CenturyLink offers several products, many of which are customizable, to customers in more than 60 countries, so we do not maintain universal summaries or diagrams of data flows. Customers can gain an infrastructure-level view of how and where the data flows from the relevant product documentation and each customer’s specific network or solution design. 

CenturyLink’s enterprise services rarely, if ever, require direct contact between CenturyLink and individual data subjects protected by the GDPR. If we process any personal data, it will be either on instructions from a customer (the “controller” as defined by GDPR) or when CenturyLink acts as the controller in accordance with the legal grounds defined in Section 6 of GDPR.

CenturyLink has undertaken a review of our products to assess their potential for processing personal data. In addition, we are committed to regularly reviewing our products for this purpose. In most cases, CenturyLink does not have access to personal data, including information that is transmitted, stored, hosted or processed through a customer’s use of our products’ functions. However, whenever necessary and consistent with the nature of our services, we will assist our customers in meeting their obligations under the GDPR.

What are CenturyLink’s procedures for providing notice of data breaches?

CenturyLink will provide notifications of breaches to all of our customers likely affected by a breach in accordance with legal requirements and as agreed with our customers. When a breach is suspected, CenturyLink takes the following steps:

1. Determine if a breach occurred
2. Research and identify products the breach may affect
3. Identify and notify our customers potentially affected by the breach

CenturyLink’s level of access to information affected by a breach, including the specific data and data subjects, varies from product to product. As a result, the amount of information in breach notifications will vary accordingly.

Whether or how much personal data CenturyLink can return or destroy depends on the functionalities of the product processing the data. For instance, we do not access, host, store or process the content of messages or other information traveling in our network, so we cannot return copies of such data.

However, when the data involves services where CenturyLink operates as a processor, such as information storage and hosting products, we will grant customers access to the data for retrieval or destruction. In most of these cases, we do not have access to information but will help customers as appropriate to address their GDPR obligations relating to retention, destruction and retrieval of data processed by CenturyLink products. Typically, customers will have full control of these activities through the tools and functionalities available with the products.

Depending on the specific CenturyLink product and customer arrangement, CenturyLink acts as controller, processer or both. As such, we will make the necessary contractual arrangements to comply with GDPR. We will address general GDPR obligations at the master agreement level. In specific cases of personal data processing by our services, we will address contractual language as appropriate.

Customer Instructions.  Service type, locations, quantity, configuration, features, term and similar details selected and ordered by Customer shall constitute Processing instructions to CenturyLink to the extent required under data protection laws.  Customer self-service activity (via online portals and similar functionality), Customer-directed actions such as moves/adds/changes, and similar interaction with the Services that impact the Processing shall similarly constitute Processing instructions to CenturyLink.

GDPR Data Processing.  For Services for which links to privacy data sheets are displayed below, CenturyLink provides additional Processing details where CenturyLink acts as Customer’s Processor of Customer’s End User Personal Data within the meaning of the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) while providing Customer with Services.  These Processing details supplement the applicable Service descriptions and orders included in the Agreement between CenturyLink and Customer and will be updated as details change.  Capitalized terms used herein have the meaning set forth in the Agreement.

Data Processing where GDPR does not apply.  CenturyLink operates as a mere conduit for much of the data collected, processed, and transmitted by its customers via the Services.  For many Services, Customers determine what data is collected, used and processed by their information technology systems, whether and for how long such data may be stored or processed using CenturyLink services, where data processing or transmission takes place based on Service locations, and whether to configure CenturyLink services or purchase additional services to increase security protections for customer data.  For these Services:

A.       Subject Matter.  The subject matter of the Processing is the Personal Data Customer elects to send to CenturyLink to Process via the Services.

B.       Duration.  The duration of the Processing undertaken by CenturyLink as a Processor is the service term applicable to the relevant Services as ordered, instructed, or otherwise initiated by Customer from time-to-time and as may be set forth on the applicable order forms and/or statements of work.

C.        Nature.  The nature of the Processing undertaken by CenturyLink as a Processor is the transmission, computing, storage or other similar information technology infrastructure services and Processing activities available through Customer’s use of the applicable Services and as further described in the Agreement and relevant order forms and/or statements of work.

D.       Purpose.  The purpose of the Processing undertaken by CenturyLink as a Processor is the provision of the applicable Services to the Customer.

E.        Type of Personal Data.  The type of Personal Data Processed by CenturyLink as a Processor is determined by the Customer and includes any type of Personal Data Customer elects to send to CenturyLink through Customer’s use of the Services. 

F.        Categories of Data Subjects.  The categories of Data Subjects whose Personal Data may be Processed by CenturyLink as a Processor is determined by the Customer and includes any categories of Data Subjects those Personal Data Customer elects to send to CenturyLink to Process through Customer’s use of the Services.  

Click to download (PDF):

All downloads require the free Acrobat Reader to view.