FAQs

Means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

No. The data subject never stops being the owner of his personal information. There may be different data controllers of your personal information, so that each controller processes your personal information for the purposes they have indicated to you. For example, when you subscribe to a service with a provider, this provider will be responsible for processing your data for the provision of the service, as well as for the other purposes that the provider has indicated to you. Each data controller will process personal data in accordance with its Privacy Policy, and the data subject may always exercise his or her rights of access, rectification, erasure, restriction, right to object or portability with respect to the processing of the personal information.

In Spain, the data protection rights to which the data subject is entitled are:

• Right of access, to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.
• Right of rectification, The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
• Right to erasure, he right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay  unless there is a legal obligation to retain them and/or there are no other legitimate grounds for processing them.
• Right of restriction of processing, which, under the conditions laid down by law, allows you to stop the processing of data in such a way as to prevent us from processing your data in the future, and to retain them only for the purpose of pursuing or defending claims.
• Right to object, which, in certain circumstances and for reasons relating to your particular situation, allows you to object the processing of your data, except where, for legitimate overriding reasons, or for the exercise or defence of any claims, such processing is necessary.
• Right of portability, which allows you to receive the personal data you have provided to us in a commonly used format which enables you to transmit it directly to another data controller.

For other countries you can visit the different local transparency centres.

In Spain, the independent public authority in charge of ensuring the privacy and data protection of citizens is the Spanish Data Protection Agency (Agencia Española de Protección de Datos). Its website http://www.aepd.es/sets out, on the one hand, to make citizens aware of their rights and the possibilities that the Agency offers them and, on the other hand, to provide regulated entities an agile instrument that facilitates compliance with the regulations.

For other countries, please consult the different local transparency centres.

Before providing your personal information, you should analyse who is asking for it, for what purpose they are going to use it and if it is necessary for them to have that information. The personal information you need to provide in order to contract a product or service is not the same as the information you need to provide in order to use a mobile application. In the first case, it will probably be necessary to provide a lot of personal data; in the second case, it will only be necessary to fill in the information or provide the permissions that are related to the application’s functionalities.

One of the main reasons for protecting our personal information and the information of those with whom we communicate (contacts, photos, videos, emails, etc.) is to protect ourselves from cybercriminals.

For more information on this, you can consult the AEPD’s Guide to privacy and security on the Internet.

A data breach is a security incident that involves a loss of confidentiality, whereby unauthorised persons or persons outside the organisation illegally have access to privileged information. In order to reduce the probability of this type of incident occurs and minimise its possible impact, different types of security measures are established, such as:

• Organisational: a body of policies, regulations and procedures that allow, from a corporate point of view, to identify the controls that must be implemented, supervised, reviewed and improved to ensure the protection of information according to its levels of risk, as well as to establish different training and awareness-raising actions for all employees.
• Technical: these are measures to ensure the physical and logical security of information assets, such as security solutions or systems applied to the information or data lifecycle, which help to control, prevent and react in time to a possible data leak. Examples of such measures are email protection, monitoring of security patches and updates, backups, encryption of information and communications, advanced workstation protection, implementation of perimeter security solutions, management of users, roles and privileges, digital monitoring and digital surveillance, etc.
• Legal: these are measures associated with ensuring compliance with standards and regulations, including aspects such as the signing of confidentiality agreements (NDAs), service level agreements (SLAs), personal data processing agreements with suppliers (DPAs), contractual clauses, etc.

All security measures are subject to a process of periodic review and continuous improvement with the aim of minimising failures, increasing their effectiveness and efficiency, preventing and solving problems and guaranteeing that they provide an appropriate solution to the different scenarios and threats that appear and change over time.

The approach to security incident or cyber incident management is based on reporting security incidents in an appropriate manner, minimising their impact, identifying trends or patterns of suspicious activity, recovering availability as quickly as possible, analysing the causes, learning from the incidents and taking appropriate measures to prevent them from happening again.

Cyber incident management is based on three fundamental pillars: people, procedures and technology. With this objective in mind, Telefónica’s CSIRT (Computer Emergency Response Team) is made up of a team trained and skilled in incident management, and is responsible for the analysis, coordination and contention of breaches in order to mitigate the effect of any attack and minimise its possible impact, managing and responding throughout the life cycle of the security breach.

If necessary, the incident will be notified to the interested parties, both internal to the organisation and external (national and international CERTs, national data protection authorities, affected parties, etc.), as established in the different applicable regulations.

Cookies are small text files that we send to your computer, tablet or any other device that allows you to browse the Internet when you access to certain web pages.

They are a tool used by web servers to store and retrieve information about their visitors and allow, among other things, to keep track of your browsing habits or your computer, your preferences and remember them when you return.

In application of the so-called “right to be forgotten”, you can request your right to delete your data from the data controller of the website that publishes your information. Likewise, search engines allow you to request that your data be deleted from the search engine, so that your data will not be deleted from the website where they are published, but the links to the data will be de-indexed from the search engine.

As Telefónica does not publish the personal data of its customers, with the exception of telephone directories and with the prior consent of the customer for their inclusion in them, we can only provide for the deletion of your personal data in the official directories, which does not include publication by third parties outside Telefónica who may have obtained your personal data from these directories or from forms that are not the responsibility of Telefónica. To do so, you will have to contact the owner of the specific website and/or the search provider.

Telefónica is legally obliged to respond the requests made by the Competent Authorities, in the legitimate exercise of their powers, for the development of criminal and administrative investigations and for the enforcement and protection of citizens’ rights. Requests are rejected if they do not come from Competent Authorities empowered by law (e.g. requests submitted by private entities or persons), or if they do not comply with established legal procedures. Requests that, due to their exceptional nature, require it, are raised within the company and dealt with accordingly.

Yes, Telefónica blocks some websites and/or content on the Internet that are against local laws (usually related to child sexual abuse material, illegal online gambling, copyright infringement, defamation, illegal sale of medicines, weapons, unauthorised use of trademarks, etc.).