Privacy and security

Privacy is a core value in democratic societies, reflected in various fundamental rights such as data protection and the right to privacy. At Telefónica, we always bear this in mind and place special emphasis on security developments for our customers. 

PRIVACY

Here at Telefónica we understand the concept of privacy to be defined by historical context, culture, its uses and a country's technological innovation and specific geographical region. Privacy is a core value in democratic societies such as our own. Legislative frameworks have defined it as a person's right for nothing and no one to interfere with his or her private correspondence (the right to confidential communication), the management of his or her personal data (the right to the protection of personal data) and the protection of personal or family privacy (the right to privacy). Because of this, and since the expansion of the Internet, 'confidentiality of information' and the use of personal data for commercial means have become two of the most debated and controversial topics in the last decade. 

We do not conceive privacy as a unidimensional concept and therefore we speak of 'digital confidence' as a term that includes the concepts of privacy, transparency and security. This is a sustainable approach that allows citizens to maintain control over their personal data and preserve their private identities, knowing that their data is secure.

Ultimately, our commitment to this principle has led us to design a culture based on improving our consumers' digital confidence, with shared obligatory performance standards among all our regions and entities and a set of clear, coherent positions regarding our privacy practices and data protection. This culture is based upon the following pillars:

  • Self-regulation of the rights and security of the users, far beyond local and international laws.
  • Transparency as a driving force of confidence and the key attributes of Telefónica.
  • Privacy as an element to make innovation, well-being and prosperity possible in the digital world. 

Acceptance of these global principles will help us establish a common global framework based on which a secure, transparent and private digital experience can be developed, a solid foundation for the sustainable growth of a digitised economy and society. 

Policy and Privacy Committee

The objective of the Privacy Policy, approved by the Telefónica Group advisory board, is to establish the guidelines the companies of the Group should follow in order to protect the privacy of all those persons who entrust us with their information through the use of our products and services.

This policy responds to our Business Principles and describes what type of information is collected by the companies of the Group and how it is processed in order to guarantee the privacy of its users. Additionally, it incorporates our commitment to: 

  • Transparency and choice in the use of personal information.
  • The right to access, rectification, opposition and elimination of personal information. 
  • Security and integrity of personal data.
  • Privacy of minors.

This Policy has allowed us to maintain a unique, clear and coherent position regarding privacy and data protection, and on the part of Telefónica, to take utmost advantage of the opportunities generated in our current digital environment.

The Privacy Committee was created in 2013 as a reference point, both internally and externally, to support Telefónica's actions in this area. It is the authority that oversees the implementation of the Privacy Policy. The Privacy Committee is headed by the Chief Privacy Officer, who, in the sphere of the Telefónica Group, is charged with overseeing the fulfilment of national and international regulations regarding data protection.

Freedom of Expression

Throughout 2014 Telefónica has continued to work in its capacity as member of Telecom Industry Dialogue, a group of nine global telecommunications operators and vendors, towards collective implementation of the 10 Guiding Principles on Privacy and Freedom of Expression, which were signed and published in March 2013. In the 2013 Sustainability Report we published our progress for the first time. Our progress and the measures adopted during 2014 are laid out in the following table.

Governing Principles for Privacy and Freedom of Expression within Telefónica

Governing principle

Telefónica Programme

1. To create and/or maintain relevant policies, under the supervision of the Board of Directors or equivalent, emphasising a commitment to prevent, evaluate and mitigate, to the best of their ability, the risks to freedom of expression and privacy associated with the design, sale and operation of technology and telecommunication services. 
  • Revised in 2010, our Business Principles recognise the right to privacy as the foundation for a trust-based relationship with our stakeholders. 
  • Likewise, the Group has a Privacy Policy, approved by the Board in March 2013, with which compliance is obligatory in all countries where we operate.    
  • The Group also has a Chief Privacy Officer, who is ultimately responsible for the implementation and monitoring of the Policy and who offers support to the local Data Protection Officers. 
  • As far as security management is concerned, the Group has a Corporate Information Security Policy, as well as other regulations, which is based on international standards and updated according to increasing international demand regarding security. In addition to receiving policy-specific training, all of our employees have access to the Policy via the Group Intranet.

2. To regularly perform impact assessments on Human Rights and utilise due diligence processes, adapted to the Company, in order to identify, mitigate and manage risks to the freedom of expression and privacy (both in relation to technology, products and services, as well as to specific countries) in compliance with the Guiding Principles for the application of the UN framework 'Protect, respect, and remedy.' 
  • Respect and commitment to Human Rights is one of the foundations of our Guiding Principles. Therefore, following the framework offered by the Guiding Principles on Business and Human Rights, in 2012 we performed an assessment – with the support of Business for Social Responsibility – within all our operations in order to evaluate the global impact of our activities. In 2014, Telefónica continued integrating the results of the assessment on the impact on Human Rights that was carried out in 2012 via its business units. This included a new evaluation to assess on a global scale how its operating businesses respond to governmental requests for users' personal data or content restriction, as well as the circumstances and contexts in which these petitions are generally received. As part of this process, in 2015, Telefónica will develop a global procedure guide regarding governmental requirements.   

