Data privacy and data security are very important to us. In 2008 we created a Board of Management department for Data Privacy, Legal Affairs and Compliance as well as the Group Privacy unit. Since 2009, the Board of Management has been advised by an independent Data Privacy Advisory Council comprising reputable experts from politics, science, business, and independent organizations. In addition, we were the first DAX company to have our data privacy organization reviewed and certified according to the IDW PS 980 standard in September 2014. At Deutsche Telekom, data protection and data security are subject to the Group’s Binding Corporate Rules on Privacy and the Group Policy on General Security. The Binding Corporate Rules on Privacy govern the handling of personal data. The related document Binding Interpretations contains specific recommendations and best practice examples for implementing the EU General Data Protection Regulation, which was enacted in May 2018. The Group Policy on General Security includes significant security-related principles followed within the Group. Both guidelines set forth binding standards that are in line with international standard ISO 27001. These policies allow us to guarantee an adequately high and consistent level of security and data privacy throughout the Group. Deutsche Telekom has been publishing an annual transparency report for Germany since 2014, which covers the types and amount of information we disclose to security agencies. In doing so, we are fulfilling our statutory duty as a telecommunications company. We also provide up-to-date and transparent information about all of our activities and measures regarding data protection and data security on our Group website.
Our products and services have always provided a high degree of data privacy and data security. Growing volumes of data require special precautions to protect the privacy of citizens, which is why we approved eight mandatory principles for handling big data, or large amounts of personal data, in 2013. In 2015, we also approved specific measures to protect data and infrastructure in our “Ten-point program for increased cyber security.” We also developed new protective products including our Mobile Encryption app designed to ensure end-to-end encryption of mobile communication.
Data privacy and security also play a key role in the development of our other products and services. Our Privacy and Security Assessment (PSA) procedure allows us to review the security of our systems in each step of the development process. This procedure applies to newly developed systems as well as existing systems that undergo changes in technology or in the way data is processed. We use a standardized procedure to document the data privacy and data security status of our products throughout their entire life cycle. Youth protection aspects are also taken into consideration in our product and service design. In Germany we involve our youth protection officer in all issues regarding planning and designing offers for young people. The youth protection officer can then recommend restrictions or changes. We have appointed a Child Safety Officer (CSO) at each of our national companies within the EU who is responsible for issues pertaining to the protection of minors. The CSO acts as a central contact for members of the community in the respective market. The CSO also plays a key internal role in coordinating topics related to the protection of minors. These measures increase the consistency and transparency of Deutsche Telekom’s involvement in protecting minors.
Strategic approach to protecting minors from unsuitable media content
Our strategy to protect children and young people from harm when using digital media is based on three pillars:
We also collaborate closely with prosecuting authorities and NGOs as well as other partners from business, politics, and society to ban online content that is harmful to children and young people. We have documented our commitment to protecting minors from unsuitable media content in Germany in relevant codes and introduced minimum standards. In 2007, we committed ourselves to fighting child pornography on the internet throughout the European Union. At a global level, we have been a member of the global association of mobile providers, GSMA, since 2008, which pursues the same objectives. In order to better coordinate our activities within the Group, we also approved a list of general guidelines in 2013 for our activities to help protect minors from unsuitable media content and made these guidelines mandatory at international level, thereby setting new standards in our markets. In consideration of their particular cultural situation and business model, each international subsidiary in the European Union can further specify these measures, adopt additional measures, and also determine their own strategic focal points.
Because protecting minors from unsuitable media content poses a challenge that affects many industries, we cooperate with different organizations for the protection of minors and participate in coalitions that coordinate the involvement of companies and organizations from the internet and media sector. For example, we are a member of the “Alliance to better protect minors online”, whose goal is to make the internet a safer place for kids. We have also taken a leading role in the “ICT Coalition for Children Online”. In this coalition, we pursue a comprehensive cross-industry approach based on six principles that expressly includes helping young people learn media skills.
