United Kingdom and Europe Supplement to 8x8-Customer Regional Terms for Resold 8x8 Virtual Office and Virtual Contact Centre Services

Last updated: October 28, 2019

8x8/C - EU-1. Applicability; Service Provider Entity. The provisions of this United Kingdom and Europe Supplement to 8x8-Customer Regional Terms for Resold 8x8 Virtual Office and Virtual Contact Centre Services (this “Supplement”) (a) are a supplement to, and part of, the Regional Terms of the 8x8-Customer Terms for Resold 8x8 Virtual Office and Virtual Contact Center Services and (b) shall apply solely with respect to Ordered Products provided to a Customer Location in the United Kingdom (the “UK”) or Europe. The relevant 8x8 company that provides Ordered Products, if any, to Customer in the UK and/or Europe, and to which this Regional Supplement relates, is: 8x8 UK Limited (trading as 8x8), registered in England with company number: 05083841 (Oxford House, Bell Business Park, Smeaton Close, Aylesbury, Buckinghamshire HP19 8JR), as per the relevant Order. References to 8x8 within this Supplement shall be references to 8x8 UK Limited. As among 8x8, Inc., 8x8 UK Limited, and 8x8, Inc.’s other Affiliates, 8x8 UK Limited shall be solely liable with respect to such Ordered Products and under the related Orders (to the extent that they relate to such Ordered Products).

8x8/C - EU-2. UK/Europe Emergency Calling Notice. Customer acknowledges the notice related to emergency calling set forth at https://www.8x8.com/terms-and-conditions/europe-emergency-calling-notice, which notice shall apply to any 8x8 Virtual Office or 8x8 Virtual Contact Centre Ordered 8x8 SaaS Services within the scope of this Supplement.

8x8/C - EU-3. Numbers and Porting.  All provisions of Section B (Numbers and Porting) of the Regional Terms other than those that expressly apply to the US and/or Canada shall apply with respect to Ordered 8x8 SaaS Services within the scope of this Supplement. In addition, 8x8 shall take reasonable steps to ensure that the transfer of numbers and subsequent activation is completed as soon as reasonably practicable in accordance with applicable laws and regulations. Customer acknowledges that the timing of any such transfer can be impacted by certain technical and procedural requirements in relation to number transfers, including, but not limited to, where 8x8 needs to secure an agreement with another communications provider relating to number transfers.

8x8/C - EU-4. Country-Specific Contact Details/Information.

Ombudsman Service Scheme in the UK†

See http://sims.8x8.com/Documents/711664_3_8x8_UK_Complaints_Procedure_-_2016.pdf

Ombudsman Service Scheme in Belgium†

See www.ombudsmantelecom.be; also: The Office of the Ombudsman for telecommunications Boulevard Roi Albert II 8 boîte 3, 1000 Brussels, Belgium Telephone: 02 223 09 09; Fax: 02 219 86 59 plaintes@mediateurtelecom.be; klachten@ombudsmantelecom.be

Dispute Service Scheme in Germany

See https://www.bundesnetzagentur.de/DE/Sachgebiete/Telekommunikation/Verbraucher/Streitbeilegung/streitbeilegung-node.html

National Regulatory Authority in Ireland*

Commission for Communications Regulation (CommReg) 1 Dockland Central, Guild Street, Dublin 1, D01 E4X0

CommReg Dispute Service Scheme in Ireland

See https://www.comreg.ie/queries-complaints/phone/

National Regulatory Authority in Netherlands*

Authority for Consumers and Markets PO Box 16326 2500 BH The Hague, The Netherlands Telephone: +31 70 7222 000; Fax: +31 70 7222 355

National Regulatory Authority in Poland*

The President of the Office of Electronic Communications (Urząd Komunikacji Elektronicznej) 18/20 Kasprzaka Street 01-211 Warsaw, Poland Telephone: +48 22 53 49 156; Fax: +48 22 53 49 155 E-mail: uke@uke.gov.pl; Online: https://www.uke.gov.pl/kontakt/

National Regulatory Authority in Sweden*

The Swedish Post and Telecom Authority (PTS) Box 5398 SE-102 49 Stockholm, Sweden E-mail: pts@pts.se Telephone: +46 8 678 55 00; Telefax: +46 8 678 55 05

*For Ordered 8x8 SaaS Services that are telecommunications services.

