The new General Data Protection Regulation (GDPR) regulation impacts companies in many ways. It will increase EU data subject rights, increase data protection expectations, and provide regulators with ability to enforcement options including fines of up to four percent of worldwide annual turnover. Significantly, the GDPR applies to anyone who is collecting and processing EU personal data, even if the processing is done outside of the EU. The new requirements build on the existing EU Data Protection Directive and present significant challenges to companies handing Personal Data of EU data subjects. This document is intended to outline Nuance’s approach to the key GDPR requirements and outline how Nuance intends to support our customers in their own compliance efforts.
Controllers and Processors:
To use GDPR parlance, when Nuance provides you with products and services that use personal data, we act as a processor of personal data on behalf of you, the controller. The GDPR places obligations on both controllers and processors. As a processor, Nuance is bound to use EU Personal Data for specific purposes that have been described to data subjects (Individuals within the EU). If you need further information on how Nuance may use EU Personal Data for a particular product please review your customer agreement and the Nuance Privacy Notice. For further information, you may contact us at firstname.lastname@example.org.
Personal data handled by Nuance:
Commonly, Nuance handles voice information that is provided by partners for voice-recognition services. By design, Nuance does not store specific personal identifiers after a message is processed apart from the voice file itself, which Nuance cannot tie to any specific individual for most products. In virtually all products, the voice file itself is also insufficient to serve as an identifier either from the characteristics of the voice or from the content. Further, no contact information, data subject names, or partner ID’s are retained once processing is complete. As such, Nuance does not and cannot identify the individual to which the file belongs nor can Nuance retrieve files for a specific individual in the majority of our systems.
For medical products and services that may include personally identifying information Nuance will work with customers to help them meet any potential data subject rights under GDPR. Commonly, identifiers are not held on any patient but information may be held on a specific physician for a medical institution. Voice recordings are stored in snippets a few seconds long and are not contiguous. It is not possible to isolate any individual voice recording in its entirety. Nuance does not use data provided by customers for purposes beyond contractual services and product enhancement (e.g. retaining a physician’s voice recordings to improve accuracy of future transcriptions). More information on how Nuance handles Personal Information can be found on Nuance’s Nuance’s Privacy Notice .
If a partner wishes to receive a voice log to respond to a Data Subject Access Request, Nuance can only retrieve information that is less than 90 days old and can only locate voice files based on a partner ID.