Data Processing Activities
Nature and purpose of personal data processing
In the course of providing products and services (“services”) to its customers, Verizon and its affiliates (“Verizon”), as well as its vendors and partners may need to process personal data as defined in the EU General Data Protection Regulation (GDPR) and other privacy laws around the world. Article 28 requires Processors to provide detailed information to Controllers as to how their data will be processed. Article 30 also requires the Controller (with the assistance of its processors) to demonstrate how it will comply with the GDPR. The following information explains Verizon’s status under GDPR and similar privacy laws around the world and provides customers with further information regarding Verizon’s key services and the nature of processing where the GDPR or equivalent privacy laws are applicable.
When Verizon is a controller.
Verizon processes personal data for administrative purposes in order to manage the relationship with its customers. This will include activities such as billing, installation, maintenance and customer service. In such circumstances Verizon is the Controller because it ‘determines the purpose and manner in which the data will be used’. Personal data processed for these administrative purposes will be retained in accordance with applicable law(s) and/or Verizon records retention policies unless otherwise stated in the customer agreement. For further information regarding the use of this data please contact emeadataprotection@intl.verizon.com.
In addition, in a limited set of circumstances Verizon may be considered a Controller in the course of providing services to customers. This will occur when Verizon is providing services where Verizon determines how the data should be processed in order to provide the service.
Example: Verizon provides professional services to a customer in Belgium. This may include services such as managed security and on-premise security solutions. In such circumstances, it will be necessary for Verizon to process Customer Data. In doing so Verizon will determine how the data should be processed in order to provide the service requested.
When Verizon is a processor.
If GDPR applies, in most cases, when providing services to customers, Verizon will be a Processor. This means that Verizon will act on the instructions of the customer with regards to the personal data.
Example: Verizon provides managed hosting services to its customer in Italy. The customer collects personal data about its end users and employees which Verizon stores on its behalf. In the course of providing such services Verizon may access this data and is a Processor on behalf of the customer.
Where GDPR does not apply.
There will be circumstances where GDPR does not apply. This can be because the data used to provide the service is not included in the definition of personal data under Article 4 of GDPR, or because the nature of the services Verizon is providing is not considered Processing under Article 4 GDPR.
Example: An EU based customer purchases network services from Verizon. Verizon does not have logical access to any customer data in connection with the services. Verizon is not considered a Processor as it is a ‘mere conduit’ of the data (Article 2(4) GDPR and Article 12 Directive 2000/13/EC).
Example: An EU based customer purchases pure co-location services from Verizon in Amsterdam. The customer’s servers reside in Verizon’s data centre but Verizon provides only space, power, cooling, and physical security for the server. This is not considered processing under GDPR.
Where Verizon is a Processor, customers should understand what Verizon is doing with their personal data.
What are the categories of personal data?
Verizon will process a limited amount of personal data when providing services to customers. This will include:
- contacts of customers
- customer’s employees
- customer contractors
The nature of personal data.
The type of data processed by Verizon Enterprise Solutions will depend on the nature of the business. However, when processing data on behalf of its customers Verizon is likely to process: IP traffic; names; business email addresses; business telephone numbers.
Verizon Connect will process additional types of personal data when providing services. This may include the following data elements that are necessary to provide telematics service: End user email address; IP address and geo-location data.
In addition, at a customer’s request Verizon Connect can collect other information including driver licence expiration details. Any additional information would be at the direction of the customer and will be specifically agreed in the contract.
International transfers
Verizon processes data outside the EEA. Verizon has Binding Corporate Rules (BCRs) approved as both a Controller and Processor. As a result, Verizon Enterprise Solutions and Verizon Connect may transfer personal data outside of the EEA consistent with Article 47 GDPR. Further information regarding Verizon’s BCRs can be found at the International Privacy Centre.
Data retention
Where a specific data retention period is not defined in the [tables below] for a service, the retention period may be agreed as part of the contractual negotiations on an individual customer basis and detailed in that contract.
Privacy contact details
For queries regarding data processing activities please e-mail or contact us in writing at the following address:
Jannine Aston
International Data Privacy Office
Verizon Legal Department
RIBP Floor 1 Spur D Basingstoke Road
Reading, Berkshire
United Kingdom RG26DA
Please note that not all Verizon companies are required to appoint a Data Protection Officer (DPO) for the purposes of Article 37 GDPR. This is due to the differing nature of the services that they provide. However, Verizon Connect is required to appoint a DPO and she can be contacted as described above.
There may also be other countries outside the EU that require a DPO to be appointed such as Brazil and for this purpose the same contact details are applicable.
Security
Please refer to the Verizon Security Summary for a description of the technical and organisational security measures that Verizon implements to comply with its obligations under Article 32(1).
Where additional security measures are necessary for particular services, these will be detailed in the customer’s contractual documentation.
Description of processing of personal data by Verizon for services as Processor for Customer – Article 28 GDPR
Please note that if you cannot find your service listed in the attached links you should contact your account team who can provide you with additional information where applicable.
Verizon services processing details information
Verizon Connect services processing details information
For further information regarding how Verizon will protect your data please see the Verizon International Privacy Policy