Personal Data Protection

I.      POLICY INTRODUCTION

The protection of Personal Data is a priority and a major condition of trust of customers, employees, suppliers or partners of OOREDOO TUNISIA and the OOREDOO Group.

Our company is concerned about the protection of people and information concerning them in accordance with the national legal framework and good practices in this field that OOREDOO TUNISIA undertakes to respect.

This policy testifies to the commitments implemented as part of the daily activities of OOREDOO TUNISIE for a responsible use of personal data in compliance with the rights of individuals, freedoms and human dignity.

The objective of this Policy is to describe the principles applicable by OOREDOO TUNISIE tending to ensure the proper application of the legal and ethical framework, and brings together all the principles to be followed by and for its employees.

 In particular, it must allow its partners, customers, employees, service providers and suppliers to understand the use that OOREDOO TUNISIE makes of their data, and their rights over such data as well as the means made available to individuals to control the use of their personal data.

This data protection policy applies when personal data is processed within all OOREDOO TUNISIE structures. This Policy applies to the processing of all personal data relating to customers, employees, suppliers, or business partners, carried out by OOREDOO TUNISIE or the service providers acting or processing personal data on its behalf.

II.    LEGAL FRAMEWORK FOR PROTECTION

The protection of Personal Data must comply with national legal standards that OOREDOO TUNISIA undertakes to respect.

The provisions applicable to the protection of personal data are in particular:

·        The Constitution of the Tunisian Republic of 2022 which clearly states that the State guarantees respect for privacy and the protection of personal data;

·        Convention 108 of the Council of Europe which was ratified by Tunisia by organic law number 42 of 30 May 2017, approving the accession of the Tunisian Republic to the Convention n ° 108 of the Council of Europe for the protection of individuals with regard to the automated processing of personal data and its additional protocol n°181 concerning supervisory authorities and cross-border data flows;

·        Organic law number 63 dated 27 July 2004, on the protection of personal data;

·        Decree number 3003 of 27 November 2007, fixing the operating procedures of the National Authority for the Protection of Personal Data (INPDP);

·        Decree number 3004 of 27 November 2007, laying down the conditions and procedures for declaration and authorization for the processing of personal data;

·        The deliberation of the INPDP number 3 dated 5 September 2018 relating to the determination of the States that have sufficient and adequate protection in terms of personal data protection;

·        The deliberation of the INPDP number 4 dated 5 September 2018 relating to the processing of health-related data;

·        The deliberation of the INPDP number 5 dated 5 September 2018 relating to the determination of the conditions and procedures for the installation of video protection systems;

·        The deliberation of the INPDP number 6 dated 2 July 2019 relating to the control operations carried out by the National Authority for the Protection of Personal Data.

III.  CONCEPTS AND DEFINITIONS

The protection of Personal Data uses a specific terminology which is based on concepts generally defined in the data protection laws. This policy will use the same concepts which will be defined below:

·        Personal data: Any information, regardless of its nature and its medium, which makes it possible to identify or make a natural person identifiable directly or indirectly;

·        Processing of Personal Data: Any operation which is carried out in an automated or manual way by a natural or legal person, and which aims in particular at the collection, recording, conservation, organization, modification, exploitation, use, shipment, distribution, dissemination or destruction or consultation of personal data, as well as any operation relating to the exploitation of databases, indexes, directories, files, or interconnection.

·        Sensitive Personal Data: Any personal data whose processing is subject to a more strict derogatory regime within the framework of the Tunisian Legislation and which is delimited to data which is directly or indirectly related to racial or genetic origin, religious convictions, political, philosophical or trade union opinions, or health.

·        Data Controller: The natural or legal person who determines the purposes and means of processing personal data.

·        Data Subjects: Any natural person whose personal data is being processed. Within the framework of this policy, it is mainly the customers, the staff of OOREDOO TUNISIE, but also the subcontractors or suppliers, provided that they are natural persons;

·        Subcontractor: The person who is entrusted by the Data Controller to carry out, on his behalf and under his control, operations for the processing of personal data corresponding to the declared purpose, he is jointly and severally liable with the Data Controller.

