Data Protection Information Sheet

For customers of
Telefónica Germany GmbH & Co. OHG
Georg-Brauchle-Ring 50
80992 Munich

hereinafter referred to as “Telefónica Germany”.

Introduction

In this document, Telefónica Germany GmbH & Co. OHG (hereinafter “we”) will provide you with information on how your data are processed in connection with the use of our telecommunications services and products as an end customer (e.g. telecommunications service, sale of devices) and your rights under data protection laws. If you, as our contractual provider, pass on our services/products for use by other persons, we process their data as well. Please inform these persons of the content of this data protection information sheet. 

If you use our web services (e.g. website, online self-service area, apps), please also consult the data protection declarations for our web services. 

1. Controller contact details

   Telefónica Germany GmbH & Co. OHG, Georg-Brauchle-Ring 50, 80992 Munich, Germany, encrypted contact form: https://www.telefonica.de/datenschutz-kontakt

2. Data Protection Officer contact details

   Telefónica Germany GmbH & Co. OHG, Data Protection Officer, Georg-Brauchle-Ring 50, 80992 Munich, Germany, encrypted contact form: https://www.telefonica.de/datenschutz-kontakt

3. Personal data

   Personal data means any information relating to an identified or identifiable natural person (“data subject”). 

   In connection with telecommunications contracts, we process customer data and traffic data in particular (see section 5 for information on traffic data).

   Customer data are all personal data needed for the formation, content design, amendment or termination of your contract, such as your name, title, address, date of birth, phone number, total monthly sales, total use per network (national and international), start and end of your contract, correspondence with us about your contract. 

4. Purposes and legal basis of data processing

   We process personal data in line with the provisions of data protection law.

   1. Contract fulfilment/steps prior to entering into a contract (Article 6(1) (b) of the GDPR)

      Personal data are processed for the purposes of entering into a contract and performing and terminating contracts that have already been entered into. This includes data processing in connection with our customer service, for example. The personal data required for entering into a contract are marked as mandatory in the order forms. The contract cannot be entered into without these personal data being provided.

   2. Protection of legitimate interests (Article 6(1) (f) GDPR)

      We process your personal data to the extent that this is necessary to protect our interests or the interests of third parties and do not outweigh your interests. We process personal data in order to protect the following legitimate interests:

      • detecting risks of default (e.g. credit check, fraud prevention);
      • collecting or selling outstanding receivables (e.g. debt collection);
      • refinement of our services and products (e.g. by analysing connections between multiple contracts);
      • gaining insight into market structures and dynamics (e.g. market research and opinion polling);
      • preventing and investigating crimes and abuse;
      • averting damage to our IT systems;
      • preventing products from being sent to the wrong address (e.g. address verification);
      • billing with parties involved in the provision and distribution of our services;
      • safeguarding legal claims and defence in legal disputes.

   3. Compliance with a legal obligation (Article 6(1) (c) GDPR)

      We are subject to various legal provisions that can give rise to an obligation to process personal data: requirements of telecommunications law, including to provide information, including identity checks, information and telecommunications surveillance, information on incoming calls (malicious caller identification) and to connect emergency calls under commercial, company, competition and tax laws, data protection laws and other general statutory obligations or official orders.

   4. Processing on the basis of consent (Article 6(1) (a) GDPR)

      We process your personal data if you have consented to this, e.g. for recording calls on our hotlines. You can revoke your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. You will receive further information, e.g. on purposes and your options for revoking consent, when you grant your consent.

5. Traffic data and communication content

   Traffic data are data that must be collected, processed or used for the performance of telecommunications services: the number or name of your call and your devices; the telecommunications services you have used, including the location data generated, IP addresses, start, end and scope of the calls and data volumes transmitted.

   We process your traffic data:

   • to perform our telecommunications services (section 9 of the Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG – German Telecommunications-Telemedia Data Protection Act));
   • to market telecommunications services, appropriately design telecommunications services or provide services if you have granted consent (section 9 TTDSG);
   • to fulfil our duties to process traffic data on the basis of other legal provisions (section 9 TTDSG);
   • for charging and billing purposes (section 10 TTDSG);
   • to identify, limit and fix faults and to secure our claim to remuneration in order to detect and stop the illegal use of telecommunications services (section 12 TTDSG).