3. To create and/or maintain processes and operating procedures in order to evaluate and manage governmental requests that may have an impact on freedom of expression and privacy.
  • Telefónica has various processes in place to attend to requests made by local/governmental authorities. These processes are the responsibility of the General Secretary and Security of each of the Group's companies. The Privacy Committee and the Security Committee endeavour to sensitise and inform on the necessity to document such processes.  

4. Wherever possible, to adopt strategies to anticipate, respond to, and minimize the potential impact on the freedom of expression and privacy in the event that an illegal governmental petition or demand is received, or that the government is considered to be making improper use of the products or technology for unlawful purposes.  
  • The Chief Privacy Officer, on a global level, and the Data Protection Officers offer greater homogeneity to the procedures and processes that affect our clients' privacy. The Privacy Committee articulates its mission and functions through the Global Chief Privacy Officer and the Data Privacy Officers/Data Protection Officers (DPOs) in each of the Group companies. 

5. To seek to always guarantee the security and freedom of Company employees that could be exposed to situations of risk. 
  • Health, security, and occupational well-being are the three pillars of Telefónica, not only guaranteeing the protection of employees, but also having a direct influence on their job satisfaction at the Company. Regarding physical security, the Global Security Directorate has established a series of guidelines to be followed, adapted to the risks identified for each country, as well as to cover the displacement process.

6. To sensitise and train the employees affected by the relevant policies and processes. 
  • The Telefónica Group has designed a specific plan to train and sensitise employees in the policies and processes which affect them. This continual training programme is carried out both in person as well as online. In 2014, more than 62,250 employees were trained in matters of Data Protection and Information Security.

7. To share knowledge and impressions, whenever relevant and appropriate, with all the interested parties involved in order to better understand the legal framework and efficiency of these principles in practice and to offer support for their application and development.
  • We consider continual dialogue with our stakeholders to be fundamental in order to identify and mitigate risks, as well as to develop new business opportunities. We believe that transparency, as well as knowledge sharing, among this group is key to encouraging these Guiding Principles. Moreover, Telefónica has undertaken a project to map out internal and external stakeholders on corporate and local levels regarding issues of freedom of expression and privacy. The result of this map will determine the level and type of relationship with each of them, with the purpose of improving Telefónica's response capacity to consultations made by interested parties.   Likewise, at the heart of the Privacy Committee, the Data Protection Officers and Corporation directors agree on and discuss the commercial, institutional and regulatory projects that are most relevant to the topic of privacy, with the aim of ensuring a consistent approach throughout the entire organisation. Parallel to this, there is an internal communication channel (Global Privacy Centre, in Yammer) which is made up of all the people related to or interested in privacy management at the Group level, and which serves to share experiences, news and strategies.

8. To annually, as well as when circumstances deem it necessary, report externally on the progress achieved regarding the application of the principles and, when appropriate, regarding the main events that occur in this regard.  
  • This Report summarises the advances carried out by the Telefónica Group regarding privacy and freedom of expression.

9. To aid in the elaboration of policies and regulations that promote freedom of expression and privacy, both in an individual manner and in collaboration with other entities, seeking to mitigate the potential negative impacts that are derived from policies and regulations.
  • We are convinced that the best way to achieve global progress with respect to freedom of expression and privacy is through dialogue between governments, industry, civil society (including Human Rights experts), investors, supranational organisations and other interested parties. Proof of this is our Digital Manifesto, published in January 2014. The Manifesto highlights the different challenges to be resolved by public policies in order to liberate the digital world's full potential, to the benefit of customers, companies and public administrations. At the same time, it provides ten recommendations to improve users' Internet experience and to promote greater investment in digital infrastructures. Likewise, on an internal level, and with the purpose of overseeing the adequate implementation and fulfilment of the Privacy Policy, at the core of the Global Privacy Committee the following are developed, agreed upon and approved: regulations, instructions and guidelines related to the many diverse aspects of privacy (incidence management, recommended structures, description of functions and activities, development of web pages and apps insurance, etc.). The Committee is the internal and external point of reference, and the foundation for conduct within the field of privacy.

