CenturyLink is committed to compliance with GDPR and data protection regulations in general. To ensure our services and customer support align with our customers’ own compliance efforts, we have a GDPR compliance program in place that leverages our robust security, privacy and compliance infrastructure.
CenturyLink has customers in more than 60 countries, including multinational organizations that use our services worldwide. To us, GDPR is not an EU-only matter, but rather an important data protection standard that affects our customers operating in the EU and beyond its borders. Although based in the U.S., CenturyLink recognizes the need to satisfy regional requirements and provide global solutions to our customers. GDPR requires mutual dependencies and cooperation between customers and service providers, and we believe those requirements will strengthen our relationships with customers.
What measures did CenturyLink specifically undertake to achieve compliance and raise awareness about GDPR’s requirements?
CenturyLink undertook a comprehensive GDPR compliance initiative led by a cross-functional team with members of our Legal and Information Security departments. The team worked with third-party experts and representatives of all our business units to assess and address CenturyLink’s obligations under GDPR. CenturyLink’s senior leadership fully supported those efforts and is committed to our GDPR compliance.
CenturyLink’s approach to GDPR compliance focuses on accountability and demonstrating compliance now and in the future. With that in mind, the GDPR compliance team took a long-term view of data protection and designed its data protection initiatives to be able to adapt as CenturyLink grows and new data protection laws emerge around the globe.
What is CenturyLink’s approach to cross-border data flows and the export of personal data outside the EU?
CenturyLink’s exportation of personal information from within the EU to other countries generally is covered under standard contractual clauses. Whenever our services require us to export personal data subject to GDPR, CenturyLink will make the necessary contractual arrangements with our customers to ensure compliant data transmission.
How will CenturyLink handle requests for summaries and diagrams of data flows?
CenturyLink offers several products, many of which are customizable, to customers in more than 60 countries, so we do not maintain universal summaries or diagrams of data flows. Customers can gain an infrastructure-level view of how and where the data flows from the relevant product documentation and each customer’s specific network or solution design.
Under what lawful basis (e.g., obtaining consent, legitimate interests, etc.) will CenturyLink process data under GDPR?
CenturyLink’s enterprise services rarely, if ever, require direct contact between CenturyLink and individual data subjects protected by the GDPR. If we process any personal data, it will be either on instructions from a customer (the “controller” as defined by GDPR) or when CenturyLink acts as the controller in accordance with the legal grounds defined in Section 6 of GDPR.
What is GDPR’s effect on CenturyLink’s specific products?
CenturyLink has undertaken a review of our products to assess their potential for processing personal data. In addition, we are committed to regularly reviewing our products for this purpose. In most cases, CenturyLink does not have access to personal data, including information that is transmitted, stored, hosted or processed through a customer’s use of our products’ functions. However, whenever necessary and consistent with the nature of our services, we will assist our customers in meeting their obligations under the GDPR.
What are CenturyLink’s procedures for providing notice of data breaches?
CenturyLink will provide notifications of breaches to all of our customers likely affected by a breach in accordance with legal requirements and as agreed with our customers. When a breach is suspected, CenturyLink takes the following steps:
Determine if a breach occurred
Research and identify products the breach may affect
Identify and notify our customers potentially affected by the breach
CenturyLink’s level of access to information affected by a breach, including the specific data and data subjects, varies from product to product. As a result, the amount of information in breach notifications will vary accordingly.
What are CenturyLink’s policies and procedures regarding data retention, destruction, and/or return?
Whether or how much personal data CenturyLink can return or destroy depends on the functionalities of the product processing the data. For instance, we do not access, host, store or process the content of messages or other information traveling in our network, so we cannot return copies of such data.
However, when the data involves services where CenturyLink operates as a processor, such as information storage and hosting products, we will grant customers access to the data for retrieval or destruction. In most of these cases, we do not have access to information but will help customers as appropriate to address their GDPR obligations relating to retention, destruction and retrieval of data processed by CenturyLink products. Typically, customers will have full control of these activities through the tools and functionalities available with the products.
What GDPR-related language will appear in CenturyLink contracts with customers?
Depending on the specific CenturyLink product and customer arrangement, CenturyLink acts as controller, processor or both. As such, we will make the necessary contractual arrangements to comply with GDPR. We will address general GDPR obligations at the master agreement level. In specific cases of personal data processing by our services, we will address contractual language as appropriate.
CenturyLink Details of Processing for Services
CenturyLink Details of Processing
Customer Instructions. Service type, locations, quantity, configuration, features, term and similar details selected and ordered by Customer shall constitute Processing instructions to CenturyLink to the extent required under data protection laws. Customer self-service activity (via online portals and similar functionality), Customer-directed actions such as moves/adds/changes, and similar interaction with the Services that impact the Processing shall similarly constitute Processing instructions to CenturyLink.
GDPR Data Processing. For Services for which links to privacy data sheets are displayed below, CenturyLink provides additional Processing details where CenturyLink acts as Customer’s Processor of Customer’s End User Personal Data within the meaning of the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) while providing Customer with Services. These Processing details supplement the applicable Service descriptions and orders included in the Agreement between CenturyLink and Customer and will be updated as details change. Capitalized terms used herein have the meaning set forth in the Agreement.
Data Processing where GDPR does not apply. CenturyLink operates as a mere conduit for much of the data collected, processed, and transmitted by its customers via the Services. For many Services, Customers determine what data is collected, used and processed by their information technology systems, whether and for how long such data may be stored or processed using CenturyLink services, where data processing or transmission takes place based on Service locations, and whether to configure CenturyLink services or purchase additional services to increase security protections for customer data. For these Services:
A. Subject Matter. The subject matter of the Processing is the Personal Data Customer elects to send to CenturyLink to Process via the Services.
B. Duration. The duration of the Processing undertaken by CenturyLink as a Processor is the service term applicable to the relevant Services as ordered, instructed, or otherwise initiated by Customer from time-to-time and as may be set forth on the applicable order forms and/or statements of work.
C. Nature. The nature of the Processing undertaken by CenturyLink as a Processor is the transmission, computing, storage or other similar information technology infrastructure services and Processing activities available through Customer’s use of the applicable Services and as further described in the Agreement and relevant order forms and/or statements of work.
D. Purpose. The purpose of the Processing undertaken by CenturyLink as a Processor is the provision of the applicable Services to the Customer.
E. Type of Personal Data. The type of Personal Data Processed by CenturyLink as a Processor is determined by the Customer and includes any type of Personal Data Customer elects to send to CenturyLink through Customer’s use of the Services.
F. Categories of Data Subjects. The categories of Data Subjects whose Personal Data may be Processed by CenturyLink as a Processor are determined by the Customer and include any categories of Data Subjects whose Personal Data Customer elects to send to CenturyLink to Process through Customer’s use of the Services.
CenturyLink Products Processing Only Traffic Data of Customer’s End Users
Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the ePrivacy Directive) defines traffic data as: any data processed for the purpose of the conveyance of a communication on an electronic communications network or the billing thereof.
The CenturyLink products listed below process only traffic data associated with Customer’s End Users, in the course of providing service to CenturyLink’s customer.
Voice & Unified Communications Product
Hosted VoIP (Voice over Internet Protocol)
Level 3® Voice Complete®
Voice Termination
VoIP (Voice over Internet Protocol)
CenturyLink Products Not Processing Personal Data of Customer's End Users
Regulation (EU) 2016/679 of 27 April 2016, the General Data Protection Regulation (GDPR), defines personal data as: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The CenturyLink products listed below process no personal data associated with CenturyLink’s Customer’s end users, in the course of providing service to CenturyLink’s Customer.