Lumen Data Protection Exhibit
Applicability. This Data Protection Exhibit (“DP Exhibit”) forms part of the Agreement between Customer and CenturyLink and is applicable to the provision of certain CenturyLink Services. In the event of a conflict between the Agreement, the applicable Services Exhibit(s) and this DP Exhibit, the terms of this DP Exhibit shall control.
Definitions. In this DP Exhibit, the following definitions apply:
“Data Controller” “Data Processor” “Data Subjects” “Personal Data” and “Personal Data Breach” shall have the meanings ascribed to them in the GDPR.
“Data Protection Laws” means the provisions of applicable laws regulating the use and processing of data relating to persons, as may be defined in such provisions, including a) prior to 25 May 2018, the EU Data Protection Directive 95/46/EC, b) after 25 May 2018 the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”), c) the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and d) all other applicable laws and regulations relating to processing of personal data.
“Services” means the CenturyLink Services to be provided to Customer under the Agreement and the applicable Services Exhibit(s).
Compliance with Data Protection Laws.
CenturyLink and Customer agree that, Customer is an independent Data Controller with respect to the processing of Personal Data which is necessary for the operation of the Services, and CenturyLink is an independent Data Controller with respect to the processing of billing, utilisation, usage patterns/counts/statistics, traffic data and other Customer account related information (e.g. name, address, email address)to the extent it is Personal Data, which is necessary for CenturyLink’s performance of its obligations under the Agreement and the applicable Services Exhibit(s), or with respect to any Personal Data held for general business purposes.
CenturyLink and Customer shall each comply at all times with its obligations under Data Protection Laws in respect of any Personal Data processed by it under the Agreement.
CenturyLink acknowledges that it is a Data Processor on behalf of the Customer for the purposes of providing Services and performing its related obligations (including incident resolution, support or consultancy services). The subject matter, duration and nature of the processing, the types of Personal Data and applicable Data Subjects are described in the applicable Services Exhibit(s).
In so far as CenturyLink processes Personal Data on behalf of Customer as a Data Processor, CenturyLink will (and will procure that CenturyLink affiliates will):
Only process Personal Data in accordance with the Customer’s documented instructions, including as set out in the Agreement and this DP Exhibit and ensure that CenturyLink personnel process Personal Data only on such instructions of the Customer, unless processing is required by EU or member state law to which CenturyLink are subject, in which case CenturyLink shall, to the extent permitted by such law, inform Customer of that legal requirement before processing that Personal Data;
Restrict the disclosure and processing of Personal Data to the extent necessary to provide the Services, or as otherwise permitted under the Agreement and this DP Exhibit, or by Customer in writing, and only disclose Personal Data on a need to know basis in connection with the Services to those who have committed themselves to confidentiality, or as required by applicable law;
Taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement and maintain appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing and ensure a level of security appropriate to the risk presented by the processing;
Ensure that only those personnel who need to have access to Personal Data are granted access to it, and that such access is granted only for the proper provision of the Services; and
If and to the extent CenturyLink retains a copy of any Personal Data, not retain that Personal Data for longer than is necessary to perform the Services and at Customer’s option, securely destroy or return such Personal Data, except where required to retain the Personal Data by law or regulation. The parties agree that CenturyLink shall not actively process such Personal Data and shall be bound by the provisions of this DP Exhibit in respect of any such retained Personal Data. CenturyLink shall delete such data promptly after it ceases to be obliged to retain it and shall only process it to the extent required to comply with applicable laws.
The Customer generally authorises CenturyLink to appoint sub-processors in accordance with any restrictions in this DP Exhibit and the Agreement.
Prior to disclosing any Personal Data to any sub-processor, CenturyLink shall ensure that it has undertaken appropriate due diligence in respect of such sub-processor, and shall ensure the sub-processor enters into a written agreement on terms which provide that the sub-processor has equivalent obligations to those set out in this DP Exhibit. CenturyLink shall remain fully liable to Customer for any breach of such obligations by the sub-processor.
CenturyLink shall maintain an up to date list of its sub-processors and shall inform Customer with details of any intended change in sub-processors at least 30 days prior to any such change. The Customer may object to CenturyLink's appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, CenturyLink will either not appoint or replace the sub-processor or, if this is not possible, the Customer may terminate the applicable Service Exhibit (without prejudice to any fees incurred by the Customer prior to termination). CenturyLink shall not use such sub-processor until any such objections are resolved or the Customer has terminated the applicable Service Exhibit.
CenturyLink shall, insofar as is possible, promptly notify Customer of any inquiry, complaint notice or other communication it receives from any supervisory authority, or from any Data Subject relating to the Services (including any requests to access, correct, delete, block or restrict access to their Personal Data or receive a machine-readable copy thereof) and, insofar as is possible and to the extent technically feasible, assist Customer with its obligation to respond to any notification or Data Subject rights request in accordance with the timescales set out in the Data Protection Laws.