·        Beneficiary or Recipient: The natural or legal person, public authority, service or any other body that receives communication of personal data to process them for another purpose.

·        Third party: Any natural or legal person or the public authority as well as their subordinates, with the exception of the Data Subject, the Beneficiary, the Controller, the Subcontractor as well as their subordinates.

·        Authority: The National Authority for the Protection of Personal Data created by Law number 63 of 23 July 2004.

IV.  DATA PROTECTION GUIDELINES

The protection of personal data must be carried out in accordance with the Tunisian legal framework. These principles are enshrined in Organic law number 63 of July 23, 2004 and are as follows:

A.    Universality of protection

Every natural person has the right to the protection of personal data relating to his private life as one of the fundamental rights guaranteed by the constitution. Thus, every natural person benefits from the right to the protection of his personal data which are processed on the national territory. OOREDOO TUNISIE endeavors to protect personal data regardless of the nationality of the Data Subject.

B.    Transparency in Data Processing

 The first article of the organic law number 2004-63 provides that “personal data must be processed only within the framework of transparency". The primary purpose of transparency is to establish a relationship of trust between the Data Controller, OOREDOO TUNISIA and the Data Subject. Convention 108 of the Council of Europe and Article 31 of Organic Law number 2004-63 impose this obligation on the Data Controller, OOREDOO TUNISIA, who undertakes to inform any natural person whose personal data will be collected of a set of information relating to the processing of data that concerns him. This action will be carried out in accordance with the law and according to the situation either through paper forms or online on the site of OOREDOO Tunisie whenever a Data Subject is asked to provide his personal data. OOREDOO TUNISIA undertakes to resort to any means leaving a written trace. This information is in particular the following:

       The nature of the data;

       The purposes of processing;

       The mandatory or optional nature of the answer;

       The identity of the Data Controller;

       The rights enjoyed by the Data Subject and mainly that of access to his personal data, the right to opt out at any time regarding the acceptance given for the processing of his personal data, and the right to object to the processing of his personal data;

       The duration of data retention;

 

C.    Loyalty of Data Processing

 OOREDOO TUNISIE is committed to developing a relationship of trust with the Data Subjects. This is dependent on the implementation of all the necessary measures to process the data collected only within the framework of the purpose declared and consented by the Data Subject. The declared purpose of the processing limits the fields of data processing by OOREDOO Tunisie to those necessary for its realization. It will therefore not be able to collect more information than is necessary, nor beyond the time necessary to achieve the purpose or comply with legal obligations.

D.    Respect for human dignity

The first article of Organic law number 63 of 23 July 2004 clearly states that the processing must be carried out within the framework of respect for human dignity. Personal data cannot be considered by OOREDOO TUNISIE as property belonging to it. Respect for human dignity requires considering them as an attribute of the person himself. In accordance with this principle, the data processed by OOREDOO TUNISIE cannot be transferred or used to infringe the dignity of Data Subjects. OOREDOO TUNISIE undertakes to make every effort to ensure its missions while preserving the integrity and availability of this data until the declared purpose of processing is achieved.

E.     Data minimization

 Article 11 of Organic Law n ° 2004-63 states that: "Personal data must be processed fairly, and to the extent necessary with regard to the purposes for which they were collected". In application of this provision, OOREDOO TUNISIE undertakes to collect the personal data of the data subjects only within the limits of those necessary to be able to carry out the missions which are its own and the purpose (s) declared to the Data Subjects. Any processing operation will ensure that any data collected that proves superfluous to achieve the purpose is deleted. Once the purpose has been achieved, OOREDOO TUNISIE undertakes to destroy or at least anonymize the personal data, in accordance with Article 45 of Organic Law number 63 of 2004.

