Report on Transparency in Communications 2020 INTRODUCTION AND SCOPE OF OUR OUR DUE POLICIES AND REPORT BY 2020 REPORT ON TRANSPARENCY IN COMMUNICATIONS THE REPORT GOVERNANCE DILLIGENCE PROCESSES INDICATORS COUNTRY GLOSSARY CONTENTS 03 Introduction and Scope of the Report 04 Our Governance 06 Our Human Rights Due Diligence 08 Applicable Policies and Processes United Kingdom Germany 12 Indicators of this Report Spain Mexico 14 Report by Country Venezuela Colombia 15 Argentina 28 Ecuador 40 Spain Ecuador 18 Brazil 31 Germany 44 United Kingdom Peru 21 Chile 34 Mexico 48 Uruguay 24 Colombia 37 Peru 51 Venezuela Brazil Chile 54 Glossary Uruguay Argentina 2 INTRODUCTION AND SCOPE OF OUR OUR DUE POLICIES AND REPORT BY 2020 REPORT ON TRANSPARENCY IN COMMUNICATIONS THE REPORT GOVERNANCE DILLIGENCE PROCESSES INDICATORS COUNTRY GLOSSARY Introduction and Scope of the Report As testament to our commitment to the are shared when it comes to preserving and fundamental rights of privacy and freedom guaranteeing the rights of individuals. of expression, we are publishing our fifth Transparency Report with the aim of As part of this exercise in transparency, our contributing to a more open and transparent report elaborates on: society. i. our governance regarding human rights Respect for and promotion of human rights, in general and privacy and freedom of particularly privacy and freedom of expression, expression in particular; take on a new dimension in a digital world characterized by the use of new technologies, ii. our human rights due diligence; Artificial Intelligence and a growing importance of data on a global scale. iii. commitments, policies and processes we follow when responding to requests from Like other companies in our sector, at Telefónica Competent Authorities; we receive requests (view definition in glossary) for information concerning the communications iv. information on the legal context that provides of our customers and users, requests for the the Competent Authorities with the legal blocking of access to certain websites and basis to make these kinds of requests1; contents and the filtering of contents, as well as requests whose purpose is to temporarily v. the Competent Authorities that are suspend the service in certain areas or certain empowered under the local legislation to accounts. Such requests are made by the state request information on the indicators we this information so or unless a government or that we reject, the accesses that are affected security forces and bodies, governmental bodies report on; any other public entity already discloses said by each indicator and the URLs and/or IPs and/or judges (hereafter, the "Competent information; affected in the event of any blocking or Authorities", view definition in glossary). vi. the total number of requests we received content restrictions. last year in each of the countries we operate vii. and, in addition, whenever technically Transparency is key in this context, even more in, unless we are prohibited from publishing possible, we report the number of requests so in a world in which spaces of responsibility 1. The specific legal framework of each country, whenever relevant, also points out limitations in terms of how much information on the requests that Telefónica receives can be provided. When we do not provide data, we explain why we cannot do so. 3 INTRODUCTION AND SCOPE OF OUR OUR DUE POLICIES AND REPORT BY 2020 REPORT ON TRANSPARENCY IN COMMUNICATIONS THE REPORT GOVERNANCE DILLIGENCE PROCESSES INDICATORS COUNTRY GLOSSARY Our Governance BOARD OF DIRECTORS Approves the Responsible Business Plan (which includes objectives/measures related to human rights/privacy/freedom of expression). We have established a governance model with clear responsibilities for the protection of human SECRETARY OF THE BOARD rights in general and privacy and freedom of AND REGULATORY AFFAIRS A member of the Board of Directors and responsible, expression in particular. among other matters, for promoting privacy/ freedom of expression with the relevant external Our human rights activities are defined and stakeholders. implemented by means of the Responsible Business Plan, which sets out the company’s sustainability strategy and objectives and is directly approved and monitored by the Board of Directors and its Sustainability and Quality Committee (one of the Board’s permanent SUSTAINABILITY AND QUALITY COMMITTEE AUDIT AND CONTROL COMMITTEE (Permanent committee of the Board) (Permanent committee of the Board) committees). Oversees the implementation of the Responsible Monitors, among other matters, specific issues Business Plan (which includes objectives/measures related to privacy and freedom of expression by Our Human Rights Policy and our due diligence related to