Menu

Respecting privacy regulations is a priority for TIM, which since 2003 has had a structured organisational model in place which is capable of overseeing the correct application of this legislation at Group level. Company departments are committed to ensuring the correct processing of personal data of data subjects, including customers and employees, in carrying out business activities.

In May 2018, the Data Protection Department was established at TIM Group level, dealing with control, consultation, training and information regarding the application of privacy legislation. The adoption of legal measures and the instructions of the Italian Data Protection Authority for personal data protection is assured by constantly updating the Group regulations and policies. Of these, the “System of rules for the application of the regulations relating to the protection of personal data in the TIM Group” is particularly important; it defines the provisions and operating instructions to comply with these provisions, completely reviewed and updated in 2018, to incorporate amendments to the law

From 25 May 2018, Regulation (EU) No. 2016/679, concerning the protection of individuals with regard to the processing of personal data (“General Data Protection Regulation” or GDPR), includes various updates on the previous legislation on the matter, such as:

  • harmonisation of legislation, with common rules directly applicable across the EU;
  • applicability also to non-EU parties that process the data of people in the EU for the purposes of sales or monitoring of their behaviour;
  • the level of significance of the obligations in relation to the privacy and accountability risk of entities that process data (e.g. provisions on the privacy impact assessment, documentation of processing, security and data breach measures, anthe introduction of the role of Data Protection Officer);
  • strengthening rights exercisable by individuals (e.g. customers, employees), such as the new rights to be forgotten and to personal data portability;
  • economic significance of the sanctions applicable in case of violation.

To ensure - within the Group Companies - conformity of personal data processing with the GDPR, TIM carried out the activities envisaged in the adjustment plan by the 25 May 2018 deadline, which was implemented by almost all departments of TIM and the Group Companies in about 18 months. Specifically, the actions have included:

  • the appointment of the Data Protection Officer and activation of related touch points for data subjects for matters relating to the processing of their personal data;
  • the appointment of internal Privacy Officers, employees with specific duties and instructions to assist the Company’s senior management in implementing the obligations;
  • the updating or issue of numerous policies and procedures, including those that define obligations relating to data breach (extended to all types of personal data), privacy impact assessment (for the processing of high privacy risk personal data), customer profiling, management of data subject requests concerning the exercise of their rights;
  • updating of the TIM compliance catalogue to render it compliant with the requirements of the processing activity register;
  • the updating of the texts of the numerous processing of personal data disclosures, provided by TIM and other Group companies to the different types of data subjects (e.g. customers, employees, visitors);
  • the review of the procedures to ensure compliance with the law in cases of activities assigned to third parties (e.g. suppliers and business partners).

A specific training project was then put in place to raise awareness in the various company departments and to illustrate the policies and procedures issued for GDPR application. Eight training programmes were carried out involving the participation of about 600 TIM and Group Company employees.

Also during the course of 2018, TIM continued to take the steps required to ensure the implementation of provisions in its internal processes to deal with any violation of personal data security (so-called “data breaches”), as well as to respond to the numerous customer requests (for example, to know what personal data is being processed by TIM or exercise other rights) and the information requests submitted to TIM by the Italian Data Protection Authority.

The table below shows the information requests made to TIM, in Italy, by the Italian Data Protection Authority, including those made following reports by customers.

 

 

 

 

 

.

  2018 2017 2016
Requests received 71 124 33