Privacy notice - Network fraud prevention efforts
1. Scope in general
This Privacy notice applies to the processing activities of Proximus (hereinafter: “we” and “our”) when processing personal data of customers or end-users to prevent and combat fraud such as phishing, nuisance calls, FluBot and signalling abuse.
Through this Privacy notice we want to inform you in a transparent manner about these processing activities, for which we act as the party responsible for the processing (“data controller”). We've actually gone a step further and made a special privacy policy just for fraud prevention on our network. If you're curious about how we handle your data in other situations, you can review our general Privacy notice.
We can adapt this Privacy notice from time to time by publishing a new version. You can find the date of the current version above (“Last modified on”). This can be necessary when we change things in a manner that can influence the processing of personal data, or when this would be necessary to comply with applicable data protection rules.
2. Who are we and how to contact us?
The services are offered by Proximus NV under Belgian Public Law (Boulevard du Roi Albert II 27, 1030 Brussels).
If you have questions regarding the processing of your personal data, you can contact the Proximus Data Protection Officer.
How do you contact the Proximus Data Protection Officer?
E-mail: privacy@proximus.com
Address: Boulevard du Roi Albert II 27, 1030 Brussels
3. How do we process your personal data?
3.1. Actions to combat fraudulent messages over mobile text messages (SMS/MMS)
Background importance:
Over the past few years, Proximus observed a substantial increase in the volume of smishing attacks. Smishing attacks are phishing attacks carried out over mobile text messages.
Criminals fake SMS messages claiming to be from a person or financial institution that the recipient trusts (e.g., a bank) in order to convince recipients to take actions that lead them to disclose their sensitive information. Successful smishing attacks can lead to financial loss, poor customer experience and violations of subscribers’ privacy.
Attackers that are able to compromise smartphones can perform actions on behalf of the end-user and exfiltrate any data from that device. In other words, if these attackers get into your smartphone, they can act like they're you and steal data. In addition to the impact on customers, smishing attacks pose a risk to the operational availability and performance of Proximus’ messaging platforms or other systems linked to them.
To combat smishing and other types of SMS and MMS based scams, Proximus has extended its capability to detect and block fraudulent text messages by developing and using algorithms that support the decision making to block messages and automate the processes around these capabilities. That means you may not receive certain messages that were intended for you because they have been identified as smishing attacks. In the scope of its cybersecurity program, Proximus therefore set up a new anti-smishing platform that supports the following objectives:
- Protect mobile subscribers from various types of smishing attacks that are used to trick individuals into disclosing personal information that is then abused by fraudsters to gain unauthorized access to, for instance, bank account and payment card details.
- Protect Proximus subscribers’ mobile devices from becoming compromised by mobile malware, which may be used to exfiltrate personal data.
- Protect Proximus telecom infrastructure against Denial-of-service (DoS) attacks, which aim to disrupt services for millions of users by targeting the infrastructure that enables telco communications.
What categories of personal data will we use?
Following recent legislative changes in Belgium, we're either required or allowed to handle certain data to fight fraud. This includes traffic & location data, technical identifiers, volume usage details, and message content.
What is the source of the personal data?
The personal data is observed through the use of our mobile service.
For what purposes will your personal data be processed?
To combat fraud committed through messages using telephone numbers.
What justifies this processing activity (legal basis of Proximus)?
In general, Proximus has a legal obligation to combat fraud on its network (art. 121/8 of the Belgian Electronic Communications Act). It also has a legal obligation to process certain categories of traffic data for this purpose (art. 122§4 of the Belgian Electronic Communications Act).
On top of these legal obligations, the Belgian Electronic Communications Act authorizes all telecommunications operators to process other categories of personal data to combat specific cases of fraud. In this case, Proximus has a legitimate interest, particularly to prevent fraud committed by means of messages using telephone numbers, such as SMS or MMS messages, as authorized by article 125, para. 1, 7° of the Belgian Electronic Communications Act.
With whom do we share this data?
- Within Proximus: your data is only processed by Proximus collaborators in charge of combating fraud.
- External processors: To support Proximus in achieving this purpose, Proximus relies on certain processors. A processor is a natural person or legal entity who processes personal data under our instructions. To support Proximus in combating fraud, Proximus relies on processors for IT or technical support. We have concluded a written agreement with such processors to protect your personal data.
- Official authorities: In certain cases, the BIPT or other official authorities may request access to data related to electronic communications. However, they can't just access everything:
  - If there's a confirmed case of smishing, we might share specific details related to confirmed cases of smishing (such as detected malicious domains) with the Centre for Cyber Security Belgium (CCB).
  - Requests from the BIPT will only be answered in specific situations with a screenshot that includes message content linked to confirmed smishing cases.
We prioritize your privacy and ensure that any data sharing strictly adheres to the law.
How long do we process this data?
The data is kept for 30 days to allow sufficient time for the customer to make a complaint, if needed, and for Proximus to investigate it.
Blocked numbers and aggregated statistics are kept for 18 months to comply with Proximus' obligation to report to the BIPT on a yearly basis.