Privacy notice - Efforts to prevent fraud on our network and through our services
1. Scope in general
This Privacy notice applies to the processing activities of Proximus (hereinafter: “we” and “our”) when processing personal data of customers or end-users to prevent and combat fraud such as phishing, nuisance calls, FluBot, signalling abuse and e-mail spam.
Through this Privacy notice we want to inform you in a transparent manner about these processing activities where we act in the capacity of responsible for the processing (“data controller”). We've gone a step further and made a special privacy policy just for fraud prevention on our network and through certain services such as our E-mail service. To complete the information contained here, and to understand how we handle your data in other situations, you can review our general privacy notice.
We can adapt this Privacy notice from time to time by publishing a new version. You can find the date of the current version above (“Last modified on”). This can be necessary when we change things in a manner that can influence the processing of personal data, or when this would be necessary to comply with applicable data protection rules.
2. Who are we and how to contact us?
The services are offered by Proximus NV under Belgian Public Law (Boulevard du Roi Albert II 27, 1030 Brussels).
If you have questions regarding the processing of your personal data, you can contact the Proximus Data Protection Officer.
How do you contact the Proximus Data Protection Officer?
E-mail: privacy@proximus.com
Address: Boulevard du Roi Albert II 27, 1030 Brussels
3. How do we process your personal data?
3.1. Actions to combat fraudulent messages over mobile text messages (SMS/MMS)
Background importance:
Over the past few years, Proximus observed a substantial increase in the volume of smishing attacks. Smishing attacks are phishing attacks carried out over mobile text messages.
Criminals fake SMS messages claiming to be from a person or financial institution that the recipient trusts (e.g., a bank) in order to convince recipients to take actions that lead them to disclose their sensitive information. Successful smishing attacks can lead to financial loss, poor customer experience and violations of subscribers’ privacy.
Attackers who are able to compromise smartphones can perform actions on behalf of the end-user and exfiltrate any data from that device. In other words, if these attackers get into your smartphone, they can act like they're you and steal data. In addition to the impact on customers, smishing attacks pose a risk to the operational availability and performance of Proximus’ messaging platforms or other systems linked to them.
To combat smishing and other types of SMS and MMS based scams, Proximus has extended its capability to detect and block fraudulent text messages by developing and using algorithms that support the decision making to block messages and automate the processes around these capabilities. That means you may not receive certain messages that were intended for you because they have been identified as smishing attacks. In the scope of its cybersecurity program, Proximus therefore set up a new anti-smishing platform that supports the following objectives:
- Protect mobile subscribers from various types of smishing attacks that are used to trick individuals into disclosing personal information that is then abused by fraudsters to gain unauthorized access to, for instance, bank account and payment card details.
- Protect Proximus subscribers’ mobile devices from becoming compromised by mobile malware, which may be used to exfiltrate personal data.
- Protect Proximus telecom infrastructure against Denial-of-service (DoS) attacks, which aim to disrupt services for millions of users by targeting the infrastructure that enables telco communications.
What categories of personal data will we use?
Following recent legislative changes in Belgium, and depending on the applicable legal disposition, we're either required or allowed to handle certain data to fight fraud. This includes traffic & location data, technical identifiers, volume usage details, and message content.
What is the source of the personal data?
The personal data is observed through the use of our mobile service.
For what purposes will your personal data be processed?
To combat fraud committed through messages using telephone numbers.
What justifies this processing activity (legal basis of Proximus)?
In general, Proximus has a legal obligation to combat fraud on its network (art. 121/8 of the Belgian Electronic Communications Act). It also has a legal obligation to process certain categories of traffic data for this purpose (art. 122§4 of the Belgian Electronic Communications Act).
On top of these legal obligations, the Belgian Electronic Communications Act authorizes all telecommunications operators to process other categories of personal data to combat specific cases of fraud. In this case, Proximus has a legitimate interest, particularly to prevent fraud committed by means of messages using telephone numbers, such as SMS or MMS messages, as authorized by article 125, para. 1, 7° of the Belgian Electronic Communications Act.
With whom do we share this data?
- Within Proximus: your data is only processed by Proximus collaborators in charge of combating fraud.
- External processors: To support Proximus in achieving this purpose, Proximus relies on certain processors, amongst which Mavenir Systems LTD. A processor is a natural person or legal entity who processes personal data under our instructions. To support Proximus in combating fraud, Proximus relies on processors for IT or technical support. We have concluded a written agreement with such processors to protect your personal data.
- Official authorities: In certain cases, the BIPT or other official authorities may request access to data related to electronic communications. However, they can't just access everything:
  - If there's a confirmed case of smishing, we might share specific details related to it (such as detected malicious domains) with the Centre for Cyber Security Belgium (CCB).
  - Requests from the BIPT will only be answered in specific situations with a screenshot that includes message content linked to confirmed smishing cases.
