CenturyLink is Committed to GDPR Compliance

CenturyLink is committed to compliance with GDPR and data protection regulations in general. To ensure our services and customer support align with our customers’ own compliance efforts, we have a GDPR compliance program in place, that leverages our robust security, privacy and compliance infrastructure.

CenturyLink has customers in more than 60 countries, including multinational organizations that use our services worldwide. To us, GDPR is not an EU-only matter, but rather an important data protection standard that affects our customers operating in the EU and beyond its borders. Although based in the U.S., CenturyLink recognizes the need to satisfy regional requirements and provide global solutions to our customers. GDPR requires mutual dependencies and cooperation between customers and service providers, and we believe those requirements will strengthen our relationships with customers.

For more information, please click here.

GDPR FAQs

What measures did CenturyLink specifically undertake to achieve compliance and raise awareness about GDPR’s requirements?

CenturyLink undertook a comprehensive GDPR compliance initiative led by a cross-functional team with members of our Legal and Information Security departments. The team worked with third-party experts and representatives of all our business units to assess and address CenturyLink’s obligations under GDPR. CenturyLink’s senior leadership fully supported those efforts and is committed to our GDPR compliance.

CenturyLink’s approach to GDPR compliance focuses on accountability and demonstrating compliance now and in the future. With that in mind, the GDPR compliance team took a long-term view to data protection and designed its data protection initiatives to be able to adapt as CenturyLink grows and new data protection laws emerge around the globe.

What is CenturyLink’s approach to cross-border data flows and the export of personal data outside the EU?

CenturyLink’s exportation of personal information from within the EU to other countries generally is covered under standard contractual clauses. Whenever our services require us to export personal data subject to GDPR, CenturyLink will make the necessary contractual arrangements with our customers to ensure compliant data transmission.

How will CenturyLink handle requests for summaries and diagrams of data flows?

CenturyLink offers several products, many of which are customizable, to customers in more than 60 countries, so we do not maintain universal summaries or diagrams of data flows. Customers can gain an infrastructure-level view of how and where the data flows from the relevant product documentation and each customer’s specific network or solution design.

Under what lawful basis (e.g., obtaining consent, legitimate interests, etc.) will CenturyLink process data under GDPR?

CenturyLink’s enterprise services rarely, if ever, require direct contact between CenturyLink and individual data subjects protected by the GDPR. If we process any personal data, it will be either on instructions from a customer (the “controller” as defined by GDPR) or when CenturyLink acts as the controller in accordance with the legal grounds defined in Section 6 of GDPR.

What is GDPR’s effect on CenturyLink’s specific products?

CenturyLink has undertaken a review of our products to assess their potential for processing personal data. In addition, we are committed to regularly reviewing our products for this purpose. In most cases, CenturyLink does not have access to personal data, including information that is transmitted, stored, hosted or processed through a customer’s use of our products’ functions. However, whenever necessary and consistent with the nature of our services, we will assist our customers in meeting their obligations under the GDPR.

What are CenturyLink’s procedures for providing notice of data breaches?

CenturyLink will provide notifications of breaches to all of our customers likely affected by a breach in accordance with legal requirements and as agreed with our customers. When a breach is suspected, CenturyLink takes the following steps:

Determine if a breach occurred
Research and identify products the breach may affect
Identify and notify our customers potentially affected by the breach

CenturyLink’s level of access to information affected by a breach, including the specific data and data subjects, varies from product to product. As a result, the amount of information in breach notifications will vary accordingly.

What are CenturyLink’s policies and procedures regarding data retention, destruction, and/or return?

Whether or how much personal data CenturyLink can return or destroy depends on the functionalities of the product processing the data. For instance, we do not access, host, store or process the content of messages or other information traveling in our network, so we cannot return copies of such data.

However, when the data involves services where CenturyLink operates as a processor, such as information storage and hosting products, we will grant customers access to the data for retrieval or destruction. In most of these cases, we do not have access to information but will help customers as appropriate to address their GDPR obligations relating to retention, destruction and retrieval of data processed by CenturyLink products. Typically, customers will have full control of these activities through the tools and functionalities available with the products.

What GDPR-related language will appear in CenturyLink contracts with customers?

Depending on the specific CenturyLink product and customer arrangement, CenturyLink acts as controller, processer or both. As such, we will make the necessary contractual arrangements to comply with GDPR. We will address general GDPR obligations at the master agreement level. In specific cases of personal data processing by our services, we will address contractual language as appropriate.

CenturyLink Content Delivery Network FAQs

What Data Do We Collect?

Major broadcasting, media and internet companies use CenturyLink CDN solutions to securely deliver video streaming, digital downloads and website acceleration to their customers around the globe. Users access the content through a broad range of devices. Many CenturyLink customers also take advantage of our origin storage service, an easy-to-manage global platform that securely stores content libraries of virtually any size.

CenturyLink CDN collects a minimal amount of data about our customers’ users when they request content. The data collected is meant to ensure correct content delivery and satisfy customer specifications. We do not capture or store unnecessary information. Personal information about individuals accessing content is not visible, collected or logged. Data collected by the CDN falls under two general categories:

1. Event data consisting of date, time, content volume in bytes, delivery status and error codes.

2. End-user delivery data about the client requesting the content. This consists of IP address, access method, URL, HTTP Headers such as referrer, user agent, cookies, and extensions. This end-user delivery data, by itself, cannot be used to identify an individual end-user and CenturyLink does not utilize this data or combine it with any other data in an attempt to identify individual end-users.

When our customers’ users access content through the CenturyLink CDN, no personal data that identifies that individual end-user is collected by the platform except as necessary to provide CenturyLink CDN services as configured by a customer.

Customer Options

It is the customer’s responsibility, through the use of object delivery controls, to ensure that any personal data related to individual end-users that access the customer’s content through the CenturyLink CDN is not cached on the CenturyLink CDN. CenturyLink CDN customers can leverage a variety of self-service and security options available through the platform. Customers have the ability to manage their video delivery, object delivery and origin storage services through the secured and authorized use of the customer Media Portal. Customers may also use the Media Portal for the following:

Reporting
Analytics
Access invoices
Provision new services
Optimize content publication
Manage account permissions
APIs
Modify service attributes and parameters

LEGAL

Acceptable Use Policy
Privacy Policy
Copyright Notices
Website User Agreement
Payment Agreement
Online Security
Terms & Conditions
Tariff Library
About Internet Service Disclosure
CCTS
Contact Us
GDPR
LATAM

Contact Us

Password Reset, Billing or Service Related Issues:
Customer Support Email

Report Spam/Abuse

For Subpoenas Requesting Customer Information:
Law Enforcement Support

EU General Data Protection Regulation Questions:
Email

EU GDPR Data Subject Requests:
Email

Chief Privacy Officer
Linda Gardner
Associate General Counsel
Email

PRIVACY GROUP
CENTURYLINK LEGAL
100 CENTURYLINK DRIVE
MONROE LA 71203

Get Connected. See what's next for CenturyLink.