Privacy Policy

We know that your privacy is very important to you; it is a fundamental right. Therefore, we want to explain our privacy policy to you, so you have control and understand how we manage the use of your personal data as a customer and user of eSimFLAG services.

1. Glossary of terms

2. Principles of our Privacy Policy

3. Who processes your data?

4. What data do we process?

5. Why do we process your data?

6. How do we process your data?

7. What are your rights?

8. Information we share: destinations or categories of destinations

9. Scope and updates to this privacy policy

To make it easier for you to understand our Privacy Policy, we have defined the important concepts we will use later.

Legitimising basis: any data processing, as established by the GDPR, needs to be supported by a legitimising basis. In our Privacy Policy you will find these legitimising bases: execution of the contract, legitimate interest, consent and legal obligation.

Customer Service Channels: any channel we make available to assist you, such as telephone, WhatsApp, email, and any other channel we may use in the future to assist you.

eSimFLAG Customer: holder of the contractual relationship.

Potential Customer: not yet a customer, but has shown interest in eSimFLAG.

Personal data: any information that can identify a natural person, directly or indirectly.

Advertising media: media we use, including electronic and digital media, to recommend news and commercial offers to you. For example, SMS, email or other equivalent means of communication.

Business Profile: automated processing of Data with which we evaluate certain aspects of you as a Customer or User (for example, frequency of contracting plans, countries for which you have contracted plans, location or information about your travels) with the aim of adapting the commercial offer to your tastes and usage preferences. At eSimFLAG, we will create a basic profile using the data you provide, usage and billing data, together with data generated when you use the eSimFLAG app and website (including cookies if you have accepted them) to learn more about you and offer you personalised recommendations. To learn more about the profiling carried out by eSimFLAG, you can consult more details in the Additional information section of this privacy policy.

eSimFLAG Service: refers to eSimFLAG brand services that we market and provide. For example, mobile telecommunications services and information technology services.

Rich Communication Service or RCS: an advanced mobile messaging communication standard that enhances traditional text messaging (SMS) by incorporating richer features, including sharing images, videos, audio, location, and real-time group chats, as long as your device is compatible.

Collaborators: companies that may be part of the Telefónica Group or that are not part of the Telefónica Group but which work with us to send you, if your privacy preferences allow, recommendations for news, products and services.

eSimFLAG User: person using eSimFLAG services.

Advanced Verification: advanced identity verification system that aims to increase your digital security.

eSimFLAG Web and App: digital web environments or apps that we make available to you so that you can manage your services and access them easily.

These are the key principles that guide our commitment to your privacy and the protection of your data, and which form the basis of our privacy policy.

• Legality, loyalty and transparency: we will always keep you informed about how we use your data, and you will always have control.
• Limitation of purpose: we will only use your data for the specific and legitimate purposes authorised, never for anything else.
• Data minimisation: we will only collect the data necessary for the processing, no more and no less.
• Accuracy: to avoid any errors or issues, we will do everything in our power to keep your information up-to-date and correct.
• Limitation of the storage period: we will process your personal data only for the period strictly necessary to fulfil the stated purposes.
• Integrity and confidentiality: we will implement all security measures within our power to protect your data, in order to ensure that it is always safe and that only authorised persons have access to it.
• Proactive responsibility: we comply with the above principles responsibly, anticipating potential risks to ensure the protection of your data at all times.

Depending on the Products and Services you have contracted, the following Telefónica Group companies are jointly responsible for processing your data:

• Telefónica de España S.A.U., with Tax ID number A82018474 and registered office at C/ Gran Vía no. 28, 28013, Madrid, registered in the Madrid Mercantile Registry in volume 13,170; book 0; section 8; sheet M-213,180.
• Telefónica Móviles España S.A.U., with Tax ID number A78923125 and registered office at Ronda de la Comunicación s/n, Distrito C, Edificio Sur 3, 2nd floor, 28050, Madrid, registered in the Madrid Mercantile Registry in book 8958, General 7804, section 3, of the Companies Register, document 92, sheet H-85226.

