MTN POSITION STATEMENT
Data protection and privacy
Introduction
MTN processes large volumes of personal information across multiple systems and processes
across the MTN Group. We strive at all times to conduct our business in accordance with the letter
and spirit of the applicable regulatory and legislative requirements in our markets and drive a
culture of protecting the personal information for which we are responsible. We are committed
to fair dealing when conducting business and strive to always act with due skill, care and
diligence.
Purpose
- The purpose of this position statement is to ensure:
- The privacy rights of data subjects are protected.
- Personal information processed within the MTN Group is protected.
- MTN complies with all applicable regulatory and legislative requirements.
- MTN will fulfil all its responsibilities to relevant data protection and other
regulatory authorities, where applicable, to conduct business in an ethical, open
and transparent manner.
- Third parties comply with the privacy principles as contained in this position.
MTN’s approach
MTN is guided by the following globally-defined standards:
- ISO/IEC 27001:2013.
- Critical security controls (CSC).
- NIST cybersecurity framework.
- General data protection regulation (GDPR).
- Protection of Personal Information Act (POPIA).
- King IV on Corporate Governance for South Africa 2016.
MTN’s approach to data protection and privacy
- We are committed to protecting the privacy of all our stakeholders and
ensuring the security of their personal information. We collect information to
provide our customers with the most effective products and services. We aim
to limit the collection of personal information to what is relevant and
necessary to accomplishing this purpose. Personal information is collected,
processed lawfully, stored securely and not disclosed unlawfully to any third
party.
- We endeavour to comply with applicable privacy and data protection laws,
including the GDPR and POPIA. GDPR is the European Union law on data
protection and privacy, which is considered the international gold standard
for protecting personal information. We strive to comply with the obligations
such as appointing a data protection officer to assist with monitoring internal
compliance, informing and advising on our data protection obligations,
providing advice regarding data protection impact assessments and its
explicit procedures for reporting a data breach.
- POPIA is South Africa’s privacy and data protection law which derives its
foundational principles from the GDPR. This Act requires the appointment of
an information officer and the development of a POPIA compliance
framework. The framework outlines the regulatory compliance standards
relevant to MTN and the business processes and internal controls that embed
these standards. The Information Officer continually monitors the framework
to ensure that it is kept up to date with changes in legislation, as well as
ongoing compliance within MTN.
Key principles of MTN’s data privacy and protection approach
- We assign accountability for our data protection and privacy policies and procedures
across the MTN Group in each jurisdiction.
- We process personal information lawfully, and in a manner that does not infringe the
privacy rights of a data subject.
- We obtain consent from the data subject when required.
- We do not retain records of personal information any longer than is necessary for
achieving our intended purpose, other than what is permitted by relevant legislation.
- We take reasonably practicable steps to ensure that all personal information we process
is complete, accurate, not misleading and updated, where necessary, taking into
consideration the purpose or any lawful further processing.
- We adopt an open and transparent approach when processing personal information,
recognising the rights of a data subject to gain access to all personal information that
MTN may process about the data subject.
- We endeavour to safeguard and secure all personal information under our control by
implementing technical and organisational measures to prevent loss of, damage to,
unauthorised destruction of, unlawful access to, or unlawful processing of personal
information.
- We ensure the protection of personal information that is processed by third parties
contracted to MTN.
- We ensure that personal information is not transferred cross-border unless agreed
conditions are met.
- We conduct direct marketing to data subjects in compliance with relevant legislation.
- We undertake ongoing risk assessments and audits on data protection and privacy.
What personal information does MTN collect and use?
Personal information collected and held by us may include, but is not limited to:
name, sex, date of birth, addresses, telephone number, mobile phone number,
email address, occupation and information contained in supporting documents
such as proof of identity and proof of address.
- MTN and our authorised third parties may collect, store, and process certain types
of personal information. This information includes: biometric data, ethnic origin
and financial data, for providing products, services, use of our website and
information related to our customers’ utilisation of our services (which may
include our customers’ call patterns, our customers’ browsing history on our
website, location details and additional information provided while using our
services). Customers browsing our site, who do not wish to share their location
details, may adjust their preferences by making appropriate changes to their
browser privacy settings.