   We only store the content of your communications in the form of intermediate storage for the provision of certain services (e.g. text messages, mailbox systems), to the extent that this is necessary (section 6 TTDSG) and has been agreed with you.

6. Recipients of personal data

   The following recipients have access to your personal data to the extent necessary to fulfil the purposes described above:

   • employees of our company;
   • data processors that assist us in processing data for the purposes of order processing in the areas of IT and network operation, analysis, call centres, customer service, mail processing, destruction of files/data storage media, letter shop, print shop, archiving, identity checks, credit ratings, fraud prevention, sales partners, advertising and marketing, market research, operation of online services, websites and apps. These service providers were carefully selected and are subject to strict contractual agreements, including with respect to confidentiality;
   • other recipients outside our company not acting on our behalf for the purposes of order processing:
   • telecommunications service providers, e.g. for making calls, sending text messages, etc.;
   • other companies involved in providing the requested service, e.g. directory publishers if you wish to be included in a telephone directory, companies that offer music services if such services are desired, or companies hired to make repairs to your devices;
   • sales partners and other companies assisting us in the distribution of our products;
   • banks, e.g. to provide direct debit services;
   • payment service providers, e.g. for alternative payment methods;
   • debt collection companies, e.g. for the collection of outstanding receivables;
   • credit agencies (see section 9 for more information);
   • tax advisors/auditors for ensuring and reviewing the compliance of accounting with the statutory provisions (e.g. the provisions of tax law);
   • lawyers for the representation and enforcement of our legal interests;
   • logistics providers used for postal delivery.

   These recipients are also required to maintain data protection on the basis of statutory or professional obligations or contractual agreements.

   • official authorities (e.g. requests for information from investigating authorities) or natural/legal persons (e.g. for copyright claims), in some cases on the basis of statutory obligations.

7. Processing in third countries

   We only process your personal data in Germany and within the European Union. 

   Personal data are only processed in countries outside the European Union (“third countries”) when there is an “adequacy decision” from the European Commission for the respective third country (Article 45 GDPR) or the recipient has established “appropriate safeguards” (Article 46 GDPR) or “corporate rules” (Article 47 GDPR). Additional procedures are arranged with the recipient in the third country if necessary. General information on adequacy decisions: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en; General information on appropriate safeguards: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en; General information on corporate rules: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/binding-corporate-rules_en. You can contact the officer in charge for further information.

   In other respects, your personal data are only processed in third countries to the extent that this is necessary for contract performance (e.g. provision of telecommunications service – calls to third countries/roaming calls), you have given your consent or we are legally obliged to do so. 

8. Data transfer to credit agencies

   We work with the following credit agencies in connection with the conclusion, fulfilment and termination of contracts:

   • SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany (hereinafter referred to as “SCHUFA”)
   • infoscore Consumer Data GmbH, Rheinstr. 99, 76532 Baden-Baden, Germany
   • CRIF GmbH, Leopoldstrasse 244, 80807 Munich

   When entering into contracts with business customers, we also work with the following credit agencies:

   • Verband der Vereine Creditreform e.V., Hammfelddamm 13, 41415 Neuss
   • Dun & Bradstreet Deutschland GmbH, Robert-Bosch-Str. 11, 64293 Darmstadt

   Credit and identity checks

   We use automated decision-making for contracts in which we provide performance in advance of payment (e.g. fixed-term contract, payment on account) and contracts in which we offer payment in instalments or by direct debit. Such wholly automated decision-making produces a decision based on automatic processing with no involvement on the part of a natural person. This involves the processing of personal data to assess certain personal aspects such as reliable payment of invoices (profiling).

   To do so, we send the personal data provided during contract formation (name, addresses, date and place of birth, e-mail address, bank account details) to one or more of the above credit agencies for a credit and identity check (Article 6(1) (f) GDPR). 