Additionally, at eSimFLAG we have a Data Protection Officer (DPO) responsible for ensuring the protection of your personal data. If you need to contact our DPO, you can do so by writing to them at DPO_movistar@telefonica.com.

At eSimFLAG we process the Data you provide us with throughout your contractual relationship with us and that you generate by using eSimFLAG Services for the purposes indicated in the section Why do we process your data?

The truthfulness and accuracy of the data you provide to manage and contract our Services is your responsibility. We cannot be held responsible for any consequences resulting from false, inaccurate, incomplete, or outdated data.

Although the Data processed will vary depending on the Services you have contracted, below we detail the categories of Data that we process. In general these are:

4.1. Data that you provide us as an eSimFLAG Customer or User

This is data we collect to manage your contract or that you voluntarily provide to us in these situations:

to. When contracting, registering or managing eSimFLAG Services: This is data you provide us at the time you contract the services. For example, contact information (email and mobile) or data necessary for billing (payment and/or bank card details).

Also in this category are:

• The history of eSimFLAG Services you have contracted.
• The documentation necessary to prove the contracting and compliance with the requirements associated with the contracting of Services
• The status of your preferences regarding the use of the Services that you have indicated to us throughout your relationship with eSimFLAG.
• Data shared through the profiles you have created on eSimFLAG Websites and Apps, for example, your credentials for logging in to your private area.

Furthermore, if you have expressed interest in any of the eSimFLAG Services, we will process the Data generated by your interest. If you subsequently purchase our Services, the data you indicated prior to purchasing them will become part of your Customer history.

b. In any customer identification process or Advanced Verification: We may ask you for the necessary information (such as your ID photo and your selfie or your voice recording) to generate your biometric pattern that will allow you to use biometric authentication for future processes.

c. In interactions with our Customer Service Channels: This is the data you provide us when you communicate with us through the eSimFLAG Customer Service Channels. For example, queries sent to the Customer Service Channel, identifiers or the content of complaints, incidents and queries made, including information you consult or manage through our Websites and eSimFLAG App.

d. From surveys, polls or forms: This is data that you voluntarily provide to us so we can get to know you better. For example, surveys on the functioning of the service.

4.2 Data you generate as an eSimFLAG Customer or User

This is data that you generate when using our Services, Equipment and/or Websites and Apps:

to. Usage and billing data related to our Services:

This is data generated by the regular use of the Services, as well as the concepts that are included on the bills (contracted service, billed amount, etc.).

This data will depend on the type of service contracted or billed. For example, whether the contracted plan is active or not, the days of validity counter, etc.

b. Location data:

This is data generated when you use our telecommunications services:

e) Location data: Related to the geographical position of the User's mobile line. Specifically, the identifier of the antenna associated with the communication and its geographic location, any change of antenna and/or switching the device on or off, in order to provide you with the necessary coverage, as well as the date and time of the aforementioned information.

c. Data generated when using the eSimFLAG App and Web:

This data is generated based on the website or app you use, the cookies you accept, and the usage permissions you have granted.

When you use our Websites and Apps, you share with us technical identifiers of the device you are accessing from (such as IP address, MAC address, language, version, etc.) and information about how you interact with the different elements of the Website or App (such as clicks on drop-down elements, inquiry forms, and contracting).

Additionally, to use some of the app features (such as order and payment history, checking eSIM cards associated with your customer, history of contracted plans and their status, usage/remaining days counter, checking and managing bills), or your device's storage. This data is processed instantaneously and local to your phone; we will not have continuous access to this data.

Finally, accepting cookies generates usage data that we can associate with you as an eSimFLAG Customer or User. You can also consult our Cookie Policy.

4.3 Data on customers or users under years of age

At eSimFLAG we expressly prohibit persons under the age of 14 from providing us with their personal data without the prior consent of their parents, guardians or legal representatives. In addition, we ensure the appropriate use of data pertaining to under--year-olds by taking the appropriate measures as established by the applicable laws.

