Privacy governance in Telenor

Processing personal data is ingrained in the activities of any electronic communications company, and the processing activities are extremely large-scale. As a telecommunications operator, a heavy responsibility rests on Telenor to make sure our customers can trust the privacy of our services.

The telecommunications sector is also heavily regulated, either through various kinds of legislation or operating licences, in all the countries where Telenor is present.

We are committed to creating and maintaining secure and privacy-friendly services that you can use without having to worry about having your integrity and personal sphere compromised. This is a basic human right.

What rules apply?

Telenor’s subsidiaries are all expected to abide by local privacy legislation. In our European subsidiaries, the most relevant sets of rules are the GDPR and the respective national implementations of the ePrivacy Directive. In our Asian subsidiaries, local legislation varies from country to country. Because the local requirements vary across the jurisdictions in which Telenor is present, we have implemented a set of minimum requirements for all subsidiaries to meet. These are set through a Group-wide Code of Conduct for employees and a Group Privacy Policy, which is implemented together with a more detailed manual for the subsidiaries to follow.

The Code of Conduct is the foundation of our corporate culture and sets out high standards of integrity on how we do business. Everyone in Telenor must follow these standards. The Code Principles set out the core requirements for our conduct in Telenor, and the Code applies to all employees and everyone acting on behalf of Telenor, including the Board of Directors. The Code also has specific requirements and guidance in the area of privacy, including on legitimate access to and sharing of personal data, transparency about personal data processing, and security.

Our governance structure also includes more detailed policies and manuals on critical areas, including privacy, that all Telenor’s subsidiaries agree to adhere to as a minimum standard in addition to local legal requirements. The Telenor Group Privacy Policy sets high-level requirements for all subsidiaries to follow, in addition to requirements related to reporting to the Group function.

Among the requirements are:

  • The formal allocation of responsibility and resources for privacy management

  • Implementation of effective internal controls that verify privacy compliance

  • Maintenance of up-to-date processing activity inventories and documentation of legal basis for processing activities

  • Transparency towards data subjects

  • Performance of privacy impact assessments for high-risk processing activities

  • Maintaining an overview of cross-border transfers and their legal basis

  • Third-party privacy management

  • Provision of general and role-based privacy training to employees

  • Detection, prevention and mitigation of privacy incidents

How do we ensure compliance?

Firstly, all managers throughout Telenor are accountable for the privacy compliance of their operations. We have implemented general and mandatory privacy training for all Telenor employees, and those who work more directly with personal data are also provided with additional role-based training.

We also have an active community of excellent privacy professionals who share experiences and support each other on difficult tasks. Each subsidiary has a dedicated Data Protection Officer who advises and supports the business to ensure we maintain a high standard on privacy. The bigger companies also have larger teams of privacy advisors and coordinators. The Data Protection Officers are tasked with monitoring privacy compliance and reporting on any issues so they may be managed.

Telenor has implemented a Compliance Management System which is based on the ISO standards for quality and compliance management systems, the COSO framework for integrated internal control and the Three Lines of Defence model. The Group Privacy Policy is followed up using this system, and our Group Privacy Compliance team works systematically with its different elements, including the assessment of privacy risk, providing training and awareness activities and monitoring that the requirements of the policy are complied with across Telenor.

In addition to the monitoring conducted by our Group Privacy Compliance team, Telenor also has a Group Internal Audit team that performs privacy audits in our subsidiaries on a regular basis. The Group Internal Audit team is an independent function that reports directly to the Telenor Group Board of Directors.

Where can you find out more about how we process your personal data?

The Telenor company that provides the service(s) you use is legally responsible for ensuring that your personal information is processed in accordance with our Privacy Policy and applicable law.

Because we operate in several jurisdictions and have different services on offer in our various subsidiaries, you will need to consult the website of the Telenor company where you are a customer in order to get more detailed information about the processing activities they perform using your personal data. All of Telenor’s subsidiaries have their own privacy notices posted on their websites, and you will also find local contact information there should you have any further questions or inquiries.