human rights/privacy/freedom of means of a regular report by the Compliance Officer process, which are based, amongst others, on expression) by means of a monthly report. and Data Protection Officer. the UN Guiding Principles on Business and Hu- man Rights and the Principles of the GNI (Global Network Initiative), form an integral part of the Responsible Business Plan. This governance model, headed by the Board of RESPONSIBLE BUSINESS OFFICE COMPLIANCE/DATA PROTECTION OFFICER Directors and the Responsible Business Office The Responsible Business Office (headed by the Compliance/Data Protection Officer is the function and involving all the relevant departments, Corporate Ethics and Sustainability department) responsible within the Group for privacy issues. seeks to ensure that our commitment to human brings together all the company’s relevant rights is incorporated into all activities and levels department directors to define and monitor the of the company. Responsible Business Plan. 4 INTRODUCTION AND SCOPE OF OUR OUR DUE POLICIES AND REPORT BY 2020 REPORT ON TRANSPARENCY IN COMMUNICATIONS THE REPORT GOVERNANCE DILLIGENCE PROCESSES INDICATORS COUNTRY GLOSSARY In addition, the DPO (Data Protection Officer) specifically regarding data reported by the busi- is the function responsible within the Group ness units. The objective is to ensure at all times for the protection of personal data and reports the quality of the data as evidence of complying directly to the Board of Directors via the Audit with current legislation and the protection of and Control Committee (one of the Board’s fundamental rights of individuals. permanent committees). The DPO coordinates the Steering Committee, involving all relevant Those requests, which due to their characteris- corporate areas for specific matters relating to tics and exceptional nature so require, are analy- privacy and freedom of expression. As a member sed by the heads of the respective business of the aforementioned Responsible Business units by means of the appropriate weighting of Office, the DPO regularly feeds issues related to all the interests potentially involved, including his function back into said Office. human rights, fundamental freedoms and any other interests that may be applicable and, if Lastly, the General and Regulatory Affairs Secre- circumstances arise, by the bodies within the tary is a member of the Board of Directors and is company whose functions include the as- responsible, among other matters, for promo- sessment and management of situations which ting privacy and freedom of expression with could eventually lead to a crisis. relevant external stakeholders. In this function, he also led the publication and dissemination of The procedure established in the Global Crisis Telefónica´s “Digital Manifesto” in 2018, which Management System is applied in the event of a calls for a new cooperative effort between gover- crisis. Its taxonomy of critical incidents that could nments, business and civil society to define a lead to a crisis lists, amongst others, requests New Digital Deal adapting the current regulatory from authorities which may have an impact on environment for the digital age, paying special freedom of expression and privacy and/or legis- attention to the issues of privacy and freedom lations with a potentially high negative impact of expression. on human rights (freedom of expression, etc.). The Global Crisis Management System stipulates What is more, we have a Transparency Com- that, in the event of a crisis related to privacy mittee for privacy and freedom of expression and/or freedom of expression issues, the Chair of issues related to requests made by Competent the Crisis Committee may convene the so-called Authorities, which is composed by the Legal “Human Rights Round Table” (made up of the Department, Compliance, Internal Audit and relevant departments) in order to analyse the Corporate Ethics and Sustainability. The Trans- situation, design and apply a response strategy, parency Committee analyses the reported data report to the Executive Committee and conduct in this report and may make such observations further analysis in order to prevent such risks in as they deem relevant, both in general terms or the future. 5 INTRODUCTION AND SCOPE OF OUR OUR DUE POLICIES AND REPORT BY 2020 REPORT ON TRANSPARENCY IN COMMUNICATIONS THE REPORT GOVERNANCE DILLIGENCE PROCESSES INDICATORS COUNTRY GLOSSARY Our Human Rights Due Diligence Since 2006 human rights have been an integral part of our Business Principles. The UN Guiding Human Abolition of child/ Working Non- Privacy Principles on Business and Human Rights have rights issues forced labour conditions Discrimination served as a fundamental guide to promote the guarantee of and respect for