The highest standards of data privacy and data security are part of our brand identity. We have developed our active data privacy and compliance culture over many years.
The company’s Human Resources and Legal Affairs Board department, headed by Board of Management member Birgit Bohle, has responsibility for the area of data privacy. The Technology and Innovation Board department, headed by Board of Management member Claudia Nemat, is responsible for the area of data security.
Since 2009, the Group Board of Management has been advised by an independent Data Privacy Advisory Board comprising reputable experts from politics, science, business, and independent organizations. The Advisory Board is also strengthened through the addition of new members from the ranks of the Board of Management and the Supervisory Board of Deutsche Telekom AG.
Ensuring effective data privacy:
Global data privacy organization With the help of our globally operating data privacy organization, we work constantly to maintain transparent, high data privacy standards in all of our companies. To achieve this, Deutsche Telekom’s data privacy must be highly organized on both a national and international level.
Policies on data privacy and information security To the extent legally possible, our Group companies conform to our Binding Corporate Rules Privacy (BCRP), which define common, high data privacy standards for our products and services. The Group Security Policy includes significant information security and data privacy-related principles followed within the Group, which are based on the international ISO 27001 and ISO 27701 standards. The Policy ensures that adequate, consistent security standards are maintained throughout our entire Group.
Consistent transparency vis-à-vis the public At www.telekom.com/data-privacy-and-security we provide comprehensive information about our data privacy activities. We have also published an annual transparency report since 2014. Moreover, in the Consumer protection section of this CR report we explain how we make our products and services safe for users.
Information on data handling We provide transparent information regarding which personal data is processed and for what purposes, as well as the length of time it will be stored. As a rule, personal data is not forwarded to third parties. We sometimes use anonymized data for analyses, so we can continually improve the quality of our offering. These analyses help us spot certain trends better, for example, showing us where to improve network coverage.
Regular employee training courses Telecommunications companies are obliged to provide new employees, at the beginning of their employment relationships, with information on data privacy regulations. We go above and beyond these legal requirements. Every two years, we provide training in this area to all Group employees and place them under an obligation to uphold data privacy and telecommunications secrecy. The training courses for our employees also cover risks and procedures relating to data security and privacy protection. We have also introduced specific training in the customer and human resources departments. This training includes online courses for independent learning, presentations on data privacy, and face-to-face courses on specific topics such as data protection at call centers. This helps us ensure that all employees have in-depth understanding of the relevant data privacy policies.
Regular review and adaptation of measures We carry out a Group data privacy audit every two years, to measure and improve the general data privacy standards throughout the Group. For each such audit, we conduct an online survey of a total of 15 percent of our Group employees, chosen at random. The Group data privacy audit is supplemented by internal and external on-site checks. Group Privacy assesses the results and checks whether action needs to be taken in the respective units. Where necessary, the Global Data Privacy Officer calls for improvement measures and, to this end, holds personal meetings with the responsible directors, managers, and data privacy officers at the different departments. Group Privacy offers advice on the implementation of the measures and determines whether they are effective. We take any unusual audit results into consideration when planning the follow-up audit.
Certifications We have the security of our processes, management systems, products, and services certified by external, independent organizations such as TÜV, DEKRA, and auditing firms.
How we handle big data and artificial intelligence When we process very large volumes of data, we need to take special measures to protect citizens’ privacy, To this end, we created in 2013 mandatory principles for handling big data. In parallel to the technological further development, we have since also updated our arrangements governing the processing of very large quantities of personal data – and in 2018 published guidelines on the data privacy-compliant design of artificial intelligence (AI). In addition, we apply a “Ten-point program for better online security” that defines specific measures to protect data and the network infrastructure. We introduced the program in 2015. In this framework, we have developed a number of special protection products – including the “Telekom Mobile Protect Pro”, which looks for any risks in the mobile network that the smartphone is using.
Reviewing our products Data privacy and security play an important role that starts during the development of our products and services. Our Privacy and Security Assessment (PSA) procedure allows us to review the security of our systems in each step of the development process. This procedure applies to newly developed systems as well as to existing systems that undergo changes in technology or in the way data is processed. We use a standardized procedure to document the data privacy and data security status of our products throughout their entire life cycle.
Telecommunications companies are legally obliged to support security authorities in their efforts to uphold security. Companies’ obligations in this regard include permitting surveillance/monitoring measures, and providing certain data, when they are ordered to do so by authorities.
Internationally, the legal framework for a transparency report in this area differs widely from country to country. In some countries, we are legally prohibited from providing any information about security measures, while in others authorities may directly conduct surveillance without any participation on the part of telecommunications companies. The support we provide for authorities in this area is always provided solely on the basis of an unambiguous, legally binding legal foundation in the relevant country. Details on the different situations in the relevant countries are available on our website.
We place great priority on transparency in this area. Since 2014, we have published an annual transparency report for Germany; since 2016, we have also published an international transparency report. In these reports, we reveal – to the extent legally permitted – the nature and extent of any information we had to disclose to security authorities.
