Privacy Statement

Telefonica Tech UK&I are committed to compliance with all applicable laws in respect of personal data, and the protection of the rights and freedoms of individuals whose information we collect and process.

 

We’ll tell you:

• what legislation guides us when processing your data;
• what your data subject rights are and how to exercise them;
• why we are processing your data, and whether you have to provide it to us;
• how long we intend to store your data for;
• whether there are other recipients of your personal data;
• whether we intend to transfer it to another country; and
• whether we engage in automated decision-making or profiling.

 

This statement applies to all our personal data processing functions, including those performed on behalf of customers’, clients’, employees’, and suppliers’ personal data, and any other personal data we process from any source.

 

References to ‘we’ or ‘us’ means Telefónica Tech UK&I and our group companies.

 

What Legislation Guides Us When Processing Your Data?

Our core processing activities are related to UK-based data subjects therefore we are subject to the UK GDPR and Data Protection Act 2018, we are registered with the Information Commissioner’s Office.

Telefónica Tech UK Managed Services Limited – ICO Registration Ref: X248565X
Telefónica Tech UK Limited – ICO Registration Ref: Z4607923
Telefónica Tech Northern Ireland Limited – ICO Registration Ref: Z8322782

 

Data Protection Principles

All processing of personal data must be conducted in accordance with the Data Protection Principles as set out in the UK GDPR and outlined below.

 

Our policies and procedures are designed to ensure compliance with these Principles.

 

1. Personal data must be processed lawfully, fairly, and transparently
2. Personal data can only be collected for specific, explicit, and legitimate purposes
3. Personal data must be adequate, relevant, and limited to what is necessary for processing
4. Personal data must be kept accurate and, where necessary, kept up to date
5. Personal data must be kept in a form such that the Data Subject can be identified only as long as is necessary for processing
6. Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
7. The GDPR includes provisions that promote accountability and governance. These complement the regulation’s transparency requirements. Accountability requests us to proactively demonstrate that we comply with the principles.

 

We will demonstrate compliance with GDPR Principles by implementing and adhering to data protection policies, implementing technical and organisational measures, as well as adopting techniques such as Data Protection by Design, Data Protection Impact Assessments, breach notification procedures and incident response plans.

 

What Are Your Data Subject Rights And How Can You Exercise Them?

The GDPR provides the following rights for individuals in relation to their personal data;

 

• The right to be informed
• The right of access
• The right of rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling

 

Data Subject Rights Requests

We recognise your rights as a data subject as detailed above.  If you wish to make a request to exercise your rights regarding personal information we hold about you please contact our Data Protection Officer at dataprotection@telefonicatech.uk.

 

Why Do We Process Your Personal Data

 

• compliance with legal, regulatory and corporate governance obligations and good practice
• operational reasons, such as recording transactions, training and quality control
• ensuring the confidentiality of commercially sensitive information
• statistical analysis
• checking references
• processing customer or third-party data
• marketing our business and those of our group companies
• analysing purchasing preferences and improving services
• providing customer services

 

What Is The Purpose Of The Processing And How Is The Information Provided?

Most of the personal information we process is provided to us directly by you for one of the following reasons:

 

• You have made a query regarding our services
• You are a current user of our services
• You wish to attend, or have attended, an event
• You subscribe to our e-newsletter
• You have applied for a job, placement, or internship with us.

 

We also receive personal information indirectly, in the following scenarios:

 

• We may request information about you in the vetting process of applying for a role
• An employee of ours gives your contact details as an emergency contact or a referee.

 

What Is The Lawful Basis For Processing Your Personal Information?

Article 6 of the UK GDPR sets out the lawful bases for processing, at least one of these must apply whenever processing personal data:

 

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose;

We seek your consent for processing certain types of information.  Where we seek your consent, it will be explicit and clear what you are agreeing to. We manage your consent in line with the regulator’s guidance.