F.     Lawfulness of processing

 In accordance with Article 10 of organic law number 63 dated 23 July 2004, OOREDOO TUNISIA undertakes to collect personal data only for lawful purposes. This commitment conditions the operations carried out on personal data to one of the following situations:

i.                 Obtaining the consent of the Data Subject;

ii.                Carry out the processing as part of the execution of a contract binding OOREDOO TUNISIE with the Data Subject;

iii.              Carry out the processing within the framework of a legal obligation which implies that OOREDOO Tunisie is legally compelled to carry out a processing;

iv.              Carry out the processing to preserve the vital interests of Data Subjects, for example in case of medical emergency.

V.    RIGHTS OF DATA SUBJECTS

The protection of personal data grants any Data Subject whose data is processed certain rights that entail obligations on the part of Ooredoo Tunisia. These rights, in accordance with Organic Law No. 63 of 23 July 2004, are as follows:

A.    Right of access to data

OOREDOO TUNISIA undertakes to make every effort to ensure that Data Subjects can have access to their personal data under the best possible conditions, either by consulting them or by obtaining an intelligible digital or paper copy of these data. This right of access applies both to the data collected relating to the Data Subject, but also to the result of the processing carried out by OOREDOO TUNISIE on this information.

In accordance with Article 38 of Organic Law No. 63 of July 27, 2004, the request for access must be submitted to Ooredoo Tunisia "in writing or by any other means that leaves a written record". Ooredoo Tunisia undertakes to respond "within a period not exceeding one month from the date of the request".

Requests for access should be addressed by the data subject to the internal data protection officer at the following email address: zied.ktari@ooredoo.tn

If the volume of personal data subject to the access request is large or requires more time to collect, the internal data protection officer may inform the data subject of the time it will take to collect the data subject to the access request.

In the event of abusive access requests, Ooredoo Tunisia reserves the right to refuse to comply. However, Ooredoo Tunisia must justify its decision in writing.

If a dispute arises between Ooredoo Tunisia and the data subject in connection with the exercise of the right of access, the latter may refer the matter to the National Data Protection Authority within "a maximum period of one month from the date of the refusal", in accordance with the second paragraph of Article 38 of Organic Law No. 2004-63.

B.    Right of rectification and erasure

When the Data Subject accesses his personal data, he may realize that certain information should not have been collected and processed mainly because it is not necessary to meet the declared purpose.

In such case, the Data Subject is entitled to request the destruction of the Data.

 If necessary, OOREDOO TUNISIE undertakes to delete the concerned personal data without delay.

 Otherwise, it must inform the Data Subject that the data is necessary to achieve the purpose and therefore that it will not be able to respond positively to the request.

In this case, Ooredoo Tunisia will consider the data to be disputed and, in accordance with Article 39 of the Organic Law of 2004, undertakes to mention the existence of this dispute in its files until the INPDP (National Institute for the Protection of Personal Data) has ruled on it.

In accordance with Article 37 of the aforementioned Organic Law, Ooredoo Tunisia will "implement the technical means necessary to enable the data subject, their heirs or their legal guardian to send by electronic means their request for rectification, modification, correction, or erasure of personal data".

Data subjects may also request the rectification of data processed by Ooredoo Tunisia if it is found to be inaccurate, erroneous or not up to date. Ooredoo Tunisia undertakes to comply without delay with the same rules presented above regarding the request for deletion of data.

C.    Right to object

Any Data Subject may, either at the time of data collection or at any time thereafter, express their opposition to the processing of such data.

Unless the processing of personal data is required by law or is necessary for the performance of a legal obligation, Ooredoo Tunisia undertakes to respect this expression of will if the reasons are "valid, legitimate and serious" in accordance with Article 42 of Organic Law No. 63 of 2004.

Ooredoo Tunisia may, in certain situations, where the proper functioning of its services requires it, disregard the Data Subject's opposition after obtaining authorization from the INPDP (National Institute for the Protection of Personal Data) in accordance with Article 43 of the aforementioned law.

