Telekom Logo
2020 Corporate Responsibility Report

Data protection and data security

Our approach to data protection

Our contribution to the SDGs

The highest standards of data privacy and data security are part of our brand identity. Our active data protection and compliance culture, which has been built up over ten years, sets national and international standards.

The Board department for Data Privacy, Legal Affairs and Compliance (DRC), established in 2008, was dissolved effective at the end of the term of office of Dr. Thomas Kremer, Board member for DRC, on March 31, 2020. As of January 1, 2020, the individual areas of this department were assigned to other Board departments (“Finance,” “Human Resources,” “Technology and Innovation”). Chief Human Resources Officer Birgit Bohle has headed up the extended Human Resources and Legal Affairs Board department since January 1, 2020.

Since 2009, the Group Board of Management has been advised by an independent Data Privacy Advisory Board comprising reputable experts from politics, science, business, and independent organizations. At the beginning of 2020, the Advisory Board took on a bigger role through the addition of new members from the Board of Management and the Supervisory Board of Deutsche Telekom AG.
Deutsche Telekom Security GmbH combines the security activities from various Group areas, thereby reinforcing our portfolio of cybersecurity solutions.

Underlying regulations
Data protection and data security at Deutsche Telekom are subject to the following regulations:

  • The Binding Corporate Rules on Privacy govern the handling of personal data.
  • The Group Security Policy includes significant security-related principles followed within the Group.

Both guidelines set forth binding standards that are in line with international standard ISO 27001. These policies allow us to guarantee an adequately high and consistent level of security and data privacy throughout the Group.

Ensuring effective data privacy

  • Consistent transparency vis-à-vis the public
    We provide comprehensive information about our data protection activities such as the implementation of the GDPR at www.telekom.com/data-protection. We have also published an annual transparency report since 2014. Moreover, in the Consumer protection section of this CR report we explain how we make our products and services safe for users.
  • Regular employee training courses
    Telecommunications companies are obliged to provide new employees with information on data privacy regulations. We go above and beyond these legal requirements. Every two years, we train all Group employees and place them under an obligation to uphold data privacy and telecommunications secrecy.
    We have also introduced specific training in the customer and human resources departments. This training includes online courses for independent learning, presentations on data privacy and face-to-face courses on specific topics such as data protection at call centers. This helps us ensure that all employees have in-depth understanding of the relevant data privacy policies.
  •  Regular review and adaptation of measures
    Every two years, we conduct an annual Group data privacy audit to measure and improve the general data privacy standards throughout the Group 15 percent of the Group employees, who are randomly selected, are asked to participate in an online survey. The Group data privacy audit is supplemented by internal and external on-site checks.
    Group Privacy assesses the results and checks whether action needs to be taken in the respective units. Where necessary, the Global Data Privacy Officer calls for improvement measures and, to this end, holds personal meetings with the responsible directors, managers, and data privacy officers at the different departments. Group Privacy offers advice on the implementation of the measures and determines whether they are effective. We take unusual audit results into consideration when planning the follow-up audit.
  • Certifications
    We have our processes, management systems, products, and services certified by external, independent organizations such as TÜV, DEKRA, and auditing firms. This reporting year, TÜV Nord once again confirmed that the IT systems used by Telekom Deutschland are safe and secure.

Our approach to big data and artificial intelligence
When very large volumes of data are being processed, we must take precautionary measures to protect citizens’ privacy, which is why, back in 2013, we approved eight mandatory principles for handling big data. In 2015, we also approved specific measures to protect data and infrastructure in our “Ten-point program for increased cybersecurity.” Against this background, we have developed special protective products, including our Mobile Encryption app, which ensures end-to-end encryption of mobile communication for smartphone users. Furthermore, in 2018 we published a Guideline for designing artificial intelligence (AI) in compliance with data privacy requirements.

Reviewing our products
Data privacy and security play an important role that starts during the development of our products and services. Our Privacy and Security Assessment (PSA) procedure allows us to review the security of our systems in each step of the development process. This procedure applies to newly developed systems as well as existing systems that undergo changes in technology or in the way data is processed. We use a standardized procedure to document the data privacy and data security status of our products throughout their entire life cycle.

Reporting against standards

 

Sustainability Accounting Standards Board (SASB)

  • Code TC-TL-220a.1 (Data Privacy)
  • Code TC-TL-230a.2 (Data Security)

Transparency report

As a telecommunications company, we are legally obliged to assist security agencies. This includes, for example, monitoring and recording telecommunications connections of certain criminal suspects or providing information about subscriber­s.

International legal framework conditions differ considerably. In some countries it is illegal to disclose security measures, while in others surveillance is directly conducted by the authorities without the involvement of telecommunications companies.. You can find details of the different situations in the relevant countries on our website.

