Lumen Privacy Notice

September 15, 2020

This Privacy Notice applies to our privacy practices related to our business customers’ products and service offerings. In the event of any conflicts between this Privacy Notice and a separate agreement between you and us, the terms of the separate agreement shall apply to the extent permitted by law.

What does this Privacy Notice cover?

Like most companies that provide services to other companies, we have certain information about employees of our current and potential business customers and use that information to market our products and services, enter contracts for services, install, support and bill for services, and otherwise carryout our commercial relationship with such customers.  This Privacy Notice sets out the types of Personal Information we may collect, the ways that Personal Information is used and why we use that Personal Information.

This Privacy Notice describes the processing activities we may undertake with your Personal Information to administer our commercial relationship and market our business products and service offerings.  It describes the security measures to protect Personal Information, the circumstances under which we may disclose Personal Information to a third party, and how to exercise your rights to access Personal Information in our possession.

As used in this Privacy Notice, “Personal Information” refers to any information relating to you as a person.  It may be information that by itself can identify you, such as your name, or it may be information that identifies you only when combined with other available information, such as your social media username when combined with your email address.

What Personal Information do we collect?

We may collect the following types of Personal Information from you:

• Name and contact data. We may collect your first name, middle name, last name, salutation, business email address, business postal address, business phone number and similar business contact data.
• Employment information. We may collect information about your job title, job function, employer and similar information related to your employment and job function.
• Portal activity information. If you have placed information in a LUMEN portal, we collect information about your interaction with LUMEN including changes you made to the business customer account(s) you are authorized to manage, inquiries you submit, feedback and similar commercial activity information.
• Background information. We may collect information about degrees you have earned, where you attended school, licenses you hold, your membership in professional associations and similar background information.
• Additional information. We may collect your gender, language skills, hobbies, survey responses, professional engagements, and similar Personal Information. If you visit LUMEN’s public-facing websites, we and third parties may analyze your activity on the LUMEN website and place cookies on your browser or device that collect Personal Information. If you receive LUMEN electronic marketing materials, we and third parties may analyze your interaction with those materials.

There may be circumstances where we request Personal Information other than as identified above.  We will do this only where necessary or justified to improve the services we provide and to increase the relevance of your service portfolio. That Personal Information will be treated the same as the other Personal Information identified in this Privacy Notice.

How do we use your Personal Information?

We use your Personal Information to provide the services and allow you to manage the business customer account(s) and functions for which you are authorized.  We also use your Personal Information to contact you about our business products and service offerings that may interest your employer. 

We use your Personal Information only for the purpose for which it was obtained and keep it only as long as necessary. We do not sell your Personal Information to third parties. We seek to collect only Personal Information that is relevant and necessary and to collect it from reputable sources.  We do not use your Personal Information for purposes unrelated to marketing and providing our business products and services.

How do we protect your Personal Information?

We use a variety of security and operational measures to help prevent your Personal Information from unauthorized access, use or disclosure. We limit our collection and use of your Personal Information to the minimum necessary.

We limit the availability of your Personal Information to those who use that information for the purposes specified in this Privacy Notice.  We have procedures in place to ensure that your Personal Information cannot be accessed by others. We collect the Personal Information we need for the legitimate purpose to contact you about business products and service offerings your employer purchases or may be interested in purchasing. We provide an option to opt-out of any future communications in every marketing communication we send out. We endeavor not to call phone numbers registered with the appropriate do-not-call registries.

Who do we share Personal Information with and why?

We may share your Personal Information with other entities, including our affiliates, subsidiaries and third parties that provide certain functionalities for some of our business products and service offerings to the extent applicable to your interaction with LUMEN and your management of the business customer account(s) or functions for which you are authorized.  We may also share your Personal Information with other entities, including our affiliates and subsidiaries, to the extent applicable to our marketing activities related to our business products and service offerings.

We provide services in more than 60 countries around the globe, and, as such, operate through multiple affiliates and subsidiaries. We partner with other parties to provide certain business products and service offerings. We use channel partners to engage in sales and marketing activities on our behalf to provide our business products and service offerings.  In order to engage in those activities, we may provide your Personal Information to those parties to contact you about our business products and service offerings your employer may be interested in.

Where do we send your Personal Information?

LUMEN provides business products and services around the world. In certain circumstances, we transfer your Personal Information outside of your country or region or to international organizations as necessary to conduct our business operations, provide our services, and engage in our marketing activities.  These areas and international organizations may not be subject to laws that provide the same level of protection for Personal Information as the country in which you work.  Accordingly, when transferring your Personal Information to any such area or international organization we use safeguards to ensure the security and protection of your Personal Information, including the use of standard agreements approved by various country and regional governments.

