Data protection at DB Group
In addition to the cross-industry trend toward digitalization and networking, the Covid-19 pandemic also shaped 2020. As a result, data protection advice addressed questions relating to the Covid-19 contact tracing app, conditions while working from home and the use of video conferencing tools, data collection for follow-up contacts, and the information required for customers and employees.
To cater to the high demand for data protection advice, further progress was made on the data protection organization 4.0 concept as part of efforts to further develop the national and international decentralized data protection organization and support the Strong Rail strategy. This concept aims to professionalize data protection in DB Group. To this end, a strong regulatory organization was created using clear descriptions of tasks, roles and responsibilities, and is supported by interface management for managing data protection issues with and between corporate management, business units and Group companies.
Cooperation between the governance divisions of Data Protection, Information Security, Group Security, and Compliance is also essential for a high level of security within DB Group. By continuously improving cooperation, they can tap into synergies, and together they can help achieve
the best possible protection for employees and customers.
Data protection management system
Optimizing and further developing the Data Protection Management System (DPMS) are among the core responsibilities of the Group Data Protection function. This involves a systematic coordination between roles and responsibilities for data protection, systematic processes, detailed specifications, intensive training, advising business departments, and monitoring implementation. The DPMS aims to improve knowledge management in the entire data protection organization and for all data controllers within DB Group, to create more transparency in the area of data protection, and to implement the new legal accountability obligations for all personal data processors.
In the year under review, the DPMS monitored personal data empowerment and the further development and process optimization of the data protection organization. Various formats tailored to different target groups were developed to inform employees and executives about data protection topics using clear practical examples through self-study and online talks. These formats are used to transfer knowledge and to increase the visibility of the data protection organization in DB Group.
Previous formats for cooperation and dialog were streamlined, reorganized and standardized (complaint management, for example). The internal and external websites on data protection were redesigned and revised to make it easier to find information. A toolkit was created to ensure that everyone who gives advice has a standardized level of knowledge. The toolkit particularly supports new employees working in data protection with their day-to-day consulting work.
In 2020, the data protection advice was very much focused on European standards. In particular, the case law of the Court of Justice of the European Union (CJEU) and the changing legal situation around e-privacy influenced the advice greatly. For instance, advice focused in particular on the CJEU’s judgments regarding Privacy Shield (“Schrems II”) and the use of cookies (“Planet49”) as they then made it necessary for us to comprehensively review our current partnerships with third parties outside DB Group.
Consulting work also focused on how automation is treated under data protection law, particularly piloting self-driving vehicles, and included advice on digitalization topics, such as HR analytics, cyber security and advice for DB start-ups. Protecting employee data is an ongoing priority. Advice was sought on employee data protection in particular when virtual onboarding was quickly implemented to enable us to recruit about 25,000 new employees and to clarify all data protection issues related to working from home. Due to the Covid-19 pandemic, there was a great deal of demand for data protection advice regarding the use of collaboration tools and video conferencing systems. In addition, due to Microsoft’s “Evergreen IT” approach, the continual evolution of Office 365 is an ongoing topic for data protection advice, as is the review of cookie banner solutions used on DB websites and DB apps as well as regular, structured auditing of cloud solutions in DB Group.
In addition, the Group Data Protection function ensures that there is continuous communication and consultation with the relevant data protection supervisory authorities.
In addition to the ongoing audit of Group-related procedures for protecting customer and employee data, a priority during the year under review was to audit the use and rollout of mobile devices for all DB Group employees. In addition, audits in 2020 focused on numerous apps for customers and employees, as well as new visual observation technologies (drones, for example).
