2022 Corporate Responsibility Report

Our approach to data privacy

Our contribution to the SDGs

The highest standards of data privacy and data security are part of our brand identity. Our active data privacy and compliance culture, which has been built up over many years, sets national and international standards.

The company’s Human Resources and Legal Affairs Board department, headed by Board of Management member Birgit Bohle, has responsibility for the area of data privacy. The Technology and Innovation Board department, headed by Board of Management member Claudia Nemat, is responsible for the area of data security.

Since 2009, the Group Board of Management has been advised by an independent Data Privacy Advisory Board comprising reputable experts from politics, science, business, and independent organizations. At the beginning of 2020, the Advisory Board took on a bigger role through the addition of new members from the Board of Management and the Supervisory Board of Deutsche Telekom AG.

Ensuring effective data privacy

  • Global data privacy organization
    With the help of our globally operating data privacy organization, we work constantly to maintain transparent, high data privacy standards in all of our companies. To achieve this, Deutsche Telekom’s data privacy must be highly organized on both a national and international level.
  • Policies on data privacy and information security
    To the extent legally possible, our Group companies conform to our Binding Corporate Rules Privacy (BCRP), which define common, high data privacy standards for our products and services.
    The Group Security Policy includes significant information security and data privacy-related principles followed within the Group, which are based on the international ISO 27001 and ISO 27701 standards. The Policy ensures that adequate, consistent security standards are maintained throughout our entire Group.
  • Consistent transparency vis-a-vis the public
    At www.telekom.com/data-protection, we provide comprehensive information about our data privacy activities. We have also published an annual transparency report since 2014. Moreover, in the Consumer protection section of this CR report we explain how we make our products and services safe for users.
  • Information on data handling
    We provide transparent information regarding which personal data is processed and for what purposes, as well as the length of time it will be stored. As a rule, personal data is not forwarded to third parties. We sometimes use anonymized data for analyses, so we can continually improve the quality of our offering. These analyses help us spot certain trends better, for example, showing us where to improve network coverage.
  • Regular employee training courses
    Telecommunications companies are obliged to provide new employees, at the beginning of their employment relationships, with information on data privacy regulations. We go above and beyond these legal requirements. Every two years, we provide training in this area to all Group employees and place them under an obligation to uphold data privacy and telecommunications secrecy.
    We have also introduced specific training in the customer and human resources departments. This training includes online courses for independent learning, presentations on data privacy, and face-to-face courses on specific topics such as data protection at call centers. This helps us ensure that all employees have an in-depth understanding of the relevant data privacy policies.
  • Regular review and adaptation of measures
    We carry out a Group data privacy audit every two years to measure and improve the general data privacy standards throughout the Group. For each such audit, we conduct an online survey of a total of 15 percent of our Group employees, chosen at random. The Group data privacy audit is supplemented by internal and external on-site checks.
    Group Privacy assesses the results and checks whether action needs to be taken in the respective units. Where necessary, the Global Data Privacy Officer calls for improvement measures and, to this end, holds personal meetings with the responsible directors, managers, and data privacy officers at the different departments. Group Privacy offers advice on the implementation of the measures and determines whether they are effective. We take any unusual audit results into consideration when planning the follow-up audit.
  • Certifications
    We have the security of our processes, management systems, products, and services certified by external, independent organizations such as TÜV, DEKRA, and various auditing firms.

How we handle “big data” and “artificial intelligence”
When we process very large volumes of data, we need to take special measures to protect data subjects’ privacy. To this end, we apply mandatory principles for handling big data – a total of eight principles that have been in place with us since 2013. In addition, we apply a “Ten-point program for better online security” that defines specific measures to protect data and the network infrastructure. We introduced the program in 2015. In this framework, we have developed a number of special protection products – including the “Protect Mobile App,” which looks for any risks in the mobile network one's smartphone is currently connected to. Furthermore, we have published a guideline for designing artificial intelligence (AI) systems in compliance with data privacy requirements.

Review of our products
Data privacy and security begin playing an important role in connection with our products and services right from the start of the products’ and services’ development. Our Privacy and Security Assessment (PSA) procedure allows us to review the security of our systems in each step of the development process. This procedure applies to newly developed systems as well as to existing systems that undergo changes in technology or in the way data is processed. We use a standardized procedure to document the data privacy and data security status of our products throughout their entire life cycle.

Reporting against standards

 

Sustainability Accounting Standards Board (SASB)

  • Code TC-TL-220a.1 (Data Privacy)
  • Code TC-TL-230a.2 (Data Security)