DATA PROTECTION IN TELEFONICA GROUP

Telefónica, S.A. Telecommunications and Information Society Department

Legal General Secretary, TELEFÓNICA SA

TELEFÓNICA, S.A. 15 December 2009, TEL-AVIV

Post on 18-Dec-2015



INDEX

01. Telefónica

02. Data Protection in Telefónica Group

03. Practical implementation of the Data Group Policy in the Telefonica Group: Process of consents and use of rights.

04. Data Protection when contracting in Telefónica.

05. Data Protection and Privacy: Telecom Package. Current debate.

Telefónica. 01.

Among the 40 largest companies in the world by market cap

Among the 100 largest companies in the world by revenues

1st international integrated Telco operator by customer base

1st European Telco operator by market capitalisation

1st Telco in Dow Jones Sustainability Index

Telefónica. A Spanish company in the world.

TELEFÓNICA today (operations in 25 countries): TELEFÓNICA ESPAÑA (fixed and mobile), TELEFÓNICA LATAM (fixed and mobile), TELEFÓNICA EUROPE (fixed and mobile), INTERNATIONAL ALLIANCES.

Today Telefónica is present in over 25 countries, has balanced geographic and services portfolios, and has more than 258.8 million customer accesses around the world; in particular, in the following geographical areas:

Spain (as incumbent)

Latam (with fixed and mobile businesses, in most of the cases as incumbent)

Europe (basically in the mobile business, as second or third operator, but also as incumbent in the fixed business)

Strategic participations in China, Italy and Portugal.


Telefónica is a leader in the Latin American Telco market …

Argentina: 21.4 million

Brazil: 64.2 million

Central America: 6.1 million

Colombia: 11.5 million

Chile: 10.4 million

Ecuador: 3.5 million

Mexico: 16.8 million

Peru: 15.7 million

Uruguay: 1.6 million

Venezuela: 11.9 million

[Figure: wireline market rank and mobile market rank by country]

Notes:

- Central America includes Guatemala, Panama, El Salvador and Nicaragua.

- Total accesses figure includes Narrowband Internet accesses of Terra Brasil and Terra Colombia, and Broadband Internet accesses of Terra Brasil, Telefónica de Argentina, Terra Guatemala and Terra México.

Data as of September ‘09

Total Accesses (as of Sep ‘09): 163.7 million

... enjoys a significant footprint in Europe …

Spain: 47.3 million

UK: 21.5 million

Germany: 17.0 million

Ireland: 1.7 million

Czech Republic: 7.8 million

Slovakia: 0.5 million

Total Accesses (as of Sep ‘09): 95.9 million

[Figure: wireline market rank and mobile market rank by country]

Data as of September ‘09

… and it is widening its horizons for growth through strategic, industrial and business alliances

Strategic & Industrial alliances

Business alliances

• Largest Telecom alliance in Europe, with ~17% market share (1)

• Combined presence in 8 European countries

• Combined accesses in Europe as of September ‘09 (millions of customers):

• Telefónica: 95.9

• Telecom Italia: 65.6

• Total industrial alliance: 161.5

(1) Market share in Europe as of Dec ‘08 market size (IDATE)

• The largest worldwide strategic alliance in the industry. Combined accesses up to 556 million (September ‘09), which is about 10% of world’s population

• 2nd integrated operator in China with a countrywide 3G licence (European standard)

• Mutual investment agreement

• Telefónica: from 5.38% to 8.37% in China Unicom

• China Unicom: 0.88% in Telefónica

• Joint cooperation in different areas such as service provisioning, equipment & devices acquisition, R&D+i, sharing of best practices…

Data Protection in Telefónica Group. 02.

Data Protection in Telefónica Group: introduction and aim.

Telefónica Group realised the necessity to promote the adoption of measures to guarantee the best level of personal data protection in all its companies, whatever the country in which they perform their activity.

This aim was complicated to achieve due to the complexity of Telefónica's organizational structure and the legislative peculiarities of the countries in which our companies are established. Best efforts of all the Companies have been made in order to comply with this Data Protection Group Project.

Data Protection in Telefónica Group: phases.

IMPLEMENTATION PHASES

I STAGE. Creation of a Data Protection Corporate Policy.

II STAGE. Implementation of the Policy in the Group.

I STAGE. Definition of a Data Protection Corporate Policy: Business Principle Office. 02.1

September, 2009: Approval by the General Counsel of the Data Protection Policy for all the Group.

Sanction: Telefónica’s Business Principles Office.

Goal: Establishment of an obligatory framework in the Group that establishes a minimum of security in relation to data protection treatment.

Content:

Criteria for the use of data privacy: company obligations and secrecy of communications.

Cession of files with personal data. Processing of personal data. International data privacy transfer.

Design of common procedures regarding the use of data privacy.

Identification of data privacy files. Files control. Application of current corporate security measures. Procedure for solving claims.

I STAGE. Definition of a Data Protection Corporate Policy.

