Our strangely simple commitment to data protection and security
By now, GDPR (General Data Protection Regulation 2016/679) is probably not a mystery to you, but the effect it will have on businesses still requires some explaining. Our aim here is to provide an overview of what we have done and continue to do at Voxbone to ensure we handle your data safely before, during and after the provision of our services to you.
Businesses are making all sorts of commitments on privacy and security but ours is simple: we will always care. About your data, the trust you place in our services, your belief in our mission to simplify communications, or whatever it is that makes you choose and stick with us. We will continue to care and treat the business relationship between us with the utmost respect.
Where have we focused our efforts so far?
- We have revised and updated our data inventories and mapped our data flows as we believe compliance starts with in-depth knowledge of where your data is at all times.
- We have put together a team of technical experts that meets on a weekly basis to discuss information security matters.
- We have appointed a Data Protection Officer to advise independently on Voxbone current and future practices when processing personal data.
- We have implemented the Privacy by Design principles and privacy is part of early assessment and incorporated into any product or service Voxbone is offering to you. We follow a Privacy Impact Assessment procedure which allows us to thoroughly consider the GDPR principles in the incipient phase of any service we currently propose to you, or that we may further develop.
- We have updated internal policies to ensure that these are aligned with the new requirements under GDPR and we are proud of the work achieved on some of these key policies, such as the Data Subject Request Procedure, Data Breach Policy, Office and IT Security policies, Access Policy, Data Retention and Deletion Policy.
- We have revised the processing terms with our third parties vendors and implemented the appropriate agreements to ensure to a minimum that such third parties provide a similar level of protection such as the one Voxbone maintains. We are proactively applying a Privacy and security questionnaire for vendors.
- We have revised the access rights to your data as to ensure that this is not accessed by any third party within or outside the organisation unless there is a need to know basis and the principles for disclosure of such data are complied with. Every new access request is assessed by the Information Security team prior to granting such access.
- We have provided training to our employees in order to ensure that we raise the appropriate awareness with regards to the GDPR and the impact on the day to day activities within their line of work.
As proof of our commitment to privacy, we have joined the International Association of Privacy Professionals.
How does GDPR fit in with the national data protection laws or telecommunications laws?
GDPR and applicable national data protection laws
Voxbone’s commitment to privacy includes a commitment to always balance the fair processing of your data with any other obligations applicable to the service, as well as with our civic corporate responsibility in the markets in which we are present.
As such, we may be required by other applicable laws to process certain data for sector specific reasons, however we will always strive to minimize any privacy impacts.
Although certain national requirements with regards to processing of personal data due to sector specific legislation may be distinct from GDPR, rest assured as the principles set forward within the GDPR are embedded at the core of those national legislations as well.
For example, as a communications provider though, we are obliged to store certain type of data like traffic data for a longer or shorter period depending on the national retention schemes for traffic data.
And just because Voxbone likes to do things differently, that doesn’t mean that we treat our customers differently. Therefore, Voxbone is applying GDPR standards and key principles to all data and not just data of individuals in the European Union. This is very good news for you, because regardless of where you are located or what the processing activity is about, your data will always be protected under the highest standards.
GDPR and Law Enforcement Authorities’ requests
In the course of our business we will need to offer assistance to law enforcement authorities, however this cooperation is handled under prescribed conditions.
Hence, in some countries we are mandated to offer assistance to law enforcement authorities by local laws, or we need to protect a legitimate business interest such as fighting against fraud that harms our interests.
In relation to the processing of data for the purpose of responding to law enforcement requests of end user data, GDPR sets out the rules as to when this can be processed: processing of data on the basis that it is necessary to fulfill a legal obligation constitutes a lawful basis for processing. In this regard, there are certain national laws, like criminal laws of Member States that fall outside the EU’s legislative competence, and are not governed by the GDPR. Still, we process your data for these purposes with the same level of care as for any other purpose.
Additionally, you must bear in mind that GDPR does not apply to the processing of personal data by competent authorities for the purposes of investigation and prosecution of criminal offences.
All requests for information from Law Enforcement Agencies and National Regulatory Authorities are handled and managed by the Voxbone Abuse Department, which handles and manages all requests for information from Law Enforcement Authorities and Government Agencies, as well as dealing with complaints of nuisance calls and investigation into fraud and number misuse.
The Abuse Department ensures that all requests for information are lawful by ensuring that the appropriate documentation fulfils the legal requirements relating to the request and that it is sent in the correct format (warrant, subpoena or court order), otherwise Voxbone will not process the request.
