Privacy Governance

Organizational Model

The Global Data Protection Office led by the Telefónica Group’s Data Protection Officer (DPO) advises the Telefónica Group on data protection, coordinating the supervision of compliance with current regulations. This figure is supported by other transversal roles such as General Secretary, Security, Technology, Regulation, Corporate Ethics and Sustainability, Compliance, Audit and Business. It also coordinates activities with the DPOs appointed in the Group and with the Privacy Officers of the different companies.

The Organisational Model defines the roles, functions and interrelationships between the different teams related to the processing of personal data, both at Global and Corporate level. On the other hand, the structure of meetings is defined to ensure the appropriate monitoring of the most relevant aspects in this area. In this way:

Description of the infographic on the Organisational Model for ‘Privacy Governance’ shown below:
  • Operative Model – Definition of the most relevant procedures in relation to the processing and management of Personal Data. Some of these procedures are: Consent management; Management of Data Processors / Third Parties; Security Breach Management; Data conservation; International Data Transfers; Rights of Data Subjects.
  • Organisational and Relationship Model – Definition of roles, functions and interrelations between the different teams involved in the processing of Personal Data, both at Global and Corporate level. In addition, definition of the Meeting Structure that allows adequate follow-up of the most significant aspects in this matter.
  • Strategic Model – Establishment of the principles and criteria that set the basis for the different types of processing of personal data.
  • Guides and Explanatory Documents – Certain procedures will have supporting documentation, with the objective of facilitating the operations to be carried out under them.

  • Data Protection Officer (DPO): The DPO is the head of the Personal Data Protection Function and reports directly to the Board of Directors of Telefónica, S.A. In addition to being responsible for ensuring privacy and data protection in the Group, the DPO provides, directly or indirectly, consultancy and advice on these matters to the corporate areas, centralised business units, regions and, in general, all the companies of the Group. All of its functions and responsibilities are defined in detail in the Regulations.
  • DPO Office: The DPO is supported by the Data Protection technical function and the Compliance and Data Coordination function, as well as by other areas of the company, such as Compliance, CDO, Technology/IT, General Secretary’s Office, Security, Corporate Ethics and Sustainability, Business and Internal Audit.
  • Relationship structure: The different axes are related through the following forums or interactions:
    • Board of Directors: The DPO shall report annually to the Board of Directors, through the Audit and Control Committee, about the most important aspects of the compliance activity that it supervises.
    • Company Governing Boards: At the request of the Company’s Governing Boards, the DPO may report on any specific aspects related to the scope of its activity.
    • Steering Committee: It will meet every six months with representation from each of the areas (Compliance, CDO, Technology/IT, General Secretary’s Office, Security, Corporate Ethics and Sustainability, Business and Internal Audit).
    • Business Committees: The DPO Office will maintain, through the technical Data Protection function, permanent interactions with the areas, through the Compliance Officers, in order to ensure maximum uniformity in the application of the common processes, and/or the identification and treatment of specific privacy problems in the sphere of activity of each area.
    • DPO Forums: The Forum of local Data Protection Officers (DPO Forum) will meet every six months under the coordination of the Compliance and Data Coordination function, with the assistance of a representative of the Privacy Legal Advisory function. The compliance status of the Telefónica Group’s privacy governance model in each territory will be reviewed, and also the specific issues that may be transversal to these organisations.

This organisational and relationship model identifies the Data Delegate and the Compliance Responsible in each area to ensure compliance for the databases managed in that department.

Description of the infographic on the ‘Organisational Relationship Model’ shown below:
  • N4. Executive Committee or internal governance board: Highest level of oversight and decision-making regarding privacy and data protection.
  • N3. Internal Privacy Committee: Multidisciplinary group that coordinates and supervises the privacy strategy within the organisation.
  • N2. Technical function of Data Protection: Specialised team that implements technical and operational measures to ensure regulatory compliance.
  • N1. Data Delegate of the area and Compliance Responsible of the area: Responsible for applying privacy policies in each business unit or functional area.

Strategic Model

As a Strategic Model, the DPO Office focuses on ensuring that data protection is aligned with the Group’s strategic approach and on compliance with a series of principles that guarantee the assurance of Privacy.

Operative Model

The operating model defines the main procedures related to the supervision of the Company’s compliance with the Personal Data Protection regulations. Three types of processes are defined:

  • Strategic: Telefónica Group Privacy Policy.
  • Operational: Defines specific Core Processes (Operational Processes or “privacy domains”) to comply with the provisions of current regulations (data processing; management of security breaches; management of third parties; data subjects’ rights; data classification; international data transfers; consent management; data retention).
  • Support: Establishes the basis for the progressive consolidation of a culture of compliance in the area of privacy and personal data protection across the Company, through auditing, training and awareness-raising plans.