If Customer reasonably believes that CenturyLink’s processing of Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, CenturyLink shall, on request from Customer, assist Customer in connection with any data protection impact assessment and prior consultation, which may be subject to additional fees and terms, that may be required under Data Protection Laws, taking into account the nature of the processing and the information available to CenturyLink.
Breach Reporting. CenturyLink shall notify Customer without undue delay on becoming aware of any Personal Data Breach involving Personal Data Processed on behalf of Customer using the Services, and thereafter co-operate with Customer and provide assistance as may be reasonably required by Customer in the investigation, remediation and mitigation of such breach. CenturyLink shall provide reasonable assistance to Customer in respect of any breach reporting obligations Customer may have, and provide such additional information relating to such breach as Customer may reasonably require. The parties will agree in advance and in writing on any material remediation responsibilities and costs that exceed CenturyLink’s standard incident response process.
Audits. CenturyLink will maintain all information necessary to demonstrate compliance with its obligations identified in this DP Exhibit and a written record of all processing of Personal Data on behalf of Customer and, upon reasonable request grant Customer and its auditors and agents a right of access to and to take copies of records relating to compliance and all processing of such Personal Data on behalf of Customer in order to assess whether CenturyLink has complied with its obligations in respect of the processing of Personal Data. Upon reasonable notice, CenturyLink shall allow Customer to, or where applicable, shall cooperate with Customer and CenturyLink’s third-party providers to arrange for access to premises and other materials and personnel and shall provide reasonable assistance in order to assist Customer in exercising its audit rights under this clause provided that: (i) such access shall occur at a mutually agreeable time and the scope of the visit will be mutually agreed upon; (ii) such access shall not unreasonably interfere with CenturyLink’s operations; and (iii) access to CenturyLink premises and systems shall be subject to CenturyLink’s reasonable access requirements and security policies, and shall not compromise any confidential information to which the Customer has no entitlement.
Transfers. CenturyLink shall not transfer any Personal Data outside the EEA except to the extent authorised by Customer as follows:
At the date of this DP Exhibit Customer authorises CenturyLink to transfer Personal Data to the United States for the specific purpose of providing Services and performing its obligations under the Agreement and applicable Services Exhibit. The parties agree to enter into the Standard Contractual Clauses (in the form adopted by decision 2010/87/EU of 5 February 2010) with CenturyLink affiliate(s) on Customer’s behalf and in Customer’s name in order to provide adequate protection for such Personal Data, with Appendix 1 and Appendix 2 to such Clauses in the form appended hereto; and
If after the date of this DP Exhibit, CenturyLink (or any affiliate or any sub-contractor) proposes to transfer any Personal Data outside the EEA, other than as authorised above, CenturyLink (or any affiliate or any sub-contractor) shall obtain Customer’s consent prior to such transfer, which consent may be conditional upon the relevant parties having entered into an agreement what ensures that Personal Data is accurately protected as required by the Data Protection Laws.
Damages Cap. NOTWITHSTANDING ANYTHING TO THE CONTRARY ELSEWHERE IN THE AGREEMENT, THE TOTAL AGGREGATE LIABILITY FOR EACH PARTY ARISING OUT OF OR RELATED TO THIS EXHIBIT WILL BE LIMITED TO THE LESSER OF (I) THE TOTAL MRCs AND USAGE CHARGES PAID OR PAYABLE BY CUSTOMER TO CENTURYLINK IN THE 12 MONTHS IMMEDIATELY PRECEDING THE OCCURRENCE OF THE EVENT GIVING RISE TO THE CLAIM, OR (II) TWO MILLION DOLLARS. IN ADDITION, CENTURYLINK WILL NOT BE LIABLE HEREUNDER TO THE EXTENT ANY LIABILITY IS CAUSED BY OR CONTRIBUTED TO BY ANY PARTY OTHER THAN CENTURYLINK OR ITS SUBPROCESSORS.
Future Amendments. The parties may amend this DP Exhibit at any time during the term of the Agreement by written agreement if necessary to comply with any legal requirement or guidance from a supervisory authority, or if required to take account of any changes to the processing of Personal Data pursuant to the Agreement and applicable Services Exhibit(s).
Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed by the Parties.
Data Exporter: The Data Exporter is Customer, a business customer of the Data Importer that is domiciled in the United States and that processes personal data in the ordinary course of its business, and that desires to obtain processing services, as authorized by its Affiliates in the EEA and their respective branches who are controllers based in the EEA.