Documents approved for the implementation of the data protection policy:

I.- Minimum standards of Data Protection.

II.- Corporate Information Security Standard, 3rd Edition.

III.- Madre Guidelines.

I. Minimum standards of Data Protection.

OBJECTIVE: The object of the present document is to lay down the basic principles for establishing a compulsory compliance framework in Telefónica Group Companies.

AREA OF APPLICATION: These instructions shall apply for the Telefónica Group companies.

SCOPE: The present document shall be applicable to the personal data collected on a physical support.

MINIMUM NATURE: The regulations published by Telefónica S.A. are also of a minimum nature; the managers of the different companies affected will be responsible for their enforcement and publication.

These regulations may be adapted, following their study on the part of the legal services, to the peculiarities of each company.

I. Minimum standards of Data Protection.

Principles of Data Protection.

1) Quality of Data.

2) Right of information in the collection of data.

3) Consent of the data subject.

4) Data with special protection.

5) Data security.

6) Duty of secrecy.

7) Communication of data.

8) Access to data on behalf of third parties.

I. Minimum standards of Data Protection.

Rights of persons. General Rights that correspond to the data subject as owner of the data.

Access right: The data subject shall have the right to request and obtain free of charge information on his personal data.

Rectification and cancellation right: Rectification or cancellation shall apply to data whose processing is not in accordance with the provisions of this Law.

Objection Right: The data subject has the right to object to the processing of his data with a reasonable request or a legal reason.

How these rights can be exercised: Each company shall establish the specific procedures and terms for exercising these rights according to its laws.

II. Corporate Information Security Standard.

The rule was approved by the Corporate Security Committee: Telefónica must follow the criteria and directives approved by this Committee.

Objective: This document defines the compulsory criteria and controls to be applied by all of the Telefónica Group regarding the Corporate Information Security Policy.

Area of Application: Mandatory Standards that must be applied by all the subsidiary companies and business partners of the Telefónica Group.

Scope: This standard is for application during all phases of the life-cycle of the data and in the systems and networks which process such data.

Control [CF04] “Legislation on the Protection of Personal Data”

III. MADRE: a web application for data privacy compliance

[Screenshot: Welcome page]

MADRE: Introduction.

MADRE is an automated application supporting the Telefónica Group Companies, aimed at enforcing compliance with current personal data protection regulations on a corporate level (Binding Corporate Rules). The functions included in the application:

Maintenance of an inventory of personal data “Files”. A File is a group of personal data with a specific purpose, i.e. customers, providers, employees, visits, etc.

Maintenance of the Security Document of each File. A Security Document describes compliance with the security controls in the systems that process data of the File.

Maintenance of the Data Protection Document of each File. A Data Protection Document describes compliance with the legal goals in the data treatment of the File.

Maintenance of a FAQ (Frequently Asked Questions).

Telefónica facilitates the use of Madre for other Telefónica companies.

MADRE: How to implement the application.

Prior to using MADRE, the companies must:

identify personal data Files,

assign responsibilities,

test connectivity,

request user credentials.

And later:

add personal data Files in MADRE

fill out the Security Document of each File (IT or security department)

fill out the Data Protection Document of each File (Legal department)

II STAGE. Implementation of the Policy in the Group. Data Protection in Telefónica España: Standard Code. 02.2

Implementation of a Data Policy in Telefónica España S.A.U.: Standard Code.

Filed at the Spanish Agency for the Data Privacy.

Content:

- Organizational conditions.

- Principles of the corporate policy.

- Technical conditions for current files and for the ones that could be created in the future.

- Conditions for the collection and use of personal data.

- Establishment of the procedure for the use of the access, rectification, erasure and objection rights.

- Declaration of rights in the telecommunication sector.


Other important issues of the Standard Code.

Access to data on behalf of third parties.

Access to data by third parties for the provision of services.

International data transfers.

Adoption of security measures.


Practical implementation of the Data Group Policy in Telefónica Group.

Process of consents and use of Rights. 03.

Data Protection in Telefónica S.A.

Data Protection in Telefónica de España S.A.U.

Specific consent and specific companies regarding the sharing of data in the Group: Instructions of the AEPD.

Separate consent for the processing of data, different from the general contract.

Data Protection in Telefónica Móviles España S.A.

Data Protection when contracting in Telefónica. 04.

Processing of data in relation with the contracting policy of Telefónica. Fixed and Mobile.

A.- Face to face contracting procedures.

Personal Identification is required.

The data are verified. The customer can give its data and its consent for promotional campaigns.


Processing of data in relation with the contracting policy of Telefónica. Fixed and Mobile.

B.- Telephony contracting procedures.

Informed and consented recording of the conversation. This is used as proof and, in some cases, as the consent required in order to process the data.

After contracting by phone, the documentation is sent by mail with the general conditions annexed and with all the information contained in the Web page.

Judicially, any solid proof is accepted in order to verify the contract (* Judgment of the Audiencia Nacional, 14-1-2009). The latest court judgment states that the bill is not proof of the contracting, but it is proof of the verification of data.

