The Global Data Protection Office, led by the Telefónica Group’s Data Protection Officer (DPO), advises the Telefónica Group on data protection and coordinates the supervision of compliance with current regulations. This position is supported by other transversal roles such as General Secretary, Security, Technology, Regulation, Corporate Ethics and Sustainability, Compliance, Audit and Business. It also coordinates activities with the DPOs appointed in the Group and with the Privacy Officers of the different companies.
The Organisational Model defines the roles, functions and interrelationships between the different teams related to the processing of personal data, at both Global and Corporate level. It also defines the structure of meetings to ensure the appropriate monitoring of the most relevant aspects in this area. In this way:
- Data Protection Officer (DPO): The DPO is the head of the Personal Data Protection Function and reports directly to the Board of Directors of Telefónica, S.A. In addition to being responsible for ensuring privacy and data protection in the Group, the DPO provides, directly or indirectly, consultancy and advice on these matters to the corporate areas, centralised business units, regions and, in general, all the companies of the Group. All its functions and responsibilities are defined in detail in the Regulations.
- DPO Office: The DPO is responsible for the Office and is supported by the Data Protection technical function, the Compliance and Data coordination function and other areas of the company, such as Compliance, CDO, Technology/IT, General Secretary’s Office, Security, Corporate Ethics and Sustainability, Business and Internal Audit.
- Relationship structure: The different axes are related through the following forums or interactions:
  - Board of Directors: The DPO shall report annually to the Board of Directors, through the Audit and Control Committee, on the most important aspects of the compliance activity that it supervises.
  - Company Governing Boards: At the request of the Company’s Governing Boards, the DPO may report on any specific aspects related to the scope of its activity.
  - Steering Committee: It will meet every six months with representation from each of the areas (Compliance, CDO, Technology/IT, General Secretary’s Office, Security, Corporate Ethics and Sustainability, Business and Internal Audit).
  - Business Committees: The DPO Office will maintain, through the technical Data Protection function, permanent interactions with the areas, through the Compliance Officers, in order to ensure maximum uniformity in the application of the common processes, and/or the identification and treatment of specific privacy problems in the sphere of activity of each area.
  - DPO Forums: The Forum of local Data Protection Officers (DPO Forum) will meet every six months under the coordination of the Compliance and Data Coordination function, with the assistance of a representative of the Privacy Legal Advisory function. It will review the compliance status of the Telefónica Group’s privacy governance model in each territory, as well as the specific issues that may be transversal to these organisations.
This organisational and relationship model identifies the Data Delegate and Compliance Responsible in each area to ensure compliance in respect of the databases managed in that department.
As a Strategic Model, the DPO Office focuses on ensuring that data protection is aligned with the Group’s strategic approach and on compliance with a series of principles that guarantee Privacy.
The operating model defines the main procedures related to the supervision of the Company’s compliance with the Personal Data Protection regulations. Three types of processes are defined:
- Operational: Defines specific Core Processes (Operational Processes or “privacy domains”) to comply with the provisions of current regulations (data processing; management of security breaches; management of third parties; data subjects’ rights; data classification; international data transfer; consent management; data retention);
- Support: It establishes the basis for the progressive consolidation of a culture of compliance in the area of privacy and personal data protection across the Company, through auditing, training and awareness-raising plans.