In 2008 we created a Board of Management department for Data Privacy, Legal Affairs and Compliance as well as the Group Privacy unit. This has given us the necessary capacities for effective data protection. The responsible Board member is advised by the independent Data Privacy Advisory Council, which was founded in February 2009 and comprises renowned experts from politics, science, business and organizations.
We are also committed to improving the political framework conditions to ensure comprehensive data privacy. At the 2015 national IT summit we signed the "Charter for the Promotion of Trustworthy Communications" together with the German Federal Minister of the Interior and other organizations. Its main purpose is to make sure that the encryption of private communications becomes standard.
Consistent transparency toward the public
In 2008 we were the first DAX-30 company to publish an annual data privacy report, which documents all relevant processes at the Group. We have been publishing an integrated report on data privacy and data security since 2011.
In addition, we have been publishing an annual Transparency Report since 2014. In the report we disclose our obligations to cooperate with German and international security agencies.
Further details and current information regarding data security can be found under http://www.telekom.com/dataprotection. The status report, for example, includes all processes relevant to data privacy at Deutsche Telekom. We present our latest measures to improve data privacy as well as tips for keeping personal information safe.
The section on consumer and youth protection elaborates on how we ensure the safety of our products and services.
Regular employee training courses
Telecommunications companies are obliged to provide new employees with information on data privacy regulations. Deutsche Telekom goes beyond this legal requirement: Every two years, we train all of our employees in Germany and commit them to data privacy and telecommunications secrecy. Corresponding requirements for national companies are in place. We have also introduced specific training courses in the customer and human resources departments where the risk of data abuse is higher. These training courses include online courses for independent learning, presentations on data privacy and face-to-face courses on specific topics such as "Data privacy at call centers." This helps us make sure that all employees have an in-depth understanding of the relevant data privacy policies.
Annual review of measures through audits and certifications
We conduct an annual basic data privacy audit to measure and improve the general data privacy standards at Deutsche Telekom in Germany and at 34 international affiliated companies. In 2015, 30 percent of Group employees were randomly selected and interviewed online. The basic data privacy audit is supplemented by self-assessments completed by the data privacy officers at the national companies on implementation of the requirements defined in the Binding Corporate Rules on Privacy.
Based on the results, the Group Privacy department identifies the need for action at the respective departments and requires them to implement improvement measures. To this end, the Global Data Privacy Officer holds personal meetings with the responsible directors, managers and data privacy officers at the different departments. The Group Privacy department supports implementation of the improvement measures by providing information and advice and conducts a follow-up evaluation. Unusual audit results are taken into consideration when planning the follow-up audit.
We also have our processes and management systems as well as products and services certified by external, independent organizations such as TÜV, DEKRA and auditing firms.
In January 2015 we launched an international campaign designed to raise employee awareness of the importance of data privacy. The campaign's protagonist is the "data slob". The data slob embodies sloppiness in handling data and information and demonstrates the consequences of treating data privacy lightly. We asked our employees on the Telekom Social Network, TSN, to illustrate these risks as part of an ideas competition under the heading "Don't give the data slob a chance." Around 150 employees took part and addressed the topic in writing, graphically (see cartoons) and even through videos.
In addition, employees can always report potential abuse of data privacy at firstname.lastname@example.org.
Data privacy and data security are very important to us. In 2008, we created a special Board of Management department for this topic and introduced the Binding Corporate Rules on Privacy specifying how personal data is to be collected, stored, and processed at the Deutsche Telekom Group. Not only do we provide transparent information on all of our activities and measures in our annual Data Privacy and Data Security Report, we also take stock of the current situation: What has Deutsche Telekom achieved? What do politicians consider to be the areas needing the most improvement? And what do experts think about the current state of data privacy and data security?
Our products and services have always provided a high degree of data privacy and data security. Growing volumes of data require special precautions to protect the privacy of citizens, which is why we approved eight mandatory principles for handling big data, or large amounts of personal data, in 2013. In January 2015, we also approved specific measures to protect data and infrastructure in our "Ten-point program for increased cyber security." We also developed new protective products including our Mobile Encryption app designed to ensure end-to-end encryption of mobile communication.