Data Importer: The Data Importer is CenturyLink Communications, a company that is engaged in the provision of communications services, and that provides data processing services to the Data Exporter.
Data subjects: The personal data transferred concerns the current, former, and prospective employees, users, customers and similar parties engaged with the Data Exporter.
Categories of data: The personal data transferred may include, but is not limited to, name, address, email, phone number and such other personal data that may be transferred from the data controller to the data processor for processing services.
Special categories of data: The personal data transferred may concern special categories of data.
Processor operations: The Data Importer will, through authorized personnel, perform the following processing services: cloud hosting and communications services as may be individually ordered by Data Exporter and as more fully described in service orders, service exhibits and similar contractual documentation.
Standard Contractual Clauses
CenturyLink has implemented the data security measures described in this Appendix and shall maintain them, or an equally secure equivalent, during the applicable term of the Services. These measures generally apply to CenturyLink’s standard services and certain measures may not apply or may be applied differently to customized services, configurations, or environments ordered or as deployed by Customer. These measures have been implemented by CenturyLink to protect, directly or indirectly, the confidentiality, integrity and availability of Customer Data. As used in this Appendix, “Customer Data” means any data, content or information of Customer or its end users that is stored, transmitted, or otherwise processed using the CenturyLink Services.
COMPLIANCE WITH LAW, AUDIT REPORT. CenturyLink has adopted and implemented a corporate information security program as described below, which program is subject to reasonable changes by CenturyLink from time to time. CenturyLink has completed an AICPA sanctioned Type II audit report (SSAE18/ISAE3402 SOC 1 or SOC 2) for certain facilities/services and will continue to conduct such audits pursuant to a currently sanctioned or successor standard. Customer will be entitled to receive a copy of the then-available report upon request, which report is CenturyLink Confidential Information. Customer may make such report available to its end users subject to confidentiality terms provided by CenturyLink. Customer will ensure that all Customer Data complies with all applicable laws and appropriate information security practices, and nothing herein shall relieve Customer from its responsibility to select and implement such practices.
INFORMATION SECURITY PROGRAM. CenturyLink has implemented an information security program (the “Program”) that includes reasonable measures designed to: (1) secure the confidentiality and integrity of Customer Data; (2) to the extent related to the Services and CenturyLink infrastructure, protect against foreseeable threats to the security or integrity of Customer Data; (3) protect against unauthorized access to, disclosure of or unauthorized use of Customer Data; and (4) provide that CenturyLink employees are aware of the need to maintain the confidentiality, integrity and security of Customer Data. CenturyLink will limit access to Customer Data to only those employees, agents, contractors or service providers of CenturyLink who need the information to carry out the purposes for which Customer Data was disclosed to CenturyLink.
The CenturyLink Program is modelled on the ISO27001:2013-based Information Security Management System (“ISMS”), which establishes the guidelines and general principles used for establishing, implementing, operating, monitoring, reviewing, maintaining and improving protections for CenturyLink information and Customer Data. The CenturyLink Program, in alignment with the ISMS, is designed to select adequate and proportionate security controls to protect information and provides general guidance on the commonly accepted goals of information security management and standard practices for controls in the following areas of information security management:
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Communications security
- Access control
- Information systems acquisition, development, and maintenance
- Information security incident management
- Business continuity management
- Supplier relationships
CenturyLink has also implemented a formal information security policy and supporting methods and procedures, technical standards, and processes to reinforce the importance of information security throughout the organization (“Information Security Policy”). The Information Security Policy is in alignment with ISO 27002:2013 and is approved by the Chief Information Security Officer. The Information Security Policy outlines the requirements to maintain reasonable security for the Services. Employees and contractors with access to corporate information and Customer Data are required to complete annual security training based on the Information Security Policy. The Information Security Policy includes the following:
- Physical Security Policy for data centers and Office Locations
- Electronic Use Policy including:
- Email Usage
- Wireless Networks
- Internet Access
- Anti-Virus control
- Password Management
- Remote and Home Working
- Computer Security Incident Response Plan
- Information Protection
- Third Party Connections Agreements
- Third Party Access
- Wireless Scanning
- Risk Management
- Vendor Management
SPECIFIC SECURITY CONTROLS. CenturyLink’s security controls include:
- Logical access controls to manage access to Customer Data on a least privilege and need-to-know basis, including through the use of defined authority levels and job functions, unique IDs and passwords, strong (i.e. two-factor) authentication for remote access systems (and elsewhere as appropriate), and promptly revoking or changing access in response to terminations or changes in job functions.
- Password controls to manage and control password complexity and expiration. Any password controlling access to the CenturyLink infrastructure must be of a minimum length and complexity.
- Operational procedures and controls to provide that technology and information systems are configured and maintained according to prescribed internal standards.