The Abuse Department will then send a request for this information to the customer under the terms of contract to ensure that the appropriate information is obtained. Please remember that such requests are confidential and may not be disclosed with third parties other than Voxbone.
GDPR, national criminal laws and telecommunications laws are different, but not contradictory. They pursue different legitimate goals and companies like Voxbone must guarantee compliance with all of them. Voxbone ensures that confidentiality and all applicable legal requirements in the processing of personal data are adhered to at all times.
What is Voxbone’s role in relation to GDPR and customers as companies?
If you are a Customer (or are planning to become one) you will share certain personal data with us. Probably by now you know the difference between corporate and personal data, but we are here to give you a quick reminder:
Corporate or enterprise data refers to data of a natural or legal person engaged in an economic activity (that is, pure company data) and personal data means data related to an identified or identifiable natural person. Corporate data falls outside the scope of the GDPR. Therefore, what personal data do we collect from you?
This will be data related to (a) the individuals that work in your company such as your commercial contacts and legal representatives and/or (b) your end users and calling and called parties involved in the usage of our services.
In some cases, Voxbone will only act as a processor and in some other cases, as a controller, depending on the type of data, as explained in our data processing agreement, accessible on this same portal.
How do we keep your data secure?
We implement appropriate technical and organizational measures to protect the personal data you provide to us. Such measures are designed to provide a level of security appropriate to the risk of processing your personal data.
Additionally, because we want your data to be safe at all times, apart from our Infrastructure department that keeps our systems up and running, Voxbone has a dedicated InfoSec team (working in accordance with a dedicated InfoSec internal functioning policy) that regularly meets up to discuss about security threats and possible improvements to Voxbone’s security measures and internal processes. The InfoSec team also contributes to keep Voxbone’s employees informed about their obligations towards information security, because we believe that working together as a team will help us tackle threats in a more efficient way.
You may check our Security Measures document here. Make sure you visit this site frequently to access the most recent version.
Our data processing agreement
You may access Voxbone’s Data Processing Agreement here.
Voxbone currently works with third party Sub-processors in order to (i) provide infrastructure and storage services, (ii) help us provide customer support and commercial communications and (iii) help us render our services to Customers. If such a provider processes any personal data in order to render a specific service, Voxbone performs a privacy and security scan to evaluate the sub-processor’s privacy and security standards, and executes a data processing agreement.
You may check here for the most up to date list of sub-processors we work with, who may have access to certain personal data.
Please bear in mind that, in order to render our services, we work with partners whose names may not be disclosed due to confidentiality obligations. However, we make sure that, in cases where they might need to process your data, they do so under the same privacy and security standards as we do.
We will send email notifications to our customers whenever we update our Sub-processors list.
International data transfers
It is true that Voxbone is a Belgian company but also a company with global reach. That is why sometimes we need to perform data transfers. When and how will this happen?
We have employees located outside the EEA that may access certain personal data, only on a need-to-know basis, for the performance of the service we offer you (e.g. account management, technical support, legal compliance, etc). However, all employees are trained in the same way in order to be compliant with the GDPR, regardless of the country they are based in. Therefore, you don’t have to worry, your data will always be in good hands.
We may also share data with third parties outside the EEA whenever it is absolutely necessary to render our services. In all cases, our suppliers must sign a data processing agreement with us as well as relevant European Commission’s Model Clauses or be Privacy Shield certified.
What’s keeping us busy?
Because compliance is not just a one time “check the box” action, Voxbone will keep working on more privacy and security matters, such as the following:
- We will keep investing in improving our security measures in order to keep your data safe and in line with technological developments
- We will work on the maintenance of a training and awareness program, to make sure that even new employees are aware of Voxbone’s policies and obligations in relation to privacy and security.
- We will work on the optimization of our data deletion processes.
- We will keep an eye on the maintenance of live policies as we are committed to a periodical policy revision.
- We will only work with reliable suppliers. There is no room anymore for non-compliant processors in our commercial offer.
- We will improve the management of end user data.
- We will seek additional ways to demonstrate our commitment with privacy and security by adhering to codes of conduct and working on certifications.
How to reach us
Do you still have any questions related to our Data Protection practices? Your Data Protection Officer, Anne-Valérie Heuschen and Voxbone’s privacy team are here to help. Please feel free to contact us at firstname.lastname@example.org!