Safeguarding privacy

[G4-Dma Customer Privacy], [G4-PR8] In order to ensure that personal data is protected in the performance of business activities, Telecom Italia has applied an organisational model, since 2003, which includes a Privacy Function supervising correct application of the relevant regulations throughout the Group (according to Legislative Decree 193/03, known as the “Privacy Code”). In this context, when it establishes or acquires new companies, the Parent Company also provides the support required to identify and carry out the formalities required.

The adoption of legal measures and the instructions of the Privacy Guarantor for personal data protection is assured by constantly updating the Group regulations and policies. Particularly important among these is the “System of rules for the application of the privacy regulation in the Telecom Italia Group”, which defines the provisions and operating instructions for each commitment concerned and which, in 2015, was completely revised and updated in line with the regulatory evolution and the introduction of new customer services.

In 2015, the framework of the Company’s personal data processing provisions was enhanced with a policy on compliance requirements for the processing of anonymised or pseudonymised data, under the scope of big data type analyses. This policy also considers the opinions on the matter issued by the Group of European Privacy Guarantors (article 29 Working Party) and the indications given by the Italian Data Protection Authority regarding the examination and approval of the procedures established by Telecom Italia to protect the personal data of its customers in the context of a project to analyse the mobility of the population devised to respond to the information requirements expressed by public organisations and government offices that manage land and transport infrastructure.

The Company policy that defines the compliance requirements for the systems dedicated to the supply of ICT services (e.g. storage, disaster recovery, systems management, etc.) for business customers has also been updated.

Also during the course of 2015, Telecom Italia continued to take the steps required to implement provisions in its internal processes to deal with any violation of personal data security relating to electronic communication services (so-called “data breaches”).

In particular, 9 training meetings were organised involving over 220 officers and managers, to disseminate and illustrate the specific internal procedure, which describes the activities to be undertaken and the related responsibilities should events defined as data breaches occur.

The constant training activity, carried out in order to disseminate and ensure the correct application of internal privacy legislation, in 2015 took concrete form in a specific update for the operators involved in the compulsory procedures for the judicial authorities and in investigations of privacy aspects as part of a cycle of seminars for employees on big data matters. Other training interventions involved the sales network, as regards matters relating to the possibility of contacting customers and the resources appointed for staff recruitment. Furthermore, meetings centred on the management of telephone and electronic traffic data were held both during periodic training seminars to train conciliators, which are attended by representatives of Telecom Italia and consumer protection associations, and also during specific activities dedicated to the external sales force of the Business Department and to commercial compliance.

The effective application of the regulations is monitored through a control system based on regular self-assessment procedures by those responsible for handling the data, and on sample checks carried out by the relevant central departments, based on established procedures and methodologies. In consideration of these activities, a Report has been prepared on the status of adoption of the security measures envisaged by privacy legislation that, in a company document, formalises the activities carried out to guarantee compliance with the provisions on personal data processing, the results achieved and the status of plans for improvement.

With regard to privacy protection relating to new technologies, Telecom Italia is also involved in initiatives of the European Commission (EU) to promote in the EU the development of cloud computing services that fulfil the requirements of EU law. In particular, Telecom Italia is actively involved in international working groups assigned by the European Commission to develop standards for establishing service levels (https://ec.europa.eu/digital-agenda/en/news/cloud-service-level-agreement-standardisation-guidelines), model contracts and a reference code of conduct (https://ec.europa.eu/digital-agenda/en/cloud-select-industry-group-code-conduct) for the suppliers of these services.

The following table shows:

  • the information requests made to Telecom Italia, in Italy, by the Italian Data Protection Authority, including those made following reports from customers;
  • the percentage of such requests filed by the Italian Data Protection Authority based on explanations supplied by Telecom Italia.¹

Description                     2015    2014    2013
Requests received               220     435     368
Percentage of requests filed    >98%    >98%    >99%

With regard to Brazil, in accordance with the Federal Constitution, article 3 of the general law on telecommunications no. 9.472 of 1997 establishes the right of customers to the confidentiality of their personal data. The personal mobile service regulation, in articles 89, 90 and 91 of Resolution 477 of the national telecommunications agency (ANATEL), requires companies to take responsibility in this respect and establishes that any waiver of confidentiality must take place only if requested by the relevant authority in the cases provided for by law.

In order to ensure the confidentiality of its customer information, in accordance with national legislation (including Articles 10 and 11 of the “Marco Civil”), TIM Brasil has issued relevant internal policies and procedures based on the “need to know” (personal data processing is restricted to the minimum required to carry out the work) and separation of functions principles. These policies and procedures recall the methods for the classification and management of information in order to guarantee suitable protection levels. In Brazil, no violations have been noted in relation to privacy in 2015 and 2013 and only 1 case in 2014.² It should be noted that the difference between the legislations of Italy and Brazil does not allow for any comparisons to be drawn between homogeneous data.

1 Other reports received regarding alleged small breaches of privacy are handled by the 187 service and relate for the most part to unsolicited inclusion in the telephone directory.

2 The 2014 case refers to an extraction of telephone data without legal authorisation. The penalty applied was 5,000 reais.