Optimizing and further developing DB Group’s Data Protection Management System (DPMS) are among the core responsibilities of the Group Data Protection function. The DPMS provides for systematic coordination between roles and responsibilities for data protection, systematic processes, detailed specifications, intensive training, advising business departments, and monitoring implementation. It comprises many small and large components, from one-page guidance documents to top consulting projects.

In order to further simplify the integration of data protection into business processes, the DPMS think tank once again focused on implementing the annual key issues in 2022. The think tank provides support as a source of ideas and supports the continuous improvement process of the DPMS, for example by helping decide the key topics (2022: customer data protection).

One of the focuses of the 2022 data protection program was customer data protection. Many different measures were advised, supported and implemented with those responsible for this. In particular, the focus was on “Structuring and dealing with data subject rights from a central governance and operational perspective.” The focus of our consulting was on “Group-wide standardized consent and analysis management on Web sites and mobile apps” and the use of cloud service providers for intra-Group and external processes, procedures, services and IT applications. Although 2022 was marked by the gradual withdrawal of legal obligations in connection with the Covid-19 pandemic, a variety of legislative changes, particularly at Federal states level, demanded a response in order to give legal certainty in the implementation of the Covid-19 regulations within DB Group. In addition, we continue to consistently look at our internal processes and adapt them to developments and circumstances in order to be optimally positioned in the areas of customer and employee data protection.

Various international issues were also discussed in 2022. On the one side, the focus was on Chinese data protection laws and the extent to which, due to their strict requirements, adjustments to important systems and processes of DB Group and the relevant Group companies are necessary. Appropriate adjustments have been identified and addressed to those responsible and are now in the process of phased implementation and ongoing review. On the other hand, one focus remained on the impact of the ECJ ruling on cross-border data transfer (“Schrems II”). These effects were expressed in the fact that, Group-wide, necessary updates had to be implemented where cross-border data transfer takes place by the end of 2022. This concerned both contractual agreements and the implementation of stronger technical and organizational measures. The necessary updates, in particular in the form of a replacement of the EU standard contract clauses, were addressed to all responsible parties and those involved. At the same time, templates for the new EU standard contract clauses, transfer impact assessments and checklists were created and distributed for reviewing the supplementary measures. Training was also carried out on how to deal with these standard clauses so that all parties involved were able to make the necessary adjustments in due time.

In addition, the focus was on raising awareness among all employees. For example, increased focus was placed on raising employee awareness through Group-wide campaigns in cooperation with the areas of Group security, information security and compliance (for example the digital “Security Day” and “Data and Cyber Snacks” one-day events, or the lecture series “Simply Safe ...”). The provision of a new e-learning on the topic of “data protection for mobile working” also helps here. In addition, employees were made aware of the topic of “data protection for mobile working” in various formats (e.g. Lunch&Learn).

In 2022, technical data protection consulting focused, among other areas, on big data, tracking and analytics. In addition, the topic of Microsoft Office 365 is associated with ongoing technical advice through the further development and introduction of new functions, particularly internally. The support of tenders for telecommunications service providers, the advocacy tool in HR marketing, for media and market research agencies and the awarding of cloud contracts presented challenging consulting tasks for technical data protection. Data protection support for the new SEMYOU platform for employee surveys was also a key focus of consultation. The latter was also reviewed by the data protection audit team in the run-up to its Group-wide introduction. In 2022, further focus was on auditing central processes in customer data protection (BahnCard, marketing analysis tool at MarTech) and employee data protection (KANDIS time recording system and personnel postal processes). The new HR management system SMART HR will be continuously ­audited with supervision until its introduction in 2023.

Numerous apps were also reviewed, which were developed for customers and employees (e.g. DB Navigator, BahnBonus, Flinkster). The focus of the app checks was on the use of cookies, the scope and processing of personal data as well as the technical safeguards in place for data transmission and storage. In this case, the intensive cooperation with the Mobile Security team in the area of checks for apps has proven itself, and the testing process for mobile apps has been updated. Advice was given on the app provision and quality assurance process was from a data protection and technical perspective. Particular attention was given to the improvement of processes and the empowerment regarding data protection issues of responsible bodies.

In addition, cooperation with the various audit units of IT auditing and the Information Security division was intensified, so that regular coordination on audit programs and current trends took place. The focus was on exchanges on relevant findings on the audits between departments and ensuring advice (for example identity access management, AIP – handling highly confidential documents – and managing access management to the individual company tenants).

The Advisory board on data protection supports the stakeholder dialog on data protection in DB Group. The members of the Advisory board advise the Management Board on ­the current strategic and central data protection issues. The objective is to promote the data protection interests of all parties involved, in particular employees and customers. The Advisory board makes an important contribution to the most exemplary data protection in DB Group.

The consultations on the data protection-related aspects of the digital transformation, as well as the specifications and measures derived from the Strong Rail strategy serve to protect the legitimate interests of the data subjects. The focus is on the challenges of modern, efficient and, among other things, good data protection in DB Group. As part of the discussions and consultations with the Management Board, the representatives of the specialist departments and the data protection organization, there is a regular and intensive exchange on the relevant data protection-related aspects. These include the numerous applications and digitalization projects in DB Group, including DB Navigator and DB Enterprise Cloud. Further consulting focuses are on the areas of communication and training, data subject rights, information security and data governance in DB Group.

For the eighth time in a row, the Advisory board on data protection presented the Data Protection Award, a prize for employees who make an outstanding contribution to innovative and exemplary data protection in DB Group. In 2022, the Gold Data Protection Award was awarded to the Covid-19 pandemic project team. Under particularly challenging conditions, the team succeeded in ensuring an optimal connection between health protection and employee data protection during the Covid-19 pandemic. The Data Protection Award makes an important contribution to raising awareness about data protection issues within DB Group.