Ooredoo Tunisia undertakes to immediately suspend the processing of personal data in the event of opposition by the Data Subject.

D.    Right to be forgotten

Ooredoo Tunisia processes the personal data of Data Subjects in order to fulfill the stated purpose. The loyalty of the relationship between the two parties thus requires that this data not be retained by Ooredoo Tunisia beyond the time necessary to achieve this purpose.

This is the aim of Article 45, which clearly states that "personal data must be deleted upon expiry of the period fixed for its retention in the declaration or authorization or specific laws or upon achievement of the purposes for which it was collected or when it becomes useless for the activities of the data controller".

The retention period for the Personal Data of Data Subjects is thus linked to the achievement of the purpose and in all cases to that which was declared by Ooredoo Tunisia at the time of informing the data subject in order to obtain their consent for the processing.

Ooredoo Tunisia undertakes to delete personal data processed in compliance with the timeframes thus set or at least to anonymize it, thereby making it impossible to irreversibly identify the Data Subject.

Ooredoo Tunisia is required by law to keep personal data beyond these periods in order to be able to respond to any requests from supervisory authorities or the tax administration or to judicial proceedings.

In all these special situations, Ooredoo Tunisia undertakes to inform the Data Subject of the timeframes necessary to achieve the purpose or those set by the applicable laws.

In the exercise of its missions, Ooredoo Tunisia will produce statistics or need to keep data in an anonymized format, which is no longer personal data, as it no longer makes it possible to identify the Data Subject, and can therefore be kept indefinitely and even made public.

E.     Right to appeal

In the event of a dispute related to the processing of personal data in connection with the rights exercised by Data Subjects or the fulfillment of Ooredoo Tunisia's obligations, any Data Subject may escalate the dispute.

The Data Subject, in relation to any dispute concerning the exercise of their right of access, opposition, rectification, or erasure of data at their request or by Ooredoo Tunisia within the framework of the right to be forgotten, may file a complaint with the National Institution for the Protection of Personal Data (www.inpdp.tn ).

VI.  OBLIGATIONS OF OOREDOO TUNISIE

The Organic Law No. 63 of July 23, 2004 on the protection of personal data imposes obligations on the data controller that OOREDOO TUNISIA, in this capacity, undertakes to respect.

OOREDOO TUNISIA therefore undertakes to respect the rights of data subjects developed in Section IV above and undertakes to facilitate the exercise of such rights by data subjects.

In this context, OOREDOO TUNISIA undertakes to respect the following obligations:

A.    Appoint an internal Data Protection Officer (DPO)

The DPO's mission is to establish a culture of personal data protection within the various structures of OOREDOO TUNISIA. He acts in order to bring OOREDOO TUNISIA into compliance with personal data protection standards. He advises OOREDOO TUNISIA structures in all decision-making related to the processing of personal data. He establishes relations in this area with Data Subjects and the National Institution for the Protection of Personal Data.

B.    Securing Personal Data

When a Data Controller undertakes to process the Personal Data of Data Subjects, it becomes the guarantor of their security. In this capacity, OOREDOO TUNISIA undertakes to take all technical and organizational measures to prevent any breach of the integrity, availability, or confidentiality of the Personal Data of Data Subjects.

OOREDOO TUNISIA undertakes to comply with the legal obligations regarding the security of information systems. it will carry out, in this regard, the mandatory periodic audit and follow the recommendations of the report of the certified auditors to ensure the security of personal data processed in information systems and will communicate the final report to the National Cybersecurity Agency.

C.    Careful selection of subcontractors and control of their processing of communicated data

The management of the missions entrusted to OOREDOO TUNISIA requires the use of subcontractors. These are responsible for carrying out certain data processing operations as part of the services they are asked to provide by the Data Controller.

In accordance with Article 20 of Organic Law No. 63 of 2004, when OOREDOO TUNISIA entrusts "to third parties certain processing operations or all of them, within the framework of a subcontracting contract", OOREDOO TUNISIA undertakes to "carefully" select the subcontractor by ensuring that it complies with the protection standards and that it will strictly limit the processing of data to the mission entrusted to it.