If, as an eSimFLAG customer, you allow a minor under the age of 14 to use our services, you are responsible for authorising this and making decisions regarding the processing of their data with eSimFLAG, in accordance with this Privacy Policy. Likewise, if as a parent, guardian or legal representative of a child you detect unauthorised data processing, you can send your queries or complaints to us at help@esimflag.com.

At eSimFLAG, we process your data to provide you with the best possible service and for other legitimate or authorised purposes, in accordance with our privacy policies and applicable terms. Whenever we process your Data, we do so transparently and you are in control.

Below, we present the purposes of the various Data processing operations and provide details of the applicable legitimising bases.

5.1. To provide you with the best possible service

At eSimFLAG we want to provide you with the best possible service. For this reason, we process the data collected in the section What data do we process? to correctly execute the contract that you have signed with us (for example, verifying your identity, formalising the contract, managing the contractual relationship, assisting you, activating services, issuing bills, etc.) (see more details in the Additional Information section).

We also process your data to improve efficiency and maintain the highest levels of security, quality and trust, based on our legitimate interest and taking into account your reasonable expectations. We give you the details:

to. To improve our Services:

• To understand how our Services, Websites and Apps are used we conduct analyses, studies, and evaluations that allow us to predict your needs and make better business decisions.
• To verify the correct operation from our technological and Service development processes, we develop and train analytical models.

To improve our customer service and your experience:

To find out the quality, suitability and satisfaction levels for the services provided by the eSimFLAG brand

• To evaluate the quality of our Services, we carry out surveys and analyses. Even if you stop being a Customer, we may contact you within three months to understand the reasons for your cancellation and to continue improving your experience.
• To offer you personalised care, we conduct analyses to determine your satisfaction level and the quality of the service you receive.

c. To improve our processes

• To offer you more efficient customer service, we perform analyses that help us automate our processes.
• To make information more understandable, useful and appropriate for all other purposes, we organise and structure the available data.

d. To ensure the security and proper use of our Services:

• To maintain network security, we detect and prevent security incidents and technical failures or errors relating to the transmission of electronic communications.
• To detect and prevent irregular contracts and abusive or fraudulent uses of our Services, we carry out analyses and take the actions we consider necessary to take corrective action as needed.

5.2 To get to know you better and make recommendations

At eSimFLAG we want to offer you the best and ensure that you are always up to date with what really interests you. To do this, based on our legitimate interest, taking into account customers' reasonable expectations and unless they object, we process their data to create a commercial profile and make personalised recommendations through our channels or by sending commercial campaigns, for which we will make eSimFLAG recommendations based on the data provided to us, the consumption and billing data of our Products and Services, data generated when using eSimFLAG Apps and Websites (including ‘cookies’ if these have been accepted), as well as data calculated to create a basic profile and offer our customers, by any means, eSimFLAG recommendations tailored to their needs.

For example, if you are interested in a particular service, when we have a promotion, we may recommend it to you.

If you give us your consent, we may process your data for the specific purposes detailed below:

to. Data processing for Collaborator advertising: We may send you personalised commercial communications, including electronically, about our Partners' products and services that may be useful to you when travelling to other countries.

b. Using biometrics to verify your identity: Your digital security is our priority. So that your digital identity is more protected, if you give us your consent, we will use the biometric pattern provided by Advanced Verification to authenticate you quickly and safely.

For example, if someone tries to impersonate you to carry out a fraudulent action in your name, we can prevent it by using your biometric pattern. Your identity will be more thoroughly and securely protected

You are always in control. You may exercise your right to object or withdraw your consent to this processing at any time, as detailed in the Exercising your rights section.

5.3. Collaborations with third parties

At eSimFLAG, we may share limited information about your communications service with third parties based on legitimate interest (for example, when the purpose of the processing is to prevent fraud), or by informing you and obtaining your consent —either by eSimFLAG or by the third parties themselves— for promotions or offers in countries you may travel to (such as promotions in hospitality or dining, leisure activities, insurance, car rentals, etc.).

