Who is covered by this Notice?
What personal data about you does AT&T process?
To access AT&T websites, certain information will be Processed, including your device’s IP identification and routing information, such as ISP, connection type, and the ISP’s location. Processing this information is necessary for certain purposes, such as authentication, security, and locality features.
We may request additional information, such as your name, email address, or mailing address, to enroll in a specific service or forum. The relevant grant of consent will be specific. This information, collectively or individually, is referred to as “Personal Data” throughout this Notice.
Why does AT&T process personal data about you?
Personal Data will be used to provide the AT&T websites you are seeking to access. AT&T Processes Personal Data pursuant to established and appropriate lawful bases for processing. These are:
- Processing necessary for the legitimate interests pursued by AT&T. AT&T has certain legitimate and lawful interests in Processing Personal Data; these could include Processing for website functionality, administrative purposes, personal and network security, and other compatible purposes.
Throughout this Notice, “Processing” (and all variants) means any operation(s) performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Who has access to personal data about you?
Personal Data may be disclosed, to the extent required for the above purposes, to appropriate and authorized recipients. Recipients may include AT&T affiliates and personnel; business partners and third-party service providers, suppliers, vendors, and subcontractors; and/or other third parties performing services for any of the AT&T companies. Third parties may also collect and Process Personal Data on AT&T’s behalf for the above purposes. A list of AT&T affiliates and the countries in which they are located may be accessed at this link.
Third parties given access to Personal Data will be required to use appropriate security measures consistent with legal requirements when Processing Personal Data. Where the third party is Processing such Personal Data on behalf of AT&T, the third party is obligated to do so only pursuant to AT&T’s instructions.
AT&T may disclose Personal Data if compelled to do so by a court of law, regulators, law enforcement agencies, governmental agencies, and parties to civil lawsuits in connection with inquiries, proceedings, or investigations, or if lawfully requested to do so by a relevant governmental authority using the appropriate means of request. These parties may be located anywhere in the world. Prior to any such disclosure, AT&T examines all such requests to determine that they are legally valid, appropriate and proportionate; and AT&T may challenge such requests if it determines that these criteria are not met. AT&T may disclose Personal Data if AT&T determines it is necessary or appropriate to comply with the law or to protect or defend AT&T’s rights, property, or employees.
Where is personal data about you processed?
AT&T is a multinational company, but has centralized business and operational activities to better manage a global business. That centralization may result in the transfer of Personal Data to, or access to Personal Data from, countries outside of the country in which you are located. The principal countries to which Personal Data is transferred include the United States of America, Brazil, Czech Republic, India, Malaysia, Poland, Singapore, and Slovakia. In some of these countries, the applicable data privacy laws may offer a lower standard of protection than the country in which you are located. As applicable, AT&T takes appropriate technical, organizational, and contractual steps to conduct cross border transfers of Personal Data in accordance with the requirements of the more stringent applicable data privacy law in order to safeguard Personal Data as set out in this Notice.
AT&T generally transfers Personal Data between AT&T affiliates on the basis of our Intra-Group Agreement (IGA), which includes standard contractual clauses for export of Personal Data to third countries. AT&T may additionally rely on other lawful bases for transfer of Personal Data. You may request to review the safeguards AT&T uses for cross border transfers by contacting the AT&T Chief Privacy Office at AskPrivacy@att.com.
Wherever Personal Data is Processed, AT&T uses appropriate security measures consistent with applicable data privacy laws.
When is personal data about you deleted?
Personal Data will generally be retained as needed for business administration, tax, or legal purposes and as consistent with applicable data privacy laws. After that, Personal Data will be destroyed by making it unreadable or undecipherable. While Personal Data is retained, AT&T implements appropriate technical and organizational measures designed to secure Personal Data. Such measures may include:
- Maintaining and protecting the security of computer storage and network equipment and using security procedures that require usernames and passwords to access data;
- Applying encryption or other appropriate security controls to protect Personal Data when stored or transmitted;
- Limiting access to Personal Data to only those with jobs requiring such access; and
- Requiring AT&T personnel involved in the Processing of Personal Data to complete training and awareness programs on the requirements of applicable data privacy laws.
How may you manage processing of personal data?
You have certain rights regarding Processing of Personal Data. AT&T is committed to honoring these rights and has established clear and accessible policies and procedures. Your rights with respect to your own Personal Data may include:
- Right to Notice. AT&T provides this AT&T Website User Privacy Notice - Most of World, detailing how Personal Data is Processed.
- Right to Revoke Consent. You may withdraw your grant of consent at any time and AT&T will stop Processing and delete your data, subject to AT&T’s right to retain the data as allowed for lawful purposes, including to comply with its legal obligations and to use it exclusively on an anonymized basis.
- Right of Access. You may obtain confirmation from AT&T as to whether or not Personal Data concerning you is being Processed and, if it is, access to the Personal Data and additional information about the Processing of that data.
- Right to Correction/Rectification. You may have AT&T correct inaccurate Personal Data about you, as well as have incomplete Personal Data made complete.
- Right to Erasure or Deletion. You may have AT&T erase or delete Personal Data concerning you in certain circumstances.
- Right to Restriction of Processing. You may have AT&T temporarily prohibit additional Processing of Personal Data while your challenge to the accuracy or Processing of the Personal Data is contested.
- Right to Data Portability. You may be able to receive from AT&T the Personal Data concerning you for the purpose of providing that Personal Data to another controller, either by you or directly by AT&T.
- Right to Object. You may object, at any time and on grounds relating to your particular situation, to AT&T's Processing of Personal Data.
- Right to Avoid Automated Individual Decision-Making. AT&T’s Processing of Personal Data generally does not include automated decision-making that produces legal effects concerning you or significantly affects you.
Whether and how a right applies will depend on the lawful basis pursuant to which Personal Data is Processed, the nature of the Personal Data requested, and AT&T's ability to determine if we hold responsive Personal Data. AT&T's provision of Personal Data in response to your request shall not adversely affect the rights and freedoms of others.
Questions about this Notice may be sent to AT&T Chief Privacy Office at AskPrivacy@att.com or to AT&T’s country and regional data protection officers (DPO) at AT&TDPO@att.com. Please include “MOW Website User Question” in the email’s subject line. You may also file a complaint with the relevant data protection regulator or national authority. The relevant national authority would likely be, but is not necessarily limited to, the one established in the country in which you are located. You may additionally or alternatively seek judicial redress for alleged infringements of applicable law by AT&T.