CenturyLink is Committed to GDPR Compliance <p>Release Date: July 16, 2020</p>
<p>CenturyLink is committed to compliance with GDPR and data protection regulations in general.
To ensure our services and customer support align with our customers’ own compliance efforts, we have a GDPR compliance program in place, that leverages our robust security, privacy and compliance infrastructure.</p>
<p>CenturyLink has customers in more than 60 countries, including multinational organizations that use our services worldwide.
To us, GDPR is not an EU-only matter, but rather an important data protection standard that affects our customers operating in the EU and beyond its borders.
Although based in the U.S., CenturyLink recognizes the need to satisfy regional requirements and provide global solutions to our customers.
GDPR requires mutual dependencies and cooperation between customers and service providers, and we believe those requirements will strengthen our relationships with customers.</p>
<p>For more information, please click here.</p> GDPR FAQs What measures did CenturyLink specifically undertake to achieve compliance and raise awareness about GDPR’s requirements? <p>CenturyLink undertook a comprehensive GDPR compliance initiative led by a cross-functional team with members of our Legal and Information Security departments.
The team worked with third-party experts and representatives of all our business units to assess and address CenturyLink’s obligations under GDPR.
CenturyLink’s senior leadership fully supported those efforts and is committed to our GDPR compliance.</p>
<p>CenturyLink’s approach to GDPR compliance focuses on accountability and demonstrating compliance now and in the future. .
With that in mind, the GDPR compliance team took a long-term view to data protection and designed its data protection initiatives to be able to adapt as CenturyLink grows and new data protection laws emerge around the globe.</p> What is CenturyLink’s approach to cross-border data flows and the export of personal data outside the EU? <p>CenturyLink’s exportation of personal information from within the EU to other countries generally is covered under standard contractual clauses.
Whenever our services require us to export personal data subject to GDPR, CenturyLink will make the necessary contractual arrangements with our customers to ensure compliant data transmission.</p> How will CenturyLink handle requests for summaries and diagrams of data flows? <p>CenturyLink offers several products, many of which are customizable, to customers in more than 60 countries, so we do not maintain universal summaries or diagrams of data flows.
Customers can gain an infrastructure-level view of how and where the data flows from the relevant product documentation and each customer’s specific network or solution design. </p> Under what lawful basis (e.g., obtaining consent, legitimate interests, etc.) will CenturyLink process data under GDPR? <p>CenturyLink’s enterprise services rarely, if ever, require direct contact between CenturyLink and individual data subjects protected by the GDPR.
If we process any personal data, it will be either on instructions from a customer (the “controller” as defined by GDPR) or when CenturyLink acts as the controller in accordance with the legal grounds defined in Section 6 of GDPR.</p> What is GDPR’s effect on CenturyLink’s specific products? <p>CenturyLink has undertaken a review of our products to assess their potential for processing personal data.
In addition, we are committed to regularly reviewing our products for this purpose.
In most cases, CenturyLink does not have access to personal data, including information that is transmitted, stored, hosted or processed through a customer’s use of our products’ functions.
However, whenever necessary and consistent with the nature of our services, we will assist our customers in meeting their obligations under the GDPR.</p>
<p>
<b>What are CenturyLink’s procedures for providing notice of data breaches?</b>
</p>
<p>CenturyLink will provide notifications of breaches to all of our customers likely affected by a breach in accordance with legal requirements and as agreed with our customers.
When a breach is suspected, CenturyLink takes the following steps:</p>
<ol>
<li>Determine if a breach occurred</li>
<li>Research and identify products the breach may affect</li>
<li>Identify and notify our customers potentially affected by the breach</li>
</ol>
<p>CenturyLink’s level of access to information affected by a breach, including the specific data and data subjects, varies from product to product.
As a result, the amount of information in breach notifications will vary accordingly.</p> What are CenturyLink’s policies and procedures regarding data retention, destruction, and/or return? <p>Whether or how much personal data CenturyLink can return or destroy depends on the functionalities of the product processing the data.
For instance, we do not access, host, store or process the content of messages or other information traveling in our network, so we cannot return copies of such data.</p>
<p>However, when the data involves services where CenturyLink operates as a processor, such as information storage and hosting products, we will grant customers access to the data for retrieval or destruction.