We may transfer your Personal Information to our affiliates and subsidiaries throughout the world for storage and use related to your interaction with LUMEN.  In particular, the Personal Information used to confirm and enable those individuals who have been authorized by our business customers to interact with LUMEN on their behalf and Personal Information contained in our systems, records and activity logs may be accessible by our affiliates and subsidiaries located in the United States and other countries around the world.  Where appropriate, our affiliates and subsidiaries that are located in countries that do not have legal requirements to provide adequate protection for Personal Information have signed a contract and agreed to other terms to ensure that Personal Information is adequately protected in accordance with global data protection requirements.

We also may transfer your Personal Information to our business customers, suppliers, partners and other third parties throughout the world to the extent applicable to your interaction with LUMEN and your management of the business customer account(s) and functions for which you are authorized. We will not transfer your Personal Information to organizations located outside the country or region in which you work unless they have adequate data protection mechanisms in place, unless there is a proper legal basis for making such a transfer. We further restrict any third party from using the Personal Information we provide them related to your interaction with LUMEN and management of the business customer account(s) and functions you are authorized to manage for any purpose other than as described in this Privacy Notice.

Personal information held in our company marketing databases may be accessible by our affiliates, subsidiaries, and business partners located in the United States and other countries around the world.  Where appropriate, our affiliates, subsidiaries, and business partners have signed a contract and agreed to other terms to ensure that Personal Information is adequately protected in accordance with global data protection requirements.

How can you access and control your Personal Information?

In certain countries or regions, you have the right to ask us to provide you access to the Personal Information we have about you, to request correction and erasure of your Personal Information, the right to ask us to restrict our use of your Personal Information, to object to our use of your Personal Information, including selling Personal Information, and, in certain circumstances, the right to direct us to send your Personal Information to another entity.

If you would like to request us to do any of the preceding, send your request to our Data Protection Officer at DPO@centurylink.com.  Please identify the right(s) you wish to exercise, and the Personal Information involved, and why you believe LUMEN possesses your Personal Information.  We may request additional information to help us search for the Personal Information you requested, so you should be as precise as possible in making your request.  We will provide you with one copy of Personal Information we have about you free of charge.  For any further copies requested, we may charge a reasonable fee based on administrative costs.  For any request made by email, unless you request otherwise, we will provide the information via email in a commonly used form, such as a Word document, Excel sheet or PDF as appropriate.

We will respond to your request within one month but may extend that period by an additional 2 months, considering the complexity and number of requests we receive.  If we extend the time to respond, we will let you know of that extension within one month of your request.

Cookies and Web Beacons

This section of the Privacy Notice applies only to California and non-U.S. visitors to the LUMEN website.  In this section, we describe the type of Personal Information LUMEN may collect, the ways that data is used and why we use it. At LUMEN, we have information about employees of our current and potential business customers to carry out our commercial relationships. We also honor browser-based blocking, so if a visitor has a blocker on their browser, the visitor will be able to block all but “strictly necessary” cookies.

What are Cookies and Web Beacons?

A cookie is a small text file that many web publishers place on your computer when you visit their sites. Cookies ask your browser to store on your device to remember information about you, such as login information.

We may also use web beacons. A web beacon, also known as a “web bug”, is usually a pixel on a website that can be used to track whether a user has visited a particular website to deliver targeted advertising. Web beacons are used in combination with cookies, so if you turn off your browser’s cookies, the web beacons will not be able to track your activity. The web beacon will still account for a website visit but will not record your unique information. For more information, see Wikipedia’s entry on web beacons.

Disabling Cookies:

Because we respect your right to privacy, you may disable these cookies, except strictly necessary cookies. You may set your computer preferences to (1) notify you each time a website tries to place a cookie on your computer and give you the option of accepting or rejecting it, (2) accept cookies from sites you visit (often referred to as first party cookies) but not from other sites (often referred to as third party cookies), or (3) block all cookies. Refer to the Cookie Settings to set your cookie preferences for this LUMEN website.

The Network Advertising Initiative (NAI)  also has a tool that lets you opt-out of several third-party ad servers' and networks' cookies simultaneously. The tool will not block ads. It will only prevent the ads that appear on your computer from being selected based on the ad server's analysis of cookies on your computer. Also, this opt-out itself relies on cookies. That means that you will have to opt-out again if you delete cookies, change browsers, or buy a new computer.

How do we use Cookies?

