How Syniverse complies with EU data protection laws
Syniverse provides this document to answer the most frequently asked questions that our customers ask about the General Data Protection Regulation (GDPR). It does not, and is not intended to, confer legal advice. You should always speak to your own, independent legal advisers to understand your legal responsibilities under the GDPR.
This document is organized in two sections. The first section provides an overview of the data protection law that applies to Syniverse, and the second provides a description of Syniverse's data processing operations and how the company complies with applicable data protection law.
Data Protection Law
What are data protection laws?
Data protection laws govern the way businesses collect, use, and share personal data about individuals. Among other things, they require businesses:
- To process individuals' personal data fairly and lawfully
- To allow individuals to exercise legal rights with respect to their personal data (e.g., to access, correct or delete their personal data)
- To have in place appropriate security protections in order to protect the personal data that they process
What laws in the European Union govern data protection?
In the European Union, data protection rules are now set out in a new data protection law called the General Data Protection Regulation.
What is the General Data Protection Regulation?
The General Data Protection Regulation (or "GDPR") (Regulation (EU) 2016/679) is Europe's new data protection law that became effective on May 25, 2018. The GDPR is a major overhaul of the data protection rules, and Syniverse, like many organizations, has taken steps to ensure that it is compliant with GDPR from the time the new law took effect.
GDPR aims to update Europe's existing data protection rules to make sure they are fit for the 21st century. Among other things, it harmonizes data protection rules throughout European Union member states, introduces new requirements for data processors (the original directive applied only to data controllers), enhances individuals' privacy rights (introducing new rights to be forgotten and to data portability), and creates significant penalties for non-compliance (including potential fines of up to 4% of annual worldwide revenue).
Who does the GDPR apply to?
The GDPR applies to any organization which is established within the European Union (i.e., has a subsidiary or branch in the EU). It also applies to any non-EU organization which either:
- Offers goods or services to individuals in the EU (including free goods and services); or
- Monitors the behavior of individuals in the EU (for example, through the use of advertising or analytics technologies).
Does European data protection law apply only to data controllers?
No. One of the significant changes brought in by the GDPR is that it applies to both data controllers and to data processors. There are, however, more obligations imposed on data controllers under the GDPR than on data processors.
What is a data controller and a data processor?
A data controller is the entity that determines the "purposes and means of the processing" of data – in other words, how and why personal data will be processed.
A data processor processes personal data only on behalf of, and under the instruction of, a data controller.
Syniverse's Approach to Data Protection Law
Does Syniverse comply with the GDPR?
Like any responsible organization, Syniverse aims to comply with the data protection laws that apply to it. Because Syniverse has an EU establishment, the company is directly subject to GDPR (see our FAQ above "Who does the GDPR apply to?").
What types of products and services does Syniverse provide?
Syniverse is a leading global transaction processor that connects Mobile Network Operators and enterprises in nearly 200 countries, enabling seamless mobile communications across disparate and rapidly evolving networks, devices and applications.
Syniverse processes transactions that include the authorization and delivery of end-user traffic, clearing of billing records and settlement of payments. Syniverse also offers a unique portfolio of intelligent policy and charging tools that enable its customers to use the real-time data generated by these transactions to deliver customized services and choices to their end users.
What type of personal data is Syniverse collecting?
The types of personal data Syniverse will process as part of its normal business include device data, such as device identifiers and similar device-related information (e.g. IMSI, sender ID, destination MSISDN), as well as IP addresses, and billing data (e.g., TAP files under GSMA rules).
In addition, Syniverse processes personal data about our employees and business contact data relating to our customers, suppliers and other individuals with whom we have a business relationship. We also gather personal information through our website.
Syniverse does not generally process sensitive personal data, other than personal data of our employees. Syniverse takes care to protect all the personal information that we hold in accordance with law.
Syniverse has invested considerable effort as part of its GDPR preparations to build a robust record of the data that it processes, both as a data processor for customers and as a data controller, and to have a clear understanding of the legal basis under which it processes that data.
Is Syniverse a controller or processor?
When providing its services to customers, Syniverse is generally a data processor processing personal data at the instruction of its customers, the controller.
