The EU General Data Protection Regulation (GDPR) entered into force in May 2016 and after a two-year transition period, the regulation has been binding since May 25, 2018. Since laws always require interpretation as to how they should be implemented in day-to-day life, the Group Privacy department has now prepared uniform rules for the entire Group: the Binding Interpretations. They were compiled in collaboration with data privacy experts in the national companies. The Binding Interpretations include specific recommendations and best practice examples to implement the EU regulation. For example, they explain what a customer consent must entail, or how customer data has to be erased, if this is requested by the customer. From January 2017 to May 25, 2018, the new requirements based on the Binding Interpretations were introduced throughout the Group in a second phase. This involved checking and, where necessary, adjusting all the IT-systems. All employees were informed about the General Data Protection Regulation and more than 10,000 experts received intensive training. The implementation was followed by the third and last phase of the EU-wide project: the control phase. In this phase, all affected entities of the Group were asked whether they had implemented all relevant requirements. In addition, spot checks for compliance with the GDPR were carried out at 28 entities.