We prioritize your privacy and ensure that any data sharing strictly adheres to the law.
Do we transfer your data outside the EEA?
Proximus relies only on partners established in the European Economic Area for the processing of personal data related to SMS fraud prevention. However, the international nature of telecommunication services means that certain data may be processed outside the EEA in specific situations, without necessarily qualifying as international transfers of personal data under the GDPR.
When you send/receive an international SMS, or when you are travelling outside the EEA (for example, while roaming), technical information about your communication is generated and processed by foreign operators and networks. This is inherent to how international communications work and is necessary to enable your message to be delivered.
How long do we process this data?
The data is kept for 30 days (unless otherwise required to comply with a legal obligation) to allow sufficient time for potential complaints and, if needed, for Proximus to investigate.
Aggregated statistics are kept for 12 months maximum.
3.2. Actions to combat fraudulent calls
In recent years, Proximus has observed a significant increase in the volume of telecom fraud, particularly call fraud. This type of fraud involves various malicious activities carried out over voice calls, often resulting in financial loss, poor customer experience, and breaches of subscriber privacy.
Fraudsters are extremely inventive, employing a broad variety of tactics to deceive individuals. A few examples of call fraud are:
- Impersonation Scams: Fraudsters pretend to be someone you trust, such as a bank representative or a government official. They might claim there’s an issue with your account and ask for personal information or money to resolve it.
- Tech Support Scams: Scammers pose as tech support agents from well-known companies. They tell you there’s a problem with your computer or internet service and ask you to download software that gives them remote access to your device.
- Number Spoofing: The caller ID shows a familiar or trusted number, but it’s actually a fraudster using technology to disguise their real number. This makes it easier for them to deceive you into sharing sensitive information.
- Emergency Scams: A scammer pretends to be a relative or friend in urgent need of money due to an emergency, such as being stranded or in trouble with the law. They pressure you to send money quickly. They can even use generative AI to fake the sound of their voice, making it seem like your relative is really calling.
- Wangiri Scams: This scam involves receiving a missed call from an unknown international number. When you call back, you’re connected to a premium rate number, resulting in high charges. The scammer may use tactics like playing a long pre-recorded message to keep you on the line and increase the cost.
- International Revenue Share Fraud (IRSF): In this sophisticated scam, fraudsters artificially inflate traffic to international premium rate numbers (IPRN). They often collude with telecom operators and premium rate service providers to generate a high volume of calls to these numbers. The fraudsters then receive a share of the revenue from the termination charges for these calls.
To address the issue of increasing telecom fraud, Proximus has implemented advanced security measures on its communication systems. These measures are designed to detect and prevent various types of call fraud in real-time.
What categories of personal data will we use?
Under Belgian law, specifically the Act on Electronic Communications of 13 June 2005, we are permitted (and in some cases required) to process certain categories of data for the purpose of combating fraud. This may include traffic and location data, technical identifiers, and information on usage volumes. However, this does not extend to intercepting or listening to the content of communications.
What is the source of the personal data?
The personal data is observed through the use of our network.
For what purposes will your personal data be processed?
To combat fraud committed through calls.
What justifies this processing activity (legal basis of Proximus)?
In general, Proximus has a legal obligation to combat fraud on its network (art. 121/8 of the Belgian Electronic Communications Act). It also has a legal obligation to process certain categories of traffic data for this purpose (art. 122§4 of the Belgian Electronic Communications Act).
On top of these legal obligations, the Belgian Electronic Communications Act authorizes all telecommunications operators to process other categories of personal data to combat specific cases of fraud. In this case, Proximus has a legitimate interest, particularly to prevent fraud committed by means of voice calls, as authorized by article 125, para. 1, 7° of the Belgian Electronic Communications Act.
With whom do we share this data?
- Within Proximus: The processing of your personal data for fraud prevention is mainly carried out through automated means, in order to minimize human access to what is strictly necessary. When human intervention is required, your data is only accessed by a limited number of authorized Proximus collaborators responsible for combating fraud.
- External processors: To support Proximus in achieving this purpose, Proximus relies on certain processors, amongst which Mavenir Systems LTD. A processor is a natural person or legal entity who processes personal data under our instructions. To support Proximus in combating fraud, Proximus relies on processors for IT or technical support. We have concluded a written agreement with such processors to protect your personal data.
We prioritize your privacy and ensure that any data sharing strictly adheres to the law.
Do we transfer your data outside the EEA?
Proximus relies only on partners established in the European Economic Area for the processing of personal data related to call fraud prevention. However, the international nature of telecommunication services means that certain data may be processed outside the EEA in specific situations without necessarily qualifying as international transfers of personal data under the GDPR.
When you make or receive an international call, or when you are travelling outside the EEA (for example, while roaming), technical information about your communication is generated and processed by foreign operators and networks. This is inherent to how international communications work and is necessary to enable your call to be delivered.
