EU General Data Protection Regulation (GDPR)

Overview

What is GDPR?

The GDPR is a comprehensive European data protection law that provides significant data rights for protecting the privacy of natural persons residing in the EU. Vonage Video API is committed to ensuring that our platform is GDPR-compliant.

How is GDPR applicable to Vonage Video API?

Vonage Video API has employees and customers all over the world. We respect everyone’s personal information regardless of where they live, and it makes perfect sense for us to have one privacy policy and set of procedures to protect everyone’s interests, including compliance with applicable local laws.

What personal information does Vonage Video API process on behalf of its customers?

  1. We collect and maintain personal contact details which includes contact name, job title, email address, telephone number, and company name. If the customer is an individual sole proprietor or unaffiliated with any commercial or non-profit entity, it’s possible that additional information such as street address and credit cardholder data is included.
  2. All customer data, that is, data controlled by our customers which we process according to their instructions, is appropriately classified as Confidential. This confidential data could contain personally-identifiable information about our Customers’ End Users, which we cannot identify because it is encrypted and not accessible by Vonage Video API staff.

What are Data Controllers and Data Processors?

GDPR is designed to ensure protection of the privacy rights of data subjects. Data subjects are people from whom or about whom you collect information in connection with your business and its operations. Your obligations with regard to data subjects and their personal data depend on whether you’re considered a controller or a processor under GDPR.

Data Controllers

GDPR defines a data controller as “the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” In other words, if your organization processes personal data for your own organization’s purposes and needs—not merely as a service provider acting on behalf of another organization—then you are likely to be a data controller.

Vonage Video API is a Data Controller for our direct customers.

Data Processor

Businesses or organizations that process personal data solely on behalf of, and as directed by, data controllers are data processors. In other words, when a data controller outsources a data processing function to another entity, that other entity is generally a data processor.

For purposes of the GDPR, Vonage Video API is also considered a Data Processor for our customers’ end-users.

What steps has Vonage Video API taken to ensure GDPR compliance?

  1. We conducted an internal Data Protection Impact Assessment (DPIA) to discover what information we collect, and how it's being used.
  2. We published a Shared Responsibility Model so our customers know what their responsibility is for protecting the privacy of personal information, and informing them of what TokBox is responsible for. This is to reduce confusion and duplication of effort.
  3. We provided customers with resources and helpful information about privacy and GDPR, including white papers and blog posts.
  4. We announced an update of our Privacy Policy for GDPR.

Our Customers and the GDPR

As a Vonage Video API customer, what are my main responsibilities under the GDPR?

Vonage Video API customers are responsible for protecting the personal information of their end users, as Data Controllers or Data Exporters.

Your responsibilities under GDPR will depend on the nature of your business and your personal data processing activities. Nonetheless, broadly speaking, GDPR requires that personal data be:

  1. Processed lawfully, fairly and in a transparent manner,
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes,
  3. Adequate, relevant, and limited to what is necessary for achieving those purposes,
  4. Accurate and kept up to date
  5. Stored no longer than necessary to achieve the purposes for which it was collected, and
  6. Properly secured against accidental loss, destruction or damage.

It is our customer’s responsibility to obtain the express consent of individual Data Subjects (for example, your family members, co-workers, or customers) to transfer their Personal Data to Vonage Video API as a Data Processor and/or Data Importer. Vonage Video API processes all such information as Confidential Data in accordance with the terms of our Data Processing Agreement and/or this Privacy Policy.

What are the penalties for non-compliance with GDPR?

Depending on the nature of the violation, data protection authorities may issue fines or penalties for non-compliance up to € 20 million or 4% of global revenue.

Where can I get more information about GDPR?

You can find more information from The Council of the European Union, where the legislation was approved.

Have more questions? Submit a request