United Kingdom and Europe Supplement to 8x8 Virtual Office and Virtual Contact Centre Regional Terms

(Last updated on Nov 14, 2018)

EU-1. Applicability; Service Provider Entity. The provisions of this United Kingdom and Europe Supplement to 8x8 Virtual Office and Virtual Contact Centre Regional Terms (this “Supplement”) (a) are a supplement to, and part of, the Regional Terms and (b) shall apply solely with respect to Ordered Products provided to a Customer Location in the United Kingdom (the “UK”) or Europe. The relevant 8x8 company that provides Ordered Products, if any, to Customer in the UK and/or Europe, and to which this Regional Supplement relates, is: 8x8 UK Limited (trading as 8x8), registered in England with company number: 05083841 (Oxford House, Bell Business Park, Smeaton Close, Aylesbury, Buckinghamshire HP19 8JR), as per the relevant Order. References to 8x8 within this Supplement shall be references to 8x8 UK Limited. As among 8x8, Inc., 8x8 UK Limited, and 8x8, Inc.’s other Affiliates, 8x8 UK Limited shall be solely liable with respect to such Ordered Products and under the related Orders (to the extent that they relate to such Ordered Products).

EU-2. UK Europe Emergency Calling Notice. Customer acknowledges the notice related to emergency calling set forth at https://www.8x8.com/terms-and-conditions/europe-emergency-calling-notice, which notice shall apply to any 8x8 Virtual Office or 8x8 Virtual Contact Centre Ordered SaaS Services within the scope of this Supplement.

EU-3. Numbers and Porting.  All provisions of Section B (Numbers and Porting) of the Regional Terms other than those that expressly apply to the US and/or Canada shall apply with respect to Ordered SaaS Services within the scope of this Supplement.  In addition, 8x8 shall take reasonable steps to ensure that the transfer of numbers and subsequent activation is completed as soon as reasonably practicable in accordance with applicable laws and regulations.  Customer acknowledges that the timing of any such transfer can be impacted by certain technical and procedural requirements in relation to number transfers, including, but not limited to, where 8x8 needs to secure an agreement with another communications provider relating to number transfers. Customer may claim compensation in the form of credit against Customer’s next bill (calculated as follows) for the period from the second business day after the confirmed transfer date through the number transfer completion date, provided that Customer agrees that any compensation awarded shall be in full and final settlement of any claim that Customer may have against 8x8 or its Affiliates (now or in the future) in respect of the delay:  [the monthly charges for the Ordered SaaS Services relevant to such number] multiplied by [12] divided by [365] multiplied by [the number of days delayed until porting is complete].  Notwithstanding the foregoing, unless provided otherwise under applicable law, any delay caused by Customer or any other relevant third party shall not constitute a delay or abuse in porting and shall not give rise to a claim for compensation.

EU-4. Country-Specific Contact Details/Information.

Ombudsman Service Scheme in the UK† See http://sims.8x8.com/Documents/711664_3_8x8_UK_Complaints_Procedure_-_2016.pdf
Ombudsman Service Scheme in Belgium† See www.ombudsmantelecom.be; also:  The Office of the Ombudsman for telecommunications Boulevard Roi Albert II 8 boîte 3, 1000 Brussels, Belgium Telephone: 02 223 09 09; Fax: 02 219 86 59 plaintes@mediateurtelecom.be; klachten@ombudsmantelecom.be
Dispute Service Scheme in Germany Commission for Communications Regulation (CommReg) 1 Dockland Central, Guild Street, Dublin 1, D01 E4X0 
CommReg Dispute Service Scheme in Ireland See https://www.comreg.ie/queries-complaints/phone/
National Regulatory Authority in Netherlands* Authority for Consumers and Markets PO Box 16326 2500 BH The Hague, The Netherlands Telephone: +31 70 7222 000; Fax: +31 70 7222 355
National Regulatory Authority in Poland* The President of the Office of Electronic Communications (Urząd Komunikacji Elektronicznej) 18/20 Kasprzaka Street 01-211 Warsaw, Poland Telephone: +48 22 53 49 156; Fax: +48 22 53 49 155 E-mail: uke@uke.gov.pl; Online: https://www.uke.gov.pl/kontakt/
National Regulatory Authority in Sweden* The Swedish Post and Telecom Authority (PTS) Box 5398 SE-102 49 Stockholm, Sweden E-mail: pts@pts.se Telephone: +46 8 678 55 00; Telefax: +46 8 678 55 05

