HTML Editor Component
*Contents may not have visible height
At AT&T, our relationship with our customers is built on a foundation of respect and trust. These principles extend to the careful and responsible way that we handle your Personal Data. This AT&T Business Customer Most of World Privacy Notice outlines the types of Personal Data that we Process, why we Process it, who has access to it, when we delete it, and individual rights with respect to the Personal Data. If you have questions after you’ve reviewed this Notice, please contact your account team or you can contact AskPrivacy@att.com. Additional information is also available at AT&T’s Privacy Center.
AT&T collects, stores, and uses information – including Personal Data – from and about users in delivery of Services to AT&T Business Customers. The laws of the many jurisdictions in which AT&T offers Services to AT&T Business Customers impose differing requirements on how and why AT&T may Process this Personal Data. This AT&T Business Customer Most of World Privacy Notice furthers AT&T’s commitment to compliance with applicable Data Privacy Laws. This Notice defines key terms and answers important questions about the AT&T’s Processing of Personal Data.
AT&T’s Commitment to Privacy and Data Protection
AT&T is committed to fulfilling our responsibilities in relation to collection, retention, use, and other Processing of Personal Data that is within the scope of the Data Privacy Laws. Such Personal Data will be Processed only for lawful and appropriate purposes. AT&T has implemented measures designed to secure Personal Data and to help prevent its unauthorized or accidental access, erasure, or other misuse. AT&T will facilitate the exercise of Customer Data Subject rights in an effective and transparent manner.
Term Meaning AT&T Business Customer A legal entity (excluding AT&T affiliates) that has contracted with AT&T to provide Services Customer Data Subject An identified or identifiable individual authorized by an AT&T Business Customer to use the Services or to interact with AT&T on behalf of the AT&T Business Customer Data Controller An entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Depending on the Processing activity, there may be more than one Data Controller. Data Privacy Laws Applicable country or regional laws or regulations in relation to Processing of Personal Data. The standards of AT&T’s MOW privacy program are primarily based on the European Union’s General Data Protection Regulation (GDPR), AT&T Business Customer MOW Privacy Notice (May 2021) 2 but incorporate provisions of other laws that are stricter than or supplemental to GDPR requirements. Most of World or MOW Includes all countries in which AT&T provides Services to AT&T Business Customers, other than the United States of America Personal Data Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier. Processing Any operation(s) performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction Services The products and services provided by AT&T under a contractual agreement between AT&T and the AT&T Business Customer Sensitive Personal Data Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person`s sex life or sexual orientation, as well as Processing of Personal Data relating to criminal convictions and offenses.
Who is covered by this Notice?
This AT&T Business Customer MOW Privacy Notice (Notice) applies when:
What Personal Data about Customer Data Subjects does AT&T Process?
AT&T generally Processes the following categories of data, which may include Personal Data of Customer Data Subjects:
- Business Contact Data: Data for general contact or administration purposes, which may include name, job title, employer, address, phone number, email address, instant messaging username, and similar data.
- Device Identification Data: Data that identifies a device from which (or to which) electronic communications are sent (or received); may include Internet Protocol (IP) address, Media Access Control (MAC) address, International Mobile Equipment Identity (IMEI) number, International Mobile Subscriber Identity (IMSI) number, Serial Number, and Unique Device Identifier (UDID).
- Electronic Communications Metadata: Data Processed in an electronic communications network for the purposes of transmitting, distributing, or exchanging electronic communications content (but not including electronic communications content); includes data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration, and type of communication.
- Authentication Data: Username, password, personal identification number, password hints, and similar data to authenticate users in connection with either use of the Services or access to information related to the Services.
Why does AT&T Process Personal Data about Customer Data Subjects?
AT&T Processes Personal Data when a Customer Data Subject uses the Services or when the AT&T Business Customer provides the Personal Data to AT&T in relation to the Services. In connection with the provision of Services, AT&T will generally Process Personal Data of Customer Data Subjects for the purposes of:
- Providing the Services to the AT&T Business Customer;
- Performing obligations and exercising rights with respect to the Services and AT&T’s contract with the AT&T Business Customer, including performing related activities and functions;
- Complying with legal obligations; and/or
- Evaluating, supporting, and enhancing the performance, efficiency, and security of the Services and the network infrastructure / operations./li>
Applying the principle of data minimization, AT&T will Process only the Personal Data necessary for the above purposes.