How long do we process this data?
The data is kept for 30 days (unless otherwise required to comply with a legal obligation) to allow sufficient time for potential complaints and, if needed, for Proximus to investigate.
Aggregated statistics are kept for 12 months to comply with the requirement of Proximus to report to BIPT on a yearly basis.
3.3. Actions to combat fraudulent e-mails
Phishing attacks have increased significantly in recent years. Cybercriminals impersonate trusted organizations (like banks) to trick people into revealing sensitive information. Falling for such scams can lead to financial loss, identity theft, and privacy violations.
Hackers who gain access to e-mail accounts can misuse them to send more fraudulent messages and steal personal data. This threatens both our customers and the reliability of Proximus' e-mail service.
At Proximus, we are strengthening our efforts to detect and block these fraudulent e-mails. Our goal is to protect our residential subscribers from scams and prevent compromised Proximus mailboxes from being used to send fraudulent messages.
Without these measures, scammers could overwhelm our users with fraudulent e-mails, making it harder to spot real messages. Additionally, if Proximus' e-mail servers are used to send spam, they could end up on “blacklists,” causing legitimate e-mails from our users to be blocked or delayed.
How Proximus Protects You
To combat these threats, we have enhanced our ability to detect and block fraudulent e-mails using advanced algorithms. This helps us:
- Protect subscribers from phishing scams that trick people into revealing personal and financial information.
- Prevent malware infections that could steal data or take control of devices.
- Safeguard our e-mail infrastructure from cyberattacks that could disrupt services for many users.
As part of this, some e-mails identified as phishing attempts may be blocked before they reach your inbox.
What Categories of Personal Data Will We Use?
Following recent legislative changes in Belgium, and depending on the applicable legal disposition, we're either required or allowed to handle certain data to fight fraud. This includes traffic & location data, technical identifiers, volume usage details, and message content.
What is the Source of the Personal Data?
The personal data is observed through the use of our e-mail service.
For What Purposes Will Your Personal Data Be Processed?
To detect and prevent fraud in e-mails sent and received via Proximus mailboxes.
What Justifies This Processing Activity (Legal Basis of Proximus)?
Proximus has a legal obligation to implement appropriate measures to combat fraud on its network and services (art. 121/8 of the Belgian Electronic Communications Act). It also has a legal obligation to process certain categories of traffic data for this purpose (art. 122§4 of the Belgian Electronic Communications Act). Additionally, the Belgian Electronic Communications Act authorizes operators to process other categories of personal data to combat specific cases of fraud. In this case, Proximus has a legitimate interest to take measures to ensure the proper execution of the e-mail service (cfr. art. 125, para. 1, 2° of the Belgian Electronic Communications Act).
With Whom Do We Share This Data?
- Within Proximus: The processing of your personal data for fraud prevention is mainly carried out through automated means, in order to minimize human access to what is strictly necessary. When human intervention is required, your data is only accessed by a limited number of authorized Proximus collaborators responsible for combating fraud.
- External Processors: To support Proximus in achieving this purpose, Proximus relies on certain processors for IT or technical support, amongst which Mavenir Systems LTD. We have concluded a written agreement with such processors to protect your personal data.
We prioritize your privacy and ensure that any data sharing strictly adheres to the law.
Do we transfer your data outside the EEA?
For e-mail fraud prevention activities, Proximus mainly works with the EU-based affiliates of its security partners, including Vade and Cisco. These companies are established in countries that benefit from an adequacy decision from the European Commission.
In some limited cases, and due to the technical functioning of these tools, a very small and residual portion of personal data may be transferred outside the EEA. Proximus implements strong technical and organisational measures, in compliance with applicable rules, to ensure that any such transfers are kept to an absolute minimum and only occur where strictly necessary for fraud detection purposes.
Furthermore, the international nature of electronic communications services means that certain data may be processed outside the EEA in specific situations without necessarily qualifying as international transfers of personal data under the GDPR.
How Long Do We Process This Data?
The data is kept for 30 days (unless otherwise required to comply with a legal obligation) to allow sufficient time for potential complaints and, if needed, for Proximus to investigate.
Aggregated statistics are kept for 12 months.
4. Automated analysis
To prevent fraud, Proximus uses automated systems that analyse technical information and may automatically block communications identified as fraudulent. Proximus does not consider these measures to produce legal or similarly significant effects within the meaning of Article 22 GDPR. If they were nevertheless interpreted as such, these measures remain authorised under Belgian law for fraud prevention purposes. In any case, Proximus invests in measures to minimise any potential impact on individuals.
5. Data subject rights
You have several rights under data protection law, such as the right to access your personal data, to request its correction, and, in certain cases, to object to or restrict its processing. You also have the right to lodge a complaint with the Belgian Data Protection Authority. For a full overview of your rights and how you can exercise them, please consult our general privacy notice, where these rights are explained in more detail.