Partner Service Privacy Policy

Updated: MAY 28, 2018

This Partner Service Privacy Policy (“Policy”) is offered by Teleopti to all Partners which are not subject to the EU General Data Protection Regulation 2016/679 (the “GDPR”), and forms an integral part of the Teleopti Partner Agreement.
All defined terms shall have the meaning assigned in section 1 below or in the  Partner Agreement.

1 DEFINITIONS

1.1 “Customer” means Partner’s customers as such term is defined in the PA.

1.2 “Data Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data according to Data Protection Laws.

1.3 “Data Protection Laws" means the laws and regulations applicable to Teleopti.

1.4 “Data Subject” means the natural person who is identified by the Personal Data. 

1.5 “Data Subject Request” means the Data Subject's request for its rights regarding information and access to its Personal Data pursuant to the Privacy Laws.

1.6 “Partner Agreement” or “PA” shall mean the Partner Agreement entered into by Partner and Teleopti.

1.7 “Personal Data” means any information relating to an identified or identifiable natural person, an identifiable natural person is one who can be identified, directly or indirectly, such as for example a name, an identification number, location data.

1.8 “Policy” means this Partner Service Privacy Policy.

1.9 “Processing” or “to Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.10 “Service(s)” means the services performed by Teleopti as sub-contractor to Partner under the PA.

1.11 “Sub-processor” means any Processor engaged by Teleopti or a member of the Teleopti Group to Process Personal Data as sub-contractor to Teleopti.

1.12 "Supervisory Authority" means any public body under the Data Protection Laws and/or Privacy Laws that has the authority to impose legal sanctions on Teleopti or Partner.

1.13 “Privacy Laws” means any law or regulation concerning data protection and privacy applicable to Partner and Customers.

2 DATA PROCESSING

2.1 Scope

2.1.1 Teleopti agree to comply with and abide by the Data Protection Laws and Partner shall comply with and abide by the Privacy Laws.

2.1.2 Teleopti is entitled to enforce this Policy on behalf of Teleopti and also on behalf of any of the Teleopti Affiliates. 

2.1.3 Partner acknowledges and agrees that if Partner elects to agree to terms and conditions in addition to the terms and conditions of this Policy, with the Customers regarding the Processing of Personal Data or any other issue under Privacy Laws, such terms and conditions shall not apply to Teleopti without the prior written consent of Teleopti. Teleopti shall be under no obligation to agree to any such additional terms and conditions unless required to so under the Data Protection Laws.

2.2 Partner Obligations

2.2.1 Partner shall, and shall ensure that Customers shall, in their use of the Services, Process Personal Data in accordance with the requirements of the Privacy Laws. Partner’s instructions to Teleopti for the Processing of Personal Data, if any, shall comply with Privacy Laws and Partner shall ensure that the Customers shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data. Teleopti will comply with such instructions provided they are not in contradiction with Data Protection Law.

2.2.2 Partner and Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Partner in Partner’s sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects: (i) Customers employees, agents, advisors and freelancers (who are natural persons), (ii) employees of Customers business partners and vendors, and (iii) Users.

2.2.3 The type of Personal Data Partner and Customers can store and use in the Service, may include, but is not limited to the following categories of Personal Data: (i) Employee ID or another identifier, (ii) first and last name, (iii) title, position, and organizational belonging, (iv) competence, (v) data related to scheduling and reporting, and (vi) contact information (company, email, phone, physical business address).

2.2.4 The Services offers flexibility as to what type of Personal Data Partner and Customers can store and use in the Service and instruct Teleopti to process in the Services. If Partner’s or Customer’s use of Personal Data is likely to pose a high risk to the privacy and integrity of a person for example use of sensitive Personal Data, it is Partner’s obligation to ensure that Partner and Customer make a balanced decision for what purpose and which legal grounds there are for such Processing. It is Partner’s obligation to ensure that the use of Personal Data does not violate Privacy Laws or any other legal or ethical rules applicable to Partner and Customer and Teleopti or any Teleopti Affiliate shall have no liability for Partner’s decision in this context.

