPR aims to update Europe’s existing data protection rules to make sure they are fit for the 21st century. Among other things, it harmonises data protection rules throughout European Union member states, introduces new requirements for data processors (the original directive applied only to data controllers), enhances individual’s privacy rights (introducing new rights to be forgotten and to data portability), and creates significant penalties for non-compliance (including potential fines of up to 4% annual worldwide revenue).

WHO DOES THE GDPR APPLY TO ?
The GDPR applies to any organisation which is established within the European Union (e.g., has a subsidiary or branch in the EU). It also applies to any non-EU organisation which either:

• Offers goods or services to individuals in the EU (including free goods and services); or
• Monitors the behaviour of individuals in the EU (for example, through the use of advertising or analytics technologies).

DOES EUROPEAN DATA PROTECTION LAW APPLY ONLY TO DATA CONTROLLERS ?
No. One of the significant changes brought in by the GDPR is that it applies to both data controllers and to data processors. There are, however, more obligations imposed on data controllers under the GDPR than on data processors.

What is a data controller and a data processor?
A data controller is the entity that determines the “purposes and means of the processing” of data – in other words, how and why personal data will be processed.
A data processor processes personal data only on behalf of, and under the instruction of, a data controller.

VoicePro Plus’s Approach to Data Protection Law
Does VoicePro Plus comply with the GDPR?
Like any responsible organisation, VoicePro Plus aims to comply with the data protection laws that apply to it. Because VoicePro Plus has an EU establishment, the company is directly subject to GDPR (see our FAQ above “Who does the GDPR apply to?“).

What types of products and services does VoicePro Plus provide?
VoicePro Plus processes transactions that include the authorization and delivery of end-user traffic, clearing of billing records and settlement of payments. VoicePro Plus also offers a unique portfolio of intelligent policy and charging tools that enable its customers to use the real-time data generated by these transactions to deliver customised services and choices to their end users.

What type of personal data is VoicePro Plus collecting?
The types of personal data VoicePro Plus will process as part of its normal business include device data, such as device identifiers and similar device-related information (e.g. IMSI, sender ID, destination MSISDN), as well as IP addresses, and billing data (e.g., TAP files under GSMA rules).
In addition, VoicePro Plus processes personal data about our employees and business contact data relating to our customers, suppliers and other individuals with whom we have a business relationship. We also gather personal information through our website.

VoicePro Plus does not generally process sensitive personal data, other than personal data of our employees. VoicePro Plus takes care to protect all the personal information that we hold in accordance with law.

VoicePro Plus has invested considerable effort as part of its GDPR preparations to have a robust record of data that it processes – both as a data processor for customers and as a data controller – to have a clear understanding of the legal basis under which we process that data.

Is VoicePro Plus a controller or processor?
When providing its services to customers, VoicePro Plus is generally a data processor processing personal data at the instruction of its customers, the controller.

However, in some circumstances VoicePro Plus may be a data controller, such as when we collect business contact data relating to our customers, suppliers and other individuals with whom we have a business relationship and where we provide business analysis tools through various VoicePro Plus hosted portals to customer employees or gather personal information through our website.

VoicePro Plus also considers itself a controller of communications metadata (i.e. data processed for the conveyance of (or billing of) any electronic communication or communication on an electronic communications network, including connection and records, routing information, tracking information), where VoicePro Plus uses this data for its own billing and tracking purposes and is determining the routing for a message (e.g., which text message aggregators and operators to use to route the messages). VoicePro Plus is also a controller of its own employees’ personal data.

What is VoicePro Plus’s lawful basis for processing personal data?
VoicePro Plus will only be able to process personal data if it can demonstrate it has a lawful processing ground – such as performance of a contract, reliance on its legitimate interests – where processing is to comply with a legal obligation or with consent from the individual whose personal information is processed. As part of our data mapping exercise VoicePro Plus confirmed and recorded the legal basis for processing for each type of process or application.

How does VoicePro Plus provide transparency to data subjects?
VoicePro Plus provides clear high-level descriptions of the data it processes in its privacy policies and internal notices, which it has reviewed, updated and published on the company’s intranet (for internal policies) and external website, www.voicepro.plus.

What data protection rights do data subjects have?
Under the GDPR, individuals can exercise the following rights against data controllers:

• A right to request access to, and a copy of, personal information processed about them
• A right to correct any inaccurate or outdated personal information processed about them
• A right to object to processing of their personal information
• A right to request erasure of their personal information (e.g., end users may want that their data gets deleted)
• A right to request that processing of their personal information be restricted (e.g., this can be supported with the “do not track” option in the browser)
• A right not to be subject to automated decisions that significantly or legally affect them

VoicePro Plus has put in place procedures to ensure that it handles all such requests made to it as a controller in compliance with the GDPR. For data where VoicePro Plus is a processor, VoicePro Plus also has processes in place to ensure it forwards any such requests it receives to the relevant customer for response and will assist the controller in responding as required by the GDPR.

Will customer personal data ever be transferred outside Europe?
If our customers are located outside of Europe, yes.
Otherwise, please note that VoicePro Plus is a UK-headquartered company and we enable individual subscribers to make calls or send messages. VoicePro Plus operates on a global basis in support of its customers.

Customer personal data may be transferred outside Europe, including to the US. With certain products and internal applications, we also work with international service providers who help us to manage and deliver our services. However, they do so under strict contractual terms to ensure they protect the privacy and security of customer personal information.

What data transfer solution does VoicePro Plus have in place?
VoicePro Plus has put in place a revised global data transfer agreement based on the EU model clauses.

What other steps has VoicePro Plus taken to be compliant with GDPR requirements?
We understand the single biggest novelty of the GDPR is the introduction of requirements intended to make businesses more accountable for their data practices. We realise that it is important for VoicePro Plus to document its activities, so the company can demonstrate compliance to a customer or competent authority. VoicePro Plus has taken steps to adopt and enforce policies and procedures, including those regarding data retention, data privacy impact assessments, and data security policies and incident response plans.
VoicePro Plus has provided documented training for all staff around the globe on the basic elements of GDPR. Further courses and individual training will be rolled out as the VoicePro Plus privacy curriculum evolves.
Given the scale and nature of data processing VoicePro Plus undertakes on a global basis, the company has appointed a Data Protection Officer, for whom contact details are listed below.

What security measures does VoicePro Plus apply to protect personal data?
VoicePro Plus is committed to ensuring that personal data is secure. VoicePro Plus implements appropriate technical and organisational security measures to protect personal data against: (i) accidental or unlawful destruction; and (ii) loss, alteration, unauthorised disclosure or access. For more information concerning the technical and organisation measures taken by VoicePro Plus please refer to the Data Protection Officer contact information below.

Will VoicePro Plus update its terms for GDPR compliance?
Yes. VoicePro Plus has reviewed its website privacy policy, internal notices and developed data processing agreements both for vendors and customers. If you require a data processing agreement, please refer to the Data Protection Officer contact information below.

Who do I contact if I have further questions?
If you have any further questions about VoicePro Plus’s compliance with EU data protection requirements or GDPR, please contact the VoicePro Plus Data Protection Officer at:

FAO: Global Data Protection Officer
VoicePro Plus Limited
128 City Road
London
EC1V 2NX
United Kingdom