Our approach to data protection
The highest standards of data privacy and data security are core characteristics of our brand identity. Back in 2008, we therefore set up a dedicated Board department for Data Privacy, Legal Affairs, and Compliance and established the Group Privacy unit. The responsible Board member is supported by the independent Data Privacy Advisory Board, which comprises renowned experts from politics, science, business, and independent organizations. The Board was founded in February 2009.
In its meeting on May 22, 2019, the Supervisory Board of Deutsche Telekom resolved to restructure the Group Board of Management. As of March 31, 2020, the current Board of Management member responsible for Data Privacy, Legal Affairs, and Compliance is leaving the Company for reasons of age. At the start of 2020, the Board department for Data Privacy, Legal Affairs, and Compliance and the Board department for Human Resources are being merged under the responsibility of the Chief Human Resources Officer. Our Data Privacy Advisory Board is taking on a bigger role, with more members from the Group Board of Management and the Supervisory Board joining.
The Telekom Security business unit commenced operations in 2017. The new unit combines the security activities from various Group areas, thereby reinforcing our portfolio of cybersecurity solutions.
Data protection and data security at Deutsche Telekom are subject to the following regulations:
- The Binding Corporate Rules on Privacy govern the handling of personal data. The related Binding Interpretations document contains specific recommendations and best practice examples for implementing the EU General Data Protection Regulation (GDPR), which has applied since May 2018.
- The Group Policy on General Security includes significant security-related principles followed within the Group.
Both guidelines set forth binding standards that are in line with the international standard ISO/IEC 27001. These policies allow us to ensure an adequately high and consistent level of security and data privacy throughout the Group.
Ensuring effective data privacy
- Consistent transparency vis-à-vis the public
We provide comprehensive information about our data protection activities, such as our implementation of the GDPR, at first in regular data protection reports and since 2016 online at www.telekom.com/data-protection. We have also published an annual transparency report since 2014. Moreover, in the Consumer protection section of this CR report we explain how we make our products and services safe for users.
- Regular employee training courses
Telecommunications companies are obliged to provide new employees with information on data privacy regulations. We go above and beyond these legal requirements. Every two years, we train all Group employees and place them under an obligation to uphold data privacy and telecommunications secrecy.
We have also introduced specific training in the customer and human resources departments, where the risk of data misuse is higher. This training includes online courses for independent learning, presentations on data privacy and face-to-face courses on specific topics such as data protection at call centers. This helps us make sure that all employees have an in-depth understanding of the relevant data privacy policies.
- Annual review and adaptation of measures
Every two years, we conduct an annual Group data privacy audit to measure and improve the general data privacy standards throughout the Group. 15 percent of the Group employees, who are randomly selected, are asked to participate in an online survey. The Group data privacy audit is supplemented by self-assessments by the data privacy officers at the national companies to determine to what extent these companies are implementing the requirements defined in our Binding Corporate Rules on Privacy.
The Group Privacy unit assesses these surveys, checks whether action needs to be taken in the respective units, and calls for improvement measures where necessary. To this end, the Global Data Privacy Officer holds personal meetings with the responsible directors, managers, and data privacy officers at the different departments. The unit also helps implement the measures by providing information and advice, and checks they are effective. Unusual audit results are taken into consideration when planning the follow-up audit.
We have our processes, management systems, products, and services certified by external, independent organizations such as TÜV, DEKRA, and auditing firms. This reporting year, TÜV Nord once again confirmed the security of the IT systems used by Telekom Deutschland. In addition, in 2014, we were the first DAX company to have our data privacy organization reviewed and certified in accordance with the IDW PS 980 auditing standard.
Our approach to big data
Growing volumes of data call for particular precautionary measures to protect citizens’ privacy, which is why, back in 2013, we approved eight mandatory principles for handling big data. In 2015, we also approved specific measures to protect data and infrastructure in our “Ten-point program for increased cybersecurity.” On top of that, we developed special protective products, including our Mobile Encryption app designed to ensure end-to-end encryption of mobile communication.
Reviewing our products
Data privacy and security play an important role that starts during the development of our products and services. Our Privacy and Security Assessment (PSA) procedure allows us to review the security of our systems in each step of the development process. This procedure applies to newly developed systems as well as existing systems that undergo changes in technology or in the way data is processed. We use a standardized procedure to document the data privacy and data security status of our products throughout their entire life cycle.
Telecommunications companies are legally obliged to assist security agencies. This includes, for example, surveillance measures to record telecommunications connections and information about account holders.
Every year since 2014, Deutsche Telekom has published a transparency report for Germany, which covers the types and amount of information we disclose to security agencies.
In 2016, the transparency report was expanded to include all the national companies. The matching international report was last published in February 2019.
International legal framework conditions differ considerably. In some countries it is illegal to disclose security measures, while in others surveillance is directly conducted by the authorities without the involvement of telecommunications companies.
You can find out more about the different situations in the relevant countries on our website.
We consider it the responsibility of the authorities to ensure transparency regarding security measures and called for improved online security in the context of a ten-point program in January 2015. Until state authorities meet our demands, we will strive to provide the necessary transparency ourselves to the extent legally possible.
We offer security products and services across Europe.
Our Telekom Security unit focuses on internal security issues and develops security solutions for consumers as well as business customers. This approach enables us to provide our customers with the right security solutions along the entire value chain – from product development and applications through to secure, high-performance networks and high-security data centers.
Technological developments can also harbor risks, which is why we develop targeted measures for combating potential new security risks – such as those associated with drones, for example. We developed the Magenta Drone Shield together with our partner Dedrone.
To enhance collaboration in the area of digital defense, we regularly host the Cyber Security Summit together with the Munich Security Conference.
In addition, we collaborate with research institutes, industry partners, initiatives, standardization committees, public institutions, and other internet service providers on a global scale. Together, we want to fight cybercrime and improve online security. We collaborate, for example, with the German Federal Office for Information Security (BSI) throughout Germany and with the European Union Agency for Network and Information Security (ENISA) at a European level.
We also provide up-to-date information about all of our data protection activities on our Group website under “Data protection and data security”.
Our cybersecurity infrastructure
Cyber Emergency Response Team
We are always working on new ways to defend against attacks. In the mid-1990s, we launched a Cyber Emergency Response Team (CERT), which manages security incidents affecting our information and network technologies worldwide. Since then, we have continued to expand our activities in cyber defense, information on attacks, and information sharing.
Cyber defense center
In 2017, we opened a new cyber defense center with integrated security operation center (SOC) in Bonn. There we analyze behavioral patterns on the internet and draw up defense strategies. This new defense center is one of the largest and most advanced ones of its kind in Europe, analyzing 2.5 billion pieces of security-relevant data from 3,300 data sources every day. What’s more, the cyber defense center processes about 200 requests, filters about 5,000 viruses and malware programs, and scans on average 100 million incoming emails for spam every day. This is how we protect our infrastructure, and hence also our customers’ data. Some 200 security experts work round the clock at the new SOC in Bonn and its affiliated national and international locations.
The measures that we undertake to fight cyberattacks on our own infrastructure are also available to other companies. More than 30 companies, from DAX-listed groups to SMEs, use our services for their own protection.
Protection of personal data
Protecting our customers’ data is one of our top priorities. We also provide up-to-date information about all of our data protection activities on our Group website under data protection and data security. The following examples serve as a brief excerpt of our recent activities:
International cooperation for cyber security
In 2018, we once again promoted data security on an international level. Among other things, we are a founding partner of the Charter of Trust, which was signed at the Munich Security Conference in February 2018. One of its objectives is to establish general minimum standards for cybersecurity that reflect the state of the art. Together with our partners, we have identified ten action areas that call for more activity. In 2019, the focus was on consolidating the joint work and expanding the infrastructure.
Furthermore, in November 2018 we underscored our commitment to security in the digital world by signing the Paris Call for Trust and Security in Cyberspace. We thereby pledge to intensify and actively shape collaboration in support of integrity and security in the digital world. In this context, we not only addressed the topic in the political discourse but also promoted it at the Internet Governance Forum 2019.
Commendation for handling of customer data
For the third time, in 2018 we were commended by the independent testing authority TÜV Informationstechnik (TÜViT) for our handling of customer data. TÜViT certified that our processing of customer data, as it relates to billing, for example, is done in a secure and careful manner.
Security on the go
Since November 2017, we have partnered with the company Check Point Software Technologies to offer the Protect Mobile security solution for smartphones to our consumer customers. Protect Mobile protects against cyberattacks through a combination of network-side protection and an app on the smartphone, whether the user is downloading apps, doing online banking, or surfing in the browser. Deutsche Telekom customers can add this option free of charge to their existing mobile phone contract. For the most complete protection, the app is available for Android and iOS from the app stores.
Simple data privacy statements for everyone
Data Privacy Notices are often incomprehensible to the layperson. Our one-pager provides our customers with an easy-to-read overview of data privacy at our company. It contains simple, condensed information on the basics behind our data processing activities. It does not replace our formal data privacy statement, to which we link in the document and which complies with legal requirements. Instead, it provides users with transparent information on how and to what extent we process and use personal data. With this one-pager, we have followed an initiative launched by the National IT Summit, supported by the Federal Ministry of Justice and Consumer Protection.
Highest possible transparency for our customers
Data security has the highest priority at Deutsche Telekom. We not only want to comply with legal requirements but also to actively shape data security. For this purpose we collaborate with data security experts, continuously develop technical standards, and push for the highest possible transparency, so that our customers can always be assured that we treat their data confidentially.
For example, when developing our "Sprach ID" service, we ensured that our customers' voices are not stored; instead, we store mathematical patterns calculated from characteristics of the voice. A person therefore cannot be traced back through the voice pattern.
Another example is the "Magenta Speaker", the first intelligent European smart speaker. We ensured the highest possible transparency during the speaker's initial setup: we explain in simple language which data we store and for what purpose. After setup, our customers can access their data through the smart speaker app and delete it.
Encryption for all
Together with the Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT), we launched the “Volksverschlüsselung” encryption solution in 2016. It is a simple, free way to encrypt emails. We operate the solution at a high-security data center. The keys are generated on the user’s device. The user is the only person with access to them; they are not sent to the infrastructure operator. To use the encryption, users only need to install the software and identify themselves as part of a simple one-time process. This product supports the federal government’s digital agenda. What’s more, we fulfill the requirements of the Charter for the Promotion of Trustworthy Communications (“Charta zur Stärkung der vertrauenswürdigen Kommunikation”), which was proposed and signed by representatives from the business and scientific communities as well as by political representatives.
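The property described above, that the key pair is generated on the user's device and the infrastructure operator only ever receives the public half, is what makes a scheme end-to-end. The following is an added example and not Volksverschlüsselung's own code; the page does not describe the product's key format or protocol, so the example uses Go's standard library with RSA-OAEP to wrap a per-message AES-256-GCM key (hybrid encryption, as is common for email bodies longer than a single RSA block). The function names, the `Envelope` type and the sample message are the example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// Envelope is what crosses the operator's infrastructure; none of it lets the operator recover the body.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, AES key)
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM(body) with the authentication tag appended
}

// GenerateDeviceKey runs on the user's device; the private key never leaves it.
func GenerateDeviceKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ExportPublicKey is the only key material the device hands to the operator.
func ExportPublicKey(priv *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

func parsePublicKey(pubPEM []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, fmt.Errorf("not a PEM-encoded public key")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	if pub, ok := key.(*rsa.PublicKey); ok {
		return pub, nil
	}
	return nil, fmt.Errorf("not an RSA public key")
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Seal is what a sender does with the published key: fresh AES-256 key and 12-byte GCM nonce per message.
func Seal(recipientPubPEM, body []byte) (*Envelope, error) {
	pub, err := parsePublicKey(recipientPubPEM)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 32+12) // AES-256 key followed by the GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	aesKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, body, nil)}, nil
}

// Open runs only where the private key lives: a different key fails the OAEP unwrap, a modified body fails the tag check.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	device, _ := GenerateDeviceKey()     // on the user's device
	pubPEM, _ := ExportPublicKey(device) // the only thing the operator ever sees
	env, _ := Seal(pubPEM, []byte("constructed sample message"))
	body, err := Open(device, env) // back on the device
	fmt.Println(string(body), err)
}
```

The point to check when evaluating any "we never see your keys" claim is the boundary in `ExportPublicKey`: nothing derived from the private key is serialized, and `Seal` works with the exported bytes alone, so the operator's directory can publish keys for senders without being able to `Open` anything. Identity binding (proving that a published key really belongs to a given user, the "simple one-time process" mentioned above) is outside this example.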
You can find further projects in our CR-facts.
IT security & data protection KPI
A random sample of 50,000 Telekom employees is surveyed on the topics of data protection and IT security every two years. The findings of the survey are used, for example, to determine the Security Awareness Index (SAI) and the Data Protection Award indicator. These indicators help us review the effectiveness of our measures in the areas of IT security and data protection. The Data Protection Award indicator was last measured in 2018 and stood at 76 % (without T-Mobile US). In the last survey, security awareness reached 78.3 of a maximum of 100 points (without T-Mobile US), which is higher than for any other company in the benchmark.
The Data Protection Award indicator measures the level of data protection within the units on a scale of 0 to 12. It is calculated based on what the employees said they thought, did and knew about data protection.
The Security Awareness Index measures our employees' perception of IT security at Deutsche Telekom. The assessment is based on Deutsche Telekom employee answers on management awareness of the topic, the security culture, the influence of security requirements on their own work, and their personal responsibility for and attitudes towards IT security. The index includes a scale from 0 to 100 – the higher the value, the higher IT security is rated at Deutsche Telekom.
The information on the indicator "IT Security & Data Protection" is relevant to GRI indicator 418-1 (Substantiated complaints concerning breaches of customer privacy and losses of customer data). It is also used in our reporting on Global Compact Principle 1 (protection of international human rights).