†To the extent that an ombudsman service scheme applies, the independent and impartial ombudsman will consider both sides of the complaint and resolve the dispute; in such cases, 8x8 will be bound by that decision, but Customer may reject it and pursue other avenues.

8x8/C - EU-5. Customer Support. The Reseller-Customer Terms for Resold 8x8 Virtual Office and Virtual Contact Center Services and the 8x8-Customer Terms describe the support provided to Customer.

8x8/C - EU-6. B2B Contract; List Pricing. Customer confirms it receives Ordered Products as a business user, and the Reseller-Customer Agreement and 8x8-Customer Agreement represent business-to-business contracts.

8x8/C - EU-7. Payment and Dispute Resolution for Spanish Customers. Spanish Customers may address any claim regarding the Services provided under the 8x8-Customer Agreement to the Spanish Secretaría De Estado De Las Telecomunicaciones Y Para La Sociedad De La Información (SETSI).

8x8/C - EU-8. Data Protection and Security.

8x8/C - EU-8.1. Data Protection Appendix. The Data Protection Appendix attached to this Supplement (the “DPA”) contains the following information about the Ordered 8x8 SaaS Services: (a) subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, and the categories of data subjects and (b) the obligations and rights of the controller. The DPA also includes the security measures that 8x8 has in place to protect Customer Personal Data. To the extent that Customer has purchased particular 8x8 SaaS Services, the relevant terms for such particular 8x8 SaaS Services set out in the DPA shall apply, and such terms shall be made a part of this Supplement and incorporated herein by reference. 8x8 may update the DPA from time to time in its discretion to reflect the addition, removal, or discontinuation of Services and/or changes to the security measures set forth in 8x8/C - Part B (Security Measures) of the DPA that do not have a material adverse effect on the use of the 8x8 SaaS Services.

8x8/C - EU-8.2. Relationship of the Parties. Customer is the controller of Customer Personal Data. 8x8 acts as a controller of 8x8 Personal Data and a processor of Customer Personal Data under the 8x8-Customer Agreement.

8x8/C - EU-8.3. 8x8 as a Controller. Where 8x8 acts as a controller, it will process Personal Data in accordance with Applicable Data Protection Law. Further information about how 8x8 processes Personal Data may be found in 8x8’s Privacy Notice (available at https://www.8x8.com/terms-and-conditions/privacy-policy).

8x8/C - EU-8.3.1. 8x8 shall maintain appropriate technical and organisational security measures to protect Personal Data against a Personal Data Breach.

8x8/C - EU-8.3.2. Customer warrants that it has obtained all necessary consents, notifications, and permissions required under Applicable Data Protection Law to permit Customer to share such Personal Data with 8x8 and allow 8x8 to otherwise collect, use, or process such Personal Data (including without limitation that which 8x8 might collect directly from Agents or any other end users via cookies or other means) as described in the 8x8-Customer Agreement; in order to provide the Ordered Products or to otherwise fulfil 8x8’s obligations under the 8x8-Customer Agreement; as otherwise set out in the DPA or 8x8’s Privacy Notice; or as otherwise agreed by the Parties in writing (collectively, the “Permitted Purposes”). As between Customer and 8x8, Customer is solely responsible for disclosing to Agents and other end users that 8x8 is processing Personal Data for the Permitted Purposes and for notifying or otherwise directing such Agents and end users to 8x8’s Privacy Notice.

8x8/C - EU-8.3.3. Customer shall notify 8x8 of: (i) any limitations in Customer’s privacy notice to data subjects, (ii) any changes in, or revocation of, consent by a data subject to use or disclose Personal Data, and/or (iii) any restrictions on the use of Personal Data to which Customer has agreed in accordance with its agreements with data subjects; in each case, to the extent that such limitations, changes, or restrictions may affect 8x8’s uses or disclosures of Personal Data.