D.    Taking the necessary precautions for the protection of data during its communication

OOREDOO TUNISIA undertakes to protect the Personal Data it processes and will implement all measures to prevent the disclosure of data at the time of its communication between its employees, its subcontractors, its beneficiaries or third parties.

In situations where the identification of the Data Subject is not necessary for the recipient, OOREDOO TUNISIA will proceed to anonymize the data prior to communication.

When the data allows the identification of the Data Subject, OOREDOO TUNISIA will resort to the pseudonymization of the data prior to its communication.

In all cases, the communication of data cannot be carried out without having been previously encrypted.

E.     Carrying out the preliminary procedures with the INPDP

In accordance with Article 7 of Organic Law No. 63 of 2004, OOREDOO TUNISIA will carry out the data processing declaration procedure for each processing purpose.

Whenever sensitive personal data is processed, video surveillance systems are installed or data is transferred abroad, OOREDOO TUNISIA will submit an authorization request to the INPDP in accordance with Article 8.

VII.                   WEBSITE DATA PROTECTION

OOREDOO TUNISIE manages a website accessible at https://www.ooredoo.tn/ The website collects and allows the processing of users' Personal Data. The processing within this framework is subject to the standards set forth by Organic Law No. 63 of 2004 in order to respect the privacy of users. No information is collected without the knowledge of visitors. An opt-in consent from the visitor is systematically requested by a checkbox.

No personal information collected is transferred to third parties. Emails, electronic addresses or other personal information collected through the site are not exploited and are not stored on the platform. They are immediately transmitted to the Data Controller and are only kept for the necessary duration.

For OOREDOO TUNISIE’S website, data is collected for the purpose of processing for pre-registration, chat or contact purposes, but also cookies which are installed on the user's terminal to improve their browsing and perform statistics.

A. Pre-registration

The information provided by the customer during their online pre-registration is essential to process their request. It must be completed carefully and accurately.

By validating the form, the user accepts the General Terms and Conditions of Use (GTC), accessible via the link provided for this purpose. These GTC include:

  • The identity of the company responsible for the processing, namely OOREDOO TUNISIA.
  • An explanation of how the information provided is used to provide the requested service.
  • The measures necessary to guarantee the security of Personal Data.
  • The recipients of the data.
  • The rights concerning Personal Data, including your right of access.

To consult the history of requests and exercise their rights, the users simply create an account. The account's identification information is confidential and must not be shared.

  • In case of acceptance: the data is kept to finalize the registration and is integrated into the OOREDOO TUNISIA information system.
  • In case of refusal: the data is deleted at the latest at the end of the current year.

B. Contact

The website provides users with a contact section that allows users and visitors of the website to get in touch with OOREDOO TUNISIE services. The data collected is all mandatory and allows the identification of the user as well as obtaining their contact details and the subject of their request. This data is kept for a period of three years. However, the user may request the deletion of this data at any time. This data is not used for e-commerce or commercial prospecting operations

C. Cookies

When browsing the site, users leave electronic traces. This set of information is collected using a connection witness called a cookie which does not collect any personal information. The consent collection interface includes a "accept all" button, but also a "refuse all" button. Audience measurement tools are used to obtain information about user navigation on the OOREDOO TUNISIE website. They make it possible, in particular, to understand how users arrive on a website or mobile application and to reconstruct their journey.

At the beginning of the connection to the OOREDOO TUNISIE website, the user is asked to either give his consent or refuse it or to configure the management of cookies. The minimum management of cookies will be used on the OOREDOO TUNISIE website to produce anonymous statistical data and will not lead to a cross-referencing of data with other processing and the data collected will never be transmitted to third parties.

In order to improve ergonomics, navigation within the site, editorial content and user service, the OOREDOO TUNISIE website's statistics management tool stores information relating to user profiles: equipment, browser used, geographical origin of requests, date and time of connection, navigation on the site, frequency of visits, etc. This connection data allows for statistical extractions and is kept for a limited period.