AT&T Processes Personal Data of Customer Data Subjects only pursuant to appropriate lawful bases for Processing as necessary for:
- Performing a contract to which the AT&T Business Customer and/or the Customer Data Subject is a party;
- Complying with legal obligations to which AT&T is subject; and/or
- Legitimate interests pursued by AT&T, such as performing its contract obligations to, or exercising its legal or contract rights with, the AT&T Business Customer, or for improving services and network operations. Prior to any Processing on the basis of legitimate interest, AT&T analyzes the suitability of the Processing, including the reasonable expectations of a Customer Data Subject and the impact of the proposed Processing on a Customer Data Subject’s rights and freedoms.
In limited circumstances, AT&T may Process Personal Data as necessary for:
- Protecting the vital interests of the Customer Data Subject or another natural person; and/or
- Performing a task carried out in the public interest.
AT&T will not Process Sensitive Personal Data or similarly designated data under applicable Privacy Data Laws about Customer Data Subjects unless specifically authorized by law, for example where the Customer Data Subject has given explicit consent; as necessary for carrying out obligations and exercising specific rights in the field of employment and social security and social protection law; to protect life, physical safety or health of the Customer Data Subject or another natural person; to guard against fraud; and/or as necessary for the establishment, exercise, or defense of legal claims.
Who has access to Personal Data about Customer Data Subjects?
AT&T affiliates are part of the AT&T group of companies operating internationally. All members of the AT&T group support and interact with each other to run AT&T’s business and to set group-wide strategy. Certain Personal Data can be accessed by any of the AT&T group of companies where relevant, necessary for the purposes described and legally permitted.
Personal Data about Customer Data Subjects will be disclosed,to the extent required for Service delivery, to appropriate and authorized recipients. Recipients may include: AT&T affiliates and personnel; business partners and third-party service providers, suppliers, vendors, and subcontractors; and/or other third parties performing services for any of the AT&T companies. Personal Data may also be provided to the AT&T Business Customer and its agents. Third parties may also collect and Process Personal Data on AT&T’s behalf for the above purposes. A list of AT&T affiliates and the countries in which they are located may be accessed at this link.
Third parties given access to Personal Data about Customer Data Subjects will be required to use appropriate security measures, including AT&T’s Supplier Information Security Requirements (SISR), consistent with Data Privacy Laws and all other applicable legal requirements when Processing Personal Data. Where the third party is Processing such Personal Data on behalf of AT&T, the third party is obligated to do so only pursuant to AT&T’s instructions
AT&T may disclose Personal Data if compelled to do so by a court of law, regulators, law enforcement agencies, governmental agencies and parties to civil lawsuits in connection with inquiries, proceedings, investigations or lawfully requested to do so by a relevant governmental authority using the appropriate means of request. These parties may be located anywhere in the world. Prior to any such disclosure, AT&T examines all such requests to determine that they are legally valid, appropriate and proportionate; and AT&T may challenge such requests if it determines that these criteria are not met. AT&T may disclose Personal Data if AT&T determines it is necessary or appropriate to comply with the law or to protect or defend AT&T’s rights, property, or employees.
Where is Personal Data about Customer Data Subjects Processed?
AT&T is a multinational company, but has centralized business and operational activities to better manage a global business. That centralization may result in the transfer of Personal Data to, or access to Personal Data from, countries outside of the country in which the Customer Data Subject is located. The principal countries to which Personal Data is transferred include the United States of America, Brazil, Czech Republic, India, Malaysia, Poland, Philippines, Mexico, Singapore, and Slovakia. In some of these countries, the Data Privacy Laws may offer a lower standard of protection than the country in which the Customer Data Subject is located. As applicable, AT&T takes appropriate technical, organizational, and contractual steps to conduct cross border transfers of Personal Data in accordance with the requirements of the more stringent Data Privacy Laws in order to safeguard Personal Data as set out in this Notice.