If you visit LUMEN’s public-facing websites, we and third parties may analyze your activity on the LUMEN website and place cookies on your browser or device that collect Personal Information. If you receive LUMEN electronic marketing materials, we and third parties may analyze your interaction with those materials. We may also use your Personal Information to provide services and allow you to manage the business customer account(s) and functions for which you are authorized.  We may use your Personal Information to contact you about our business products and service offerings that may interest your employer. We do not sell your Personal Information to third parties. We also do not use your Personal Information for purposes unrelated to marketing and providing our business products and services.

LUMEN provides services in more than 60 countries around the globe, and, as such, operate through multiple affiliates and subsidiaries. As a result, we may share your Personal Information with other entities, including our affiliates, subsidiaries and third parties that provide certain functionalities for our business products and service offerings to the extent applicable to your interaction with LUMEN and your management of the business customer account(s).

Types of Cookies we use:

We classify our cookies in the following categories:

• Targeting Cookies
• Performance Cookies
• Functional Cookies
• Strictly Necessary Cookies

Targeting Cookies: These cookies are set by our advertising partners. They may be used by those companies to build a profile of your interest and show you relevant advertisements on other sites. They uniquely identify your browser and internet device.

Performance Cookies: These cookies allow us to count visit and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated.

Functional Cookies: These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third party providers whose services we have added to our pages.

Strictly Necessary Cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms.

California Consumer Privacy Act (CCPA)

If you are a California resident, please review these additional privacy disclosures, which provide a summary of how we collect, use, and disclose Personal Information about you and explain your rights under the CCPA. 

Categories of Information We Collect, Use, and Disclose for Business Purposes

We collect the information as described in our Privacy Notice in the section “What Personal Information do we collect?”  and “How do we use your Personal Information?” In the prior 12 months, we may have collected the following categories of Personal Information:

• Identifiers, such as name, email address, mailing address, social security number, cookie and device identifiers, and IP address.
• Demographic information, such as your gender and age.
• Commercial information, such as records of purchases and payment information.
• Internet or other electronic network activity information, such as log data and information about the devices and computers you use to access our websites.
• Geolocation data, such as GPS, Bluetooth, or Wi-Fi signals, where you have allowed access to that information.
• Electronic, visual, or similar information, such as recorded conversations with our customer service agents and recorded online sessions.
• Other information you provide, such as responses to surveys or messages to customer service.
• Inferences drawn from any of the above, including the content or ads that may be of interest to you.

We collect and use these categories of information from you, your devices, third parties, or as otherwise described in this Privacy Notice. We disclose these categories of Personal Information for the business purposes described in “Who do we share Personal Information with and why?”. 

Your Rights as a California Resident

Under CCPA, California residents have the right to request access to or deletion of their Personal Information, to request additional details about our information practices, to opt out of the “sale” of Personal Information (if applicable), and to not be discriminated against for exercising their rights. To request to exercise your access or deletion rights, please contact us by submitting our online form or emailing us at privacy@centurylink.com with general privacy questions. Upon receipt of your request to exercise your rights to access or delete your Personal Information, we will verify your identity to protect your security and privacy. Note that even if we honor your request to delete your information, we may retain certain information as required or permitted by law. If your request relates only to your marketing preferences and how LUMEN may contact you, including opt-out requests, please use the form located here.

General Data Protection Regulation (GDPR)

LUMEN is committed to compliance with data protection requirements within the European Union (EU) and the European Economic Area (EEA), to include the United Kingdom (UK). LUMEN processes Personal Information from the EU and EEA only for lawful and appropriate purposes; it has implemented adequate technical and organizational measures to secure this information; and it has provided the means for data subjects to exercise their rights to access, rectification, and erasure. For more information on EU data protection rules generally, please click here.

GDPR FAQs

Q: What is covered under this section of the Privacy Notice?

A: This notice covers the following:

• Visitors from the EU or EEA, including the UK, who access a LUMEN website.
• When LUMEN processes Personal Information of or for business customers within the scope of Article 3 of GDPR and LUMEN is acting as a Data Controller when processing that Personal Information.
  
  

Q: What is LUMEN’s approach to cross-border data flows and the transfer of personal data outside the EU?

LUMEN’s cross-border transfers of Personal Information from within the EU to other countries generally are covered under EU Standard Contractual Clauses. Whenever our services require us to transfer Personal Information subject to GDPR, LUMEN will make the necessary contractual arrangements with our customers to ensure compliant data transmission. If necessary, LUMEN will implement supplementary measures to reduce or eliminate any risks to transfers of EU Personal Information.

Q: How will LUMEN handle requests for summaries and diagrams of data flows?

