  • 2019 Corporate Responsibility Report

Our approach to data protection

The highest standards of data privacy and data security are core characteristics of our brand identity. Back in 2008, we therefore set up a dedicated Board department for Data Privacy, Legal Affairs, and Compliance and established the Group Privacy unit. The responsible Board member is supported by the independent Data Privacy Advisory Board, which comprises renowned experts from politics, science, business, and independent organizations. The Board was founded in February 2009. 

In its meeting on May 22, 2019, the Supervisory Board of Deutsche Telekom resolved to restructure the Group Board of Management. As of March 31, 2020, the current Board of Management member responsible for Data Privacy, Legal Affairs, and Compliance is leaving the Company for reasons of age. At the start of 2020, the Board department for Data Privacy, Legal Affairs, and Compliance and the Board department for Human Resources are being merged under the responsibility of the Chief Human Resources Officer. Our Data Privacy Advisory Board is taking on a bigger role, with more members from the Group Board of Management and the Supervisory Board joining.

The Telekom Security business unit commenced operations in 2017. The new unit combines the security activities from various Group areas, thereby reinforcing our portfolio of cybersecurity solutions.

Underlying regulations
Data protection and data security at Deutsche Telekom are subject to the following regulations: 

  • The Binding Corporate Rules on Privacy govern the handling of personal data. The related Binding Interpretations document contains specific recommendations and best practice examples for implementing the EU General Data Protection Regulation, which was enacted in 2018.
  • The Group Policy on General Security includes significant security-related principles followed within the Group. 

Both guidelines set forth binding standards that are in line with international standard ISO 27001. These policies allow us to guarantee an adequately high and consistent level of security and data privacy throughout the Group. 

Ensuring effective data privacy

  • Consistent transparency vis-à-vis the public
    We provide comprehensive information about our data protection activities, such as the implementation of GDPR. We did so at first in regular data protection reports and, since 2016, online at www.telekom.com/data-protection. We have also published an annual transparency report since 2014. Moreover, in the Consumer protection section of this CR report we explain how we make our products and services safe for users.
  • Regular employee training courses
    Telecommunications companies are obliged to provide new employees with information on data privacy regulations. We go above and beyond these legal requirements. Every two years, we train all Group employees and place them under an obligation to uphold data privacy and telecommunications secrecy. 
    We have also introduced specific training in the customer and human resources departments, where the risk of data misuse is higher. This training includes online courses for independent learning, presentations on data privacy and face-to-face courses on specific topics such as data protection at call centers. This helps us make sure that all employees have an in-depth understanding of the relevant data privacy policies.
  • Annual review and adaptation of measures
    Every two years, we conduct an annual Group data privacy audit to measure and improve the general data privacy standards throughout the Group. 15 percent of the Group employees, who are randomly selected, are asked to participate in an online survey. The Group data privacy audit is supplemented by self-assessments by the data privacy officers at the national companies to determine to what extent these companies are implementing the requirements defined in our Binding Corporate Rules on Privacy.
    The Group Privacy unit assesses these surveys, checks whether action needs to be taken in the respective units, and calls for improvement measures where necessary. To this end, the Global Data Privacy Officer holds personal meetings with the responsible directors, managers, and data privacy officers in the different departments. The unit also helps implement the measures by providing information and advice, and checks that they are effective. Unusual audit results are taken into consideration when planning the follow-up audit.
  • Certifications
    We have our processes, management systems, products, and services certified by external, independent organizations such as TÜV, DEKRA, and auditing firms. This reporting year, TÜV Nord once again confirmed that the IT systems used by Telekom Deutschland are safe and secure. In addition, in 2014, we were the first DAX company to have our data privacy organization reviewed and certified according to the IDW PS 980 standard.

Our approach to big data
Growing volumes of data call for particular precautionary measures to protect citizens’ privacy, which is why, back in 2013, we approved eight mandatory principles for handling big data. In 2015, we also approved specific measures to protect data and infrastructure in our “Ten-point program for increased cybersecurity.” On top of that, we developed special protective products, including our Mobile Encryption app designed to ensure end-to-end encryption of mobile communication.

Reviewing our products
Data privacy and security play an important role that starts during the development of our products and services. Our Privacy and Security Assessment (PSA) procedure allows us to review the security of our systems in each step of the development process. This procedure applies to newly developed systems as well as existing systems that undergo changes in technology or in the way data is processed. We use a standardized procedure to document the data privacy and data security status of our products throughout their entire life cycle.