- Network security controls, including the use of firewalls, layered DMZs, and updated intrusion detection/prevention systems to help protect systems from intrusion and/or limit the scope or success of any attack or attempt at unauthorized access.
- Vulnerability management procedures and technologies to identify, assess, mitigate and protect against new and existing security vulnerabilities and threats, including viruses, bots, and other malicious code.
- Approved anti-malware software is installed on CenturyLink equipment capable of running it where the risk of infection is high. It is configured to prevent users disabling the software where possible or altering its configuration without authorization. Periodic evaluations are performed to confirm whether systems continue to require (or not) antivirus software.
- Change management procedures outlining that modifications to CenturyLink technology and information assets are tested, approved, recorded, and monitored.
- Organizational management designed to ensure the proper development and maintenance of information security and technology policies, procedures and standards.
- Dedicated organizations with global responsibility for all physical security operations, security systems, access administration, and security controls within all CenturyLink-owned facilities and data centers. Third-party data centers are utilized for certain services and, in such cases, certain physical security and other controls are reviewed by CenturyLink.
- Security policies which reinforce the importance of physical security of all company facilities including procedures specific to data center physical security. Data center security personnel are responsible for controlling data center access, monitoring local security alarms and managing all reported physical security-related events.
- CCTV (Closed Circuit Television) commonly deployed as a physical security control in high value facilities to deter, detect and identify intruders. The Corporate Security Operations Center (CSOC) provides global, 24/7 support with remote monitoring, management, administration and maintenance of the CCTV video surveillance systems used throughout CenturyLink.
- The Central Access Control Center (CACC) supports the distribution of all CenturyLink access badges and administration of access permissions within the access control system.
- Disposal procedures for different types and classifications of information which are documented and communicated to personnel. Employees have access to secure shredders for hardcopy. Electronic media are disposed of through certified disposal vendors.
- Pre-employment screening and background checks are conducted on incoming personnel in accordance with CenturyLink human resource on-boarding practices and applicable local law. The checks are dependent on, amongst other things: the role, location, any custom requirements, and can include: identity, drug, criminal, academic and credit checks.
- Annual security awareness training for CenturyLink employees and contractors working on CenturyLink premises. The training reflects current threats and encourages basic security good practice, access to and knowledge of Information Security Policy and procedures such as how to report an incident. Employees in particular positions receive supplementary security training and if a training or testing issue arises (e.g., internal phishing exercises), further guidance is provided. CenturyLink conducts a continuous program of phishing tests on staff to reinforce the requirement for awareness and good email and browsing habits and to assess the effectiveness of security awareness training. The company intranet and email system are used to disseminate flash announcements on security matters as appropriate.
- SECURITY AUDITS. Customer may, no more than once per year and at its own expense, audit CenturyLink’s performance with respect to its security obligations under this Appendix (“Audit”). In the event Customer retains a third party to perform an Audit, CenturyLink may require additional documentation be executed by the third party auditor prior to granting access to a CenturyLink facility where Services are provided, and CenturyLink may, at its sole and reasonable discretion, decline to allow a third party access to a data center. CenturyLink shall reasonably cooperate with Customer in its performance of the Audit and shall make available to Customer or its auditors documents and records reasonably required to complete the Audit. CenturyLink shall provide Customer with reasonable access to the relevant facility for the purpose of inspection of the equipment and facilities which are used to provide the Services to Customer. For purposes of clarification, access will not be granted to certain areas of certain facilities (such as data centers) to which CenturyLink does not generally allow access to its customers (e.g. areas which house equipment used to support services for multiple customers). Audit access is subject to CenturyLink’s reasonable security requirements for its most sensitive security policies/materials. Audit access must be within CenturyLink’s normal business hours and must be scheduled at least ten (10) business days in advance, and Customer or its auditor shall be escorted by CenturyLink personnel during the period of access. The Audit and any findings related thereto shall be treated as Confidential Information.
- SECURITY INCIDENTS AND RESPONSE.In the event CenturyLink determines that a Security Incident has impacted Customer Data, CenturyLink shall promptly take the following actions:
- Notify Customer of such Security Incident and provide periodic updates as appropriate given the nature of the Security Incident and as information becomes available;
- Take reasonable steps to remediate and mitigate the Security Incident, to the extent such steps are technically feasible and appropriate in the circumstances;
- Conduct a preliminary investigation into the Security Incident to determine, to the extent reasonably feasible, its root cause; and
- Reasonably cooperate with Customer in its efforts to remediate or mitigate the Security Incident and its efforts to comply with applicable law and legal authorities, as necessary.
For purposes hereof, “Security Incident” means any unlawful or unauthorized access, theft, or use of Customer Data while being stored, transmitted or otherwise processed using CenturyLink services.