On February 5th, Avaya obtained the approval of its Binding Corporate Rules (BCR) by the German Data Protection Authority of the Hesse region, following the formal submission of its BCR to the DPA on 20th March 2017. Avaya obtained this approval in less than a year from the date of submission, effectively making it one of the fastest BCR approvals obtained by Fieldfisher.
BCRs were developed by the EU Article 29 Working Party to provide a global data protection policy framework for multinational corporations, international organisations and groups of companies to allow them to transfer personal data across borders within their group of entities and subsidiaries in compliance with European Union Data Protection law. To achieve BCR authorisation, companies such as Avaya must commit to strict, intra-corporate global privacy policies, set of practices, processes and guidelines that satisfy EU standards, and must implement those through comprehensive training and audit programs.
This win puts Avaya at the forefront of global privacy compliance given that BCR are now being widely recognized as a key component and highly effective tool that enables multi-national organizations to comply with the General Data Protection Regulation (GDPR). In particular, Avaya made a conscious and strategic choice to adopt BCR both as a controller for its own data, and as a processor for the data the company receives from its customers. As a result, Avaya gets an immediate competitive advantage compared to other organizations that do not have BCR.
Founded in 2000, Avaya is headquartered in Santa Clara, California. It has more than 8,700 employees and serves organizations at 220,000 customer locations worldwide. As the global leader in delivering superior communications experiences, Avaya provides the most complete portfolio of software and services for contact center and unified communications— offered on premises, in the cloud, or a hybrid.
Koldo Loidi, Avaya's Data Protection Officer, comments the work accomplished with Fieldfisher: “We are delighted to have completed our binding corporate rules procedure as a controller and as a processor successfully. This validates the personal data handling practices of Avaya. We chose the right partner to navigate through this process: Fieldfisher."
"The binding corporate rules procedure can seem daunting and onerous for companies. It so seemed to us before we started. These concerns were dissipated early on in the process as we fully leveraged the experience and know-how of Fieldfisher. Working hand in hand with them we reached a very successful outcome within a short timeframe."
This project was led by Brussels Privacy Partner, Olivier Proust, with the support of Fieldfisher's Hamburg office. Olivier, who helps multinational organizations to implement global privacy compliance programs and in particular to implement data transfer mechanisms such as binding corporate rules, said:
"Companies always struggle in the beginning with BCR but once they set things into motion, eventually it pays off. Avaya made the right choice and largely owes its success to the commitment and devotion of its Privacy team. With less than 100 days to go before the GDPR comes into force, Avaya is ahead of most companies in terms of GDPR compliance and one of the very few companies in the world to have BCR in place. Avaya has set the path for many companies in the future."
The approval of Avaya's BCR demonstrates once more Fieldfisher's leading expertise in the field of Privacy, especially on complex, multi-jurisdictional privacy projects such as this one. It also further shows how Fieldfisher's strong relations with data protection authorities are key to a successful result in this area.
Sign up to our email digest