In most of these cases, we do not have access to information but will help customers as appropriate to address their GDPR obligations relating to retention, destruction and retrieval of data processed by CenturyLink products.
Typically, customers will have full control of these activities through the tools and functionalities available with the products.</p> What GDPR-related language will appear in CenturyLink contracts with customers? <p>Depending on the specific CenturyLink product and customer arrangement, CenturyLink acts as controller, processer or both.
As such, we will make the necessary contractual arrangements to comply with GDPR.
We will address general GDPR obligations at the master agreement level.
In specific cases of personal data processing by our services, we will address contractual language as appropriate.</p> CenturyLink Details of Processing for Services CenturyLink Details of Processing <p>
<b>Customer Instructions.</b> .
Service type, locations, quantity, configuration, features, term and similar details selected and ordered by Customer shall constitute Processing instructions to CenturyLink to the extent required under data protection laws. .
Customer self-service activity (via online portals and similar functionality), Customer-directed actions such as moves/adds/changes, and similar interaction with the Services that impact the Processing shall similarly constitute Processing instructions to CenturyLink.</p>
<p>
<b>GDPR Data Processing.</b> .
For Services for which links to privacy data sheets are displayed below, CenturyLink provides additional Processing details where CenturyLink acts as Customer’s Processor of Customer’s End User Personal Data within the meaning of the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) while providing Customer with Services. .
These Processing details supplement the applicable Service descriptions and orders included in the Agreement between CenturyLink and Customer and will be updated as details change. .
Capitalized terms used herein have the meaning set forth in the Agreement.</p>
<p>
<b>Data Processing where GDPR does not apply. .
</b>CenturyLink operates as a mere conduit for much of the data collected, processed, and transmitted by its customers via the Services. .
For many Services, Customers determine what data is collected, used and processed by their information technology systems, whether and for how long such data may be stored or processed using CenturyLink services, where data processing or transmission takes place based on Service locations, and whether to configure CenturyLink services or purchase additional services to increase security protections for customer data. .
For these Services:</p>
<p>A.  .
<b>Subject Matter.</b> .
The subject matter of the Processing is the Personal Data Customer elects to send to CenturyLink to Process via the Services.</p>
<p>B.  .
<b>Duration.</b> .
The duration of the Processing undertaken by CenturyLink as a Processor is the service term applicable to the relevant Services as ordered, instructed, or otherwise initiated by Customer from time-to-time and as may be set forth on the applicable order forms and/or statements of work.</p>
<p>C.  .
<b>Nature.</b> .
The nature of the Processing undertaken by CenturyLink as a Processor is the transmission, computing, storage or other similar information technology infrastructure services and Processing activities available through Customer’s use of the applicable Services and as further described in the Agreement and relevant order forms and/or statements of work.</p>
<p>D.  .
<b>Purpose.</b> .
The purpose of the Processing undertaken by CenturyLink as a Processor is the provision of the applicable Services to the Customer.</p>
<p>E.  .
<b>Type of Personal Data.</b> .
The type of Personal Data Processed by CenturyLink as a Processor is determined by the Customer and includes any type of Personal Data Customer elects to send to CenturyLink through Customer’s use of the Services. </p>
<p>F.  .
<b>Categories of Data Subjects.</b> .
The categories of Data Subjects whose Personal Data may be Processed by CenturyLink as a Processor is determined by the Customer and includes any categories of Data Subjects those Personal Data Customer elects to send to CenturyLink to Process through Customer’s use of the Services. </p>
<b>CenturyLink Products Processing Only Traffic Data of Customer’s End Users</b>
<p>Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector .
(the ePrivacy Directive) defines traffic data as: any data processed for the purpose of the conveyance of a communication on an electronic communications network or the billing thereof. </p>
<p>The CenturyLink products listed below process only traffic data associated with Customer’s End Users, in the course of providing service to CenturyLink’s customer.</p>
<p>
<b>Voice &.