2.3 Teleopti Obligations

2.3.1 Teleopti shall only Process Personal Data on behalf of and in accordance with Partner’s documented instructions solely as necessary to supply, maintain and support the Services pursuant to the PA, the duration of the Processing will be for the duration of the PA.

2.3.2 All Processing of Personal Data pursuant to this Policy shall be subject to the Non-Disclosure provisions of the PA.

3 TELEOPTI PERSONNEL

3.1 Teleopti will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Teleopti will also ensure that such confidentiality obligations survive the termination of the personnel engagement.

3.2 Teleopti will take commercially reasonable steps to ensure the reliability of any of Teleopti personnel engaged in the Processing of Personal Data and that access to Personal Data is limited to those personnel performing Services in accordance with the PA.

4 SECURITY

4.1 Teleopti have implemented and will continue to improve and implement appropriate technical and organizational security measures to protect the Personal Data in accordance with the provisions of the PA and Data Protection Laws.

4.2 Partner confirms and shall ensure that the Customer confirms that the security measures, as described in the Teleopti Information Security Overview meets Partner’s and the Customer’s obligations under Privacy Laws for the actual Processing of the Personal Data performed through the Services.

5 CHANGE REQUESTS

5.1 Any request made by Partner for change to the instructions stated in Section 2.3 “Teleopti Obligations” or request  for change in Teleopti’s security measures described in Section 4, “Security” above, due to changes in the Privacy Laws or otherwise, shall be made in writing by Partner and shall require the written consent by Teleopti.

5.2 If Teleopti informs Partner that Teleopti cannot meet Partner’s amended instructions or request for change and if such amended instructions were reasonably requested by Partner to ensure compliance with Privacy Laws or if such request was based upon a specific Customer’s request Partner shall be entitled to terminate the Order for the affected Service in writing by at least 30 and maximum 60 days’ notice period. Teleopti shall reimburse any pre-paid fees after the expiration of the notice period.

6 DATA INCIDENT MANAGEMENT, NOTIFICATION AND ASSISTANCE

6.1 Teleopti will maintain adequate procedures designed to detect and respond to any Data Incident, including procedures for preventive and corrective actions, and also to avoid recurrence of any Data Incident. These procedures shall be established by Teleopti in such a manner that Teleopti can meet the requirements of the Data Protection Laws. Teleopti will also strive to ensure that Partner and the Customer will be able to meet any notification and documentation requirements in relation to data incidents under Privacy Laws provided Partner notify Teleopti in writing of such requirements.

6.2 Upon discovery or reasonable suspicion of a Data Incident, Teleopti will take adequate recovery measures. Furthermore, Teleopti will provide reasonable or requested feedback to Partner and provide effective support to Partner and (possibly) affected Data Subjects. The feedback and support should include at least:

6.2.1 a description of the nature and the scope of the Data Incident, including an estimation of the number of Data Subjects (possibly) affected, an indication of the types of Personal Data concerned and whether or not such Personal Data are protected by technical measures;

6.2.2 a description of the anticipated consequences of the Data Incident;

6.2.3 a description of the preventive and corrective measures taken and to be taken, planned and recommended to minimize possible harm, and the expected resolution and work-around time.

6.3 Teleopti will implement appropriate technical and organizational measures to assist Partner in the fulfillment of any Data Subject Request. Teleopti obligations in this respect shall apply only to the extent possible and to the extent that the nature of the Processing requires according to Data Protection Laws. With respect to any technical and organizational requirements under Privacy Laws, Teleopti will strive to comply with such requirements provided Partner notifies Teleopti in writing of such requirements.