In 2013, as part of both coalitions, we announced plans to implement an EU-wide set of measures based on the principles of the ICT Coalition. We provide regular and transparent updates regarding implementation of the set of measures adopted in 2013; our most recent report was in 2017. The ICT Coalition published an annual report in 2014 on the implementation of corresponding measures at all of the companies represented in the ICT Coalition. The report, which was written by an independent expert from the Dublin Institute of Technology, comes to the conclusion that Deutsche Telekom’s approach to implementing the ICT Coalition’s principles is exemplary.
New strategic Cyber Defense and Security Operation Center
In 2017, the Telekom Security unit expanded the Cyber Defense Center in Bonn into an integrated Cyber Defense and Security Operation Center (SOC). This new defense center is one of the largest and most modern of its kind in Europe, analyzing one billion pieces of security-relevant data from 3,000 data sources every day in a nearly fully automated process. It currently registers up to 16 million cyber attacks.
Protecting our customers’ data is one of our top priorities. We also provide up-to-date information about all of our data protection activities on our Group website under data protection and data security. The following examples serve as a brief excerpt of our recent activities: The GDPR took effect in May 2016. After a two-year transition period, the regulation has been binding since May 25, 2018.
International cooperation for cyber security
In 2018, we once again promoted data security on an international level. Among other things, we are a founding partner of the Charter of Trust, which was signed at the Munich Security Conference in February. One of its objectives is to establish general minimum standards for cyber security that are aligned with state-of-the-art technology. Together with our partners, we have identified ten action areas which call for more activity in order to ensure cyber security.
Furthermore, in November 2018 we underscored our commitment to security in the digital world by signing the Paris Call for Trust and Security in Cyberspace. We thereby pledge to intensify and actively shape collaboration in support of integrity and security in the digital world.
Commendation for handling of customer data
For the third time, in 2018 we were commended by the independent testing authority TÜV Informationstechnik (TÜViT) for our handling of customer data. TÜViT certified that our processing of customer data, as it relates to billing, for example, is done in a secure and careful manner.
Security on the go
Since November 2017, we have partnered with the company Check Point Software Technologies to offer the Protect Mobile security solution for smartphones to our consumer customers. Protect Mobile provides reliable protection from cyber attacks through a combination of network protection and an app on the smartphone – for downloading apps, doing online banking or surfing in the browser. Deutsche Telekom customers can add this option free of charge to their existing mobile phone contract. For the most complete protection, the app is available for Android and iOS from app stores.
Simple data privacy statements for everyone
Data Privacy Notices are often incomprehensible to the layperson. Our one-pager provides our customers with an easy-to-read overview of data privacy at our company. It contains simple, condensed information on the basics behind our data processing activities. It does not replace our formal data privacy statement, to which we link in the document and which complies with legal requirements. Instead, it provides users with transparent information on how and to what extent we process and use personal data. With this one-pager, we have followed an initiative launched by the National IT Summit, supported by the Federal Ministry of Justice and Consumer Protection.
Encryption for all
Together with the Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT), we launched the “Volksverschlüsselung” encryption solution in 2016. It is a simple, free way to encrypt emails. We operate the solution at a high-security data center. The keys are generated on the user’s device. The user is the only person with access to them; they are not sent to the infrastructure operator. To use the encryption, users only need to install the software and identify themselves as part of a simple one-time process. This product supports the federal government’s digital agenda. What’s more, we fulfill the requirements of the Charter for the Promotion of Trustworthy Communications (“Charta zur Stärkung der vertrauenswürdigen Kommunikation”), which was proposed and signed by representatives from the business and scientific communities as well as by political representatives.
Other examples of our comprehensive data protection and security services:
Laws have to be interpreted in order to be enforced in everyday situations. Group Privacy has drawn up a set of standardized rules for the Group as a whole; they are called Binding Interpretations. They were developed in collaboration with data privacy experts in the national companies. The Binding Interpretations include recommendations and best practice examples to implement the EU regulation. For example, they explain what a customer consent must entail, or how customer data has to be deleted, if this is requested by the customer. From January 2017 to May 25, 2018, the new requirements based on the Binding Interpretations were introduced throughout the Group. This involved checking and, where necessary, adjusting all the IT systems. All employees have been informed about the GDPR and numerous training sessions have been conducted. Once implementation was complete, the monitoring phase began. Affected entities of the Group were asked whether they had implemented all relevant requirements. In addition, spot checks for compliance with the GDPR were carried out at 28 entities. They confirmed that the requirements had been implemented.