Deutsche Telekom Security GmbH is among the world’s largest digital security providers. This company, the market leader in Germany, Austria, and Switzerland, marshals the cybersecurity expertise available throughout the entire Deutsche Telekom Group. For many years now, it has been successfully protecting our own infrastructure – and offering our customers the same security solutions that protect the Deutsche Telekom Group worldwide. Also, Deutsche Telekom Security is working to continually improve cooperation in the area of protection against digital threats. To this end, it works with many different organizations and associations, often as an active member, in Germany and at the EU level. The organizations it collaborates with include the German Federal Office for Information Security (BSI), Germany’s Bundeskriminialamt (Federal Criminal Police Office, BKA) and the European Union Agency for Cybersecurity (ENISA).
In addition, the company collaborates with research institutes, industry partners, initiatives, standardization bodies, public institutions, and other internet and telecommunications service providers worldwide. Together, we want to fight cybercrime and improve online security.
We also provide up-to-date information about all of our security and data protection activities on our Group website.
We are always working to develop new ways to defend against attacks. We launched a Cyber Emergency Response Team (CERT) in the mid-1990s, which is responsible internationally for managing security incidents for our information and network technologies. Since then, we have continued to expand our activities in relation to cyberdefense, and promote more information and information sharing. Since 2020, our CERT has been officially certified according to the SIM3 standard (Security Incident Management Maturity Model). It is now one of only three German CSIRT (Computer Security Incident Response Team) / CERT organizations that comply with this standard.
Cyber Defense Centers At our Cyber Defense and Security Operations Centers (SOCs), we monitor the security situation 24/7, year-round, for ourselves and our customers. With the aid of artificial intelligence (AI), the SOCs analyze about a billion security-relevant data items, from some 3 000 data sources, every day. Our security specialists detect attacks in real time, and immediately initiate the steps necessary to neutralize them or even ward them off completely. In 2023, we registered peaks of almost 50 million attacks per day against Deutsche Telekom’s “honeypot” systems – systems intentionally designed to lure attackers. In addition, we actively combat botnets (interconnected computers infected with malware) in the Deutsche Telekom AG network. We are the only internet provider in Europe that safeguards its network in this way. This is how we protect our infrastructure, and hence also our customers’ data.
Threat Intelligence Team When we register an attack, our Threat Intelligence team studies it to determine precisely how it has been perpetrated. To such ends, our Threat Intelligence team consults with, and shares findings with, researchers throughout the world. In this way, our team always stays abreast of the latest scientific findings – and well informed about the threats and perpetrators it faces. Even if we cannot always stay a step ahead of cybercriminals, we always try to ensure they are well aware of our presence.
In the same way, we also provide other companies with our measures to fight cyberattacks: More than 30 German DAX companies and SMEs employ our services for their own protection.
Print
Protection of personal data
Protecting our customers’ data is one of our top priorities. On our Group website, under “Data protection and data security,” we provide regular – daily, in some cases – information about our commitment in this area.
Although we take a wide range of preventive measures, we cannot completely prevent data breaches. In 2023, we recorded a total of 154 data breaches in Germany. We investigated 32 of these breaches as a result of customer complaints, and three as a result of complaints of supervisory authorities. On account of an incident at a subsidiary, these breaches affected a total of 63,295 customers. In none of the cases did the breach amount to a critical violation.
We participate in various projects aimed at continually improving data privacy and data security. The following are just a few examples of our activities.
International cooperation for cybersecurity We have been a member of the “Cyber Security Sharing & Analytics” (CSSA) association since 2014. The association provides a technical and organizational framework via which members’ experts can share sensitive information securely – and thereby interact with and support each other.
Knocking out botnets Botnets are illicit networks of hijacked devices, created for various criminal purposes. The bigger a botnet is, the greater its cyberattack impacts can be. To keep hackers from controlling hijacked devices within a botnet, Deutsche Telekom Security GmbH experts analyze the botnet’s structures and suppress communications with its controlling servers. Botnets have frequently hijacked devices of our customers. In over 670 000 instances in 2023, we informed customers of botnet problems and helped them remove bots from their devices.
Uncovering stolen identities Identity theft, hacked customer accounts, or malware on a smartphone: All these are not isolated events, but have now become a mass phenomenon – affecting all internet and mobile communication providers. To provide customers with the best possible protection, our fraud scouts (experts from the Deutsche Telekom security team) use a special application to search the entire world wide web for stolen identities, track down the sale of offered customer accounts, and detect the latest malware. When they find such identities, we warn the relevant customers immediately and help them address the problem. If necessary, we block affected accounts. We also inform our customers in connection with other types of security incidents, such as “smishing” (sending of fraudulent text messages (SMS)), malware infections of mobile devices, as well as viruses and spam. In 2023, we provided such warnings about 900 000 times. When our customers require personal assistance, specially trained customer advisors are just an email (abuse@telekom.de) or phone call (0800 55 44 300) away.
Smart can also be safe and transparent We not only want to comply with legal guidelines, we also want to actively ensure that our customers’ data is protected. To do so, we continue to enhance technical standards, and promote maximum transparency.