Unified Communications Product</b>
</p>
<ul>
<li>Hosted VoIP (Voice over Internet Protocol)</li>
<li>Level 3® Voice Complete®</li>
<li>Voice Termination</li>
<li>VoIP (Voice over Internet Protocol) .
</li>
</ul>
<b>CenturyLink Products Not Processing Personal Data of Customer's End Users</b>
<p>Regulation (EU) 2016/679 of 27 April 2016, the General Data Protection Regulation (GDPR), defines personal data as: any information relating to an identified or identifiable natural person.
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.</p>
<p>The CenturyLink products listed below process no personal data associated with CenturyLink’s Customer’s end users, in the course of providing service to CenturyLink’s Customer.</p>
<p>
<b>CDN</b>
</p>
<ul>
<li>Vyvx Solutions</li>
</ul>
<p>
<b>Hybrid IT &.
Cloud Solutions</b>
</p>
<ul>
<li>Bare Metal</li>
<li>CenturyLink Cloud Block Storage</li>
<li>CenturyLink Network Storage</li>
<li>Cloud Application Manager (CAM) </li>
<li>Cloud Application Manager - Dedicated (CAM-D)</li>
<li>Cloud Application Manager (CAM) - Managed Services Anywhere</li>
<li>Cloud Connect (Private Network connections to a Cloud Provider using Wavelengths, Dynamic Connections, e-Line, eLynk, IPVPN, EVPL)</li>
<li>Data Protect Backup / Data Protect Backup Dedicated</li>
<li>Disaster Recovery as a Service</li>
<li>Foundation Hosting / Custom Managed Server / Managed Server 1.0</li>
<li>Object Storage</li>
<li>Private Cloud:<br>
<ul>
<li>CenturyLink Private Cloud on VMware Cloud Foundation (CPC on VMF)</li>
<li>Dedicated Cloud Compute (DCC) Virtual Intelligent Hosting Node (VIHN)/Virtual Intelligence Hosting Instance (VIHI)</li>
<li>Private Cloud on VMware Cloud Foundation (formerly known as Dedicated Cloud Compute Foundation (DCC-F))</li>
</ul>
</li>
<li>Resiliency Services </li>
</ul>
<p>
<b>Networking</b>
</p>
<ul>
<li>Colocation (Colocation Dedicated Hosting Services)</li>
<li>DF IRU (Dark Fiber Indefeasible Right to Use)</li>
<li>DF Lease (Dark Fiber Lease)</li>
<li>Dynamic Connections Ethernet</li>
<li>E-LINE</li>
<li>eLynk (see Cloud Connect)</li>
<li>Ethersphere (EVPL/VPLS, Legacy CenturyLink VPN, EVPL/VPLS (NID RECOMMENDED))</li>
<li>Managed Network/ Managed Router (formerly known as CPE Based Managed Services) </li>
<li>MPLS/IPVPN</li>
<li>SD-WAN with Cisco Meraki</li>
<li>VPN</li>
<li>Wavelength Services</li>
</ul>
<p>
<b>Voice &.
Unified Communications</b>
</p>
<ul>
<li>International Voice Termination</li>
<li>IPVPN (Internet Protocol Virtual Private Network)</li>
<li>Local Inbound</li>
</ul> Privacy Data Sheets for CenturyLink Products and Services <p>Click to download (PDF):</p>
<i>
</i> Adaptive Network Security (ANS) <i>
</i> Adaptive Threat Intelligence (ATI) <i>
</i> BlueJeans <i>
</i> Cisco Webex delivered by CenturyLink <i>
</i> Content Delivery Network (CDN) <i>
</i> DDoS Mitigation <i>
</i> Dedicated Internet Access (DIA) <i>
</i> High Speed IP (HSIP) <i>
</i> Hosted Skype for Business <i>
</i> iMeet Live <i>
</i> Managed Event <i>
</i> Managed Firewall <i>
</i> Managed Video Conferencing <i>
</i> Network Protection Service (NPS) <i>
</i> Ready-Access <i>
</i> SD-WAN Services with Cisco Viptela <i>
</i> SD-WAN with Versa Networks <i>
</i> Security Log Monitoring (SLM) <i>
</i> Web Meeting <p>All downloads require the free Acrobat Reader to view.<br>
</p>