Data privacy and security also play a key role in the development of our other products and services. Our Privacy and Security Assessment (PSA) procedure allows us to review the security of our systems in each step of the development process. This procedure applies to newly developed systems as well as existing systems that undergo changes in technology or in the way data is processed. We use a standardized procedure to document the data privacy and data security status of our products throughout their entire life cycle.
Youth protection aspects are also taken into consideration in our product and service design. In Germany we involve our youth protection officer in all issues regarding planning and designing offers for young people. The youth protection officer can then recommend limits or changes. In 2013, we also made it mandatory for every international subsidiary within the EU to designate a child safety officer (CSO) to handle youth-protection related topics. As a result, at least one CSO was appointed in each of our European markets in 2014. The CSO acts as a central contact for members of the community in the respective EU market. They also play a key internal role in coordinating topics revolving around the protection of minors. These measures increase the consistency and transparency of Deutsche Telekom's involvement in protecting minors.
Strategic approach to protecting minors from unsuitable media content
Our strategy to protect children and young people from harm when using digital media is based on three pillars. We
- provide attractive, age-appropriate offers for children and give parents and guardians tools (filters) that they can use to restrict the access minors have to harmful content,
- work to fight child abuse and child pornography and
- promote skills to help people use the Internet safely.
We also collaborate closely with prosecuting authorities and NGOs as well as other partners from business, politics, and society to ban online content that is harmful to children and young people.
We documented our commitment to protecting minors from unsuitable media content in Germany in relevant codes and introduced minimum standards.
In 2007, we committed ourselves to fighting child pornography on the Internet throughout the European Union. At a global level, we have been a member of the global association of mobile providers, GSMA, since 2008, which pursues the same objectives. In order to better coordinate our activities within the Group, we also approved a list of general guidelines in October 2013 for our activities to help protect minors from unsuitable media content and made these guidelines mandatory at international level, thereby setting new standards in our markets. In consideration of their particular cultural situation and business model, each international subsidiary in the European Union can further specify these measures, adopt additional measures, and also determine their own strategic focal points.
Because protecting minors from unsuitable media content poses a challenge that affects many industries, we cooperate with different organizations for the protection of minors and participate in coalitions that coordinate the involvement of companies and organizations from the Internet and media sector. For example, we are a member of the "CEO Coalition to make the Internet a better place for kids." We also play a leading role in the ICT Coalition for the Safer Use of Connected Devices and Online Services by Children and Young People in the EU. In this coalition, we pursue a comprehensive cross-industry approach based on six principles that expressly includes helping young people learn media skills.
In January 2013, as part of both coalitions, Deutsche Telekom announced plans to implement an EU-wide set of measures based on the principles of the ICT Coalition. The ICT Coalition published an annual report in April 2014 on the implementation of corresponding measures at all of the companies represented in the ICT coalition. The report, which was written by an independent expert from the Dublin Institute of Technology, comes to the conclusion that Deutsche Telekom's approach to implementing the ICT Coalition's principles is exemplary.
According to a survey carried out by the IfD Allensbach institute for its 2015 Security Report, Deutsche Telekom is the most trustworthy company among German telecommunications and Internet providers when it comes to data privacy. Greater value is generally placed on the protection of personal data in Germany compared to other countries, which is why the services we provide to our customers are hosted in particularly secure data centers.
We document our wide range of data protection activities in our annual Data Privacy and Data Security Report. The following are just a few examples of our activities during the reporting period.
Encrypted e-mails for everyone
As of mid-2016, Deutsche Telekom and the Fraunhofer Institute for Secure Information Technology (SIT) will begin providing Volksverschlüsselung, a simple and free e-mail encryption service for everyone. The solution is operated by Deutsche Telekom at a high-security data center. The goal is to make state-of-the-art encryption methods accessible to everyone. Cryptographic keys are created directly on the user's end device and never leave their device, making sure that they are never available to the infrastructure operator. To use the encryption, users only need to install the software and identify themselves as part of a simple one-time process. In the first step, users are identified via the established Deutsche Telekom registration processes or with the aid of an electronic ID card. Other processes for secure identification are planned at a later stage.
Testing Deutsche Telekom apps
In October 2015, Deutsche Telekom data protection and security specialists examined the security levels of 30 company apps. Focus was placed on the most popular apps in the Apple and Google download stores, including the We Care app magazine. They also checked how and when the apps provide the requested data privacy information. Can customers find sufficient information at the store - i.e., before downloading the software? How detailed is the data privacy information?
