Data protection at DB Group
Data protection and associated regulations are becoming increasingly complex, with an ever greater number of requirements and laws. Companies are also increasingly operating in international contexts, in which they need to take international regulations into account.
The data protection organization was developed further in 2021. Close communication between data protection experts at the national and international level has given rise to important synergies and valuable transfers of knowledge in all directions. In this respect, the data protection 4.0 concept remains applicable and goes hand in hand with the data protection management system (DPMS). The results achieved in this area are only possible with regular, rapid and diverse communication – including on interface management.
Data Protection Management System
Optimizing and further developing DB Group’s Data Protection Management System (DPMS) were among the core responsibilities of the Group Data Protection function in 2021. The DPMS provides for systematic coordination between roles and responsibilities for data protection, systematic processes, detailed specifications, intensive training, advising business departments, and monitoring implementation. It comprises many small and large components, from one-page guidance documents to top consulting projects.
To further simplify the integration of data protection into business processes, in 2021 a realignment of the annual DPMS plan was implemented and a DPMS think tank was formed. The think tank consists of representatives from the data protection organization and supports the process of continuously improving the DPMS.
Data protection priorities
The data protection program for 2021 includes the topic of empowerment regarding data protection issues for all responsible persons in DB Group. Extensive data protection information has been made available on the intranet in order to address this. In addition, data protection awareness has been continuously raised within DB Group: in cooperation with the governance divisions, Group-wide campaigns have been conducted to increase employee awareness (such as the digital “Security Day” event or the “Simply Secure…” series of talks).
Another focus point in 2021 was the implementation of standardized consultation practices. Specifically, this included initiatives such as the Group-wide projects “Mobile work of tomorrow,” “Blockchain/self-sovereign identity (SSI)” and “Smart HR.” The Group’s data protection team was involved in all three projects and played a part in the development of new, Group-wide standards.
The focus areas for technical consulting included tracking and analytics, Microsoft Office 365 and the Evergreen approach in DB Group, as well as support for cybersecurity and Group security.
In 2021, data protection consulting also included international issues. Following the European Court of Justice (ECJ) ruling on cross-border data transfers (“Schrems II”), the numerous requirements of the EU Commission and the European Data Protection Board had to be monitored and implemented. Last but not least, the EU Commission issued a new version of the standard data protection clauses, providing a much-needed legal basis in data protection law practice to allow personal data to be transferred to third countries outside the EU’s borders. Within the data protection organization, the new clauses and their application were presented and discussed, and relevant training was provided. Another event with far-reaching consequences in the area of data protection is the United Kingdom’s departure from the EU, which means that the United Kingdom is no longer covered by the provisions of the EU General Data Protection Regulation (GDPR). It was therefore necessary to identify the relevant contracts for DB Group and the associated data flows and to secure the appropriate legal safeguards.
In addition, consultations were held regarding the protection of data concerning health. As personal data linking individuals to their health status was collected in DB Group during the Covid-19 pandemic, this data needs to be specially protected under Article 9 GDPR. To this end, an extensive question-and-answer paper was developed to allow managers and employees to act with confidence. The data protection team was closely involved at all stages of preparing, planning and executing DB Group’s testing and vaccination strategy. The drafting of these questions and answers again helped to streamline the processes and standard workflows within DB Group.
The third area of focus was the identification and description of the core processes relating to data protection law. Firstly, this involved the continuous optimization of the complaint management process for DB Group customers and employees. Secondly, the reporting process for data protection incidents was further developed in line with the provisions of the GDPR, ensuring that data protection requirements can be met even more quickly and smoothly. The aim is to implement data protection measures in a way that minimizes risks while also facilitating simple integration into existing business processes.
In 2021, the audit focus was on auditing Group-related employee data protection procedures and visual monitoring devices such as drones, cameras and bodycams. The office systems and browsers used in DB Group were also audited. In addition, checks were carried out on data processors, and numerous apps developed for customers and employees were examined. In the communication with the audited offices, particular attention was given to improving processes and to empowering the responsible bodies on data protection issues.
Data Protection Advisory Board
DB Group’s Data Protection Advisory Board advises the Management Board on strategic and central matters of data protection, thereby contributing to the exemplary data protection measures within DB Group.
The expertise of the stakeholder groups represented on the Board ensures that the legitimate data protection interests of stakeholders are taken into consideration and is also an important contribution to DB Group’s stakeholder dialog on data protection. The Data Protection Advisory Board discusses new, innovative and pragmatic solutions for protecting the personal rights of data subjects. The focus is on digital transformation within DB Group, including its ethical dimension. The Board seeks dialog with the competent specialist departments, for example on the work of the Data Intelligence Center and the House of AI or the activities of HR Data Science, Insights and Innovation. A further focus point of the consultation is the topic of video surveillance in stations and on trains.
The Data Protection Award, which is awarded annually by the Board to innovative and exemplary projects at DB Group, plays an important part in raising awareness. In 2021, the Gold Data Protection Award was awarded to the passenger transport customer account project team. In the course of simplifying the customer interface, the team successfully provided a transparent and data-protection-friendly omnichannel customer account based on terms and conditions of use.