10. To collectively examine options for the implementation of appropriate complaint mechanisms, as set out in Principle 31 of the UN Guiding Principles on Business and Human Rights.
  • Telefónica is developing complaint mechanisms at both corporate and local levels, which will be ready for implementation in 2015-2016.

Security and Data protection

To guarantee the safety and security of the data of our customers and our services, Telefónica has various regulations in place aimed at strengthening information security. 

The Telefónica Group companies follow the directives regarding information security as defined by the Corporate Security Committee. This authority's objective is to oversee the continual improvement of security, guaranteeing a minimum uniform level of security in accordance with the needs of each business. Additionally, its responsibilities include establishing policies, standards and implementation procedures for use and sound practices, the tracking of certificate acquirement within the Group companies and continual monitoring, with regular reports given to the Security Committee.

Data security

Telefónica has an internal concept of the Group's global integral security which covers information security by establishing a set of preventive and reactive measures regarding the protection of personal data and technological systems. This allows information to be shielded and protected, seeking to maintain its confidentiality, availability and integrity.    

Information security has a significant effect on our customers' privacy, taking on different dimensions according to each culture and country.

Within Telefónica's Corporate Security Committee, specific tracking is carried out on the Group's security certifications, which covers the development, implementation and maintenance of the Company's certification management system. 

Security of services

Threats and attacks against the users of communication networks, the networks themselves and critical governmental infrastructures are becoming ever more frequent and sophisticated. In Telefónica's own backbone, systems like Escudo DDoS are deployed to mitigate denial-of-service attacks against both infrastructure and customers. For defence against malicious software, phishing and digital identity theft, we have Smart DNS.

2014 saw the presentation of a process of transformation based on innovation through technology. At Telefónica, in our commitment to cybersecurity and investment in in-house development, we have launched new services with new security capabilities that contribute to our clients' businesses being highly protected against threats within the environments in which they operate.  

  • ElevenPaths has focused its efforts on the development of unique and innovative products in the market. Proof of these efforts can be seen below:
    • Path5, a new cyber-intelligence product that fights against threats to mobile phones. It is a cybersecurity product developed by ElevenPaths that allows and facilitates research for security professionals and experts on mobile applications through its patented big data technology and correlation engine. Additionally, it offers an integral solution that improves analysis and investigation in order to respond to any fraudulent action in which a mobile component may have been used. Path5 allows analysts to track the activity of these mobile components created by developers, and to predict other similar activities. It also allows for alerts to be set that detect fraudulent activity by these developers, thereby making Path5 an ideal solution for security, legal and company marketing teams or for analysts of mobile application tendencies.
    • Latch was launched in 2014 for Windows Mobile and Firefox OS (FFOS), the operating system based on open standards developed by Mozilla and supported since inception by Telefónica, which already markets terminals using this operating system in Spain and in some Latin American markets. Latch is a mobile application that, very simply, allows users to create an additional layer of security for the different online service accounts they use, helping them to protect their digital lives. With this digital "latch", users can decide when to "turn on and turn off" Internet services, as well as profiles on social networks, online stores and electronic banking, blocking their use while disconnected. Additionally, the application sends an alert if someone tries to access these services when the user has them "turned off".
  • Sinfonier. Due to the need to give real-time support to the processing of information that is gathered from various sources, Sinfonier provides users with a free infrastructure so that they can create their topologies using the modules available within the community and develop their own modules. Thanks to Sinfonier, it is possible to gather information from a multitude of sources, process it, and enhance it in a continuous and dynamic manner.

Business continuity plan

For Telefónica, business continuity is a concept that includes both a disaster recovery plan (DRP) and a business restoration plan.

On this basis, we annually develop and improve logistics plans with the goal of being able to recover and restore, within a set amount of time, critical functions that have been partially or completely interrupted by an unwanted disruption or potential disaster.

This plan is Telefónica's forward-looking response to the risk situations that could critically affect it. Business impact analyses are reviewed and audited yearly in compliance with regulation ISO 27001, and the Company has ISO 22301 on its critical certification path as an objective strategy.

In fact, in 2012, Telefónica was the first mobile operator in the United Kingdom to obtain ISO 22301 certification for all its operations.

Data protection and audits

At Telefónica we conduct our own audits as demanded by the government of each country in which we are present, which is usually every two years. However, we have also instituted a yearly internal auditing system to confirm not only fulfilment but also application of the best market practices regarding data protection. In 2014, we continued carrying out personal data protection reviews, executing 9 audits for entities collaborating with Fundación Telefónica in 5 Latin American countries, one in the Central American region and 19 audits for Group companies, in Europe as well as in Latin America.  

In the case of audits for the Group companies, the most important aspects reviewed were: the application of security measures in processing personal data, controlling access to it, the quality of information, consent to data processing and the possibility that those affected may exercise their rights to access, rectification, elimination or opposition.