   We use probability scores – credit scores – for credit checks. Forecasts are made of future payment behaviour on the basis of personal data and, where applicable, past experience. The credit scores are calculated on the basis of various data categories that have been demonstrated to be significant in calculating the probability of future default using a scientifically recognised mathematical-statistical process. In addition to the external scores that we receive from credit agencies, we also calculate internal scores. To calculate the internal score, we essentially use billing information linked to your request, payment histories and reminders for the past 24 months, the duration of the oldest contract and ongoing hardware financing. The scores thus calculated represent the probability of default at the respective invoice date. Address data are also used in calculating the credit scores. 

   You have the right to obtain human intervention, to express your point of view and to contest the decision. If there are grounds to reject the contract, e.g. the suspicion of misuse or an inadequate credit rating, the evaluation and the underlying evidence can be reviewed by an employee. If you have specific reason to believe that our decision is based on personal data that you consider to be incomprehensible or incorrect, you are welcome to express your view to us so that we can check it again. A contract may possibly be entered into under amended conditions. 

   Registration of receivables

   If the legal conditions are met, we also send credit agencies data on conduct in breach of contract (e.g. receivables due, account/card misuse) in order to protect ourselves and market participants against bad debts (Article 6(1) (f) GDPR). You will be informed of the planned registration of such data in advance.

   In addition to the above credit agencies, Telekommunikations-Pool (c/o infoscore Consumer Data GmbH, Rheinstrasse 99, 76532 Baden-Baden) receives information on conduct in breach of contract: Telekommunikations-Pool (hereinafter referred to as “TKP”) is tasked with providing us and other TKP participants with information in order to protect us and other TKP subscribers against bad debts while also enabling us to protect you against further consequences in the event of the loss or misuse of your mobile phone card(s) (Article 6(1) (f) GDPR). TKP is a joint institution of companies providing paid telecommunications or telemedia services commercially.

   Creation of a service account (SCHUFA)

   To protect market participants against bad debts and risks, we send personal data on the application for, commencement and termination of the telecommunications contract (name, addresses, date of birth, information on the formation of this telecommunications contract, reference to the contract) to SCHUFA if sufficient relevance arises from the contracts (Article 6(1) (f) GDPR).

   It is important to establish as full a picture as possible of existing financial obligations in order to reliably assess a customer’s credit rating. The storage of contractual relationships in the telecommunications sector at SCHUFA assists with this. If you do not wish your data to be sent to SCHUFA, please write to SCHUFA-SK@telefonica.com.

   Further information on the credit agencies can be found here:

   • Schufa: https://www.schufa.de/datenschutz-dsgvo/
   • Infoscore & Telekommunikations-Pool: https://www.experian.de/selbstauskunft
   • CRIF: https://www.crif.de/datenschutz/
   • Creditreform: https://www.creditreform.de/datenschutz
   • Dun&Bradstreet: https://www.dnb.com/de-de/daten-und-sicherheit/

9. Erasure of personal data

   We erase personal data when they are no longer required (for the purposes described above). 

   We erase customer data without delay after the end of the contract unless we require them for post-contractual support, or no later than 14 months. Longer storage may be required in some cases (e.g. in the event of outstanding payments or legal disputes) until outstanding issues are resolved. We also store your data on the basis of statutory guidelines (e.g. requirements under commercial law, tax law or telecommunications law); in these cases we erase the data after the end of the statutory retention periods. 

   Scoring data are erased one year after being received. Data from accepted orders in the area of risk assessment (credit rating and fraud prevention) are erased three years after being received; data on rejected orders are erased no later than one year after being received.

   After the end of your call, we determine which of your traffic data are relevant for billing purposes. Data that are not relevant for billing with you or other service providers (which may include data from flat-rate calls and the number of your device) are erased immediately. The traffic data used to calculate your bill are erased no more than six months after the respective invoice is issued. If you have objected to a bill, your data may be stored until the objections have been conclusively resolved. Your traffic data are also stored beyond this period if we are legally required or entitled to do so. 