6.4 Upon Partner’s request, and in addition to the provisions of Section 4, “Security”, Teleopti will provide Partner with reasonable cooperation and assistance needed to fulfil Partner’s obligations under Privacy Laws to carry out any risk assessment related to Customers use of Personal Data in the Services, to the extent Partner do not otherwise have access to the relevant information, and to the extent such information is available to Teleopti. 

7 SUB-PROCESSING

7.1 Appointment of Sub-processors. Partner acknowledge and agrees, and shall ensure that each Customer acknowledges and agrees that Teleopti Affiliates may be retained as Sub-processors; and Teleopti and the Teleopti Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. The Sub-processors engaged by Teleopti with Partner’s consent at the execution of the Policy, the location of the Sub-processor and a description of the Processing carried out by the Sub-processor will be; (i) specified in Partner’s Order or (ii) notified by Teleopti through email to Partner.

7.2 Sub-Processors Protective Terms. Teleopti or the Teleopti Affiliates has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Policy with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor. Teleopti will ensure that the Teleopti Sub-processors have an adequate level of protection and that appropriate safeguards have been put in to place fulfilling the requirements of the Data Protection Laws. To the extent that the selected legal ground for processing is declared invalid by a competent court or authority, Teleopti will cooperate with Partner in finding an alternative legal ground for the adequate protection of the Personal Data Processed under the Services.

7.3 General Consent to New Sub-processors. Partner hereby gives Teleopti a general consent to engage Sub-processors for Processing of Personal Data on behalf of Partner. Teleopti Sub-processors are listed below in Section 12, “Sub-processors”. Teleopti will inform Partner before transferring any Personal Data to a new Sub-processor. Following receipt of such information Partner shall notify Teleopti if Partner objects to the new Teleopti Sub-processor. If Partner does not object to the Teleopti Sub-processor within 30 days of receiving the information, Partner shall be deemed to have accepted the Teleopti Sub-processor. If Partner is raising a reasonable objection to the new Teleopti Sub-processor or if Partner’s refusal is based upon a specific Customer’s refusal to accept such a new Teleopti Sub-processor, Partner shall have the right to, within 30 days from receiving notice of information of a new sub-processor, terminate the PA or the specific Order under the PA to such Customer, with a 60 days’ notice period. During the termination period, Teleopti is not allowed to transfer any Personal Data to the Teleopti Sub-processor. If the Order or the PA has not been terminated by Partner within 30 days from receiving notice of the information of the new Teleopti Sub- processor, Personal Data may be transferred to the new Teleopti Sub-processor.

7.4 Liability for Sub-processors. Teleopti will enter into appropriate written agreements with all Teleopti Sub-processors on terms which in all materially respects correspond to the obligations as set out in this Policy. Teleopti will remain fully liable to Partner for the performance or non-performance of the Sub-processor’s obligations, subject to Section 11, “Liability and Limitation of Liability” of the Agreement.

8 DISCLOSURE OF PERSONAL DATA

8.1 Teleopti will not disclose Personal Data covered by this Policy to a Data Subject or third party, unless required by Data Protection Laws. In cases where Teleopti must disclose such information due to law, court- or governmental order, Teleopti shall notify Partner, unless prohibited by Data Protection Laws.
8.2 Teleopti will promptly notify Partner if Teleopti receive a Data Subject Request.

8.3 Teleopti and its representatives, are obliged to cooperate with the Data Protection Authority under the Data Protection Laws in the case of enforcement measures, if requested by such Data Protection Authority. Teleopti undertake to notify Partner without delay of requests from such Data Protection Authority or any other regulatory authority that specifically relates to the Processing of Personal Data under this Policy. Teleopti shall not be entitled to represent Partner or act on behalf of Partner in such requests. 

9 SECURITY REPORTS AND AUDITS

9.1 Upon Partner’s request, and subject to the confidentiality obligations set forth in the PA, Teleopti will make available to Partner, or a third party appointed by Partner that is not a competitor of Teleopti, or Partner’s independent, third-party auditor, information regarding Teleopti compliance with the obligations set forth in this Policy, as described in the then current Teleopti Information Security Overview.

