Data Privacy Policy
1. OVERVIEW
Mauritius Telecom and all its subsidiaries (hereinafter referred to “Mauritius Telecom Group” or “MTG”) affirms its unwavering commitment to the protection of personal data and the ethical management of such data in all aspects of its operations.
2. PURPOSE AND BENEFITS
The purpose of this policy is to comprehensively outline MTG methodologies for data processing, designed to meet service commitments while maintaining the highest standards of transparency, integrity and compliance with relevant data protection principles and legal frameworks.
3. SCOPE AND APPLICABILITY
This policy applies to all data processing activities conducted by MTG across its diverse operational interfaces, including but not limited to digital platforms, telephone interactions, and other ancillary communication channels. The scope of this policy extends to all stakeholders within MTG’s operational ecosystem, encompassing customers, agents, employees, suppliers, partners, and prospective clients or business associates. The policy is applicable across all jurisdictions where MTG operates, ensuring that all personal data is managed in accordance with this policy regardless of geographical location.
4. REGULATORY COMPLIANCE
MTG is duly registered with the Data Protection Office of Mauritius (herein after referred to as “DPO”) as Data Controller. This registration with the DPO highlights MTG’s commitment to regulatory compliance, ensuring that our data processing activities align with the legal requirements stipulated under the Data Protection Act 2017 and other applicable international data protection laws and regulations. MTG is committed to ongoing compliance monitoring and the implementation of necessary measures to maintain adherence to all relevant legal obligations.
5. DATA COLLECTION AND PROCESSING
5.1. PERSONAL DATA COLLECTION
MTG engages in the collection of various types of personal data, including but not limited to, names, residential addresses, national identity card numbers, and other personal identifiers. The collection of such data is conducted in a manner that is strictly limited to what is directly relevant and necessary for the purposes identified. Personal data is collected based on lawful processing grounds, such as the necessity for the performance of a contract, compliance with a legal obligation, or the pursuit of legitimate business interests.
MTG’s digital platforms utilize cookies and similar technologies to enhance user experience, provide personalized services, and conduct data analytics. Users have the ability to manage their cookie preferences through their browser settings or through specific cookie management tools provided on MTG’s platforms. For further information on the types of cookies used, their purposes, and how users can manage their preferences, please refer to our comprehensive Cookie Policy.
5.2. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
In circumstances where it is necessary, MTG processes special categories of personal data with additional security protocols. The processing of such data is only carried out when there is a clear legal basis to do so, and it is subject to enhanced security measures to ensure its protection. This data is retained only for the duration of the contractual relationship or as long as required by law.
5.3. AUTOMATED DATA COLLECTION
MTG’s digital platforms are equipped with the capability to automatically collect technical data related to user equipment and browsing patterns through the use of cookies, web beacons, and other similar technologies. This automated data collection is undertaken to enhance user experience, improve service delivery, and ensure the security of our digital platforms. All automated data collection is performed in compliance with applicable laws, and users are informed of such practices through our Cookie Policy and other relevant disclosures.
5.4. DATA COLLECTION FROM THIRD-PARTY SOURCES
MTG may receive personal data from third-party providers, both within Mauritius and internationally. This data may include contact details, identity verification information, financial data, and transaction records. The acquisition of such data from third parties is carried out in compliance with relevant legal and regulatory requirements, ensuring that any data received is lawfully obtained and processed in accordance with this policy and applicable data protection laws.
6. LEGAL BASES FOR PROCESSING AND PURPOSES OF PROCESSING
6.1. LEGAL GROUNDS FOR DATA PROCESSING
The processing of personal data by MTG is conducted based on one or more of the following legal grounds:
i. Processing is necessary for the performance of a contract to which the data subject is a party or to take pre-contractual steps at the data subject’s request.
ii. Processing is required for compliance with legal obligations to which MTG is subject, including but not limited to those under telecommunications, financial, and data protection laws.
iii. Processing is necessary for the legitimate interests pursued by MTG or a third party, provided these interests are not overridden by the fundamental rights and freedoms of the data subject.
iv. Processing is necessary to protect the vital interests of the data subject or another natural person, particularly in situations where the data subject is unable to provide consent due to physical or legal incapacity.
v. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in MTG.
6.2. PURPOSES OF DATA PROCESSING
MTG processes personal data for a variety of specific, explicit, and legitimate purposes, which include but are not limited to the following:
i. Onboarding of customers and the provision of telecommunication and related services, ensuring that all data collected is essential for the delivery of these services.
ii. Compliance with regulatory obligations, including those related to SIM card registration, customer verification through biometric data, and other mandatory legal requirements.
iii. Management of customer relationships, including the provision of customer support services, billing, and the handling of complaints and inquiries.
iv. Customisation of services to meet individual customer preferences and the execution of targeted marketing and promotional activities, subject to obtaining any necessary consents where required by law.
v. Analysis of data for business optimization, including but not limited to, data analytics for improving service quality, developing new products and services, and enhancing operational efficiency.
vi. Management and protection of digital assets to provide you with support services, including dealing with any complaint you may have
vii. Conduct of market research and promotional campaigns aimed at understanding market trends and customer preferences, thereby informing MTG’s business strategies.
viii. Management of human resources, including the recruitment, employment, and administration of MTG’s workforce, in compliance with applicable employment laws and regulations.