How does MTN collect and use customers’ data?
- MTN processes customers’ personal data based on:
- Our legitimate business interests, for example, direct marketing and improvement
of our services. Whenever we rely on this lawful basis to process our customers’
data, we assess our business interests to make sure they do not override our
customers’ rights. Additionally, in some cases the customer has the right to object
to this processing. See the “Our customers’ rights” section of the statement.
- Consent customers provide, where MTN does not rely on another legal basis.
Requests for consent will always be presented separately to our customers, can
be withdrawn at any time and our customers will be given details on how to do so.
- Where the personal information of data subjects is not obtained directly from the
data subject, we ensure that we have a permissible legal basis to do so.
- MTN collects customers’ personal information for a variety of business purposes
limited to the following areas:
- Verifying our customers’ identity.
- Completing transactions effectively and billing for products and services.
- Responding to our customers’ requests for service or assistance.
- Performing market analysis and research, as well as business and
operational analysis.
- Providing, maintaining, and improving our products and services.
- Anticipating and resolving issues and concerns related to our products
and services.
- Promoting and marketing our products and services that may benefit and
be related to products and services our customers are currently enjoying.
- Ensuring adherence to legal and regulatory requirements for prevention
and detection of fraud and crime.
- MTN may keep a log of the activities performed by our customers on our network and
websites by using various internet techniques such as web cookies, web beacons, server
log files, etc., for analytical purposes, for analysis of the agreeableness of various
features on our site and in accordance with requisite legal requirements. This information
may be used to provide our customers with a better experience on our platforms.
- At any time while our customers are browsing our site, if our customers do not wish to
share browsing information, our customers may opt out of receiving the cookies from our
site by making appropriate changes to our customers’ browser privacy settings.
- If our customers do not provide consent for usage of personal information or later
withdraw consent for use of the personal information collected, MTN may not be able to
provide certain products and services to them.
- The MTN Conduct Passport emphasises our commitment to our operation and
demonstrates the standard of ethics and conduct to be met by individuals employed by
MTN.
- The Conduct Passport reiterates to our employees that we are committed to protecting
the rights of all people to freely communicate and share information, and to privacy in
their use of digital, telephonic and internet-based communications. Therefore, all
employees must protect, respect and ensure these rights of all customers using our ICT
solutions, where laws and licence conditions may not appropriately recognise the rights
of our customers.
Disclosure and transfer of personal information
- Collection of personal information: We will obtain our customers’ consent for sharing their
personal information in several ways, for example: in writing; online; through
‘click-through’ agreements; orally, including through interactive voice response; or when their
consent is part of the terms and conditions that apply to our products and services.
- Internal use: MTN and our employees may utilise some or all available personal
information for legitimate business purposes and related activities within the parameters
mentioned above.
- Third parties: We may have to share our customers’ personal information with third
parties, including third-party service providers, subcontractors, or other entities within
the MTN Group. These third parties are expected to uphold the same standards as MTN
on data protection and privacy. A ‘third party’ is a service provider who is contracted by
MTN to provide a service or product, which may include the handling, managing, storing,
processing, protecting and transmitting information of and for MTN. This includes all
subcontractors, consultants and/or representatives of the third party. We require third
parties to ensure the security of our customers’ data and to treat it in accordance with
applicable laws.
- Government and law enforcement agencies: We may also share our customers’ personal
information with government agencies or other authorised law enforcement agencies
(LEAs) mandated under law to obtain such information for the purpose of verification of
identity or for prevention, detection and investigation, including, but not limited to, cyber
incidents, the investigation and prosecution of crime and as is required by law.
- Transfer: MTN may transfer our customers’ personal information or other information or
data collected, stored and processed by us to any other entity or third party located
outside our customers’ country of service, only if necessary, for legitimate business
purposes for providing services to them. This may also include sharing of aggregated
information with third parties contracted to MTN for them to understand our environment
and consequently, provide our customers with better services. While sharing our
customers’ personal information with third parties, reasonable organisational, technical
and security measures shall be taken to ensure that reasonable security practices are
followed by the third party and are in line with the law.