   Communications content stored on an intermediate basis is erased after the retention periods agreed with you end. 

   If you have granted your consent for the processing of your personal data, we will erase your personal data at the latest when you revoke your consent and there is no other legal basis for processing.

   If you have entered into a contract with us that does not involve a telecommunications service (e.g. Mobile Device Management, Firewall, Cyber Threats), the personal data processed in connection with this contract are erased as soon as they are no longer required (e.g. end of warranty period) and the statutory retention periods have expired.

10. Source of personal data

    We do not just process personal data obtained directly from you. We obtain personal data from third parties in the following cases:

    • we obtain credit information (credit score, reportable negative entries in public registers, debt collection reports, identity information and associated address data) from credit agencies;
    • we obtain call data from the other network providers for billing purposes when our services are used through other network providers (e.g. roaming);
    • we obtain customer data from our sales partners if you utilise their services;
    • we obtain information on purchases of additional services from the companies involved in providing the requested service in order to bill the service (e.g. use of music services).

11. Statistical analysis

    As a network operator, Telefónica uses anonymised and aggregated information for statistical purposes for the benefit of business and society. No conclusions can be drawn regarding your personal information. Background information on the use of anonymised data for analysis and specific applications and purposes of use can be found at https://www.telefonica.de/analytics. You should always have control of your own personal data. If necessary, you can amend the current status for the inclusion of your data in anonymisation and their use in statistical analysis at https://www.telefonica.de/dap.

12. Hotline contact

    If you contact one of our service hotlines, the number from which you call us and the time and duration of the call will be processed. The call will only be recorded if you consent. Recordings of calls are used for business process and service optimisation and to preserve evidence.

13. Your rights

    As the data subject within the meaning of the GDPR, you have the following rights: 

    • You have the right to obtain information on the personal data being processed (Article 15 GDPR).
    • If you wish to arrange for incorrect personal data to be rectified or incomplete data to be completed, (Article 16 GDPR) you can make these changes yourself in the online self-service area.
    • You have the right to the erasure of your personal data under certain legal conditions (Article 17 GDPR).
    • You have the right to restriction of processing under certain legal conditions (Article 18 GDPR).
    • You have the right to receive or transmit the personal data concerning you under certain legal conditions (Article 20 GDPR). Please log in to your online self-service area to exercise this right.
    • You have the right to revoke your consent for the processing of your personal data at any time with effect for the future. This does not affect the lawfulness of processing based on consent prior to its revocation. When you give your consent, you are also informed of how you can revoke your consent.
    • You have the right to object under certain legal conditions. Information on this is provided in the next section of this data protection declaration.

    You can use our form https://meine-daten.telefonica.de/ to exercise your right of access. If you wish to make an inquiry about the other rights listed or have other questions about data protection, you can use the following form to contact us: https://www.telefonica.de/datenschutz-kontakt

    Alternatively, you can write to us at: 

    Telefónica Germany GmbH & Co. OHG, Data Protection department, Georg-Brauchle-Ring 50 80992 Munich 

    You also have the right to lodge a complaint with a supervisory authority (Article 77 GDPR). You can do so by contacting the data protection authority.

14. Your right to object (Article 21 GDPR)

    You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Article 6(1) (f) GDPR, including profiling based on those provisions. In this case, we will no longer process your personal data for these purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Such objections can be lodged at https://www.telefonica.de/datenschutz-kontakt.

    If we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of these personal data for such marketing, including profiling to the extent that it is related to such direct marketing. We will then no longer process your personal data for this purpose. In connection with our telecommunications contracts, you can also lodge this objection at https://www.telefonica.de/datenschutz-kontakt.

    Alternatively, objections can be lodged in writing at: Telefónica Germany GmbH & Co. OHG, Data Protection department, Georg-Brauchle-Ring 50, 80992 Munich

15. Changes to the data protection information sheet

    As changes in the law or changes to our internal processes can necessitate the revision of this data protection sheet, which right we reserve accordingly, you can access the current version of the data protection sheet using this link.