Our approach to data protection
The highest standards of data privacy and data security are part of our brand identity. Our active data protection and compliance culture, which has been built up over the past decade, sets national and international standards.
The company’s Human Resources and Legal Affairs Board department, headed by Board of Management member Birgit Bohle, has responsibility for the area of data privacy. The Technology and Innovation Board department, headed by Board of Management member Claudia Nemat, is responsible for the area of data security.
Since 2009, the Group Board of Management has been advised by an independent Data Privacy Advisory Board comprising reputable experts from politics, science, business, and independent organizations. At the beginning of 2020, the Advisory Board took on a bigger role through the addition of new members from the Board of Management and the Supervisory Board of Deutsche Telekom AG.
Deutsche Telekom Security GmbH combines the security activities from various Group areas, thereby reinforcing our portfolio of cybersecurity solutions.
Data protection and data security at Deutsche Telekom are subject to the following regulations:
- The Binding Corporate Rules on Privacy govern the handling of personal data.
- The Group Security Policy includes significant security-related principles followed within the Group.
Both guidelines set forth binding standards that are oriented to the international standards ISO 27001 (information security management) and ISO 27701 (the privacy extension to ISO 27001). These policies allow us to maintain a consistently high level of security and data privacy throughout the Group.
Ensuring effective data privacy
- Consistent transparency vis-a-vis the public
At www.telekom.com/data-protection, we provide comprehensive information about our data protection activities, such as our implementation of the GDPR. We have also published an annual transparency report since 2014. Moreover, in the Consumer protection section of this CR report we explain how we make our products and services safe for users.
- Regular employee training courses
Telecommunications companies are obliged to provide new employees, at the beginning of their employment relationships, with information on data privacy regulations. We go above and beyond these legal requirements. Every two years, we train all Group employees and place them under an obligation to uphold data privacy and telecommunications secrecy.
We have also introduced specific training in the customer and human resources departments. This training includes online courses for independent learning, presentations on data privacy and face-to-face courses on specific topics such as data protection at call centers. This helps us ensure that all employees have in-depth understanding of the relevant data privacy policies.
- Regular review and adaptation of measures
We carry out a Group data privacy audit every two years to measure and improve the general data privacy standards throughout the Group. As part of the audit, we ask a randomly selected group, accounting for a 15 percent share of the Group’s employees, to participate in an online survey. The Group data privacy audit is supplemented by internal and external on-site checks.
Group Privacy assesses the results and checks whether action needs to be taken in the respective units. Where necessary, the Global Data Privacy Officer calls for improvement measures and, to this end, holds personal meetings with the responsible directors, managers, and data privacy officers at the different departments. Group Privacy offers advice on the implementation of the measures and determines whether they are effective. We take unusual audit results into consideration when planning the follow-up audit.
We have our processes, management systems, products, and services certified by external, independent organizations such as TÜV, DEKRA, and auditing firms. The IT systems at Telekom Deutschland were most recently certified as secure in 2020 by the testing institute TÜV Informationstechnik (TÜViT) of the TÜV Nord Group. This certification has a validity of two years.
How we handle “big data” and “artificial intelligence”
When we process very large volumes of data, we need to take special measures to protect data subjects’ privacy. In keeping with this requirement, we have had eight mandatory principles for handling big data in place since 2013. In addition, in 2015 we adopted a “Ten-point program for better online security,” which includes specific measures to protect data and the network infrastructure. In this framework, we have developed a number of special protection products – including the “Protect Mobile App,” which checks the mobile network a smartphone is currently connected to for risks. Furthermore, we have published a guideline for designing artificial intelligence (AI) in compliance with data privacy requirements.
Review of our products
Data privacy and security play an important role in our products and services from the very start of their development. Our Privacy and Security Assessment (PSA) procedure allows us to review the privacy and security of our systems at each step of the development process. This procedure applies to newly developed systems as well as to existing systems that undergo changes in technology or in the way data is processed. We use a standardized procedure to document the data privacy and data security status of our products throughout their entire life cycle.
- Code TC-TL-220a.1 (Data Privacy)
- Code TC-TL-230a.2 (Data Security)
As a telecommunications company, we are legally obliged to assist security agencies. This includes, for example, monitoring and recording telecommunications connections of certain criminal suspects or providing information about subscribers.
International legal framework conditions differ considerably. In some countries it is illegal to disclose such measures, while in others surveillance is conducted directly by the authorities without the involvement of telecommunications companies. You can find details of the situation in the individual countries on our website.
Since 2014, we have published an annual transparency report for Germany; since 2016, we have also published an international transparency report. In these reports we disclose, to the extent legally permitted, the nature and extent of the information we were required to provide to security authorities. We consider it the responsibility of the authorities to ensure transparency regarding security measures. Until state authorities meet our demands in this regard, we will strive to provide the necessary transparency ourselves to the extent legally possible.
Reporting against standards
- Code TC-TL-220a.4 (Data Privacy)
Deutsche Telekom Security GmbH is our security specialist. It has years of experience in safeguarding the Group’s internal security. In addition, it offers our customers suitable security products and services throughout the entire value chain – from product development and applications to secure, high-performance networks and high-security data centers.
Increasing connectivity and digitalization can also harbor risks, which is why we develop targeted measures for combating potential new security risks and preventing some threats from even arising in the first place.
We want to enhance collaboration in the area of digital defense and therefore regularly host the Cyber Security Summit together with the Munich Security Conference.
In addition, we collaborate with research institutes, industry partners, initiatives, standardization committees, public institutions, and other internet service providers on a global scale. Together, we want to fight cybercrime and improve online security. We collaborate, for example, with the German Federal Office for Information Security (BSI) throughout Germany and with the European Union Agency for Cybersecurity (ENISA) at a European level.
We also provide up-to-date information about all of our security and data protection activities on our Group website.
Our cybersecurity infrastructure
Cyber Emergency Response Team
We are always working to develop new ways to defend against attacks. We launched a Cyber Emergency Response Team (CERT) in the mid-1990s, which is responsible internationally for managing security incidents affecting our information and network technologies. Since then, we have continued to expand our cyberdefense activities and to promote information sharing. Since 2020, our CERT has been officially certified according to the SIM3 standard (Security Incident Management Maturity Model). It is now one of only three German CSIRT (Computer Security Incident Response Team) / CERT organizations that comply with this standard.
Cyber Defense Center
At our Cyber Defense and Security Operations Centers (SOCs), we monitor the security situation 24/7, 365 days of the year, for ourselves and our customers. With the aid of artificial intelligence (AI), the SOCs analyze about a billion security-relevant data items, from some 3 000 data sources, every day. Our security specialists detect attacks in real time, and immediately initiate the steps necessary to neutralize them or even ward them off completely. In 2021, we registered peaks of up to 90 million attacks per day against Deutsche Telekom’s “honeypot” systems – systems intentionally designed to lure attackers. In addition, we actively combat botnets (interconnected computers infected with malware) in the Deutsche Telekom AG network. We are the only internet provider in Europe that safeguards its network in this way. This is how we protect our infrastructure, and hence also our customers’ data.
Threat Intelligence Team
When we register an attack, our Threat Intelligence team studies it to determine precisely how it has been perpetrated. To such ends, our Threat Intelligence team consults with, and shares findings with, researchers throughout the world. In this way, our team always stays abreast of the latest scientific findings – and well informed about the threats and perpetrators it faces. Even if we cannot always stay a step ahead of cybercriminals, we always try to ensure they are well aware of our presence.
We also make our measures against cyberattacks available to other companies: more than 30 German DAX companies and SMEs employ our services for their own protection.
Protection of personal data
Protecting our customers’ data is one of our top priorities. On our Group website, under “Data protection and data security,” we provide regular – daily, in some cases – information about our commitment in this area.
Although we take a wide range of preventive measures, we cannot completely prevent data breaches. In 2021, we recorded a total of 257 data breaches in Germany. We investigated 151 of these breaches following customer complaints, and six following complaints from supervisory authorities. All in all, some 334 customers were affected by the data breaches. In none of the cases did the breach amount to a critical violation.
We participate in various projects aimed at continually improving data privacy and data security. The following are just a few examples of our recent activities during the reporting period.
In 2020, together with the software company SAP, we developed the Corona-Warn-App, a contact tracing app. It informs users in Germany and several other countries about possible contact with people infected with the coronavirus. Even before development of the app began, the underlying data protection and security concept was discussed intensively. To ensure maximum protection of personal data, the German Federal Government opted for a decentralized approach: the data remains on the user’s own phone and is not stored centrally. This concept has paid off: in Germany alone, the app has been installed more than 39.5 million times through December 2021, which is as often as all similar apps combined have been installed in other European countries.
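The decentralized approach mentioned above means that exposure matching happens on the phone, not on a server. The following added example (not code from the Corona-Warn-App, SAP or Deutsche Telekom) is a simplified model of that design: each phone keeps a random daily key and broadcasts short-lived identifiers derived from it; a user who tests positive uploads only their daily keys; every other phone downloads those keys and re-derives the identifiers locally to see whether it heard any of them. The key derivation here (HMAC-SHA256 truncated to 16 bytes) is an assumption chosen so the example runs on the standard library alone; the real apps use an HKDF/AES construction, and the names, interval count and the three "phones" are constructed for illustration.

```python
"""Simplified model of decentralized exposure notification (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

KEY_LEN = 16
INTERVALS_PER_DAY = 144  # 10-minute intervals per day (assumption for this model)


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast during one interval. Derived one-way from the daily key,
    so identifiers from different intervals cannot be linked without the key.
    (Simplified: HMAC-SHA256 truncated; the real protocol uses HKDF + AES.)"""
    return hmac.new(daily_key, interval.to_bytes(4, "little"), hashlib.sha256).digest()[:KEY_LEN]


@dataclass
class Phone:
    name: str
    daily_keys: dict = field(default_factory=dict)   # day -> key; stays on the device
    observed: set = field(default_factory=set)       # identifiers heard over Bluetooth

    def key_for(self, day: int) -> bytes:
        if day not in self.daily_keys:
            self.daily_keys[day] = secrets.token_bytes(KEY_LEN)
        return self.daily_keys[day]

    def broadcast(self, day: int, interval: int) -> bytes:
        return rolling_identifier(self.key_for(day), interval)

    def hear(self, identifier: bytes) -> None:
        self.observed.add(identifier)

    def diagnosis_keys(self, days) -> list:
        """What a user who tested positive consents to upload: daily keys only.
        No contact list, no location, no identifiers heard from others."""
        return [(d, self.daily_keys[d]) for d in days if d in self.daily_keys]

    def check_exposure(self, published_keys) -> int:
        """Local matching: re-derive every identifier a positive user could have
        broadcast and count how many this phone actually observed."""
        matches = 0
        for _day, key in published_keys:
            for interval in range(INTERVALS_PER_DAY):
                if rolling_identifier(key, interval) in self.observed:
                    matches += 1
        return matches


def simulate() -> dict:
    """Alice meets Bob for four intervals on day 3; Carol meets nobody.
    Alice tests positive and uploads keys for days 1..3 to the server."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    for day in (1, 2, 3):                      # each phone rotates its key daily
        for p in (alice, bob, carol):
            p.key_for(day)
    for interval in range(50, 54):             # the encounter: both sides hear each other
        bob.hear(alice.broadcast(3, interval))
        alice.hear(bob.broadcast(3, interval))

    server_store = alice.diagnosis_keys((1, 2, 3))   # the only data the server ever holds
    return {
        "server_keys": len(server_store),
        "bob": bob.check_exposure(server_store),
        "carol": carol.check_exposure(server_store),
    }


if __name__ == "__main__":
    print(simulate())
```

Bob learns that he had four matching intervals of contact with someone who later tested positive; Carol gets zero; the server never learns who Bob or Carol are, or that they ran the check at all. A server-side design that collected everyone's observed identifiers could answer the same question, but would also hold a contact graph of the whole user base.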
International cooperation for cybersecurity
In 2021, we once again promoted data security at the international level.
Since 2014, we have been a member of the “Cyber Security Sharing & Analytics” (CSSA) association. The association provides a technical and organizational framework for secure sharing of sensitive information, to enable the members’ experts to interact with and support each other. Also, in 2018 we underscored our commitment to security in the digital world by signing the Paris Call for Trust and Security in Cyberspace. We thereby pledge to intensify collaboration in support of integrity and security in the digital world.
Knocking out botnets
An international comparison shows that Deutsche Telekom AG is a leader among network operators in Europe in the detection and suppression of botnets (as of December 2021). Botnets are illicit networks of hijacked devices, created for various criminal purposes. The bigger a botnet is, the greater the impact of its attacks can be. To keep attackers from controlling hijacked devices within a botnet, Deutsche Telekom Security GmbH experts analyze the botnet’s structures and suppress communications with its controlling servers. Botnets have frequently hijacked devices belonging to our customers. In over 420 000 instances in 2021, we informed customers of botnet infections and helped them remove the bots from their devices.
Uncovering stolen identities
Our “fraud scouts” (experts from the Deutsche Telekom security team) use a special application to search the world wide web and the dark web for stolen identities. If they find anything, we then warn and help our customers. In 2021, we provided such assistance, for example, in a total of 30 000 cases of “smishing” – sending of fraudulent SMS text messages – in Germany alone. Overall, in these cases, the relevant customers’ malware-infected devices were responsible for 100 million unintentionally sent text messages.
Smart can also be safe and transparent
We not only want to comply with legal guidelines, we want to actively ensure that our customers’ data is protected. To do so, we continue to enhance technical standards, and promote maximum transparency.
For example, with our “VoiceID” (“SprachID”) service, we do not save a recording of the customer’s voice. Instead, we save a mathematical pattern (a biometric template) calculated from characteristics of the voice. The pattern cannot be turned back into the original voice recording, and so cannot be used on its own to identify the customer.
Commendation for handling of customer data
For the fourth time, in 2020 we were commended by the independent testing authority TÜV Informationstechnik (TÜViT) for our handling of customer data. The relevant seal of quality is valid through mid-2022. TÜViT certified that our processing of data – as it relates to billing, for example – is careful and secure.
Strengthening trust in the cloud
Since September 2021, T-Systems has been a member of the “EU Cloud Code of Conduct General Assembly” of SCOPE Europe, an association for the development of a common regulatory framework for the digital economy. With this membership, we express our commitment to the “EU Cloud Code of Conduct,” the first cloud-services standard to be accepted by European data protection authorities. T-Systems now structures all of its cloud services accordingly.
Also, we are participating, along with additional experts, in the AUDITOR project of the Federal Ministry for Economic Affairs and Climate Action, which is aimed at developing a standard for cloud-services certification pursuant to the General Data Protection Regulation (GDPR) (“GDPR Compliant Cloud” – GCC). The new standard is to be applied in GAIA X, a European cloud project – of which we are a founding member – for high-performance and secure data infrastructure. Also, we are reviewing options for certifying our Open Telekom Cloud and vCloud services in accordance with the standard, subject to the standard’s approval by supervisory authorities. To date, the competent supervisory authorities have not yet approved a common data protection certification of cloud services. Deutsche Telekom views such approved certification as essential for a protected data infrastructure in Germany and Europe.
Simple data privacy statements for everyone
For non-specialists, data privacy notices can be incomprehensible. We offer customers our “one-pager”: an easy-to-read, brief overview of our key data processing activities. It does not replace our formal data privacy statement, which complies with legal requirements and to which we also link in the document. With this one-pager, we have followed an initiative launched by the National IT Summit, with the support of the Federal Ministry of Justice and Consumer Protection.
For information about other projects, please refer to our CR facts.
IT security & data protection KPI
A random sample of 50 000 Telekom employees is surveyed on the topics of data protection and IT security every two years. The findings of the survey are used, for example, to determine the Security Awareness Index (SAI) and the Data Protection Award indicator. These indicators help us to review the effectiveness of our measures in the areas of IT security and data protection. The Data Protection Award indicator was last measured in 2020 and stood at 86 percent (without T-Mobile US). In the last survey in 2021, security awareness reached 80.9 out of a maximum of 100 points (without T-Mobile US), which is higher than for all other companies in the benchmark.
The Data Protection Award indicator measures the level of data protection within the units on a scale of 0 to 12. It is calculated based on what the employees said they thought, did and knew about data protection.
The Security Awareness Index measures our employees’ perception of IT security at Deutsche Telekom. The assessment is based on Deutsche Telekom employee answers on management awareness of the topic, the security culture, the influence of security requirements on their own work, and their personal responsibility for and attitudes towards IT security. The index includes a scale from 0 to 100 – the higher the value, the higher IT security is rated at Deutsche Telekom.