*For Ordered SaaS Services that are telecommunications services. †To the extent that an ombudsman service scheme applies, the independent and impartial ombudsman will consider both sides of the complaint and resolve the dispute; in such cases, 8x8 will be bound by that decision, but Customer may reject it and pursue other avenues.

EU-5. Customer Support. The Terms describe the support provided to Customer.  Customer may contact customer support on uk-support@8x8.com (or by calling 8x8’s main line number +44 (0)02070966060 and stating clearly that Customer requires support), or such other address as may be notified by 8x8 from time to time, for further details.

EU-6. B2B Contract; List Pricing.  Customer confirms it receives Ordered Products as a business user, and the Agreement represents a business-to-business contract.  All relevant current list pricing is available at www.8x8.com/uk.

EU-7. Payment and Dispute Resolution for Spanish Customers. Spanish Customers with Ordered SaaS Services provided to a Customer Location in Spain are entitled to request that payments are made by means other than direct debit, if such other means are generally market-accepted. Spanish Customers may address any claim regarding the Services provided under this Agreement to the Spanish Secretaría De Estado De Las Telecomunicaciones Y Para La Sociedad De La Información (SETSI).

EU-8. Data Protection and Security.

EU-8.1. Data Protection Appendix. The Data Protection Appendix attached to this Supplement (the “DPA”) contains the following information about the Ordered SaaS Services:  (a) subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, and the categories of data subjects and (b) the obligations and rights of the controller.  The DPA also includes the security measures that 8x8 has in place to protect Customer Personal Data.  To the extent that Customer has purchased particular SaaS Services, the relevant terms for such particular SaaS Services set out in the DPA shall apply, and such terms shall be made a part of this Supplement and incorporated herein by reference. 8x8 may update the DPA from time to time in its discretion to reflect the addition, removal, or discontinuation of Services and/or changes to the security measures set forth in Part B (Security Measures) of the DPA that do not have a material adverse effect on the use of the SaaS Services.

EU-8.2. Relationship of the Parties. Customer is the controller of Customer Personal Data. 8x8 acts as a controller of 8x8 Personal Data and a processor of Customer Personal Data under the Agreement.

EU-8.3. 8x8 as a Controller. Where 8x8 acts as a controller, it will process Personal Data in accordance with Applicable Data Protection Law. Further information about how 8x8 processes Personal Data may be found in 8x8’s Privacy Notice (available at https://www.8x8.com/terms-and-conditions/privacy-policy).

EU-8.3.1. 8x8 shall maintain appropriate technical and organisational security measures to protect Personal Data against a Personal Data Breach.

EU-8.3.2. Customer warrants that it has obtained all necessary consents, notifications, and permissions required under Applicable Data Protection Law to permit Customer to share such Personal Data with 8x8 and allow 8x8 to otherwise collect, use, or process such Personal Data (including without limitation that which 8x8 might collect directly from Agents or any other end users via cookies or other means) as described in the Agreement; in order to provide the Services or equipment or to otherwise fulfil 8x8’s obligations under the Agreement; as otherwise set out in the DPA or 8x8’s Privacy Notice; or as otherwise agreed by the Parties in writing (collectively, the “Permitted Purposes”).  As between Customer and 8x8, Customer is solely responsible for disclosing to Agents and other end users that 8x8 is processing Personal Data for the Permitted Purposes and for notifying or otherwise directing such Agents and end users to 8x8’s Privacy Notice.

