Data Privacy

9.3. Data Privacy

9.3.1. Commitment
The protection of personal data is fundamental to preserving the trust of customers and employees. The division is committed to safeguarding and protecting the personal data of its customers and employees. Employees must only collect and use personal data in accordance with applicable data protection laws, as well as the Group’s policy on Personal Data Governance and local policies and procedures of the Telecommunications division. 

9.3.2. The Challenges
In the telecommunications industry, data privacy and protection is a key issue due to the regulatory obligations and the increasing customer concern on how their personal data are used, in the context of an extremely dynamic environment in which its business model and related technologies are changing constantly.

Each business unit handles an immense amount of customer information in varied systems and platforms. Any significant loss of data would entail considerable risk for the Telecommunications division in terms of customer concern, reputational damage and economic loss. Therefore, the division’s management is directly responsible for managing and protecting customers’ personal and non-personal data. 

9.3.3. Initiatives

9.3.3.1. Enhancement of Data Privacy Policies and Control Systems
The Telecommunications division’s policies on data privacy and security are primarily designed according to relevant regulatory requirements. Also, a Privacy Notice was developed and made available on the business units’ websites or included in the sales agreement to clearly state the type of personal data processed and rights of customers.

In addition, the division’s business in Europe has been adopting a new control system to strengthen governance, risk management and compliance to minimize the risk of data privacy breach.

For example, Wind Tre has adopted a Governance, Risk Management and Compliance system (eGRC) that allows it to monitor the entire data processing chain, as well as to analytically assess the level of compliance of each system involved. In consideration of the provisions of the General Data Protection Regulation, new analysis and verification processes were developed (e.g. Privacy by Design and by Default) in 2018 and have been implemented on a company-wide scale. As a response to securing data and supporting customer needs, a privacy and customer protection unit, information security unit and corporate security governance unit are established to handle data privacy related matters.

3 Denmark and 3 Sweden have adopted a new central data protection system, introduced new governance controls, conducted processing mappings and increased the information flow about personal data processing to customers through direct channels.

In other business units, they have also amended their policies and strengthened controls to ensure compliance with relevant data privacy laws. Customers are also able to exercise their rights to access and correct any personal data which they have provided via multiple application channels.

9.3.3.2. Data Privacy Training and Campaign
Employees handle customers and company data on a daily basis. To ensure employees understand relevant data privacy laws, the division provides related trainings regularly.

Every business unit has regular internal communications and workshops for customer-facing employees to reinforce the importance of customer data protection and to ensure employees stay up-to-date with the latest requirements and development of the relevant rules and regulations. Similar trainings were also provided to subcontracting staff who handle customer personal data.

The division also uploads its data privacy related operational guidelines, handbooks and procedures to the intranet or dedicated website for easy access by employees.

9.3.3.3. Incident Management
When a Data Security Incident (“DSI”) occurs which involves personal data, the division aims to mitigate the potential consequences and to secure personal data from further unauthorised access, use or damage as quickly as possible.

The division responds rapidly and in accordance with applicable DSI procedures, which may include notifying the Privacy Authorities and/or affected individuals if required. In the event of a DSI involving personal data, the Legal Department is alerted immediately. Further guidance on notification and handling of DSI is issued from time to time.