7. DATA SHARING AND DISCLOSURE PRACTICES
7.1. AUTHORIZED SHARING OF PERSONAL DATA
MTG may share personal data with carefully selected third parties, including but not limited to, government authorities, regulatory agencies, law enforcement bodies, advertising partners, and MTG affiliates. Such sharing is conducted in accordance with stringent contractual obligations that bind these third parties to uphold the highest standards of data protection and confidentiality. MTG ensures that all third-party processors and controllers with whom data is shared have implemented appropriate technical and organizational measures to protect the data.
7.2. SPECIFIC THIRD-PARTY DISCLOSURES
In specific instances, MTG may share customer data with specific/legitimate third parties, such as MC Vision, in situations where there is an issue of source IP address overblocking following a legitimate complaint lodged by the customer with MTG. Such disclosures are made under strict protocols designed to address the specific issue while ensuring the security and confidentiality of the shared data. MTG takes all necessary steps to ensure that such data sharing is limited to what is strictly necessary for the intended purpose.
7.3. INTERNATIONAL TRANSFERS OF PERSONAL DATA
Where personal data is transferred to a country outside the European Economic Area (EEA) or to any other country that does not provide an adequate level of data protection, MTG implements appropriate safeguards to ensure the protection of the data. These safeguards may include standard contractual clauses, binding corporate rules, or other legal mechanisms that ensure adequate protection. Additionally, MTG may employ supplementary technical measures, such as encryption, to further secure the data during international transfers.
8. DATA RETENTION AND DISPOSAL
MTG adheres to a strict data retention policy, ensuring that personal data is retained only for as long as is necessary to fulfill the purposes for which it was collected, including amongst others the fulfillment of legal, accounting, and reporting obligations. Customer data is typically retained for a period of ten years following the termination of the business relationship, in compliance with relevant legal requirements. Upon the expiration of the retention period, MTG ensures that the data is securely disposed of, either by permanent deletion or by anonymization, in a manner that prevents any unauthorized access or use of the data.
9. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
MTG has implemented a comprehensive security infrastructure designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. This infrastructure includes state-of-the-art technical security measures, such as firewalls, encryption, access controls, and intrusion detection systems, as well as organizational measures, such as employee training, data protection policies, and incident response procedures. Access to personal data within MTG is strictly limited to authorized personnel who require access to the data to perform their job functions. All employees and contractors with access to personal data are subject to confidentiality obligations and are trained on the importance of data protection and the need to adhere to MTG’s data protection policies and procedures.
10. RIGHTS OF DATA SUBJECTS
As a data subject, you are entitled to exercise a range of rights under applicable data protection laws, including:
i. The right to access your personal data and obtain a copy of it, along with information about how it is processed.
ii. The right to request the rectification of inaccurate or incomplete personal data.
iii. The right to request the erasure of your personal data, subject to certain conditions, such as where the data is no longer necessary for the purposes for which it was collected.
iv. The right to object to the processing of your personal data, particularly where the processing is based on legitimate interests or is carried out for direct marketing purposes.
v. The right to request the restriction of processing of your personal data, for example, where you contest the accuracy of the data or object to its processing.
vi. The right to withdraw your consent to the processing of your personal data, where the processing is based on your consent, without affecting the lawfulness of processing based on consent before its withdrawal.
vii. The right to request the transfer of your personal data to you or to a third party.
viii. The right to lodge a complaint with a supervisory authority, such as the Data Protection Office of Mauritius, if you believe that your rights have been violated.
ix. These rights can be exercised by contacting MTG’s Data Protection Officer (DPO) at the contact details provided below.
MTG is committed to responding to such requests in a timely and transparent manner, ensuring that data subjects are fully informed of the actions taken in response to their requests.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
11. CONTACT INFORMATION FOR DATA PROTECTION INQUIRIES
For any inquiries regarding this Data Privacy Policy or to exercise your data protection rights, please contact our Data Protection Officer at:
Email: dataprotection@telecom.mu
Postal Address: 18th Floor, Telecom Tower, Edith Cavell Street, Port Louis, Mauritius.
Should you have any complaint at any time, we shall be available as your first point of contact to deal with your concerns. Nothing precludes you from contacting the Data Protection Office.
Email address: dpo@govmu.org
Postal address: The Data Protection Commissioner, Data Protection Office, 5th Floor, SICOM Tower, Wall Street, Ebène, Mauritius
12. POLICY REVIEW AND AMENDMENTS
This Data Privacy Policy is subject to regular review and may be amended from time to time to reflect changes in MTG’s data processing practices, legal requirements, or advancements in data protection technology. The most recent revision date is October 2024. Stakeholders are encouraged to consult this policy periodically to stay informed of any updates or changes. MTG is committed to maintaining the transparency and accessibility of this policy to ensure that all stakeholders are aware of their rights and our obligations regarding data protection.
13. GOVERNING LAW AND JURISDICTION
This policy is governed by the laws of the Republic of Mauritius. Any disputes arising in connection with this policy or the data protection practices of MTG shall be subject to the exclusive jurisdiction of the courts of Mauritius. This policy forms an integral part of the contractual relationship between MTG and its customers, employees, and other stakeholders, and shall take precedence over any conflicting terms in related agreements.