EU-8.3.3. Customer shall notify 8x8 of:  (i) any limitations in Customer’s privacy notice to data subjects, (ii) any changes in, or revocation of, consent by a data subject to use or disclose Personal Data, and/or (iii) any restrictions on the use of Personal Data to which Customer has agreed in accordance with its agreements with data subjects; in each case, to the extent that such limitations, changes, or restrictions may affect 8x8’s uses or disclosures of Personal Data.

EU-8.3.4. The Parties shall not act as joint controllers for the purposes of Article 26 of the GDPR in relation to any processing of Personal Data under the Agreement.

EU-8.4. 8x8 as a Processor. Customer (the controller) appoints 8x8 as a processor to process the Customer Personal Data for the Permitted Purposes. Each Party shall comply with the obligations that apply to it under Applicable Data Protection Law.

EU-8.4.1. 8x8 shall process Customer Personal Data in accordance with Customer’s instructions, which Customer acknowledges and agrees are set out in the Agreement.

EU-8.4.2. International Transfers. 8x8 shall not process or transfer Customer Personal Data originating from the European Economic Area (“EEA”) outside of the EEA unless 8x8 has taken such measures as are necessary to ensure such processing or transfer is in compliance with Applicable Data Protection Law. Such measures may include without limitation transferring Customer Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data (such as the US where Privacy Shield is utilised), to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

EU-8.4.3. Confidentiality of Processing. Subject to any exclusion or limitation of liability provided for in the Agreement, 8x8 shall ensure that any person it authorises to process Customer Personal Data (an “Authorised Person”) shall disclose Customer Personal Data only (a) to 8x8, (b) to those of 8x8’s personnel, advisors, Affiliates, or Partners to which such disclosure is reasonably necessary to accomplish a Permitted Purpose or other purpose for which it was disclosed to 8x8 and which are bound to reasonable confidentiality obligations with respect to such Customer Personal Data, (c) in response to a judicial order or other lawful process, or (d) as approved or instructed by Customer.

EU-8.4.4. Security as a Processor. 8x8 shall implement technical and organisational measures as set out in the DPA to protect Customer Personal Data from loss, alteration, or unauthorised disclosure or access (each a “Security Incident”) or accidental or unlawful destruction.

EU-8.4.5. Subcontracting. Customer consents to 8x8’s engagement of third-party subprocessors to process Customer Personal Data for the Permitted Purposes, provided that: (a) 8x8 maintain an up-to-date list of its subprocessors on its website, (b) 8x8 impose on such subprocessors data protection terms with respect to Customer Personal Data that are no less onerous than those set out in this Section EU-8.4 (8x8 as a Processor), and (c) 8x8 remain liable for any breach of this Section EU-8.4 (8x8 as a Processor) that is caused by an act, error, or omission of such a subprocessor in connection with performing its obligations as such a processor. No change to such list shall be effective until ten (10) days (or such longer period specified by 8x8) after 8x8’s posting of the details, or 8x8’s other notification of Customer, of the new engagement. 8x8 will be considered to have materially breached the Agreement for purposes of Customer’s right thereunder to terminate such Agreement for 8x8’s material breach thereof in the event that (i) Customer objects (via notice to 8x8) to such new engagement on reasonable grounds relating to data protection within such advance posting/notification period, (ii) 8x8’s cancellation of such engagement is reasonably practicable, and (iii) 8x8 nevertheless declines to cancel such engagement.

EU-8.4.6. Cooperation and Data Subjects’ Rights. 8x8 shall, at Customer’s sole expense, provide reasonable and timely assistance to Customer to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, and data portability, as applicable) or (b) any other correspondence, enquiry, or complaint received from a data subject, regulator, or other third party in connection with the processing of Customer Personal Data. In the event that any such request, correspondence, enquiry, or complaint is made directly to 8x8, 8x8 shall, at Customer’s sole expense, promptly inform Customer of, and provide reasonable details as to, the same.

