Privacy Governance

Organizational Model

The Global Data Protection Office led by the Telefónica Group’s Data Protection Officer (DPO) advises the Telefónica Group on data protection, coordinating the supervision of compliance with current regulations. This figure is supported by other transversal roles such as General Secretary, Security, Technology, Regulation, Corporate Ethics and Sustainability, Compliance, Audit and Business. It also coordinates activities with the DPOs appointed in the Group and with the Privacy Officers of the different companies.

The Organisational Model defines the roles, functions and interrelationships between the different teams related to the processing of personal data, both at Global and Corporate level. In addition, the structure of meetings is defined to ensure the appropriate monitoring of the most relevant aspects in this area. In summary:

Infographic: Organizational Model of Telefónica

Strategic Model
Definition of core principles and criteria that define the basis of personal data processing.

Organizational and Relationship Model
Definition of roles, functions, and interrelationships between the teams involved in the processing of personal data, both globally and corporately.
The Meeting Structure is also defined so that the most significant aspects in this area are adequately monitored.

  • Meeting structure
  • Inter-team relationships
  • Organizational structure
  • Roles and responsibilities

Operational Model
Structuring relevant processes related to personal data processing. For example:

  • Consent management
  • Management of Data Processors and Third Parties
  • Data retention
  • Security breach management
  • International data transfers
  • Data subject rights

Guidelines and Explanatory Documents
Certain procedures will include supporting documentation aimed at facilitating their execution and ensuring consistency across operations.

  • Data Protection Officer (DPO): The DPO is the head of the Personal Data Protection Function and reports directly to the Board of Directors of Telefónica, S.A. In addition to being responsible for ensuring privacy and data protection in the Group, the DPO provides, directly or indirectly, consultancy and advice on these matters to the corporate areas, centralised business units, regions and, in general, all the companies of the Group. All of its functions and responsibilities are defined in detail in the Regulations.
  • DPO Office: The DPO is supported by the Data Protection technical function, the Compliance and Data Coordination function and other areas of the company, such as Compliance, CDO, Technology/IT, General Secretary’s Office, Security, Corporate Ethics and Sustainability, Business and Internal Audit.
  • Relationship structure: The different axes are related through the following forums or interactions:
    • Board of Directors: The DPO shall report annually to the Board of Directors, through the Audit and Control Committee, about the most important aspects of the compliance activity that it supervises.
    • Company Governing Boards: At the request of the Company’s Governing Boards, the DPO may report on any specific aspects related to the scope of its activity.
    • Steering Committee: It will meet every six months with representation from each of the areas (Compliance, CDO, Technology/IT, General Secretary’s Office, Security, Corporate Ethics and Sustainability, Business and Internal Audit).
    • Business Committees: The DPO Office will maintain, through the technical Data Protection function, permanent interactions with the areas, through the Compliance Officers, in order to ensure maximum uniformity in the application of the common processes, and/or the identification and treatment of specific privacy problems in the sphere of activity of each area.
    • DPO Forums: The Forum of local Data Protection Officers (DPO Forum) will meet every six months under the coordination of the Compliance and Data Coordination function, with the assistance of a representative of the Privacy Legal Advisory function. The compliance status of the Telefónica Group’s privacy governance model in each territory will be reviewed, and also the specific issues that may be transversal to these organisations.

This organisational and relationship model identifies the Data Delegate and Compliance Responsible in each area, who ensure compliance in relation to the databases managed in that department.

Description of the infographic on ‘Organizational Relationship Model’:
N4. Executive Committee or internal governance board
Highest level of oversight and decision-making regarding privacy and data protection.
N3. Internal Privacy Committee
Multidisciplinary group that coordinates and supervises the privacy strategy within the organization.
N2. Technical function of Data Protection
Specialized team that implements technical and operational measures to ensure regulatory compliance.
N1. Data Delegate of the area and Compliance Responsible of the area
Responsible for applying privacy policies in each business unit or functional area.

Strategic Model

As a Strategic Model, the DPO Office focuses on ensuring that data protection is aligned with the Group’s strategic approach and on compliance with a series of principles that guarantee Privacy.

Operative Model

The operating model defines the main procedures related to the supervision of the Company’s compliance with the Personal Data Protection regulations. Three types of processes are defined:

  • Strategic: Telefónica Group Privacy Policy.
  • Support: It establishes the basis for the progressive consolidation of a culture of compliance in the area of privacy and personal data protection across the Company, through auditing, training and awareness-raising plans.
  • Operational: Defines specific Core Processes (Operational Processes or “privacy domains”) to comply with the provisions of current regulations. Domains regulate the following aspects:
    • Records of processing activities, risk analyses and impact assessments: guidelines for inventories, risk evaluations and DPIAs.
    • International transfers: requirements and safeguards for transferring data outside the originating jurisdiction.
    • Data classification: categorization according to sensitivity to ensure the application of appropriate measures.
    • Legal basis and duty to inform: criteria to justify data processing and communicate it to data subjects.
    • Personal data breaches: establishes the guidelines for detecting, analyzing, notifying and mitigating incidents that may compromise personal data. Telefónica will notify the competent authorities without undue delay when required by applicable regulations, providing the necessary information on the nature of the incident, the data affected, the potential consequences and the measures adopted. It also includes guidance for informing affected data subjects when a relevant risk exists, including the identification of impacted individuals, the determination of compromised data and the assessment of risk, among other aspects necessary to reduce the impact. Likewise, it describes the technical and organizational measures to be applied to mitigate the breach, such as immediate containment and the implementation of corrective and preventive actions.
    • Third-party management: oversight of compliance by providers and partners.
    • Internal audits: planning and execution of privacy audits.
    • Training and awareness: employee training.
    • Data subject rights: protocols for handling rights requests.
    • Data retention and deletion: application of the data minimization principle and retention periods.
    • Binding Corporate Rules (BCRs): obligations and governance for intra-group data transfers.