5.4. Purposes related to regulatory compliance

At eSimFLAG, in order to comply with the applicable legal obligations, we may process your data for the following purposes:

to. to comply with the data retention obligations relating to electronic communications and public communications networks (Law 25/2007, of October 18 and any other applicable regulations), as well as the obligations to intercept electronic communications (Law 9/2014, of May 9, General Telecommunications Law and its implementing regulations).

b. to comply with the measures established against unauthorised and irregular trafficking for fraudulent purposes in electronic communications (Royal Decree 381/2015, of May 14).

c. to ensure the provision of the Spanish 112 emergency service, accessible throughout the country (Royal Decree 903/1997, of June 16, and applicable regional legislation).

d. to comply with our judicial, tax, and administrative obligations. This may involve, for example, sharing your data with competent bodies (such as consumer protection agencies or the Spanish Data Protection Agency) to respond to requests for information.

and. to maintain the security of electronic communications networks and services, detect failures or technical errors in the transmission of electronic communications, and carry out any processing necessary to properly provide the telecommunications service or comply with any other applicable sector regulations.

F. to comply with the legal obligations regarding service quality established by telecommunications legislation.

g. to comply with any other obligations necessary to perform our functions as a telecommunications operator or information society service provider.

5.5 Additional reasons

If at any time we need to further process your personal data for a purpose other than those indicated, we will inform you in advance, including the details and reasons for the processing, as established by law.

6.1 Security and confidentiality

At eSimFLAG, we understand how important your privacy is to you. Therefore, as part of our commitment, we guarantee the security, secrecy, and confidentiality of your personal data and adopt the most appropriate security measures and technical means to prevent loss, misuse, or unauthorised access.

When you entrust us with your personal data, we protect it with rigorous procedures and security measures to prevent unauthorised access. Furthermore, all the personal data you provide when you communicate with us is treated with absolute confidentiality, and we commit to maintaining its confidentiality and adopting all necessary measures to prevent its alteration, loss, misuse, or unauthorised access, in accordance with current legislation.

In the event of a security breach that puts your rights and freedoms at risk, we will take the necessary steps to correct the situation and mitigate any potential negative impacts. In addition, when required by current regulations, we will notify those affected and the competent national authority.

6.2 Information retention periods

At eSimFLAG, we process your data solely and exclusively for the time necessary to fulfil the purposes for which we collected it at any given time.

Unless otherwise specified in this Policy or in the terms and conditions of the provision of the eSimFLAG Services, the following are the maximum retention periods defined by the type of Data:

• The Data provided by the Customer or User, for example, identifying data to manage your contract or the history of contracted Services, etc., will be kept while you are registered and for up to 10 years after cancellation, as established by consumer legislation and other applicable regulations.
• The Billing information will be kept for a maximum period of up to 10 years, regardless of whether you remain registered, as established by civil, commercial and tax legislation.
• The Data generated by the use of the services will be kept for a maximum period of 12 months, unless a longer period is necessary to fulfil the various purposes explained in this Policy. For example, to comply with the data retention obligation established by Law 25/2007 regarding traffic and location data that may be requested by court order.
• The Data calculated or estimated by eSimFLAG is stored and processed for a maximum period of 12 months, unless a longer period is necessary to fulfil the purposes of providing service and to better understand you as provided in this Policy.

After the indicated periods have elapsed, we may destroy, block, or anonymise the data, as required by law.

6.3 International data transfers

At eSimFLAG, we outsource the management of some functions necessary to provide our services to data processors located outside the European Economic Area, which guarantee an adequate level of data protection. You can consult the list in the Additional Information section of this document.

7.1. These are your rights

As an eSimFLAG customer and user, you have the following rights over your personal data:

• Access: You have the right to know whether we are processing your personal data and, if so, to receive information about which data we are processing.
• Rectification: If any of your data is inaccurate or incomplete, you have the right to correct or modify it.
• Deletion: Unless we are required to retain it by law or for legitimate reasons, you have the right to request that we delete your data. For example, if it is no longer necessary for the purposes for which it was collected, you have the right to request that we delete it as soon as possible.
• Limitation: In the cases established by law, you can ask us to stop using your data, so that we only retain it for the exercise or defence of potential claims.
• Opposition: In some circumstances, motivated by your particular situation, you can object to us processing your data, and we will stop processing it, unless there are legitimate reasons that justify it or we need it to exercise or defend potential claims.
• Portability: In order to transmit your data to another data controller, you have the right to receive your data in a structured, commonly used, and machine-readable format, provided you provide us with a valid email address.