EU-8.4.7. Data Protection Impact Assessment. If 8x8 believes or becomes aware that its processing of Customer Personal Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, 8x8 shall inform Customer and, at Customer’s sole expense, provide reasonable cooperation in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.

EU-8.4.8. Security Incidents. If 8x8 becomes aware of a confirmed Security Incident, it shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can timely fulfil any data breach reporting obligations that Customer might have under Applicable Data Protection Law. 8x8 shall further take measures and actions reasonably necessary to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection therewith. Customer acknowledges that such assistance or other actions by 8x8 shall be at Customer’s own cost, unless the Security Incident occurred as a direct result of 8x8’s breach of its obligations under Section EU-8.4.4 (Security as a Processor).

EU-8.4.9. Deletion or Return of Data. Upon termination or expiration of the Agreement, and without prejudice to the other provisions of the Agreement that contemplate data storage, 8x8 shall, at Customer’s election and cost, destroy or return to Customer all Customer Personal Data in 8x8’s possession or control. The foregoing requirement shall not apply to the extent that 8x8 is required by applicable law to retain some or all of the Customer Personal Data, or to retain Customer Personal Data that 8x8 has archived on back-up systems, which Customer Personal Data 8x8 shall securely isolate and protect from any further processing not required or permitted by such law.

EU-8.4.10. Audit. Customer acknowledges that 8x8 is regularly audited against ISO 27001, ISO 9001, and Cyber Essentials (or substantially equivalent) standards by independent third-party auditors. Upon Customer’s reasonable request, 8x8 shall supply a summary copy of its audit report(s) to Customer, provided that Customer shall (a) keep such reports confidential and not disclose them to any party other than those of its own personnel and advisors to whom such disclosure is necessary in connection with Customer’s reasonable compliance and data security efforts and who are bound to reasonable confidentiality obligations with respect to such report(s), (b) not use such report(s) except in connection with such efforts, and (c) protect their confidentiality with the same degree of care as Customer uses to protect its own confidential information of like kind, but in no event less than reasonable care.

EU-8.5. The following Sections shall only apply from 25 May 2018: EU-8.4.5 (Subcontracting), EU-8.4.7 (Data Protection Impact Assessment), EU-8.4.8 (Security Incidents), and EU-8.4.9 (Deletion or Return of Data).

EU-8.6. Processing – Third-Party Services. Where Customer uses third-party services, or has otherwise requested that third-party services be made available, as part of the Ordered Products, Customer agrees that any processing of Personal Data that relates to such third-party services shall be carried out by the third party directly and that 8x8 shall have no liability or responsibilities in relation to such processing. Any and all terms governing such processing shall be as set out in a separate agreement between Customer and the third party.

EU-8.7. Liability. Customer acknowledges that 8x8 relies on Customer for direction as to the extent to which 8x8 is entitled to use and process the Customer Personal Data. Consequently, 8x8 shall not be liable for any Claim brought by a data subject in relation to Customer Personal Data not arising from:

EU-8.7.1. Any failure by 8x8 to comply with its obligations under Section 8.4.4 (Security as a Processor); or

EU-8.7.2. 8x8 acting outside of, or contrary to, the lawful instructions provided by Customer under the Agreement or the relevant regulator to 8x8.

EU-8.8. Definitions. For purposes of this Section EU-8 (Data Protection and Security), the following terms will have the following meanings:

“8x8 Personal Data” means the Personal Data for which 8x8 determines the purposes and means of processing and, for the avoidance of doubt, excludes Customer Personal Data.

“Applicable Data Protection Law” means all applicable binding laws and regulations which apply to the Parties in relation to the processing of personal data and an individual’s privacy rights under the Agreement, provided that where such applicable law is the EU Data Protection Directive (Directive 95/46/EC), this shall apply prior to 25 May 2018; however on and after 25 May 2018, this shall be replaced by the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”).

“controller”, “processor”, “data subject”, “Personal Data Breach”, and “processing” (and “process”) have the meanings given to them in Applicable Data Protection Law.