Security practices and procedures
- MTN adopts appropriate and reasonable security practices and procedures, in line with
international standards to include technical and organisational security safeguards in
order to protect our customers’ personal information from loss, damage, unauthorised
access, or disclosure while it is under our control.
- Our security practices and procedures are within industry standards. Further, our
employees and service providers or partners are bound by codes of conduct and
confidentiality policies which require them to protect the confidentiality of the personal
information they access.
We may retain our customers’ personal information for as long as required to provide our
customers with products and services or as otherwise permitted under applicable law.
When we dispose of our customers’ personal information, we use appropriate procedures
to erase it or render it unreadable/anonymised.
- Internet use
We take appropriate measures to maintain the security of our internet
connections and observe reasonable security measures to protect our customers’
personal information against hacking and virus dissemination. However, for
reasons outside of our control, security risks may still arise.
- Storage: How do we keep our customers’ information?
We may store our customers’ information in hard copy or electronic format and
keep it in storage facilities that we own and operate ourselves, or that are owned
and operated by our third parties/service providers. We use a combination of
technical solutions, security controls and internal processes to help us protect
our customers’ information and our network from unauthorised access and
disclosure.
- Accuracy
We endeavour to ensure that personal information is accurate and encourage our
customers to update the personal information in our possession as and when it
changes by contacting us via the details provided below.
Our customers’ rights
Right to access personal information
- Our customers have the right to make a request for a copy of all the personal
information that MTN holds about them (including advertising audience
categories and inferred information) as permitted by law.
Right to correct personal information
- Our customers have the right to correct their personal information held by us to
ensure it is accurate and complete.
Right to data portability
- Our customers have the right to take with them their personal information that
was provided to us in certain circumstances as permitted by law.
Right to object to use of personal information
- Our customers have the right to object to MTN processing their personal
information, in certain circumstances as permitted by law.
To opt-out of marketing messages
- MTN will not issue targeted marketing to our customers unless it is for MTN
services they are already using or unless we have the requisite consent to
do so. If they no longer want to receive marketing messages from MTN, they can
choose to opt out at any time using the means made available to them. If our
customers have previously opted in to receive personalised content based on how
and where they use our network, they can also opt out at any time.
Right to erasure
MTN strives to only process and retain our customers’ data for as long as is
necessary to achieve the purpose for which it was collected. Our customers have
the right to request that we erase their personal information held by MTN,
provided there are no laws compelling or permitting MTN to store their personal
information longer.
Reporting mechanism
- MTN encourages customers and employees to speak up and report conduct which
they, in good faith, believe violates laws, regulations, or internal processes. Any employee
or associated party who becomes aware of any actual or possible violation of applicable
laws and regulations is required to report it to MTN’s customer service lines.
- Should a customer or employee feel that their rights have been violated, then
customers can contact HumanRights@mtn.com.
- Matters reported will be investigated and addressed, including appropriate action being
taken where there have been violations.
Roles and responsibilities
- Our Board, through the Group Risk and Compliance Committee, has oversight
of the Group’s actions and performance regarding data protection and privacy.
- The Group's Executive Committee is responsible for policy implementation and for
identifying, addressing, and remedying data protection and privacy risks,
driven by the Group Chief Risk and Compliance function, in line with MTN’s
policy.
Applicability and transparent reporting
- Our Data Protection and Privacy Policy applies to all our directors, officers,
employees, and representatives of the Company, whether permanent,
temporary or on contract.
- We expect our intermediaries, agents, contractors, suppliers, and business
partners to uphold the same standards.
- Our supplier code of conduct outlines the minimum standards including data
protection and privacy that each supplier of products or services must comply
with.
- We are committed to transparency and disclosure regarding data protection and
privacy at MTN.
Communication and training
- MTN’s Data Protection and Privacy Policy is shared with all employees of MTN’s
operating entities, subsidiaries and partners and the policy is translated into local
languages as required. Detailed training is provided to employees and partners
on an annual basis.
- We reserve the right to modify this data protection and privacy statement as and
when required. We will post any changes to our privacy notice on our websites a
week prior to them coming into effect. We encourage our customers to check
frequently to see the current data protection and privacy statement to be
informed of how MTN is committed to protecting their information and providing
them with improved content on our site in order to enhance their experience.