7.2. This is how you can exercise your rights

At eSimFLAG, we will take the necessary steps to ensure that you can exercise your rights free of charge. You can do so by identifying yourself as a Customer and indicating the right you wish to exercise and the telephone numbers affected, using one of these options:

• By emailing your request to te_datos@telefonica.com, REF: eSimFLAG
• Through other means, such as the eSimFLAG App or your private area at www.esimflag.com

In general, We will respond to your request within a maximum period of one month, although, depending on the complexity of your request, full implementation could take a longer period, never exceeding two months.

On the other hand, if you are not satisfied With the resolution of your request to exercise your rights, you can:

• Contact the data protection officer by emailing DPO_movistar@telefonica.com. Use our independent online mediation system that manages Autocontrol, by emailing mediacion@autocontrol.es. For more details, you can consult the Codes we adhere to in the Codes of Conduct section of our Privacy Policy.
• If you wish, you can also submit your claim to the Spanish Data Protection Agency. Address C/Jorge Juan, 6 – 28001 Madrid | Tel.: 901 100 099 or 91 266 3517.

At eSimFLAG, to manage some of the functions necessary to provide the service, we hire trusted suppliers who may access your Data as data processors and who will have the contractual obligation to comply with their legal obligations and to maintain the confidentiality and secrecy of the information.

In addition to the above, we may share your data with third parties under the following circumstances:

to. Communications necessary for the provision of the service

Given the configuration of our service offering, the data controller may send you communications to properly provide and manage your Service or to recommend the commercial offer that best suits you (for example, a notification when your contracted plan is about to end).

b. Communications to our Collaborators

As you may have agreed to receive commercial communications from companies we collaborate with, if such communications are displayed, data may be shared within this group for internal administrative purposes. For example, to obtain aggregated statistics or results, or to centrally manage computing resources (applications, servers, systems, etc.).

You can consult the list of companies in the Additional Information section of this document. Under no circumstances will these companies have permanent access to your Data; they will only access it in specific, permitted cases.

c. Communications to credit reporting systems and fraud prevention systems:

In the event of non-payment, and in accordance with applicable regulations, we may report the debt-related data to the credit information systems we work with: ASNEF (managed by Equifax Ibérica, S.L.) and BADEXCUG (managed by Experian Bureau de Crédito, S.A.).

Furthermore, as we participate in the Hunter Telco system (for which the Spanish Association of Companies Against Fraud is jointly responsible), we may share the information provided in the contract application with the Hunter system for comparison with other data stored in the system for the sole purpose of identifying potentially fraudulent information. If we detect inaccurate, irregular, or incomplete data, it will be reviewed in greater detail and, where appropriate, included in a file to generate alerts about potentially fraudulent requests received by the Hunter system. You may exercise your rights before the Spanish Association of Anti-Fraud Companies by sending a signed request along with a copy of your identification document to P.O. Box 2054, 28002 Madrid. You can also consult the list of entities affiliated with the Hunter system at www.asociacioncontraelfraude.org

d. Communications to financial and payment entities

We share your data with credit and payment institutions to manage payments for contracted services.

and. Communications to comply with legal obligations

When necessary to comply with our legal obligations, we may disclose data to third parties such as auditors, lawyers, and court representatives, for example when required in legal proceedings.

Also, depending on the applicable regulations, we may share data with public authorities, such as tax and customs authorities, judicial authorities, authorities responsible for telecommunications, consumer protection, or data protection, law enforcement agencies, and entities providing emergency 112 call services.