AT&T generally transfers Personal Data about Customer Data Subjects between AT&T affiliates on the basis of our Intra-Group Agreement (IGA), which includes standard contractual clauses for export of Personal Data to third countries. AT&T may additionally rely on other lawful bases for transfer of Personal Data. A Customer Data Subject may request to review the safeguards AT&T uses for cross border transfers by contacting the AT&T Chief Privacy Office at AskPrivacy@att.com.
Wherever Personal Data is Processed, AT&T uses appropriate security measures consistent with Data Privacy Laws.
When is Personal Data about Customer Data Subjects deleted?
Personal Data will be retained as needed for business administration, tax, or legal purposes and as consistent with Data Privacy Laws. In many cases, this will require retention through the administrative period of the contract between AT&T and the AT&T Business Customer, or through the period of the relationship between the AT&T Business Customer and the Customer Data Subject. After that, Personal Data will be destroyed by making it unreadable or undecipherable. While Personal Data is retained, AT&T implements appropriate technical and organizational measures designed to secure Personal Data. Such measures may include:
- Maintaining and protecting the security of computer storage and network equipment and using security procedures that require usernames and passwords to access data;
- Applying encryption or other appropriate security controls to protect Personal Data when stored or transmitted;
- Limiting access to Personal Data to only those with jobs requiring such access; and
- Requiring AT&T personnel involved in the Processing of Personal Data to complete training and awareness programs on the requirements of Data Privacy Laws.
What rights do Customer Data Subjects have to manage Processing of Personal Data?
The Customer Data Subject has certain rights under certain circumstances regarding Processing of Personal Data. AT&T is committed to honoring these rights and has established effective and transparent policies and procedures to do so. A Customer Data Subject’s rights with respect to his or her own Personal Data may include:
- Right to Notice. AT&T provides this Notice detailing how Personal Data is Processed.
- Right to Access. A Customer Data Subject may obtain confirmation of whether Personal Data is being Processed and, if it is, access the Personal Data and additional information about the Processing of that data.
- Right to Revoke Consent. A Customer Data Subject may withdraw a given consent at any time and AT&T will stop Processing and delete the Customer Data Subject’s Personal Data, subject to AT&T’s right to retain the data as allowed for lawful purposes, including to comply with its legal obligations and to use on an anonymized basis
- • Right to Rectification. A Customer Data Subject may have inaccurate Personal Data corrected and have incomplete Personal Data made complete.
- Right to Erasure. A Customer Data Subject may have Personal Data erased, in certain circumstances.
- Right to Restriction of Processing. A Customer Data Subject may have additional Processing of Personal Data temporarily prohibited while the accuracy or Processing of Personal Data is contested.
- Right to Data Portability. A Customer Data Subject may be able to have Personal Data provided to another Data Controller, either by the Customer Data Subject or directly by AT&T.
- Right to Object.A Customer Data Subject may object, at any time and on grounds relating to his or her particular situation, to Processing of Personal Data.
- Right to Avoid Automated Individual Decision-Making. AT&T’s Processing of Personal Data generally does not include automated decision-making that produces legal effects concerning the Customer Data Subject. In the event AT&T implements such automated-decision making, AT&T will provide meaningful information about the logic involved and the significance and the envisaged consequences of such Processing for the Customer Data Subject.
Whether, how, and to what extent a specific right applies and how it will be addressed by AT&T will depend upon the applicable Data Privacy Law, the lawful basis pursuant to which Personal Data is Processed, the nature of the Personal Data, and AT&T’s ability to determine that it holds responsive Personal Data. As the Personal Data is Processed as part of AT&T’s contractual obligations to the AT&T Business Customer, for applicability and authentication purposes AT&T will coordinate responses to requests of Customer Data Subjects with the AT&T Business Customer. The Customer Data Subject should directly contact the AT&T Business Customer to initiate a rights request. Business customers can submit requests on behalf of the customers they serve. AT&T will work with the AT&T Business Customer to determine the appropriate response to a request. Provision of Personal Data in response to a Customer Data Subject’s request shall not adversely affect the rights and freedoms of others.