 

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract;

For example if you enter into a contract of employment with us we must process certain personal details to ensure you are paid correctly. Such processing would be necessary under the terms of the contract and is documented in our Record of Processing Activities.

 

(c) Legal Obligation: the processing is necessary for you to comply with the law (not including contractual obligations);

As an employer, we process personal data to comply with our legal obligation to disclose employee salary details to HMRC.

 

(d) Vital Interests: the processing is necessary to protect someone’s life;

This only applies to processing essential for someone’s life.  Therefore, this lawful basis is very limited in its scope, and generally only applies to matters of life and death.

 

(e) Public Task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law;

This basis largely only applies to public bodies and some adjacent private entities who work on their behalf. It is not anticipated that TTUK will process personal data under this basis.

 

(f) Legitimate Interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

We process marketing data, that which does not require consent via other legislation, like Privacy and Electronic Communications Regulation (PECR), under legitimate interests in some cases. Legitimate interest is most likely to be an appropriate basis where data is used in ways that data subjects would reasonably expect given their interaction, and that have a minimal privacy impact.

 

Special Category Data

Special category data is personal information that needs more protection because it is sensitive in nature.

 

Cookies

When you use our website, we may gather information about you through Internet access logs, cookies and other technical means.

 

‘Cookies’ are text files placed on your computer to collect Internet log information and user behaviour information.

 

Some of the cookies we use are essential for parts of the site to operate and have already been set. You may find that blocking certain common cookies may result in aspects of our website being unviewable.

 

To find out more about the cookies we use and how to delete them, please view our cookie policy here.

 

Direct Marketing

Information relating to you will be used to notify you by post, email, or other electronic means of our relevant services and solutions and those of our group companies and third-party business partners, in which we believe you may be interested. This will only ever occur where you have proactively indicated your interest and provided consent to be contacted.

 

You can withdraw your consent to use of personal data for marketing at any time by contacting us at marketing@telefonicatech.uk.

 

Third Party Processors

From time to time, we use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it only for the period we instruct.

 

Digital Marketing Service Providers

We periodically appoint digital marketing agents to conduct marketing activity on our behalf, such activity may result in the compliant processing of personal information. Our appointed data processors include:

 

• Right On The Line Limited. Reg no. 04044730 | VAT Registration No. GB742504257. You can contact Right On The Line and view their privacy policy here. https://www.rightontheline.com/privacy-policy
• Session Media. Reg no. 11451529 | You can contact Session Media and view their privacy policy here. https://session-media.com/privacy-policy/

 

Children

Personal data relating to children has specific protections under the UK GDPR.

 

We do not provide services directly to children or proactively collect their personal information.

 

International Transfers

International transfers of personal data means information has been sent received/processed in a third country, a third country is a country or territory outside of the UK. The Data Protection Act 2018 places limits on the circumstances when we can share:

 

• the transfer must be necessary for any of the law enforcement purposes
• the transfer has to be based on either a finding of adequacy in respect of the third country, or where other appropriate safeguards are in place, or if not, that the transfer is for certain specific special circumstances. TTUK&I apply relevant Standard Contractual Clauses
• the transfer is to a relevant authority in the third country, or is a ‘relevant international organisation;, ie an international body that carries out functions for any of the law enforcement purposes.

 

Where personal data is transferred outside the UK/EEA, we ensure that an International Transfer Risk Assessment has been carried out. We align this assessment with the relevant ICO guidance.

 

Changes To Privacy Statement

We are currently reviewing our Data Protection suite of policies and procedures – once this review is complete, we will update this document as necessary. Changes will be uploaded to our site here and pushed out to third parties as required.

 

Further Enquiries

Please contact our dedicated Data Protection Officer if you have any questions in relation to our handling of your personal data. We will respond to any requests within one calendar month.

 

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices for those websites as applicable.

 

Data Protection Officer
Telefónica Tech UK Limited
East House
New Pound Common
Wisborough Green
West Sussex RH14 0AZ

E: dataprotection@telefonicatech.uk

Last updated: March 2023