Our collaboration in the AUDITOR project is also representative of how we are dealing with the new legal conditions. The goal of the project is to develop and test EU-wide data protection certification of cloud services. In particular, its focus is on translating specifications of the GDPR into international data protection certifications.
We want to create a safe and positive online experience for children and young people. We offer them attractive, exciting content on age-appropriate websites.
Promotion of standardized child protection offers
In 2016, we joined the non-profit organization JusProg e.V. The organization operates the child protection program JusProg. The software protects children and young people on the internet by blocking content through filter lists or customized settings for parents.
This software is a general child protection program in Germany that has been officially recognized by Freiwillige Selbstkontrolle Multimedia-Diensteanbieter e.V. (FSM, the Association for the Voluntary Self-Monitoring for Multimedia Service Providers) pursuant to statutory requirements (Interstate Treaty on the Protection of Human Dignity and the Protection of Minors in Broadcasting and in Telemedia). The software was most recently evaluated in March 2017.
We decided in 2016 to donate the rights to the program code behind our child protection software (Windows) and our child protection app, Surfgarten (iPhone/iPad), to JusProg e.V. in order to expand our involvement in child protection efforts.
Commitment to FSM
We are a founding member and part of the executive board of FSM, the Association for the Voluntary Self-Monitoring for Multimedia Service Providers. The association published the “Index for Youth Media Protection” for the first time in 2017. It indicates the extent to which the protection of young people from negative experiences online is anchored in the concerns, attitudes, knowledge and actions of parents, learning specialists and teachers, and young people themselves. It provides the basis for recognizing strengths and weaknesses in today’s media regulations for youth media protection and the available support measures for media education, which provide starting points for their continued development. The 2018 youth media protection report specifically addressed teachers and educational specialists.
Teachtoday in the Aktionsbund Digitale Sicherheit (Digital Security Action Alliance)
In addition to these solutions, we also promote safe and responsible media use among children and young people with our Teachtoday initiative. The initiative supports children and their families with practical and everyday tips and materials.
We consider it our obligation to take rigorous action against depictions of child abuse on the internet. We have been involved in an EU-wide fight against the depiction of child abuse since 2007 in the European Framework for Safer Mobile Use by Younger Teenagers and Children. Since 2008 we have been committed to combating the spread of such content together with other mobile providers in a global association.
Since 2013 we have been actively participating in two cross-industry coalitions committed to fighting child abuse on the internet, the “CEO Coalition to make the internet a better place for kids” and the “ICT Coalition for Children Online.”
For more than 20 years, we have been active as a founding member in the FSM, the Association for the Voluntary Self-Monitoring for Multimedia Service Providers. Together with eco, the Association of the Internet Industry, it operates the internet-beschwerdestelle.de, a website for reporting child abuse on the internet. It is the German point of contact for internet users to submit complaints and part of INHOPE, the global umbrella association of internet hotlines for complaints. A particular focus of the hotline is the fight against “gray areas”.
In 2016 we launched the Computerhilfe Plus service that offers competent support from experts in the event of cyber bullying and libel on the internet. Since its launch, the demand for support in matters related to digital security has continued to grow. That’s why we introduced the Digital Schutzpaket (Digital Protection Package) in 2018.
The Digital Protection Package combines all relevant security services in one product and offers a central point of contact for all topics related to home networks and Wi-Fi, internet and social media. A service number provides access to Deutsche Telekom experts for support on protecting the home network from external attacks, or help on the secure use of the internet, social networks and passwords. In the event of data loss, we look after recovering files where possible. Other service components include financial protection from fraudulent use of bank details, fraud in private online trading, and protection and effective countermeasures against cyber bullying or insults on the internet.