The highest standards of data privacy and data security are core characteristics of our brand identity. In 2008 we created a Board of Management department for Data Privacy, Legal Affairs and Compliance as well as the Group Privacy unit. This has given us the necessary capacities for effective data protection. The responsible Board member is supported by the independent Data Privacy Advisory Board, which comprises renowned experts from politics, science, business and independent organizations. The Board was founded in February 2009.
The Telekom Security business unit commenced operations at the beginning of 2017. The new unit combines the security activities from various Group areas, thereby reinforcing our portfolio of cyber security solutions.
Consistent transparency toward the public
Transparent communication on the topic of data protection is a long-standing tradition at our company: We have been providing information about our activities since 2008, initially in regular data protection reports and, since 2016, on our data protection website www.telekom.com/en/corporate-responsibility/, where we now provide up-to-date and important information about new developments related to data protection and secure handling of personal data.
Since 2014, we have also been publishing an annual transparency report. In the report we disclose our obligations to cooperate with German and international security agencies. The section on protecting consumers and minors elaborates on how we ensure the safety of our products and services.
Regular employee training courses
Telecommunications companies are obliged to provide new employees with information on data privacy regulations. We go above and beyond these legal requirements. Every two years, we train all of our employees in Germany and commit them to data privacy and telecommunications secrecy. Corresponding requirements for our national companies are in place. We have also introduced specific training in the customer and human resources departments, where the risk of data abuse is higher. This training includes online courses for independent learning, presentations on data privacy and face-to-face courses on specific topics such as data protection at call centers. This helps us make sure that all employees have an in-depth understanding of the relevant data privacy policies.
Annual review of measures through audits and certifications
We conduct an annual Group data privacy audit to measure and improve the general data privacy standards throughout the Group. A randomly selected 30 percent of Group employees are asked to participate in an online survey. The Group data privacy audit is supplemented by self-assessments completed by the data privacy officers at the national companies on implementation of the requirements defined in our "Binding Corporate Rules on Privacy."
Based on the results, the Group Privacy department identifies the need for action at the respective departments and requires them to implement improvement measures. To this end, the Global Data Privacy Officer holds personal meetings with the responsible directors, managers and data privacy officers at the different departments. The Group Privacy department supports implementation of the improvement measures by providing information and advice and conducts a follow-up evaluation. Unusual audit results are taken into consideration when planning the follow-up audit.
We also have our processes and management systems as well as products and services certified by external, independent organizations such as TÜV, DEKRA and auditing firms. The technical services company TÜV Nord confirmed once again this year that Deutsche Telekom’s IT systems are secure.
The EU General Data Protection Regulation (GDPR) entered into force in May 2016 and, after a two-year transition period, has been binding since May 25, 2018. Since laws always require interpretation as to how they should be implemented in day-to-day life, the Group Privacy department has now prepared uniform rules for the entire Group: the Binding Interpretations. They were compiled in collaboration with data privacy experts in the national companies. The Binding Interpretations include specific recommendations and best practice examples to implement the EU regulation. For example, they explain what customer consent must entail, or how customer data has to be erased if the customer requests this. From January 2017 to May 25, 2018, the new requirements based on the Binding Interpretations were introduced throughout the Group in a second phase. This involved checking and, where necessary, adjusting all the IT systems. All employees were informed about the General Data Protection Regulation and more than 10,000 experts received intensive training. The implementation was followed by the third and last phase of the EU-wide project: the control phase. In this phase, all affected entities of the Group were asked whether they had implemented all relevant requirements. In addition, spot checks for compliance with the GDPR were carried out at 28 entities.
Telecommunications companies are legally obligated to cooperate with security agencies. This includes surveillance measures to record telecommunications connections or disclosure of customer information. Deutsche Telekom has been publishing an annual transparency report for Germany since 2014, which covers the types and amount of information we disclose to security agencies. The transparency report was expanded to include all the national companies in 2016. The international transparency report was last published in February 2018.
International legal framework conditions differ considerably. In some countries it is illegal to disclose security measures, while in others surveillance is directly conducted by the authorities without the involvement of telecommunications companies. You can find more information on the local situations in the various country reports at http://www.telekom.com/transparency-report.
We consider it the responsibility of the authorities to ensure transparency regarding security measures and called for improved online security in the context of a ten-point program in January 2015. Until our requests are met, we will strive to provide the necessary transparency within the legal possibilities.