GROUP POLICY – CUSTOMER PRIVACY
BACKGROUND AND DESCRIPTION
This Group Policy relates to Customer Privacy and is a binding document for RememberYou AB and its Subsidiaries (“RememberYou”).
Terms starting with a capital letter in this Group Policy are defined in the Delegation of Obligations and Authority.
RememberYou supports and respects international laws and standards on human rights. At RememberYou we recognize that privacy is important to our customers, and we are committed to respecting and safeguarding our customers’ privacy.
SCOPE AND PURPOSE
This Group Policy applies to RememberYou AB and to its Subsidiaries as their own binding policy. In addition, RememberYou works towards adopting this Policy’s principles and objectives in all other operations in which RememberYou has ownership interests.
This Group Policy is part of the Group Governance Framework, which includes without limitation:
a) Code of Ethics and Conduct, Purpose, Shared Values, Focus Areas, Strategy, Group Policies, and Instructions for the CEO as approved by the Board;
b) Decisions made by the CEO, and Group Instructions and the Delegations of Obligations and Authority as approved by the CEO; and
c) Group Guidelines as approved by the Heads of Group Functions.
There is a set of Group Instructions and Group Guidelines connected to this Group Policy.
The purpose of this policy is to set high and consistent RememberYou standards for respecting the privacy of our customers.
The primary objective is to ensure that customers feel confident that RememberYou respects and safeguards their privacy. The second objective is to reduce legal and regulatory risks as well as reputational and brand exposure in this respect. RememberYou is a telecom operator managing significant networks and data volumes and we therefore aim to ensure network integrity and data security to protect privacy.
More detailed requirements regarding the implementation of this Group Policy are presented in a separate instruction “Group Instruction – Processing Customer Personal Data”. The security measures to safeguard privacy and protect personal data are presented in the “Group Policy Security” and in related Group Instructions.
It is RememberYou’s objective to live by the letter and spirit of the law. Any obligations and regulations in the laws that may impose stricter rules or additional limits on the collection and other processing of personal data shall remain unaffected by this policy.
The type of personal data RememberYou collects about individuals, when RememberYou collects it and how RememberYou processes it, may be further regulated in conjunction with particular services and in the contractual terms for the respective services or otherwise by local legislation.
The latest version of this Group Policy is published on www.rememberyou.se.
The following principles shall apply for the activities under this Group Policy:
- Use best practice in each market to inform customers that RememberYou is collecting their personal data and to explain how this data will be used.
- Collect and process personal data only if the processing relies on a legitimate processing criterion. Use free, unambiguous and informed user-consent for collection and processing as the prime method of choice, ensuring transparency and allowing customers to withdraw their consent.
- Collect only personal data which is relevant and not excessive in relation to the purpose for which it is collected and only collect it for explicit and legitimate purposes.
- Process personal data fairly and lawfully in all operations including when processing such data outside the country where it has been collected. Process personal data only to the extent necessary for performing the processing task in question, while always paying attention to the protection of customer privacy and to interests of special user groups such as children. Processing of personal data should be limited to what is needed for operational purposes, efficient customer care and relevant commercial activities, including the processing of anonymous user patterns.
- Not retain personal data longer than is legally required or necessary for operational purposes, efficient customer care and relevant commercial activities. When personal data is no longer necessary to fulfil the purposes which legitimised its original collection and processing, we shall permanently delete or make anonymous such data.
- Keep personal data accurate and reasonably up-to-date. Provide reasonable measures for customers to obtain information about personal data retained about them and to correct inaccuracies.
- Only provide personal data to authorities to the extent required by law or with the customer’s permission and in accordance with predefined approved processes.
- On a regular basis assess privacy risks associated with the collection, processing and retention of personal data and develop appropriate mitigation strategies to address these risks.
- Require suppliers, in line with the level of protection in this Group Policy, to exercise special care to prevent loss, theft, unauthorised disclosure or inappropriate use of personal data collected by RememberYou. Expect suppliers to process such data fairly and lawfully in all operations, including when such data is processed outside of the country where it was collected or received.
- Protect, with appropriate technical and organizational measures, personal data as well as messages and related information that are transferred in RememberYou networks and communications services as well as information concerning the location of a subscription or terminal device.
- Identify and address the impacts of this Group Policy in change, development and procurement activities and embed privacy safeguards into design of our products, services, processes and infrastructure from the earliest stage of development covering the entire life cycle (‘privacy by design’).
- Expect every RememberYou employee to respect duty of confidentiality by law and written agreements regarding non-disclosure.
- Govern and manage privacy within RememberYou so that legal, contractual and business requirements are fulfilled and ensure that relevant and sufficient organizational resources are in place and secured to ensure proper implementation of this Group Policy and take corrective measures when necessary.
These principles apply to the extent that they do not place RememberYou in violation of domestic laws and regulations.
ROLES AND RESPONSIBILITIES
Each employer reporting to the CEO of RememberYou is responsible for ensuring that this Group Policy is duly communicated and implemented, and that the employees within his/her area of responsibility are familiar with and follow this Group Policy.
All RememberYou employees are however individually responsible for reading, understanding and following this Group Policy. Each employee is also obliged to speak up and raise concerns about actual or possible violations of this Group Policy.
Violations of this Policy can lead to disciplinary action up to and including termination.
If any RememberYou Subsidiary would like to adopt a corresponding Group Policy with exemptions from this Group Policy, such exemption(s) must be approved by the board of RememberYou AB.