9.2 Partner may contact Teleopti to request an on-site audit of the architecture, systems and procedures relevant to the protection of Personal Data at locations where Personal Data is stored. However, Partner acknowledge and agree that certain of Teleopti Sub-processors might have internal restrictions that will not allow such an audit. 

9.3 Before the commencement of any such on-site audit, Teleopti shall mutually agree upon the scope, timing, and duration of the audit and Partner shall promptly notify Teleopti with information regarding any non-compliance discovered during an audit.

10 COMPENSATION

10.1 Teleopti shall have the right to claim compensation for any time expended by the Teleopti Group or its third-party Teleopti Sub-processors for any on-site audit pursuant to section 9.

10.2 In addition hereto, Teleopti shall have the right to claim compensation for any written requests from Partner for activities to be performed under this Policy unless such request falls within the obligations of Teleopti pursuant to the Services to be performed under the PA.

11 LIABILITY AND LIMITATION OF LIABILITY

11.1 If Teleopti Processes Personal Data in breach of Partner’s lawful instructions, this Policy or Data Protection Laws, Teleopti shall indemnify and hold Partner harmless for any loss, cost or damage, including but not limited to claims by a Data Subject and any financial penalties imposed by Supervisory Authorities or other competent authorities, due to Teleopti’s (or Teleopti Sub- processors) Processing of Personal Data.

11.2 If Partner or Customer Processes Personal Data in breach of this Policy or Privacy Laws, Partner shall indemnify and hold Teleopti harmless for any loss, cost or damage, including but not limited to claims by a Data Subject, financial penalties imposed by Supervisory Authorities or other competent authorities, due to Partner and/or Customer’s Processing of Personal Data.

11.3 In case of claims by a Data Subject or financial penalties imposed by Supervisory Authorities or other competent authorities, each party shall: (a) notify the other party promptly in writing of any such potential or pending claims or penalties; (b) use reasonable endeavors to reduce or avoid such claims or penalties; (c) allow the other party to comment on any response, settlement, defense or appeal in relation to such claim; and (d) to a reasonable extent provide the other party with information in relation to the same.

11.4 A Party’s maximum total aggregate liability under this Policy (regardless of the form of action, whether in contract, tort, or otherwise and howsoever caused including by negligence) for;
(i) Partner’s damages caused by damage claims from a Customer; a maximum of one hundred percent (100%) per calendar year of the amount actually paid by Partner to Teleopti under the PA regarding the Customer and the series of related events to which such specific claim relates, during the calendar year.
(ii) Partner’s damage not caused by a damage claim from a Customer; a maximum of one hundred percent (100%) per calendar year of the amount actually paid by Partner to Teleopti under the PA for the Service causing the damage regarding the series of related events to which such specific claim relates, during the calendar year. 
(iii) Teleopti’s damages caused by Partner’s breach of the terms and conditions of this Addendum; a maximum of one hundred percent (100%) per calendar year of the amount actually paid by Partner to Teleopti under the PA during the calendar year.

11.5 For the avoidance of doubt, Teleopti's and the Teleopti Affiliates total liability for all claims from Partner arising out of or related to this Policy shall only be handled under the terms and conditions of this Policy and shall not be considered as a claim under the PA.

12 SUB-PROCESSORS

12.1 Teleopti use the following Sub-processors:

 

Sub-processor

Description of the provided services and Processing activities

Teleopti Inc.(US)

Support and Maintenance

Teleopti China Co. Ltd (China)

Support and Maintenance

Teleopti AB (Sweden)

Support and Maintenance

Microsoft Ireland Operations Ltd (Ireland)

Providing and Supporting Infrastructure as a Service (IaaS)

Microsoft Corporation (US)

Providing and Supporting Infrastructure as a Service (IaaS)


----------------------