[G4-DMA Customer Privacy], [G4-PR8]
In order to ensure that personal data is protected in the performance of business activities, TIM has applied an organisational model, since 2003, which includes a Privacy Department supervising correct application of the relevant regulations throughout the Group (according to Legislative Decree 193/03, known as the “Privacy Code”). In this context, when it establishes or acquires new companies, the Parent Company also provides the support required to identify and carry out the necessary formalities.
The adoption of legal measures and of the instructions of the Privacy Guarantor for personal data protection is assured by constantly updating the Group regulations and policies. Among these, the “System of rules for the application of the privacy regulation in the TIM Group” is particularly important: it defines the provisions and operating instructions for each commitment concerned, and in 2015 it was completely revised and updated in line with regulatory developments and the introduction of new customer services.
An important development in the regulatory framework of reference is the publication of the EU Regulation 2016/679, on 4 May 2016, on the protection of natural persons with regard to the processing of personal data (known as the “General Data Protection Regulation” or GDPR), which will come into force in Member States from 25 May 2018. This Regulation will introduce various innovations, including:
- harmonisation of legislation, with common rules directly applicable across the EU;
- applicability also to non-EU parties that process the data of people in the EU for specific purposes;
- accountability of parties that process the data (requirements regarding privacy impact assessment, privacy by design, documentation of activities, etc.);
- introduction of the concept of pseudonymisation of the data and the respective rules;
- introduction of the Data Protection Officer figure;
- economic significance of the sanctions applicable in case of violation.
In the second half of 2016, TIM started planning adjustment measures in order to comply with the new requirements and ensure conformity in the processing of personal data by the established deadline of May 2018. In particular, there is a plan to set up an inter-department working team to determine the adaptation measures in detail, considering the technological and organisational context and business activities. Furthermore, TIM is actively involved in the dedicated GSMA and Confindustria task forces.
In operational terms, during 2016, particular attention was paid to the subject of telemarketing, which is an important tool for TIM’s business activity. TIM has always been committed to ensuring that telemarketing is carried out in compliance with the rules: TIM has no interest in contacting people who have stated that they do not want to receive promotional calls, given the negative impact this can have on its relationship with customers and, more generally, its reputation.
To this end, TIM has revised the relevant company processes, implementing a series of improvements to the activities associated with contacting people by telephone for commercial purposes, including:
- strengthening of controls on contact centres and the production of contact lists;
- optimisation of internal processes and procedures for recording objections to further data processes for marketing purposes expressed by the people contacted.
Furthermore, a training plan was implemented for the internal staff and commercial partners, in order to ensure the full understanding and application of the privacy rules, particularly with regard to sales and marketing activities. 23 local meetings were held in total, involving around 500 people. The ongoing training activity on privacy in 2016 also included an in-depth analysis of privacy aspects in the context of projects based on the analysis of big data.
The effective application of the regulations is monitored through a control system based on regular self-assessment procedures by those responsible for handling the data, and on sample checks carried out by the relevant central departments, based on established procedures and methodologies. On the basis of these activities, a Report on the status of adoption of the security measures required by privacy legislation is envisaged: a company document that formalises the activities carried out to guarantee compliance with the provisions on personal data processing, the results achieved and the status of plans for improvement.
Finally, also during the course of 2016, TIM continued to take the steps required to implement provisions in its internal processes to deal with any violation of personal data security relating to electronic communication services (so-called “data breaches”).
The following table shows the information requests made to TIM, in Italy, by the Italian Data Protection Authority, including those made following reports from customers.
(*) the percentage of requests filed in 2014 and 2015 was higher than 98%, the data for 2016 will be published as soon as it is made available by the data protection authority.
With regard to Brazil, pursuant to article 5 of the Federal Constitution and article 3 of the General Law on Telecommunications no. 9.472 of 1997, the right of customers to the confidentiality of their personal data is established (except in the cases provided for by law). The personal mobile service regulation, in articles 89, 90 and 91 of Resolution 477 of the national telecommunications agency (ANATEL), requires companies to take responsibility in this respect and establishes that any waiver of confidentiality must take place only if requested by the relevant authority in the cases provided for by law. Federal Law no. 12,965 (Marco Civil) of April 2014, articles 10 and 11, ensures the privacy and protection of personal data for Internet users.
In order to ensure the confidentiality of its customer information, in accordance with national legislation (including Articles 10 and 11 of the “Marco Civil”), TIM Brasil has issued relevant internal policies and procedures based on the “need to know” principle (personal data processing is restricted to the minimum required to carry out the work) and the separation of functions principle. These policies and procedures set out the methods for the classification and management of information in order to guarantee suitable protection levels. In 2016, TIM Brasil received 14 complaints [1] of alleged violations of privacy from customers (the process is in the initial stages). There were no complaints in 2015 and only 1 case in 2014 [2].
It should be noted that the differences between Italian and Brazilian legislation mean that the two sets of data are not homogeneous and cannot be compared.
[1] Eleven cases related to a fraudulent SIM card swap which allowed the perpetrator to obtain confidential information used to commit blackmail and theft. Two cases related to a request for confidential information without legal authorisation. The last case relates to the transfer of a line from one customer to another.
[2] The 2014 case refers to an extraction of telephone data without legal authorisation. The penalty applied was 5,000 reais.