A: LUMEN offers several products, many of which are customizable, to customers in more than 60 countries, so we do not maintain universal summaries or diagrams of data flows. Customers can gain an infrastructure-level view of how and where the data flows from the relevant product documentation and each customer’s specific network or solution design. 

Q: Under what lawful basis (e.g., obtaining consent, legitimate interests, etc.) will LUMEN process Personal Information under GDPR?

A: LUMEN may process your Personal Information under one or more of the following lawful bases:

• You have given your consent for a specific purpose. You may withdraw your consent at any time but doing so will impact our ability to provide services or information to you.
• LUMEN has certain legitimate business interests in processing your Personal Information, to include website functionality, sales and marketing (where permitted), or personal or network security.
• We process Personal Information on instructions from a customer, the data controller.
• We are processing your Personal Information as a data controller in accordance with Article 6 of GDPR or similar legal provisions.

Q: What rights do I have as a data subject?

A: In addition to the rights to receive notice and to revoke consent, data subjects also may exercise the following rights:

• Right of access to Personal Information that LUMEN has on you.
• Right to rectification of the Personal Information that LUMEN has, whether it is inaccurate or incomplete.
• Right to erasure in certain circumstances of the Personal Information that LUMEN has.
• Right to restriction of processing your Personal Information under certain circumstances.
• Right to data portability of your Personal Information under certain circumstances.
• Right to object to LUMEN processing your Personal Information under certain circumstances.
• Right to not be subjected to automated individual decision-making, under certain circumstances.

To exercise these rights, please see “How can you access and control your Personal Information?” above.

Q: What is GDPR’s effect on LUMEN’s specific products?

A: LUMEN has undertaken a review of our products to assess their potential for processing personal data. In addition, we are committed to regularly reviewing our products for this purpose. In most cases, LUMEN does not have access to personal data, including information that is transmitted, stored, hosted, or processed through a customer’s use of our products’ functions. However, whenever necessary and consistent with the nature of our services, we will assist our customers in meeting their obligations under the GDPR.

Q: What are LUMEN’s procedures for providing notice of data breaches?

A: LUMEN will provide notifications of breaches as required under Articles 33 and 34 of GDPR, and as agreed with our customers. When a breach is suspected, LUMEN takes the following steps:

1. Determine whether a breach occurred;
2. Research and identify products the breach may affect;
3. Provide notification to any supervisory authorities and/or customers affected by the breach.

LUMEN’s level of access to information affected by a breach, including the specific data and data subjects, varies from product to product. As a result, the amount of information in breach notifications will vary accordingly.

Q: What are LUMEN’s policies and procedures regarding data retention, destruction, and/or return?

A: Whether or how much personal data LUMEN can return or destroy depends on the functionalities of the product processing the data. For instance, we do not access, host, store or process the content of messages or other information traveling in our network, so we cannot return copies of such data.

However, when the data involves services where LUMEN operates as a processor, such as information storage and hosting products, we will grant customers access to the data for retrieval or destruction. In most of these cases, we do not have access to information but will help customers as appropriate to address their GDPR obligations relating to retention, destruction and retrieval of data processed by LUMEN products. Typically, customers will have full control of these activities through the tools and functionalities available with the products.

Q: What GDPR-related language will appear in LUMEN contracts with customers?

A: Depending on the specific LUMEN product and customer arrangement, LUMEN acts as a controller, processer, or both. As such, we will make the necessary contractual arrangements to comply with GDPR. We will address general GDPR obligations at the master agreement level. In specific cases of personal data processing by our services, we will address contractual language as appropriate.

How can you contact us?

LUMEN and its affiliates are controllers for Personal Information we collect from you as it relates to contacting you about our business products and service offerings that your employer may be interested in.  Our principal address for the purposes of this Privacy Notice is:

PRIVACY OFFICE
CENTURYLINK LEGAL
100 CENTURYLINK DRIVE
MONROE LA 71203

You may also send an email to our Privacy Office at Privacy@centurylink.com.

If you have a privacy concern, complaint or question as it relates to your Personal Information, please send an email to our Data Protection Officer at DPO@centurylink.com.  We will respond within 30 days.

How will changes to this Privacy Notice be communicated?

We will update this Privacy Notice when necessary to reflect changes in our business, to reflect feedback we receive and as otherwise necessary to ensure it remains accurate and complete.  When we post changes to this Privacy Notice, we will revise the date at the beginning of this Privacy Notice.  If there are material changes to this Privacy Notice or in how we collect or use your Personal Information, we will notify you either by prominently publishing a notice on our websites and/or by directly sending you an email notification if we have your contact information.  We will do this before such material changes take effect.  We encourage you to periodically review this Privacy Notice to learn how we are protecting your Personal Information.