The highest standards of data privacy and data security are core characteristics of our brand identity. In 2008 we created a Board of Management department for Data Privacy, Legal Affairs and Compliance as well as the Group Privacy unit. This has given us the necessary capacities for effective data protection. The responsible Board member is advised by the independent Data Privacy Advisory Board, which comprises renowned experts from politics, science, business and independent organizations. The Board was founded in February 2009.
At the beginning of 2017 the new Telekom Security business unit commenced operations. The new unit combines the security activities from various Group areas, thereby reinforcing our portfolio of cyber security solutions.
We are also committed to improving the political framework conditions to ensure comprehensive data privacy. At the 2015 national IT summit we signed the "Charter for the Promotion of Trustworthy Communications" together with the German Federal Minister of the Interior and other organizations. Its main purpose is to make sure that the encryption of private communication becomes standard.
Consistent transparency toward the public
In 2008 we were the first DAX-30 company to publish an annual data privacy report. In 2016, we decided to stop publishing this report and instead provide the relevant information on the Internet at www.telekom.com/en/corporate-responsibility/data-protection-data-security/data-protection, where we now provide up-to-date and important information about developments related to data protection and secure handling of personal data.
Since 2014, we have also been publishing an annual transparency report. In the report we disclose our obligations to cooperate with German and international security agencies.
The section on protecting consumers and minors elaborates on how we ensure the safety of our products and services.
Regular employee training courses
Telecommunications companies are obliged to provide new employees with information on data privacy regulations. We go above and beyond these legal requirements. Every two years, we train all of our employees in Germany and commit them to data privacy and telecommunications secrecy. Corresponding requirements for our national companies are in place. We have also introduced specific training in the customer and human resources departments, where the risk of data abuse is higher. This training includes online courses for independent learning, presentations on data privacy and face-to-face courses on specific topics such as data protection at call centers. This helps us make sure that all employees have in-depth understanding of the relevant data privacy policies.
Annual review of measures through audits and certifications
We conduct an annual Group data privacy audit to measure and improve the general data privacy standards throughout the Group. 30 percent of the Group employees, who are randomly selected, are asked to participate in an online survey. The Group data privacy audit is supplemented by self-assessments completed by the data privacy officers at the national companies on implementation of the requirements defined in our "Binding Corporate Rules on Privacy."
Based on the results, the Group Privacy department identifies need for action at the respective departments and requires them to implement improvement measures. To this end, the Global Data Privacy Officer holds personal meetings with the responsible directors, managers and data privacy officers at the different departments. The Group Privacy department supports implementation of the improvement measures by providing information and advice and conducts a follow-up evaluation. Unusual audit results are taken into consideration when planning the follow-up audit.
We also have our processes and management systems as well as products and services certified by external, independent organizations such as TÜV, DEKRA and auditing firms. The technical services company TÜV Nord confirmed once again this year that Deutsche Telekom's IT systems are secure.
Implementation of the EU General Data Protection Regulation
The EU General Data Protection Regulation took effect in May 2016. After a two-year transition period, the regulation will be binding as of May 25, 2018. Since laws always require interpretation as to how they should be implemented in day-to-day life, the Group Privacy department has now prepared uniform rules for the entire Group: the Binding Interpretations. They were compiled in collaboration with data privacy experts in the national companies. The Binding Interpretations include specific recommendations and best practice examples to implement the EU regulation. For example, they explain what a customer consent must entail, or how customer data has to be deleted, if this is requested by the customer. Over the next few years, we will be collecting further practical experience and further developing these interpretations. Our data privacy training will also be adapted to include the new content.
Publication of international transparency report
Telecommunications companies are legally obligated to cooperate with security agencies. This includes surveillance measures to record telecommunications connections or disclosure of customer information. Deutsche Telekom has been publishing an annual transparency report for Germany since 2014, which covers the types and amount of information we disclose to security agencies. The transparency report was expanded to include all the national companies in 2016. The international transparency report was last published in February 2017.
International legal framework conditions differ considerably. In some countries it is illegal to disclose security measures, while in others surveillance is directly conducted by the authorities without the involvement of telecommunications companies. You can find more information on the local situations in the various country reports at www.telekom.com/transparency-report.
We consider it the responsibility of the authorities to ensure transparency regarding security measures and called for improved online security in the context of a ten-point program in January 2015. Until our requests are met, we strive to provide the necessary transparency within the legal possibilities.