9.1 Scope of application

This privacy policy sets out how we protect and manage your personal data at eSimFLAG and supersedes any previous version. Furthermore, this policy is complemented by the specific privacy conditions of the eSimFLAG services, which will be applied systematically and consistently, always respecting your wishes and without modifying the specific conditions of the services.

Finally, you should keep in mind that:

• If a competent authority declares any provision of this policy invalid or unenforceable, that part will be deemed not to be included, without affecting the rest.
• If we do not immediately exercise any right or claim a breach of this policy, this does not mean that we waive that right or that we will not pursue it in the future.

9.2 Updating

This Privacy Policy may evolve and change at any time. When this happens, we will make the update public. We will also keep you informed if there are any changes that affect your rights or freedoms. For example, if we introduce new processing that requires your consent, in addition to publishing the change, we will ask for your consent before carrying out the processing. If we make any changes to the scope of our legitimate interest that affect the processing of your Data, we will notify you directly and inform you of your rights.

We will notify you of changes to this Policy with the legally required notice through the contact methods we have for interacting with you and that you have provided to us (SMS/RCS), or via your customer area on our Websites and Apps, as applicable.

Please note that if you continue to use our services after receiving notice of any changes, we will assume that you accept and agree to the new terms set out in the updated privacy policy.

1. Profiling

Profiling is a process that may involve a number of statistical inferences. It is commonly used to make predictions about people, using data from different sources to infer something about a person based on the characteristics of others who seem statistically similar. This process involves analysing a set of clients or users, encompassing various stages of research, prototyping, design, testing, training, and validation, with the goal of identifying common patterns and correlations applicable to the set of clients or users.

We will use the Data you have provided to us as a Customer or User, the Data generated by using our Services, and the Data we calculate or estimate from them perform profiling. We will always respect your privacy preferences and use profiling to learn more about you and make personalised recommendations tailored to you, or even more precisely tailored to your needs, depending on whether your profile is basic or advanced. When profiling, we distinguish between customer, household, and mobile user or line data.

In relation to the Data calculated or estimated by eSimFLAG, we distinguish between customer data and that associated with the home, and Data relating to the user or mobile line that is not identified.

Some of the Data we calculate or estimate includes: the need for and type of internet connectivity that best suits your profile (for example, changes in connection speed, the need for connectivity in second homes), the likelihood that you will contract or cancel contracted services, the need to contract new mobile lines, the need to incorporate new equipment to improve your home (for example, alarms, solar panels, etc.), age (of your contract, line or device used), your preferred purchasing channel, your customer service province and nearest store, the type of housing, the return on commercial campaigns carried out, your technological level or presence in your home.

2. Advertising media

In order to complete the information on the advertising media used by eSimFLAG (including electronic and digital media), please note that such targeted communications may be sent by any means where you have identified yourself or are identifiable, i.e., through cookies or other online identifiers, your email address or your mobile phone number. For example, we may direct these communications through the following channels:

• Email
• Own or third-party messaging services, such as SMS, RCS or WhatsApp
• Social media such as Facebook, Instagram, X (formerly Twitter), LinkedIn or YouTube
• Banners on third-party apps and websites
• Banners or advertising spaces on television, such as Movistar Plus+
• Notifications in apps and websites
• Bus shelter ads and other forms of outdoor advertising
• Postal mail

We will only send you personalized recommendations through these channels if you have not objected or if you have given your consent for the processing of the data required to carry out the advertising campaign. According to the channel used, we will respect the preferences you have indicated in the 'Privacy Preferences' section of your eSimFLAG customer area, either on the website or in the app.

Additionally, we will only use advertising cookies to send you personalised recommendations outside our website and measure the effectiveness of our online campaigns if you have given your consent via the banner on our website or the cookie settings panel. To learn more about how cookies are used, you can consult the specific section or the eSimFLAG Cookie Policy.

In addition, to monitor our commercial campaigns, we will:

With these analyses, we can get to know you better and personalise our recommendations, making them more useful and improving your experience.