8x8/C - EU-8.3.4. The Parties shall not act as joint controllers for the purposes of Article 26 of the GDPR in relation to any processing of Personal Data under the 8x8-Customer Agreement or the Reseller-Customer Agreement.

8x8/C - EU-8.4. 8x8 as a Processor. Customer (the controller) appoints 8x8 as a processor to process the Customer Personal Data for the Permitted Purposes. Each Party shall comply with the obligations that apply to it under Applicable Data Protection Law.

8x8/C - EU-8.4.1. 8x8 shall process Customer Personal Data in accordance with Customer’s instructions, which Customer acknowledges and agrees are set out in the 8x8 Customer Agreement.

8x8/C - EU-8.4.2. International Transfers. 8x8 shall not process or transfer Customer Personal Data originating from the European Economic Area (“EEA”) outside of the EEA unless 8x8 has taken such measures as are necessary to ensure such processing or transfer is in compliance with Applicable Data Protection Law. Such measures may include without limitation transferring Customer Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data (such as the US where Privacy Shield is utilised), to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

8x8/C - EU-8.4.3. Confidentiality of Processing. Subject to any exclusion or limitation of liability provided for in the 8x8-Customer Agreement, 8x8 shall ensure that any person it authorises to process Customer Personal Data (an “Authorised Person”) shall disclose Customer Personal Data only (a) to 8x8, (b) to those of 8x8’s personnel, advisors, Affiliates, or Partners to which such disclosure is reasonably necessary to accomplish a Permitted Purpose or other purpose for which it was disclosed to 8x8 and which are bound to reasonable confidentiality obligations with respect to such Customer Personal Data, (c) in response to a judicial order or other lawful process, or (d) as approved or instructed by Customer.

8x8/C - EU-8.4.4. Security as a Processor. 8x8 shall implement technical and organisational measures as set out in the DPA to protect Customer Personal Data from loss, alteration, or unauthorised disclosure or access (each a “Security Incident”) or accidental or unlawful destruction.

8x8/C - EU-8.4.5. Subcontracting. Customer consents to 8x8’s engagement of third-party subprocessors to process Customer Personal Data for the Permitted Purposes, provided that: (a) 8x8 maintain an up-to-date list of its subprocessors on its website, (b) 8x8 impose on such subprocessors data protection terms with respect to Customer Personal Data that are no less onerous than those set out in this Section 8x8/C - EU-8.4 (8x8 as a Processor), and (c) 8x8 remain liable for any breach of this Section 8x8/C - EU-8.4 (8x8 as a Processor) that is caused by an act, error, or omission of such a subprocessor in connection with performing its obligations as such a processor. No change to such list shall be effective until ten (10) days (or such longer period specified by 8x8) after 8x8’s posting of the details, or 8x8’s other notification of Customer, of the new engagement. 8x8 will be considered to have materially breached the 8x8-Customer Agreement for purposes of Customer’s right thereunder to terminate the 8x8-Customer Agreement for 8x8’s material breach thereof in the event that (i) Customer objects (via notice to 8x8) to such new engagement on reasonable grounds relating to data protection within such advance posting/notification period, (ii) 8x8’s cancellation of such engagement is reasonably practicable, and (iii) 8x8 nevertheless declines to cancel such engagement.

8x8/C - EU-8.4.6. Cooperation and Data Subjects’ Rights. 8x8 shall, at Customer’s sole expense, provide reasonable and timely assistance to Customer to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, and data portability, as applicable) or (b) any other correspondence, enquiry, or complaint received from a data subject, regulator, or other third party in connection with the processing of Customer Personal Data. In the event that any such request, correspondence, enquiry, or complaint is made directly to 8x8, 8x8 shall, at Customer’s sole expense, promptly inform Customer of, and provide reasonable details as to, the same.

8x8/C - EU-8.4.7. Data Protection Impact Assessment. If 8x8 believes or becomes aware that its processing of Customer Personal Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, 8x8 shall inform Customer and, at Customer’s sole expense, provide reasonable cooperation in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.