Overall, the testers were satisfied with the outcome. Results were particularly favorable with regard to data minimization and restriction of use to defined purposes, which means that apps do not store or use any personal user data not required to operate the app. But the testers also detected room for improvement. The most common criticism referred to shortcomings in data privacy notices, for example when it comes to contents or detectability within the app. Unfortunately, not all apps use the Deutsche Telekom privacy icon yet, a data protection icon developed by Deutsche Telekom that refers the user to privacy-by-design functions. The specialists also detected some potential for optimization in terms of data security. The Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT) got involved in the vulnerability analyses and provided Deutsche Telekom with test software to identify critical potential security gaps commonly used by attackers. Any vulnerabilities found were documented and corrected.
TÜV data privacy certification for phone bills
Telekom issues around 27 million phone bills each month in the German consumer segment alone. TÜViT once again certified the billing processes used by Telekom Deutschland in 2015, assessing both data protection and IT security. By granting this certification, TÜV technical services agency has confirmed that Telekom handles customer data securely and in compliance with legal regulations.
Beware of fake bills
Time and again, criminals try to spread malicious code on computers using fake Telekom bills. Deutsche Telekom started adding further security features to their online bills in February 2015. In addition to addressing customers personally and including the customer's account number, online bills now also include the customer's address. Customers can recognize authentic online Telekom bills by the forgery-proof e-mail seal. It appears highlighted in customer e-mail inboxes and provides a quick overview of whether the e-mail was actually sent by Telekom. We have also introduced an invisible signature that is read by Internet providers as part of the e-mail transfer. Providers can tell from the signature whether an e-mail originates from a trustworthy sender or whether it is a fake e-mail indicating Deutsche Telekom as the sender.
The online Deutsche Telekom security guide
Information on cyber criminals, malware and phishing is distributed over thousands of websites on the Net. The www.sicherdigital.de website brings this information together, providing users with easy access to security issues. Young people, adults and businesses can find useful information and specific tips concerning security and data protection.
The "Confidential" issue of our We Care app talks about how dangerous hacker attacks can be and how users can protect themselves.
Protecting our customers from online dangers is a major concern at our company. In our Cyber Security business area, we have the capacities necessary not only to identify cyber attacks in plenty of time but also to respond quickly with countermeasures. We are also developing new ways to prevent attacks on an ongoing basis. To help us do this, we opened our own Cyber Defense Center where we analyze online behavior patterns and develop defense strategies.
Collaborating in the name of security
Cyber security is a shared responsibility. We work with research institutes, industry partners, initiatives, standardization bodies, public institutions and other online service providers worldwide to fight cyber crime and improve online security. We collaborate, for example, with the German Federal Office for Information Security (BSI) throughout Germany and with the European Union Agency for Network and Information Security (ENISA) at a European level.
To support our business customer segment we entered into a partnership with the AlienVault company in 2015. Together we offer a security solution for cyber attacks developed especially for SMEs. The solution lets SMEs use a defense system that was previously only available to corporations with extensive IT resources. We presented the new offer at CeBIT 2015 for the first time.
With the aim of improving collaboration when it comes to digital security, we also regularly host the Cyber Security Summit in collaboration with the Munich Security Conference. The next conference is scheduled for 2016.
Telekom Security is pooling Deutsche Telekom's security expertise
During the reporting period the Board of Management decided to create the new Telekom Security unit. Units working on the topics of security that have been separate until now, such as the Cyber Security business area, will be brought together here under one roof. The purpose of consolidating these units is to increase our competitive edge and develop new, innovative offers for our customers. Telekom Security is to be formally established on April 1, 2016, and the new organization will officially be launched as a full-fledged separate unit on January 1, 2017.
Deutsche Telekom is the leading provider of managed security services in Germany. The analysts at Experton came to this conclusion in their Security Vendor Benchmark 2015 study. They reported that Deutsche Telekom has an attractive portfolio and proven competitive strength. The analyst firm conducted an extensive review of the offers of 450 security providers for the first time for the study. Deutsche Telekom received excellent ratings in the following categories: Security Information and Event Management, Mobile Security as a Service and Managed Security Services.