Privacy and Data Protection

Brazil’s General Personal Data Protection Law (LGPD, in the Portuguese acronym), No. 13.709/2018, which came into force in September 2020, presented companies with challenges related to certain critical questions (data protection and customer privacy), further increasing the responsibilities of the telecommunications segment. TIM had already anticipated the provisions of the law related to the care of customer data.

Since the law was published in 2018, the company had initiated preparations on diverse fronts to ensure full compliance with its requirements. Among the main measures was training employees to be aware of the impacts and modifications that the law introduces and to follow the guidelines for the collection, use and protection of the data of customers, employees, suppliers and other stakeholders.

To guarantee structured management of the diverse activities necessary to ensure compliance with the law, TIM:

  • Created the Privacy Committee, coordinated by the CEO with company directors as members;
  • Created the position of Data Protection Officer (DPO);
  • Updated the company’s Privacy and Cookies Policies;
  • Ensured compliance with requests for Owners’ Rights (the law guarantees a series of personal rights, including the correction, anonymization and review of automated decisions);
  • Contracted a digital tool for compliance with and management of Owners’ Rights, ensuring a better experience for customers in the exercise of their rights;
  • Assigned the Compliance team to lead the measures necessary for compliance with the new law and the management of Owners’ Rights requests;
  • Established obtaining ISO 27001 certification (the information security management standard) as a target for 2022. The standard is already used as a reference in processes;
  • Adapted new contracts in relation to the treatment of personal data;
  • Reviewed and adapted existing contracts identified and classified as having an impact on personal data;
  • Reviewed and updated internal documents and rules to regulate and guide the treatment of personal data by employees;
  • Created a Privacy Center on the TIM website;
  • Created an internal security flow for incidents or cases of leaks involving personal data.

TIM conducts its activities based on ISO 27001, the international standard that sets forth the best information security management practices, and the NIST Cybersecurity Framework, which supports the management and reduction of cybersecurity risk. Although the company has not yet obtained ISO 27001 certification, in 2020 it conducted an assessment of the certification requirements, identifying a level of conformance of over 90% with the requirements. The adjustments necessary to obtain certification will be conducted in 2022.

For more information about TIM’s privacy and data protection, please visit our ESG Report.

Copyright TIM S.A. 2021 - All rights reserved.