8x8/C - EU-8.4.8. Security Incidents. If 8x8 becomes aware of a confirmed Security Incident, it shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can timely fulfil any data breach reporting obligations that Customer might have under Applicable Data Protection Law. 8x8 shall further take measures and actions reasonably necessary to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection therewith. Customer acknowledges that such assistance or other actions by 8x8 shall be at Customer’s own cost, unless the Security Incident occurred as a direct result of 8x8’s breach of its obligations under Section 8x8/C - EU-8.4.4 (Security as a Processor).

8x8/C - EU-8.4.9. Deletion or Return of Data. Upon termination or expiration of the 8x8-Customer Agreement, and without prejudice to the other provisions of the 8x8-Customer Agreement that contemplate data storage, 8x8 shall, at Customer’s election and cost, destroy or return to Customer all Customer Personal Data in 8x8’s possession or control. The foregoing requirement shall not apply to the extent that 8x8 is required by applicable law to retain some or all of the Customer Personal Data, or to retain Customer Personal Data that 8x8 has archived on back-up systems, which Customer Personal Data 8x8 shall securely isolate and protect from any further processing not required or permitted by such law.

8x8/C - EU-8.4.10. Audit. Customer acknowledges that 8x8 is regularly audited against ISO 27001, ISO 9001, and Cyber Essentials (or substantially equivalent) standards by independent third-party auditors. Upon Customer’s reasonable request, 8x8 shall supply a summary copy of its audit report(s) to Customer, provided that Customer shall (a) keep such reports confidential and not disclose them to any party other than those of its own personnel and advisors to whom such disclosure is necessary in connection with Customer’s reasonable compliance and data security efforts and who are bound to reasonable confidentiality obligations with respect to such report(s), (b) not use such report(s) except in connection with such efforts, and (c) protect their confidentiality with the same degree of care as Customer uses to protect its own confidential information of like kind, but in no event less than reasonable care.

8x8/C - EU-8.5. Processing – Third-Party Services. Where Customer uses third-party services, or has otherwise requested that third-party services be made available, as part of the Ordered Products, Customer agrees that any processing of Personal Data that relates to such third-party services shall be carried out by the third party directly and that 8x8 shall have no liability or responsibilities in relation to such processing. Any and all terms governing such processing shall be as set out in a separate agreement between Customer and the third party.

8x8/C - EU-8.6. Liability. Customer acknowledges that 8x8 relies on Customer for direction as to the extent to which 8x8 is entitled to use and process the Customer Personal Data. Consequently, 8x8 shall not be liable for any Claim brought by a data subject in relation to Customer Personal Data not arising from:

8x8/C - EU-8.6.1. Any failure by 8x8 to comply with its obligations under Section 8x8/C - EU-8.4.4 (Security as a Processor); or

8x8/C - EU-8.6.2. 8x8 acting outside of, or contrary to, the lawful instructions provided by Customer under the 8x8-Customer Agreement or the relevant regulator to 8x8.

8x8/C - EU-8.7. Definitions. For purposes of this Section 8x8/C - EU-8 (Data Protection and Security), the following terms will have the following meanings:

“8x8 Personal Data” means the Personal Data for which 8x8 determines the purposes and means of processing and, for the avoidance of doubt, excludes Customer Personal Data.

“Applicable Data Protection Law” means all applicable binding laws and regulations which apply to the Parties in relation to the processing of personal data and an individual's privacy rights under the 8x8-Customer Agreement.

“controller”, “processor”, “data subject”, “Personal Data Breach”, and “processing” (and “process”) have the meanings given to them in Applicable Data Protection Law.

“Customer Personal Data” means only that proportion of the Personal Data for which Customer decides the purposes and means of processing and which is processed by 8x8 to provide the Ordered 8x8 SaaS Services or other Services ordered under the Reseller-Customer Agreement (the “Ordered Services”) in accordance with Customer’s instructions.

“GDPR” means the EU General Data Protection Regulation (Regulation 2016/679).

“Personal Data” has the meaning given in Applicable Data Protection Law.

Data Protection Appendix

8x8/C - Part A – Processing Details – Customer Personal Data

The following terms shall apply to the processing activities that 8x8 carries out as a processor, in each case to the extent that Customer has ordered the applicable 8x8 SaaS Services under the Reseller-Customer Agreement.