For example, with our “VoiceID” (“SprachID”) service, we do not save a customer’s voice file. Instead, we save a mathematical pattern that is calculated from characteristics in the voice. The original voice – and the customer behind it – cannot be identified via such a pattern. At the end of the reporting year, we suspended the service for the time being due to current developments in speech biometrics.
Strengthening trust in the cloud Since 2021, T-Systems has been a member of the “EU Cloud Code of Conduct General Assembly” of SCOPE Europe, an association for the development of a common regulatory framework for the digital economy. With this membership, we express our commitment to the “EU Cloud Code of Conduct,” the first cloud-services standard to be accepted by European data protection authorities. T-Systems now structures all of its cloud services accordingly. T-Systems and Google Cloud also signed a long-term cooperation agreement in 2021. The joint “T-Systems Sovereign Cloud powered by Google Cloud” combines since April 2022 the open-source expertise of both providers, enabling customers to manage workloads in compliance with German and European regulatory requirements (GDPR and Schrems II). T-Systems continually monitors compliance with all three aspects of digital sovereignty (data sovereignty, operational sovereignty and software sovereignty) so that enterprises from regulated industries can process their sensitive data in the cloud in line with sovereignty requirements.
For information about other projects, please refer to our CR facts.
A random sample of 50 000 Deutsche Telekom employees are surveyed on the topics of data protection and data security awareness every two years. The findings of the survey are used, for example, to determine the Security Awareness Index (SAI) and the Data Protection Award indicator. The indicators help us to review the effectiveness of our measures in the areas of IT security and data protection. The Data Protection Award indicator was last measured in 2022 and stood at 88 percent (excluding T‑Mobile US). In 2023, security awareness index reached 80.6 (excluding T‑Mobile US) of a maximum of 100 points (which is higher than for all other companies in the benchmark).
The Security Awareness Index measures our employees’ perception of IT security at Deutsche Telekom. The assessment is based on Deutsche Telekom employee answers on management awareness of the topic, the security culture, the influence of security requirements on their own work, and their personal responsibility for and attitudes toward IT security. The index includes a scale from 0 to 100 – the higher the value, the higher IT security is rated at Deutsche Telekom.
Print
T-Mobile US: data privacy and cybersecurity
T-Mobile US is committed to being a responsible steward of customers’ personal data, and giving customers choices over how their information is collected and used. At T-Mobile US, data privacy focuses on five principles: trust, transparency, control, education, and protection. The segment’s Privacy Center explains how customer data is used and how customers can manage it within the Privacy Dashboard. T-Mobile US provides annual data privacy training and year-round awareness programs so employees keep customer data confidential.
T-Mobile US continues make it even easier for customers to make choices about the use of their data with updated privacy tools and more choices. For example, the Privacy Center was updated to be mobile-friendly and simpler to navigate with a new Privacy Dashboard. This provides customers the ability to choose how their data is used for analytics reporting, , and marketing, and highlights how customers can ask T-Mobile US about the personal data collected.
Cybersecurity T-Mobile US, like any other company, is not immune to criminal cyberattacks and is continuing to make substantial, multi-year investments in strengthening its cybersecurity program. As the cybersecurity landscape evolves, T-Mobile US continues to accelerate investments and upgrades to infrastructure in order to keep its network and digital systems safe. To further build on its robust cybersecurity oversight framework, T-Mobile US continues to improve its cybersecurity management, including cybersecurity technology, security protocols, monitoring and response operations, and compliance.
Print
Through our interactive benchmarking tool, important facts and figures of our national companies can be analysed and compared.
At Deutsche Telekom, everything starts with
the network. Having access to state-of-the-art
technologies is a precondition for economic
performance and participation in a
knowledge and information society.
That is why we are continuing to rapidly expand our infrastructure and improve transmission speeds with new, secure technology. We invested more than EUR 16 billion Group-wide in 2023, primarily in setting up and operating networks. This is in addition to the investments that we make in acquiring mobile spectrum.
At Deutsche Telekom we put people front and center, especially our customers and our employees. Worldwide, Deutsche Telekom employees ensure that our networks run smoothly and our customers receive the best service. In this way, we made it into the top 10 of the world’s most valuable brands in 2023. When it comes to telecommunications companies, we occupy the number 1 spot worldwide, remaining Europe’s most valuable corporate brand.
When rating agencies give high marks to our social and ecological commitment, the T-Share is included in the financial market’s sustainability indexes. In 2023, the T-Share was once again listed in indices such as the renowned CSA-based DJSI World and DJSI Europe.
Further detailed examples of the progress we made in 2023 can be found in the subchapters – from the Group’s perspective and from that of our segments.
Highlight numbers
Highlight numbers
Progress of selected KPIs in 2023
20222023
Investments in building and operating networks Group-wide21bn.16bn.
Customer satisfaction TRI*M75.0 points76.2 points
Sustainable revenue share42%43%
Proportion of T-Shares held by investors with ESG criteria31.3%32%
Procurement volume verified as non-critical64.1%66.2%
