Menu

In order to ensure that personal data is protected in the performance of business activities, TIM has applied an organisational model, since 2003, which includes a Privacy Department supervising correct application of the relevant regulations throughout the Group (according to Legislative Decree 193/03, known as the "Privacy Code"). In this context, when it establishes or acquires new companies, the Parent Company also provides the support required to identify and carry out the formalities required.

The adoption of legal measures and the instructions of the Privacy Guarantor for personal data protection is assured by constantly updating the Group regulations and policies. Among these, the "System of rules for the application of the privacy regulation in the TIM Group" is particularly important, which defines the provisions and operating instructions for each commitment concerned and which in 2015, was completely revised and updated, according to the regulatory evolution and the introduction of new customer services.

A major evolution of the regulatory framework of reference is represented by the European Union (EU) Regulation No. Regulation 2016/679 on the protection of individuals with regard to the processing of personal data (so-called "General Data Protection Regulation" or EU GDPR), which will be applicable in Italy and in the other Member EU starting on 25 May 2018.

This regulation will introduce various innovations, including:

  • harmonisation of legislation, with common rules directly applicable across the EU;
  • applicability also to non-EU parties that process the data of people in the EU for specific purposes;
  • the gradual introduction of the obligations in relation to the risk privacy and accountability subjects that process interception data (for example, provisions on privacy impact assessment, documentation activities, security measures and data breach and introduction of such a figure of the Data Protection Officer);
  • economic significance of the sanctions applicable in case of violation.

TIM has defined a plan of adaptation to EU GDPR, in order to create the new obligations and guarantee as part of the Group Companies the compliance of data processing of personal data by the deadline of 25 May 2018, taking account of the technological and organizational and business activities. In particular, the adjustment plan was achieved through a prior analysis of the provisions of EU GDPR and the subsequent identification of areas of intervention that had led to the establishment of work groups, whose activities are periodically monitored. These working groups guide the main changes of interests of TIM introduced by EU GDPR, including those relating to: registers of treatment (envisaged for document all processing activities on personal data carried out by TIM), privacy impact assessment (for the processing of personal data at high risk "Privacy"), data breach (extended to all types of personal data), rights to those concerned (following the introduction of new rights to oblivion and to the portability of personal data) and Data Protection Officer (figure obligatory for TIM, whose role is designed to facilitate compliance with the provisions of the EU GDPR to guarantee the company's Executive Directors, called to ensure and demonstrate compliance with the provisions in accordance with the principle of accountability).


Also during the course of 2017, TIM continued to take the steps required to respond to the information requests TIM received from the Italian Data Protection Authority, as well as to ensure the implementation of provisions in its internal processes to deal with any violation of personal data security relating to electronic communication services, so-called “data breaches”.

The table below shows the information requests made to TIM, in Italy, by the Italian Data Protection Authority, including those made following reports by customers.        

  2017 2016 2015
Requests received 124 (*) 33 220
       
(*) 51 refer to identified leaks, thefts, losses of customer data

In respect of the provisions laid down by the Italian Data Protection Authority, TIM will also comply with the obligation prescribed by art. 96 of the Electronic Communications Code to provide the services to be provided for the purposes of justice to the Judicial Authority and the Judicial Police which it has delegated.

Over the course of 2017, 1,203,149 requests of this type were received and processed.