• Analyse SMS or RCS openings and advertising emails sent by eSimFLAG and metrics on the most impactful campaigns.
• Analyse the origin of traffic to our website www.esimflag.com or to the content to which the campaign is directed. When you visit our website or applicable content, we will analyse whether the source is a campaign received via SMS, RCS, email, or whether it is a social media campaign or an advertising banner included on other websites or media.
• Analyse campaigns sent through any channel to monitor the number of impressions delivered to the Customer or User.

3. Joint responsibility

Both Telefónica de España S.A.U. and Telefónica Móviles España S.A.U. are jointly responsible for the processing, given that we both jointly determine the purposes and means of processing customer data and offer our customers a range of products and services under different brands (Movistar, O2, eSimFLAG) or any other brand marketed by either company.

The aforementioned companies are jointly responsible for the processing of the Data pertaining to Customers or Users of Movistar Products and Services, although each company independently assumes other responsibilities.

In addition, although we jointly assume responsibility as established by the applicable regulations, we have internally distributed the individual functions derived from joint responsibility as follows:

• Specifically, communications to official bodies or to the Data Protection Agency that must be made on behalf of the companies as a result of the established joint responsibility will preferably be made by Telefónica Móviles de España SAU, although this does not prevent Telefónica de España SAU from making the communications it deems appropriate.
• We manage compliance with the principle of transparency in a unified manner through various privacy notices, privacy clauses in the terms and conditions of our Products and Services, and various Privacy Policies applicable to different types of customers.
• We manage requests to exercise rights in a unified manner through the means indicated in Movistar's Privacy Policies as well as in the 'Exercising your rights' sections of the Privacy Policies.
• Each entity will process the Data necessary to provide and maintain the services contracted by the Customer. In addition, some data will be managed jointly for permitted purposes, such as customer service, automating procedures for permitted purposes, improving technical and commercial service, verifying customer satisfaction, detecting and preventing fraud and abusive use of services, and analysing or predicting preferences and interests at a basic level in order to offer personalised recommendations to customers.

Although the general or specific conditions of each product or service indicate who is the provider of the contracted services, in general terms:

• Telefónica de España SAU provides fixed communications services (telephony, fixed internet and related services such as secure connection or rental of connectivity equipment), television, telemedicine and related services.
• Telefónica Móviles España SAU provides mobile communications services (telephony, mobile internet, roaming, and services associated with eSimFLAG (data service).

You can find more details in the terms and conditions of the Products and Services you have contracted, available at www.esimflag.com and in the Terms and Conditions section of the Transparency Centre.

4. Categories of destinations

These are the categories of trusted providers that may process your Data only to perform their functions and for the purposes indicated at any given time:

• Telecommunications services
• Customer services
• Audit, quality and consulting services
• Installation, maintenance and service provision services
• Postal, distribution and courier services
• Administrative and backoffice services
• Financial, banking and payment services
• Tax management services
• Archiving, custody and digitisation services
• Information removal and destruction services

5 International data transfers

Data processors located outside the European Economic Area will process the Data ensuring an adequate level of protection. Below, we list the services they provide, the countries they serve, and their guarantees:

• Telna-Global Connectivity Service, Canada, Standard Contractual Clauses.
• Telephone customer service, Colombia, Standard clauses

6. External sources

Depending on the purpose and in compliance with the principles established in this Policy, we may use the following external sources:

• Incident Response Centre of the National Cybersecurity Institute (INCIBE-CERT)
• Tools for detecting vulnerable systems or spam lists: these include Shodan, Uceprotect, Symantec, Bluecoat, Autofocus, MISP, etc.
• Websites that provide information about email credentials or usernames that have been subject to information leaks published on the Internet, such as: https://haveibeenpwned.com, etc.

Codes of conduct

eSimFLAG adheres to the Code of Conduct for Data Processing in Advertising and the Code of Conduct for the Resolution of Data Protection Disputes in the Electronic Communications Sector, both managed by AUTOCONTROL.

As a member entity and under the terms of both codes, the Customer may turn to AUTOCONTROL for the alternative resolution of any disputes that may arise in relation to privacy, provided that the dispute falls within the scope of application of one of these codes.