In 2008 we created a Board of Management department for Data Privacy, Legal Affairs and Compliance as well as the Group Privacy unit. This has given us the necessary capacities for effective data protection. The responsible Board member is advised by the independent Data Privacy Advisory Council, which comprises renowned experts from politics, science, business and independent organizations. The Council was founded in February 2009.
In 2016, we established our new unit, Telekom Security, which began operations on January 1, 2017. Telekom Security brings together all of Deutsche Telekom's security departments under one roof. This gives us the capacities necessary not only to identify cyber attacks in plenty of time but also to respond quickly with countermeasures.
We are also committed to improving the political framework conditions to ensure comprehensive data privacy. At the 2015 national IT summit we signed the "Charter for the Promotion of Trustworthy Communications" together with the German Federal Minister of the Interior and other organizations. Its main purpose is to make sure that the encryption of private communications becomes standard.
Consistent transparency toward the public
In 2008 we were the first DAX-30 company to publish an annual data privacy report, which documents all relevant processes at the Group. We have been publishing an integrated report on data privacy and data security since 2011. To the Data Privacy and Data Security Report.
Since 2014, we have also been publishing an annual transparency report. In the report we disclose our obligations to cooperate with German and international security agencies.
Further details and current information regarding data security can be found under http://www.telekom.com/dataprotection. The status report, for example, includes all processes relevant to data privacy at Deutsche Telekom. We present our latest measures to improve data privacy as well as tips for keeping personal information safe.
The section on consumer and youth protection elaborates on how we ensure the safety of our products and services.
Regular employee training courses
Telecommunications companies are obliged to provide new employees with information on data privacy regulations. Deutsche Telekom goes above and beyond this legal requirement: every two years, we train all of our employees in Germany and commit them to data privacy and telecommunications secrecy. Corresponding requirements for national companies are in place. We have also introduced specific trainings in the customer and human resources departments where the risk of data abuse is higher. These trainings include online courses for independent learning, presentations on data privacy and face-to-face courses on specific topics such as "Data privacy at call centers." This helps us make sure that all employees have in-depth understanding of the relevant data privacy policies.
Annual review of measures through audits and certifications
We conduct an annual Group data privacy audit to measure and improve the general data privacy standards at Deutsche Telekom in Germany and at 34 international affiliated companies. 30 percent of Group employees, who are randomly selected, are asked to participate in an online survey. The basic data privacy audit is supplemented by self-assessments completed by the data privacy officers at the national companies on implementation of the requirements defined in our "Binding Corporate Rules on Privacy."
Based on the results, the Group Privacy department identifies need for action at the respective departments and requires them to implement improvement measures. To this end, the Global Data Privacy Officer holds personal meetings with the responsible directors, managers and data privacy officers at the different departments. The Group Privacy department supports implementation of the improvement measures by providing information and advice and conducts a follow-up evaluation. Unusual audit results are taken into consideration when planning the follow-up audit.
We also have our processes and management systems as well as products and services certified by external, independent organizations such as TÜV, DEKRA and auditing firms. The technical services company TÜV NORD confirmed once again this year that Telekom's IT systems are secure.
In May 2016, the EU passed the General Data Protection Regulation, which will take effect in 2018. Laws must always be interpreted to determine how they can be implemented in everyday life. Group Privacy has now drawn up a set of standardized rules for the Group: as a whole: the Binding Interpretations. They were put together in collaboration with data privacy experts in the national companies. The Binding Interpretations include specific recommendations and best practice examples to implement the EU regulation. For example, they explain what a customer consent must entail, or how customer data has to be deleted, if this is requested by the customer. Over the next few years, we will be collecting further practical experience and further developing these interpretations. Our data privacy training will also be adapted to include the new content.
Telecommunications companies are legally obligated to cooperate with security agencies: this includes surveillance measures to record telecommunications connections or disclosure of customer information. Deutsche Telekom has been publishing an annual transparency report for Germany since 2014, which covers the types and amount of information we disclose to security agencies. In January 2016 we also published our first international transparency report for all of Deutsche Telekom's national companies.
International legal framework conditions differ considerably. In some countries it is illegal to disclose security measures, in others surveillance is directly conducted by the authorities without the involvement of telecommunications companies. You can find more information on the local situations in the various country reports at http://www.telekom.com/transparency-report.
We consider it the responsibility of the authorities to ensure transparency regarding security measures and called for improved online security in the context of a ten-point program in January 2015. Until our requests are met, we strive to provide the necessary transparency within the legal possibilities.