Syniverse provides this document to answer the most frequently asked questions that our customers ask about the General Data Protection Regulation (GDPR). It does not, and is not intended to, confer legal advice. You should always speak to your own, independent legal advisers to understand your legal responsibilities under the GDPR.
This document is organized in two sections. The first section provides an overview of the data protection law that applies to Syniverse, and the second provides a description of Syniverse's data processing operations and how the company complies with applicable data protection law.
Data protection laws govern the way businesses collect, use, and share personal data about individuals. Among other things, they require businesses
In the European Union, data protection rules are now set out in a new data protection law called the General Data Protection Regulation.
The General Data Protection Regulation (or "GDPR") (Regulation (EU) 2016/679) is Europe's new data protection law that became effective on May 25, 2018. The GDPR is a major overhaul of the data protection rules, and Syniverse, like many organizations, has taken steps to ensure that it is compliant with GDPR from the time the new law took effect.
GDPR aims to update Europe's existing data protection rules to make sure they are fit for the 21st century. Among other things, it harmonizes data protection rules throughout European Union member states, introduces new requirements for data processors (the original directive applied only to data controllers), enhances individual's privacy rights (introducing new rights to be forgotten and to data portability), and creates significant penalties for non-compliance (including potential fines of up to 4% annual worldwide revenue).
The GDPR applies to any organization which is established within the European Union (i.e., has a subsidiary or branch in the EU). It also applies to any non-EU organization which either:
No. One of the significant changes brought in by the GDPR is that it applies to both data controllers and to data processors. There are, however, more obligations imposed on data controllers under the GDPR than on data processors.
A data controller is the entity that determines the "purposes and means of the processing" of data – in other words, how and why personal data will be processed.
A data processor processes personal data only on behalf of, and under the instruction of, a data controller.
Like any responsible organization, Syniverse aims to comply with the data protection laws that apply to it. Because Syniverse has an EU establishment, the company is directly subject to GDPR (see our FAQ above "Who does the GDPR apply to?").
Syniverse is a leading global transaction processor that connects Mobile Network Operators and enterprises in nearly 200 countries, enabling seamless mobile communications across disparate and rapidly evolving networks, devices and applications.
Syniverse processes transactions that include the authorization and delivery of end-user traffic, clearing of billing records and settlement of payments. Syniverse also offers a unique portfolio of intelligent policy and charging tools that enable its customers to use the real-time data generated by these transactions to deliver customized services and choices to their end users.
The types of personal data Syniverse will process as part of its normal business include device data, such as device identifiers and similar device-related information (e.g. IMSI, sender ID, destination MSISDN), as well as IP addresses, and billing data (e.g., TAP files under GSMA rules).
In addition, Syniverse processes personal data about our employees and business contact data relating to our customers, suppliers and other individuals with whom we have a business relationship. We also gather personal information through our website.
Syniverse does not generally process sensitive personal data, other than personal data of our employees. Syniverse takes care to protect all the personal information that we hold in accordance with law.
Syniverse has invested considerable effort as part of its GDPR preparations to have a robust record of data that it processes – both as a data processor for customers and as a data controller – to have a clear understanding of the legal basis under which we process that data.
When providing its services to customers, Syniverse is generally a data processor processing personal data at the instruction of its customers, the controller.
However, in some circumstances Syniverse may be a data controller, such as when we collect business contact data relating to our customers, suppliers and other individuals with whom we have a business relationship and where we provide business analysis tools through various Syniverse hosted portals to customer employees or gather personal information through our website.
Syniverse also considers itself a controller of communications meta data (i.e. data processed for the conveyance of (or billing of) any electronic communication or communication on an electronic communications network, including connection and records, routing information, tracking information), where Syniverse uses this data for its own billing and tracking purposes and is determining the routing for a message (e.g., which text message aggregators and operators to use to route the messages). Syniverse is also a controller of its own employees’ personal data.
Syniverse will only be able to process personal data if it can demonstrate it has a lawful processing ground – such as performance of a contract, reliance on its legitimate interests – where processing is to comply with a legal obligation or with consent from the individual whose personal information is processed. As part of our data mapping exercise Syniverse confirmed and recorded the legal basis for processing for each type of process or application.
Syniverse provides clear high-level descriptions of the data it processes in its privacy policies and internal notices, which it has reviewed, updated and published on the company’s intranet (for internal policies) and external website, Syniverse.com.
Under the GDPR, individuals can exercise the following rights against data controllers:
Syniverse has put in place procedures to ensure that it handles all such requests made to it as a controller in compliance with the GDPR. For data where Syniverse is a processor, Syniverse also has processes in place to ensure it forwards any such requests it receives to the relevant customer for response and will assist the controller in responding as required by the GDPR.
If our customers are located outside of Europe, yes.
Otherwise, please note that Syniverse is a US-headquartered company with affiliates in the European Union, Cost Rica, India and Asia Pacific, and we enable individual mobile subscribers to make calls or send messages when roaming. Syniverse operates on a global basis in support of its customers.
Customer personal data may be transferred outside Europe, including to the US. With certain products and internal applications, we also work with international service providers who help us to manage and deliver our services. However, they do so under strict contractual terms to ensure they protect the privacy and security of customer personal information.
Syniverse has put in place a revised global data transfer agreement based on the EU model clauses.
We understand the single biggest novelty of the GDPR is the introduction of requirements intended to make businesses more accountable for their data practices. We realize that it is important for Syniverse to document its activities, so the company can demonstrate compliance to a customer or competent authority. Syniverse has taken steps to adopt and enforce policies and procedures, including those regarding data retention, data privacy impact assessments, and data security policies and incident response plans.
Syniverse has provided documented training for all staff around the globe on the basic elements of GDPR. Further courses and individual training will be rolled out as the Syniverse privacy curriculum evolves.
Given the scale and nature of data processing Syniverse undertakes on a global basis, the company has appointed a Data Protection Officer, for whom contact details are listed below.
Syniverse is committed to ensuring that personal data is secure. Syniverse implements appropriate technical and organisational security measures to protect personal data against: (i) accidental or unlawful destruction; and (ii) loss, alteration, unauthorised disclosure or access. For more information concerning the technical and organisation measures taken by Syniverse please refer to the Data Protection Officer contact information below.
If you have any further questions about Syniverse's compliance with EU data protection requirements or GDPR, please contact the Syniverse Data Protection Officer at:
FAO: Data Protection Officer
Syniverse Technologies 15 Rue Edmund Reuter
Last update: June 2018