Processing of data in relation with the contracting policy of Telefónica. Fixed and Mobile.

C.- Online contracting procedures.

Contracting on the web with a special form.

After contracting, the documentation is sent by mail with the general conditions annexed and with all the information contained in the Web page.

Judicially, any solid proof is accepted in order to verify the contract (* Judgment of the Audiencia Nacional, 14-1-2009). The latest court judgment states that the bill is not proof of the contracting, but it is proof of the verification of data.

Processing of data in relation with the contracting policy of Telefonica. Prepaid obligations.

Application of the sole Additional Provision of Law 25/2007 of 18 October regarding the retention of data:

Registration of the name, nationality and number of identification to verify the identity of the buyer.

Identification must be made when contracting.

Transitional period of 2 years. After this period, if the prepayment has not been identified, it must be cancelled.

Additionally, the migration to a contract requires further action consisting of the identification and verification of the data of the buyer.

Data Protection and Privacy: Current debate. 05.

IMPLEMENTATION REPORT OF THE DATA RETENTION DIRECTIVE.

Directive 2006/24/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 15 March 2006

All providers of publicly available electronic communications services or of public communications networks have to comply with certain provisions with respect to the retention of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime.

TYPES OF SERVICES AND NETWORK:

• Voice, both fixed and mobile.

• Data, including SMS, MMS.

• Internet, including access, e-mail and internet telephony.

* It does not apply to the content of communications.

RETENTION PERIODS: No less than six and not more than twelve months from the date of the communication.

COMPETENT AUTHORITY: It is up to the Member State to define which authority is entitled to make the request.

THE ROLE OF AN ELECTRONIC COMMUNICATION SERVICE AND NETWORK PROVIDER

LOCALIZATION. GENERAL PRINCIPLES (Article 9 Directive 2002/58/EC of 12 July 2002) (*When localization is made by mobile networks):

a) Users/subscribers must always be able to allow or disallow the use of location data for additional value services (unless they are made anonymous).

b) They should be previously informed of the conditions of the services being offered.

c) They must continue to have the possibility of temporarily refusing the processing of such data.

• IMPLEMENTED IN SPAIN by LAW 32/2003 of November 3rd and ROYAL DECREE 424/2005 of April 15th.

In conclusion, to avoid legal risks: (i) Inform the users, (ii) Obtain their prior explicit consent, and (iii) Provide procedures for temporary opt-out.

Data Protection and Privacy: Telecom Package.

2002 E-PRIVACY and DATA PROTECTION DIRECTIVE:

EU Institutions have declared "European citizens' privacy as a priority of the new telecoms rules". Main modifications are:

- Art. 4: e-communications providers will be obliged to inform the authorities and their customers about security breaches affecting their personal data. Authorities should be able to audit these obligations and impose sanctions in case of non-compliance.

- Art. 5: better information about cookies and better user control over his/her personal information. The user should give his informed and prior consent.

- Art. 13:

- Measures on spam (opt-in/opt-out rules) will apply to all kinds of communication (including SMS and MMS).

- Service providers will have the right to take legal action against spammers.

- Member States may also lay down rules on penalties for "negligent" service providers "allowing spam".

Data Protection and Privacy: Telecom Package.

EU TELECOMS PACKAGE – EPRIVACY AND COPYRIGHT:

As far as the famous Amendment 138 is concerned, the final text of Art. 1(3) of the new Framework Directive reads as follows:

“Measures taken by Member States regarding end-users’ access to or use of services and applications through electronic communications networks shall respect the fundamental rights and freedoms of natural persons, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms and general principles of Community law. Any of these measures regarding end-users’ access to or use of services and applications through electronic communications networks liable to restrict those fundamental rights or freedoms may only be imposed if they are appropriate, proportionate and necessary within a democratic society, and their implementation shall be subject to adequate procedural safeguards in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms and general principles of Community law, including effective judicial review and due process. Accordingly, these measures may only be taken with due respect for the principle of presumption of innocence and the right to privacy. A prior fair and impartial procedure shall be guaranteed, including the right to be heard of the person or persons concerned, subject to the need for appropriate conditions and procedural arrangements in duly substantiated cases of urgency in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms. The right to an effective and timely judicial review shall be guaranteed.”

Data Protection and Privacy: Telecom Package.

EU TELECOMS PACKAGE – EPRIVACY AND COPYRIGHT. MAIN POINTS:

• Any action regarding the user’s right to access services or applications shall respect Fundamental Rights and Human Freedoms.

• Measures shall be appropriate, proportionate and necessary within the context of a democratic society.

• The implementation of the measures should be subject to procedural safeguards:

• Presumption of innocence.

• The right to be heard.

• Effective judicial review.

CONCLUSION

Training across the organisation is key to achieving effective implementation of the data privacy policy. Everyone within the company must be aware of the importance of data privacy.

THANK YOU VERY MUCH FOR YOUR ATTENTION