Privacy by Design

The principle of Privacy by Design is one of the essential and strategic elements of the Telefónica Group and is set out in our internal regulations.

The concept of Privacy by Design obliges the entire organisation to establish, in the design of products and services, procedures that take two main aspects into account. First, privacy protection measures must be applied from a legal and security point of view in the initial phases of any project. Second, this principle of Privacy by Design must cover all business processes and practices involved in each activity or processing that may affect personal data.

We have our own privacy by design guidelines, as well as legal and security processes, in accordance with our Global Privacy Policy.

The Privacy by Design process defined by the Telefónica Group’s Global Data Protection Office includes at least the following activities:

Description of the infographic ‘Privacy by Design Process’ shown below:
Main Process
New processing of personal data → Definition and design of the processing → Record of the processing → Need for Impact assessment (PRE-PIA)
Potentially high-risk processing?
    NO
        → Basic analysis of risks → Proposal for basic controls → Implementation of basic controls
        Approval of the processing:
        → Start of processing of personal data
    YES
        Privacy Impact Assessment (PIA):
        → Carry out Impact assessment (PIA) → Proposal for basic and additional controls
        Does it mitigate the potential high risk?
            YES
                → Implementation of basic controls → Implementation of additional controls
                → Start of processing of personal data
            NO
                Prior consultation process:
                → Prior consultation with the control authority → Response from the control authority → Proposal for basic and additional controls
                → Implementation of basic controls → Implementation of additional controls
                → Start of processing of personal data
Main Process elements: Objective criteria of the need for PIA; Catalogue of privacy risks; Catalogue of controls; Control application rules; Automation; Approval of the processing

In practice, implementing these processes means always considering, when defining or developing any product or service, aspects such as: (i) what legitimacy allows us to process your personal data; (ii) the guarantee that the data are secure and that the most appropriate security measures for the potential risks are applied, protecting the data's integrity and confidentiality; (iii) how you can be informed about how we process your personal data; (iv) the minimisation of data, in the sense that they must be strictly necessary for the purposes of the processing; (v) the commitment to the rights of data subjects; and (vi) the limitation of the storage period, among others.

All of these are summarised in the following principles governing data processing. Each of the principles is shown below together with a short explanation:

PRINCIPLES OF PERSONAL DATA PROCESSING

LAWFULNESS, FAIRNESS, AND TRANSPARENCY

The processing must be covered by one of the grounds for lawfulness of processing. In addition, the processing must be fair and informed.

STORAGE LIMITATION

The data must be kept for no longer than is necessary for the purposes of processing the personal data.

PURPOSE LIMITATION

The purpose of the processing of personal data must be clearly defined and the data must not be used for a different purpose.

INTEGRITY AND CONFIDENTIALITY

Personal data must be protected against any risk that threatens its security (integrity, availability and confidentiality).

DATA MINIMISATION

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes.

ACCOUNTABILITY

Data controllers and processors must comply with these principles and be able to demonstrate such compliance.

ACCURACY

Personal data shall be accurate and, where necessary, kept up to date.