Every year since 2014, Deutsche Telekom has published a transparency report for Germany; since 2016, we have also published an international transparency report. Here, we reveal the nature and extent of information we had to disclose to security authorities to the extent legally permitted. We consider it the responsibility of the authorities to ensure transparency regarding security measures, a claim we also made in our ten-point program in 2015. Until state authorities meet our demands, we will strive to provide the necessary transparency ourselves to the extent legally possible.

Reporting against standards

 

Sustainability Accounting Standards Board (SASB)

  • Code TC-TL-220a.4 (Data Privacy)

Cybersecurity

Effective July 1, 2020, we transitioned our Telekom Security unit into an independent company - Deutsche Telekom Security GmbH. This company with its many years’ experience in the Group’s internal security processes also provides our customers with the perfect security solutions along the entire value chain – from product development and applications through to secure, high-performance networks and high-security data centers.

Increasing connectivity and digitalization can also harbor risks, which is why we develop targeted measures for combating potential new security risks and preventing some threats from even arising in the first place.

We want to enhance collaboration in the area of digital defense and therefore regularly host the Cyber Security Summit together with the Munich Security Conference.

In addition, we collaborate with research institutes, industry partners, initiatives, standardization committees, public institutions, and other internet service providers on a global scale. Together, we want to fight cybercrime and improve online security. We collaborate, for example, with the German Federal Office for Information Security (BSI) throughout Germany and with the European Union Agency for Network and Information Security (ENISA) at a European level.

We also provide up-to-date information about all of our security and data protection activities on our Group website.

Reporting against standards

 

Sustainability Accounting Standards Board (SASB)

  • Code TC-TL-230a.2 (Data Security)

Our cybersecurity infrastructure

Cyber Emergency Response Team
We are always working to develop new ways to defend against attacks. We launched a Cyber Emergency Response Team (CERT) in the mid-1990s, which is responsible internationally for managing security incidents for our information and network technologies. Since then, we have continued to expand our activities in relation to cyberdefense, and promote more information and information sharing. Since 2020, our CERT has been officially certified according to the SIM3 standard (Security Incident Management Maturity Model). It is now one of only two German CSIRT (Computer Security Incident Response Team) / CERT organizations that comply with this standard.

Cyber Defense Center
The defense center of Deutsche Telekom Security GmbH is the largest integrated cyber defense and security operations center (SOC) in Europe, analyzing around one billion pieces of security-relevant data from 3,000 data sources, almost fully automatically. Our security specialists identify attacks in near real-time, defend against them, and analyze the approach adopted by the attackers. Up to 70 million attacks on Deutsche Telekom honeypot systems – traps deliberately set for attackers – are not uncommon nowadays. In addition, we are the only internet provider in Europe to actively tackle botnets (interconnected computers infected with malware) in the Deutsche Telekom AG network. This is how we protect our infrastructure, and hence also our customers’ data. Some 200 security experts work round the clock at the SOC in Bonn and its affiliated national and international locations.

In the same way, we also provide other companies with our measures to fight cyberattacks: More than 30 German DAX companies and SMEs employ our services for their own protection.

Reporting against standards

 

Sustainability Accounting Standards Board (SASB)

  • Code TC-TL-230a.2 (Data Security)

Protection of personal data

Protecting our customers’ data is one of our top priorities. We also provide regular, sometimes up-to-the-minute information about all of our activities on our Group website under data protection and data security. The following are just a few examples of our recent activities during the reporting period.

In 2020, we joined with software company SAP to develop our contact tracing app, the Corona-Warn-App img. It informs users in Germany and several other countries about possible contact with people infected with coronavirus. Even before development began, the data protection and security concept was a topic of intensive discussion. To ensure maximum protection of personal data, the German Federal Government opted for a decentralized approach; the data remains on the user’s own phone and is not stored centrally. This concept has paid off: In Germany alone, the app has been installed as many times as similar solutions in other European countries combined – more than 23 million times through December 2020.

International cooperation for cybersecurity
In 2020, we once again promoted data security on an international level. Among other things, we are a founding partner of the Charter of Trust. One of its objectives is to establish general minimum standards for cybersecurity that are aligned with state-of-the-art technology. Together with our partners, we have identified ten action areas in this context which call for more activity in order to ensure cybersecurity. 

We already underscored our commitment to security in the digital world by signing the Paris Call for Trust and Security in Cyberspace in 2018. We thereby pledge to intensify collaboration in support of integrity and security in the digital world.

