The Principles of Data Protection at Telesign
Published on: April 23, 2024
Telesign’s Privacy Compliance Program is based on compliance with several different data privacy laws, including the following:
- EU General Data Protection Regulation (“GDPR”)
- California Consumer Privacy Act (“CCPA”)
- Serbian Personal Data Protection Law (“ZZPL”)
- Brazilian General Data Protection Law (“LGPD”)
- Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”)
- Chinese Personal Information Protection Law (“PIPL”)
- Singapore Personal Data Protection Act (“PDPA”)
We follow a “one privacy framework” approach, meaning we generally adopt the strictest standard mandated by applicable data privacy law, but still allowing for specific legal requirements to be addressed and implemented separately. For example, where GDPR imposes stricter rules than the CCPA, we choose to follow the GDPR, but specific requirements unique to the CCPA are still adopted within our framework.
Our privacy framework is based upon, and we conduct all business in line with, the 7 principles of data protection, as set out in the EU General Data Protection Regulation (“GDPR”). These are as follows:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Telesign is guided by these principles in the lawful processing of personal data throughout all our operations and at every level of our business.
Lawfulness, fairness, and transparency
Telesign identifies a valid lawful basis for all processing of personal data and does not do anything unlawful with personal data. Throughout all our operations we consider how the processing of personal data may affect the individuals concerned and we aim to only handle data in ways that people would expect. Where there may be unexpected processing, we carry out Data Protection Impact Assessments (“DPIA’s”) and ensure that we are able to explain why such processing is justified – for example for purposes of fraud detection or compliance with laws and regulations.
Telesign is open and honest throughout all our personal data processing activities and are fully compliant with the obligations of the right to be informed – please see our Privacy Notice.
Purpose limitation
Telesign holds and maintains a Record of Processing Activities (ROPA) which records the purposes of our processing activities across the organization and is updated as and when such purposes change. Additionally, our purposes for processing are specified in our Privacy Notice which is publicly accessible.
Where Telesign does seek to process personal data for a new purpose, we only do this where either (a) such purpose is compatible with the original purpose; (b) we get individuals’ consent for such processing; or (c) we have a clear obligation or function to do so mandated by law.
Data minimization
Telesign ensures that we only hold the minimum amount of personal data needed to fulfill our purposes for processing – whether this be for the purposes of fraud prevention, compliance with legal obligations, or any other identified purpose. We ensure that the personal data we process is sufficient to fulfil our stated purpose (and no more), has a rational link to that purpose, and is limited to what is necessary.
Accuracy
Whether Telesign is acting as a data controller, or a data processor, we take steps to ensure that the personal data we hold is not incorrect or misleading. Where we are not receiving personal data directly from individuals but via a third party, we do this by the inclusion of contractual provisions with our partners which mandate that they will provide us with personal data in line with applicable data privacy laws, and therefore that is not incorrect or misleading. Such a contractual provision also means our partners are obligated to keep the personal data updated, where applicable.
Telesign’s ROPA is maintained such that we accurately record information that is provided to us, including an accurate reflection of the source of the information. Additionally, Telesign complies with individuals’ right to rectification under GDPR, and carefully consider any challenges to the accuracy of personal data.
Storage limitation
Telesign does not keep any personal data for longer than we need it. We ensure we erase or anonymize data once there is no longer a lawful basis for its retention in line with our Retention Policy. We keep a record of the period for which we keep personal data in our ROPA, along with the reasons why the data is kept for such a period. More information can be found in our Privacy Notice.
Integrity and confidentiality (security)
Telesign protects all personal data by implementing appropriate technical and organizational measures and our Information Security Management System is certified compliant with ISO 27001:2013. For more information on our security measures see our Security Whitepaper.
Accountability
Telesign’s privacy compliance program is based on the recognized principles of Privacy by Design and Default and on the ability to establish a relationship of trust with individuals. Telesign has a dedicated Privacy Team who work to maintain and implement our privacy program and embed accountability and a culture of privacy throughout the organization.
We take our obligation to comply with the requirements of accountability seriously and recognize that such obligations are ongoing. We regularly review and where necessary, update the measures we have in place.
More generally, the following measures demonstrate Telesign’s commitment to the principle of accountability:
- Organization-wide Privacy Compliance Program.
- Appointment of a Data Protection Officer.
- Dedicated Privacy and Security Teams.
- The adoption and implementation of a full suite of data protection policies, including concerning data breaches.
- A data protection by design and default approach to everything we do.
- Written contracts in place with all third parties who process personal information on our behalf.
- Carrying out DPIA’s where necessary.
- Organization-wide privacy training.
- Maintenance and update of ROPA.
Conclusion
Telesign has built a privacy program that we are proud to share, and that we will continue to improve on. For us, compliance with applicable data privacy laws isn’t simply about avoiding penalties. In the world of ever rising threats to individual liberties, commitment to personal information privacy is one of the main pillars of customer trust and competitive advantage.
For further information on Telesign’s privacy practices please see the Privacy Hub