In the case of Fundación Telefónica, the aspects reviewed were the quality of the information and consent to processing data of a personal nature.

In addition, within its Annual Audit Plan, Telefónica provides a comprehensive Cybersecurity Auditing plan which, among other techniques, includes performing a penetration test by applying ethical hacking techniques based on the OSSTMM, CVSS and OWASP standards.

These audits are performed once a year on all IP addresses (public & private) of all Group operators, as well as on products and services for determining and, where necessary, improving their resilience against cyber attacks.

During 2014 Telefónica performed 18 cybersecurity audits of networks and systems for all operators. Seven audits were also performed specifically on products and services.

Training and awareness-raising

In 2014 we continued with the Global Training Plan on data protection. A total of 62,950 employees were trained in matters of data protection, information security and awareness. This figure represents 50.9% of the total employees of the Group. The breakdown by region is as follows:

  • Telefónica Europe: 32,812 employees received training in matters of privacy and data protection. This represents, approximately, 60.8% of Telefónica employees in the region.
  • Telefónica Latin America: 30,138 employees were trained, both in person as well as online, in matters of privacy, data protection, security and confidentiality; this represents 44.2% of the employees in the region.

On a corporate level, various awareness initiatives have been carried out, including the following:

  • Sensitisation about phishing, to raise employee awareness and to understand the degree of exposure to a possible attack.
  • A five-hour course on security for technicians providing support to senior management.
  • Tutorials and advice about security were published and sent by email, the Intranet and Yammer to all Group employees.

In addition to internal training, data protection training and awareness workshops were given to those who worked with different organisations and local institutions: 

  • Germany. Regular participation in meetings with the Federal Data Protection Officer and other federal agencies. 
  • Colombia. Telefónica Colombia participated throughout 2014 in events both as speaker and attendee on topics of Cybersecurity and Data Protection (XVI ANDESCO National and International Congress, Public Services, TIC and TV, II International Data Protection Congress, organised by the Superintendence of Industry and Commerce, with the support of the Accountability Foundation).
  • Ecuador. Telefónica Ecuador participated in the Forum of Experience Exchange in Information Security (FTRESI), a group formed by large national companies to discuss information security, which meets on a quarterly basis.
  • Mexico. Telefónica Mexico signed up to the GSMA Mobile Privacy Principles through the initiative 'Nos Importa México' (We Care).
  • Uruguay. Lectures were given on the updating of new criminal methods in cash machines and sellers.
  • Innovation Security Day. During the event, Telefónica presented the challenges in ICT security innovation that we are faced with, based on the latest trends in cyber attacks, new protection mechanisms and tools, and our offered services. 

Incidents

9 incidents were reported on a global level relating to privacy and data protection, which were resolved by the compliance areas of the corresponding country; eight in the United Kingdom and one in Germany.

Fines

In 2014 Telefónica Colombia received 5 fines for matters concerning personal data protection. Three of these are pending final confirmation as they are subject to an appeal by Telefónica. The other two fines have been confirmed. No other countries have been punished for matters in this area.

Transparency

Trust is a critical value in an economy characterised by information management and analysis. All the studies carried out by Telefónica demonstrate a growing concern on the part of the users regarding the use of their data by digital and online services, and the loss of control over their data when they surf the web.

In fact, we are beginning to observe the first reactions of protection in the face of these trends: downloads of publicity-avoiding applications are rising considerably.

Our key to improving trust levels is transparency in the conditions of Internet use. Telefónica I+D has launched the Data Transparency Lab, a digital community project aimed at revealing the flow and use of personal data online, as well as exploring new ways of promoting transparency and accountability in the treatment of this information in the future, in order to make the Internet more open. Through this initiative, we also seek to promote the sustainability of the web economy through responsible and transparent use of advertising, e-commerce and online analytics.

The main objectives of the Data Transparency Lab are to develop tools, open up databases to users, and support research (by means of scholarships, R&D projects, etc.) in this field. Telefónica I+D is one of the founders of this new institution, alongside the MIT Human Dynamics Lab (headed by the prestigious Alex 'Sandy' Pentland), Mozilla, the Open Data Institute (directed by Sir Tim Berners Lee) and the Centre for the Digital Economy at the University of Surrey.

As a sample of the work being carried out by the Data Transparency Lab, the Telefónica I+D team, in conjunction with the Carlos III University and the Polytechnic University of Catalonia, have developed a tool, Sheriff, that identifies changes in the prices charged by online stores according to the IP address from which they are accessed; and in conjunction with Columbia University (New York) are seeking to understand which of our personal data is responsible for the advertisements that we see.