Knocking out botnets
An international comparison shows that Deutsche Telekom AG is the only network operator in Europe to actively suppress botnets (as of December 2020). Botnets are countless devices interconnected by an unauthorized entity that misuses them for a variety of criminal attacks. The bigger the network, the more extreme the impact of a cyberattack. To keep hackers from controlling the devices, Deutsche Telekom Security GmbH experts analyze the structures of the network and suppress communication with the controlling servers. It is possible for botnets to take over the devices of our customers. In 2019, we helped our customers 155,000 times in such cases and regained control of their systems.

Uncovering stolen identities
The “fraud scouts” (experts from the Deutsche Telekom security team) use a special application to search the world wide web and the dark web for stolen identities. If they find anything, we then warn and help our customers. 

Security on the go
Since 2017, we have partnered with the company Check Point Software Technologies to offer the „Protect Mobile“ security solution. Our consumer customers can use Protect Mobile for their smartphones: It provides reliable protection from cyberattacks through a combination of network protection and app – for instance, for downloading apps, doing online banking or surfing the browser. Deutsche Telekom customers can add this option free of charge to their existing mobile phone contract and download the app for Android or iOS for the most complete protection.

Smart can also be safe and transparent
We not only want to comply with legal guidelines, we want to actively ensure that our customers’ data is protected. To do so, we continue to enhance technical standards, and promote maximum transparency. 

For example, with our „SprachID“ service, we do not save our customer’s voice, but instead record a mathematical pattern that is calculated from characteristics in the voice. A person can therefore not be traced back through the voice pattern.

Another example is the “Magenta Speaker”, the first intelligent European voice assistant. When customers set up this smart speaker, they receive an explanation in simple language about the data we process and store and for what purpose. During use, customers can access their data in the smart speaker app at any time and delete it if needed.

Commendation for handling of customer data
For the fourth time, in 2020 we were commended by the independent testing authority TÜV Informationstechnik (TÜViT) for our handling of customer data. TÜViT certified that our processing of data, as it relates to billing, for example, is done in a secure and careful manner.

Building trust in the cloud
Together with Deutsche Telekom and other experts, the German Federal Ministry for Economic Affairs and Energy has developed a standard for the certification of cloud services in accordance with the General Data Protection Regulation (GDPR): AUDITOR. GAIA X, a European cloud project for high-performance and secure data infrastructure, will apply the standard to its project. As part of a pilot, we will also certify our cloud solutions Open Telekom Cloud and vCloud services in accordance with AUDITOR. Even though our standard is exemplary, the responsible supervisory authorities have yet to approve a uniform data protection certification for cloud services. However, Deutsche Telekom views this as essential for a protected data infrastructure in Germany and Europe. 

Simple data privacy statements for everyone
Data Privacy Notices are often incomprehensible to the layperson. We offer customers our “one-pager”: an easy-to-read, brief overview of the main data processing activities. It does not replace our formal data privacy statement which complies with legal requirements and to which we also link in the document. With this one-pager, we have followed an initiative launched by the National IT Summit, supported by the Federal Ministry of Justice and Consumer Protection.

Encryption for all
Together with the Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT), we launched the “Volksverschlüsselung” IT encryption solution in 2016. It is a simple, free way to encrypt emails. The keys are generated on the user’s device. The user is the only person with access to them; they are not sent to the infrastructure operator. To use the encryption, users only need to install the software and identify themselves as part of a simple one-time process. We operate the infrastructure at a high-security data center. This product supports the federal government’s digital agenda. What’s more, we fulfill the requirements of the “Charta zur Stärkung der vertrauenswürdigen Kommunikation” (charter for the promotion of trustworthy communications), which was proposed and signed by representatives from the business and scientific communities as well as by political representatives.

Other projects can be found in our CR facts.

IT security & data protection KPI

A random sample of 50,000 Telekom employees are surveyed on the topics of data protection and IT security every two years. The findings of the survey are used, for example, to determine the Security Awareness Index (SAI) and the Data Protection Award indicator. The indicators help us to review the effectiveness of our measures in the areas of IT security and data protection. The data protection award indicator was last measured in 2020 and stood at 86 percent (without T-Mobile US). In the last survey in 2018, security awareness reached 80.3 (without T-Mobile US) of maximum 100 points (which is higher than for all other companies in the benchmark).

The Data Protection Award indicator measures the level of data protection within the units on a scale of 0 to 12. It is calculated based on what the employees said they thought, did and knew about data protection.

The Security Awareness Index measures our employees' perception of IT security at Deutsche Telekom. The assessment is based on Deutsche Telekom employee answers on management awareness of the topic, the security culture, the influence of security requirements on their own work, and their personal responsibility for and attitudes towards IT security. The index includes a scale from 0 to 100 – the higher the value, the higher IT security is rated at Deutsche Telekom.

Reporting against standards

 

Global Reporting Initiative (GRI)

  • GRI 418-1 (Customer Privacy)

Global Compact

  • Principle 1 (Support and respect for internationally proclaimed human rights)