Respecting privacy regulations is a priority for TIM, which since 2003 has had a structured organizational model in place which is capable of overseeing the correct application of this legislation at Group level. Company departments are committed to ensuring the correct processing of personal data of data subjects, including customers and employees, in carrying out business activities.
In May 2018, the Data Protection Officer function was established at TIM Group level, dealing with control, consultation, training and information regarding the application of privacy legislation, in compliance with the specific provisions of Regulation (EU) no. 2016/679 on the protection of individuals with regard to the processing of personal data (so-called "General Data Protection Regulation," or GDPR), applicable in Italy and in the other countries of the European Union from May 25, 2018. The GDPR is the primary source of the applicable regulatory framework on data protection in Italy and the Personal Data Protection Code (Legislative Decree 196/2003, as extensively amended by Legislative Decree 101/2018) now contains the national provisions completing those of the GDPR.
The adoption of legal measures and the instructions of the Italian Data Protection Authority for personal data protection is assured by constantly updating the Group regulations and policies. Of these, the “System of rules for the application of the regulations relating to the protection of personal data in the TIM Group” (System of Rules) is particularly important; it defines the provisions and operating instructions to comply with these provisions. In 2020, the System of Rules was further updated with reference to regulatory developments, in particular in relation to Legislative Decree 101/2018, which adapted the Privacy Code to the GDPR, and to the additional provisions of the law and the Italian Data Protection Authority's Decisions that followed during the year.
In 2021, the work continued to adapt policies and procedures, including those setting out data breach obligations (extended to all types of personal data) and those regulating the management of the requests of data subjects concerning the exercise of their rights regarding personal data protection.
With regard to training, the online training module on GDPR, prepared for the start of GDPR application, was updated and its mandatory use was extended to all TIM Group employees; this form must also be used by newly recruited staff.
The effective application of the internal policies is monitored through an extensive control system based on regular self-assessment procedures, sample checks carried out by the relevant central and regional departments, based on established procedures and methods, as well as for planned and identified second level controls, also due to the inherent risk level of processing.
Finally, also during the course of 2021, TIM continued to take the steps required to ensure the implementation of provisions in its internal processes to deal with any violation of personal data security (so-called “data breaches”), as well as to respond to the numerous customer requests (for example, to know what personal data is being processed by TIM or exercise other rights) and the information requests submitted to TIM by the Italian Data Protection Authority.
In TIM the number of requests for customer information received from government or law enforcement agencies during 2021 is 3,137,260 and the percentage of requests which resulted in disclosure is 100%.