 OOREDOO TUNISIE undertakes to take the necessary measures to be able to provide, at any time, proof of the valid collection of the user's free, informed, specific and unequivocal consent. This data is kept for a limited period. Users can delete these cookies from their terminal using their browser by requesting the deletion of browsing data. In this case, the site will ask the user when they enter the OOREDOO TUNISIE website again to reconfigure the cookie management again.  

D. Chat

OOREDOO TUNISIE includes a live chat service on its website. The chat allows users to request information or to be guided through specific procedures. The chat service processes the user's Personal Data and collects certain information that allows the management and control of the quality of this service.

OOREDOO TUNISIE undertakes to transmit complaints to the relevant department and in all cases not to store the data from the discussion beyond the time necessary to respond to the concerned person.

E. Social Media

The pages of OOREDOO TUNISIE website include links to social media that allow visitors to discover the company's news. Concerned individuals can go to the OOREDOO TUNISIE Facebook page, its YouTube account as well as the Instagram or LinkedIn page. These platforms have their proper terms of use that the user must accept. OOREDOO TUNISIE does not manage personal data on these platforms.

VIII.                 GENERAL TERMS AND CONDITIONS OF USE

OOREDOO TUNISIE provides online services to visitors of its website, such as registration for interactive services. The processing of collected data is carried out in accordance with these general terms and conditions of use, which the Data Subject must accept before benefiting from these services.

A. Data Collection: OOREDOO TUNISIE collects Personal Data that you voluntarily provide when using the site. This may include information such as your name, email address, phone number, postal address, etc. This data is necessary to evaluate your application and to respond to the requested service.

B. Consent and Use of Data: By using the OOREDOO TUNISIE website or application and providing your Personal Data, you consent to its collection, processing, and use in accordance with the personal data protection policy. The collected data will be processed exclusively for the stated purpose, which is to identify you as a user, provide you with secure access to your account, send you notifications related to your services, personalize your user experience, and provide you with efficient customer support.

C. Data Retention Period: OOREDOO TUNISIE undertakes to process Personal Data only until the stated purpose has been achieved, unless the law requires or authorizes or obliges a longer retention period.

D. Data Protection: OOREDOO TUNISIE undertakes to comply with the guidelines and obligations included in its personal data protection policy in accordance with the provisions of Organic Law No. 63 of 2004. OOREDOO TUNISIE takes all necessary technical and organizational measures to protect Personal Data. OOREDOO TUNISIE is committed to implementing appropriate security measures to protect your Personal Data from any unauthorized access, disclosure, misuse, or alteration.

E. Communication of Processed Data OOREDOO TUNISIE respects the prohibition in Article 47 of Organic Law No. 63 of 2004 to communicate processed Personal Data to third parties without the prior consent of the Data Subjects or if the law provides otherwise and after having informed the data subject.

F. User Rights OOREDOO TUNISIE respects the right of data subjects to access their Personal Data, as well as to request its rectification or deletion, and even to object to its processing for legitimate reasons. To exercise the indicated rights, the Data Subject must submit a request to the internal Data Protection Officer at the following address: zied.ktari@ooredoo.tn The DPO will endeavor to respond to the request within the one-month period provided for by the aforementioned law.

G. Modifications to the General Terms and Conditions of Use OOREDOO TUNISIE reserves the right to modify these general terms and conditions of use at any time. Any modification will be published on the site with the effective date. Data Subjects are invited to consult these terms regularly to stay informed of any updates.

H. Effective Date of the General Terms and Conditions of Use OOREDOO TUNISIE will apply the general terms and conditions of use from the date of their publication on the company's official website.

 

Already have an account?
Log in instead Or Reset password
Respecting your data is our priority

This site uses cookies to guarantee you a better experience.

Cookie policy

Allow Deny
x

-10% on data bundle purchased by credit card