“Customer Personal Data” means only that proportion of the Personal Data for which Customer decides the purposes and means of processing and which is processed by 8x8 to provide the Ordered SaaS Services or other Services ordered under the Agreement (the “Ordered Services”) in accordance with Customer’s instructions.

“Personal Data” has the meaning given in Applicable Data Protection Law.

Data Protection Appendix

Part A – Processing Details – Customer Personal Data

The following terms shall apply to the processing activities that 8x8 carries out as a processor, in each case to the extent that Customer has ordered the applicable SaaS Services under the Agreement.

Services covered: 8x8 Virtual Office*; 8x8 Virtual Contact Centre*; 8x8 ContactNow*

Subject-matter

8x8 Virtual Office*: 8x8 provides voice over IP cloud services, enabling its customers (and its customers’ agents and other end users) to (a) communicate across a range of digital devices, and (b) make phone calls, join video conferences, send text messages, manage voicemails, and access their corporate directory.

8x8 Virtual Contact Centre*: 8x8 provides a cloud-based contact centre service, enabling its customers (and its customers’ agents and other end users) to (a) set up and operate their contact centres from a range of digital devices, (b) manage call routing and campaigns, and (c) run analytics reports to monitor the customer’s traffic and agent performance.

8x8 ContactNow*: 8x8 provides cloud-based services that allow customers (and customers’ agents and other end users) to manage call routing and campaigns and can run analytics reports to monitor the customer’s traffic and agent performance.

Duration of processing: Effective Period of the Agreement

Nature/purpose of processing: Provision of such Ordered SaaS Services, as set out in the Agreement. Agents and other end users may transmit, receive, and/or store through such Ordered SaaS Services audio, textual, visual, and video content in the form of voice calls, video calls, voicemails, voice recording, internet facsimiles, text and other messages, video meetings, and device screen shares or captures. They may also record and/or store (and, in the case of 8x8 Virtual Contact Centre and 8x8 ContactNow, upload) within such Ordered SaaS Services information (such as profiles for individual contacts or notes regarding a call or support case or ticket) regarding the third parties with or about whom they communicate through such Ordered SaaS Services. Customer can also decide whether to integrate additional third-party tools into such Ordered SaaS Services (such as CRM or email tools) to provide an integrated user experience. With respect to 8x8 ContactNow, 8x8 also provides real time analytics reporting, so customers can monitor the performance of their call centres.

Type of Personal Data: Name, contact details, and job-related Personal Data (such as work title and email address); Personal Data regarding calling and other communications activity and preferences and usages of such Ordered SaaS Services; IP addresses; (in the case of 8x8 Virtual Contact Centre and 8x8 ContactNow, web browsing and online searching activity and accessing of the Services); or accessing and/or consumption of content such as videos, emails, written materials, and product demonstrations; any Personal Data voluntarily disclosed by the user or third party with whom Agents and other end users communicate.

Categories of data subjects: Agents and other end users of such Ordered SaaS Services; those with whom such Agents and other end users communicate, record, or store information through such Ordered SaaS Services.

Obligations/rights of controller: As set out in the Agreement

*Includes the relevant service whether ordered/provided as a stand-alone service or as included in a product bundle that includes other services (such as in 8x8 Editions or 8x8 X Series).

Part B – Security Measures

The following terms shall apply to any Customer Personal Data that 8x8 processes to provide Ordered Services.

Administrative, physical, and technical safeguards implemented in accordance with 8x8’s existing data security program, which includes:

(i)     limiting access to information on 8x8’s information system media to authorized users;

(ii)    limiting physical access to 8x8’s information systems and related equipment to authorized individuals;

(iii)   regular assessments of information security risks to 8x8’s information systems and associated information processing activities and of the effectiveness of information security controls in 8x8’s information systems;

(iv)   training of 8x8’s managers and users of 8x8’s information systems regarding the information security risks associated with their activities and applicable laws and policies; and

(v)    imposition of formal sanctions for 8x8 personnel failing to comply with 8x8’s information security policies and procedures.