GDPR Information

GDPR stipulates that processing by a processor must be governed by a contract that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.

Where Aspect acts as processor under GDPR, Aspect will enter into the legally required data processing agreements (DPA) with the controller (the customer). This will ensure that the customer maintains the control over the data and that Aspect processes data only under the instructions of the customer and not for any other purposes.

Aspect provides language in its standard contract templates that fulfils the GDPR requirements, including:

• Terms regarding the support provided to customer in cases where the individuals exercise their rights to access, delete or correct the personal data held about them,
• Standard Contractual Clauses to safeguard possible data transfers to countries outside the European Economic Area (EEA) (please see also FAQ “Where does Aspect process EU personal data?” below),
• Details of the respective processing activities and Aspect’s technical and organizational security measures (so called TOMS).

Aspect has already reached out to our existing EU customers to supplement existing customer agreements with DPAs. If you have not received Aspect’s DPA by now although you have commissioned Aspect with data processing services, please reach out to gdpr@aspect.com.

Should a non-EU customer process EU personal data by the means of Aspect products, that customer will have to notify Aspect in which case we will add appropriate regional DPA to the contract.

Aspect does not anticipate that updates or modifications to Aspect products will be specifically required for customers to remain compliant with GDPR. Our goal is to support customers in addressing the requirements of GDPR within the capabilities of their currently-deployed product releases (assuming that a support contract is in place for a product that is not end of life). If this changes for unexpected or compelling reasons, you will receive direct notification and advance notice through standard support channels.

Aspect will provide product-specific guidance during the first half of 2018 (extending through Summer 2018) as our product delivery teams continue their assessments and implementations of GDPR’s data protection principles, program build requirements, and response mechanisms for data subject’s rights under GDPR. Access to this documentation will be made available within the Aspect Customer Care Community.

Aspect is reaching out to EU customers to provide them with the required written data processing provisions along with a brief explanation in an email. Customers can email gdpr@aspect.com with further questions or concerns at any time. Of course, Aspect customers can also reach out to their account team or Aspect Customer Care for further assistance and clarification.

Aspect has not increased any fees for its products and services as a result of GDPR. Our baseline approach assumes that Aspect’s obligations as a processor and assistance services required by GDPR are free of charge and are provided as part of your active Aspect support. There may be exceptional cases where a Professional Services engagement will be necessary, or where Aspect will ask for cost reimbursement for additional support activities provided by Aspect to the customer to enable the customer to meet its obligations as a controller under GDPR.

Aspect encourages customers to take ownership of their own GDPR readiness plans (including Aspect products and services that are in scope). Planning should start with getting a team formed (with full executive support) to identify all systems where the organization stores personal data, creating a data inventory. Aspect will assist the customer in complying with GDPR regarding the processing of personal data by means of Aspect’s products and services and may also assist customers in conducting Data Protection Impact Assessments (DPIAs) as further specified in Aspect’s standard contracts.

Customers as controllers are the main responsible party under GDPR and must make sure that personal data has been obtained lawfully, that individuals are informed about the processing of their data, that the personal data collected is proportional and the personal data is used only for the purpose(s) for which it was collected.

Yes. Aspect provides technical and organizational security measures for protection of the security, confidentiality and integrity of personal data as set forth in Aspect’s TOMS documentation.

Customers must make sure that they choose suppliers like Aspect that ensure safeguards for the protection of personal data, including the implementation of adequate technical and organizational measures, but must not forget that customers’ own IT infrastructure and other organizational assets play an essential role.

The implementation of adequate technical and organizational measures by Aspect for its products and services will help customers to minimize the impact of a data breach or a data loss. However, Aspect is not responsible for the customer’s own technical and organizational measures or IT infrastructure.

Yes. Aspect has updated its AspectPro partner agreements as appropriate and will provide partners with DPAs for channel partners in time for GDPR.

Due to its global service architecture, in some cases personal data will be securely transferred to countries outside the EEA for centralized processing operations. Remote access to EEA-based data from authorized Aspect personnel based in US and India may also be required.

To ensure an adequate level of data protection, Aspect also offers Standard Contractual Clauses (controller-processor) (“SCC”) between customers in the EU and Aspect Software, Inc., USA.

Aspect provides products and services that involve products and services of sub-processors, including Aspect-affiliated companies and third party suppliers. A current list of sub-processors for specific products and services is available upon customer request. Aspect will enter into written agreements with the sub-processor in accordance with GDPR. Aspect may remove, replace or appoint suitable and reliable further sub-processors in its sole discretion but will inform customers about any changes to the list of sub-processors in accordance with our DPA.

Customers can email gdpr@aspect.com with questions or concerns. Of course, Aspect customers can also reach out to their account team or Aspect Customer Care for further assistance and clarification.