However, in some circumstances Syniverse may be a data controller, such as when we collect business contact data relating to our customers, suppliers and other individuals with whom we have a business relationship and where we provide business analysis tools through various Syniverse hosted portals to customer employees or gather personal information through our website.
Syniverse also considers itself a controller of communications metadata (i.e. data processed for the conveyance of (or billing of) any electronic communication or communication on an electronic communications network, including connection and records, routing information, tracking information), where Syniverse uses this data for its own billing and tracking purposes and is determining the routing for a message (e.g., which text message aggregators and operators to use to route the messages). Syniverse is also a controller of its own employees’ personal data.
What is Syniverse's lawful basis for processing personal data?
Syniverse will only be able to process personal data if it can demonstrate it has a lawful processing ground, such as performance of a contract, reliance on its legitimate interests, compliance with a legal obligation, or consent from the individual whose personal information is processed. As part of our data mapping exercise, Syniverse confirmed and recorded the legal basis for processing for each type of process or application.
How does Syniverse provide transparency to data subjects?
Syniverse provides clear high-level descriptions of the data it processes in its privacy policies and internal notices, which it has reviewed, updated and published on the company’s intranet (for internal policies) and external website, Syniverse.com.
What data protection rights do data subjects have?
Under the GDPR, individuals can exercise the following rights against data controllers:
- A right to request access to, and a copy of, personal information processed about them
- A right to correct any inaccurate or outdated personal information processed about them
- A right to object to processing of their personal information
- A right to request erasure of their personal information (e.g., end users may want their data to be deleted)
- A right to request that processing of their personal information be restricted (e.g., this can be supported with the “do not track” option in the browser)
- A right not to be subject to automated decisions that significantly or legally affect them
Syniverse has put in place procedures to ensure that it handles all such requests made to it as a controller in compliance with the GDPR. For data where Syniverse is a processor, Syniverse also has processes in place to ensure it forwards any such requests it receives to the relevant customer for response and will assist the controller in responding as required by the GDPR.
Will customer personal data ever be transferred outside Europe?
If our customers are located outside of Europe, yes.
Otherwise, please note that Syniverse is a US-headquartered company with affiliates in the European Union, Costa Rica, India and Asia Pacific, and we enable individual mobile subscribers to make calls or send messages when roaming. Syniverse operates on a global basis in support of its customers.
Customer personal data may be transferred outside Europe, including to the US. With certain products and internal applications, we also work with international service providers who help us to manage and deliver our services. However, they do so under strict contractual terms to ensure they protect the privacy and security of customer personal information.
What data transfer solution does Syniverse have in place?
Syniverse has put in place a revised global data transfer agreement based on the EU model clauses.
What other steps has Syniverse taken to be compliant with GDPR requirements?
We understand the single biggest novelty of the GDPR is the introduction of requirements intended to make businesses more accountable for their data practices. We realize that it is important for Syniverse to document its activities, so the company can demonstrate compliance to a customer or competent authority. Syniverse has taken steps to adopt and enforce policies and procedures, including those regarding data retention, data privacy impact assessments, and data security policies and incident response plans.
Syniverse has provided documented training for all staff around the globe on the basic elements of GDPR. Further courses and individual training will be rolled out as the Syniverse privacy curriculum evolves.
Given the scale and nature of data processing Syniverse undertakes on a global basis, the company has appointed a Data Protection Officer, for whom contact details are listed below.
What security measures does Syniverse apply to protect personal data?
Syniverse is committed to ensuring that personal data is secure. Syniverse implements appropriate technical and organisational security measures to protect personal data against: (i) accidental or unlawful destruction; and (ii) loss, alteration, unauthorised disclosure or access. For more information concerning the technical and organisational measures taken by Syniverse, please refer to the Data Protection Officer contact information below.
Will Syniverse update its terms for GDPR compliance?
Who do I contact if I have further questions?
If you have any further questions about Syniverse's compliance with EU data protection requirements or GDPR, please contact the Syniverse Data Protection Officer at:
FAO: Data Protection Officer
Syniverse Technologies 15 Rue Edmund Reuter
Last update: June 2018