Data protection

Management approach and targets

Data protection and autonomy should be championed as the foundation for free and democratic societies. Throughout DB Group, we aim to establish exemplary, innovative and sustainable data protection processes and set a high level of data protection as a mark of quality, allowing employees, customers and business partners to associate DB Group with trust, respect, transparency and integrity in relation to data protection. In doing so, we fulfill data protection regulations, particularly those of the EU General Data Protection Regulation (GDPR) and in-house data protection policies.

In order to suitably implement our vision, we are firmly committed to meeting the overarching target of ensuring that the flow of data, both within DB Group and with external entities, is compliant with data protection regulations. We are working toward achieving this by raising awareness of data protection issues throughout DB Group, in particular by informing and training employees and by having a variety of digital and analog awareness-raising measures in place as well as high-quality data protection consulting expertise. Another focal point is the expansion of internal and external networks to improve DB Group’s public image with regard to data protection.

We are also committed to innovation, the further development of existing instruments and methods, and the standardization of processes for professional data protection management. In order to ensure that data protection is applied and implemented reliably within DB Group, we operate a data protection management system that enables us to fulfill information and disclosure rights and obligations to furnish evidence at any time in a transparent and legally admissible manner. In addition, regular data protection audits ensure a high standard of data protection.

We work toward achieving these objectives through a highly effective data protection organization, which is divided into central and local units within DB Group:

  • DB Group’s central data protection team supports and advises the Group companies regarding compliance with data protection, especially in regard to data protection issues that are relevant to the Group. There are four departments within the central data protection organization, two of which work in different areas of responsibility within employee and customer data protection (one in administration or training, and the other in communication and management of the Group data committee). Another department deals with audits, technical data protection and the internal data protection systems. The fourth is responsible for the national and international data protection directives and manages the entire local data protection organization. At the national level, this consists of data protection experts, data protection officers and, at the international level, data protection managers.
  • Local data protection experts in DB companies all over the world are available to employees and responsible persons if they have any questions and concerns about data protection. These experts ensure that the rules are implemented and enforced in accordance with the law.

DB Group’s Data Protection Advisory Board consists of renowned figures from science, politics, associations, independent organizations and employee representatives, ensures that data protection interests are taken into account, and advises the Management Board on strategic and central data protection issues.

Customers, employees and applicants can therefore rely on us to ensure a high level of data protection, for example when developing new business models and when introducing and making changes to the processing of personal data.

Data protection in DB Group

In addition to the General Data Protection Regulation (GDPR), there were new or planned laws and regulations with requirements and effects on data protection at national and international levels. This increased the degree of regulation and made it more complex. In particular, the way data protection supervisory authorities and courts in Germany and Europe have shaped the content of the GDPR, as well as the ECJ ruling on cross-border data transfer (“Schrems II”), led to an increased need for internal consultation by the data protection organization.

Optimizing and further developing DB Group’s Data Protection Management System (DPMS) are among the core responsibilities of the Group Data Protection function. The DPMS provides for systematic coordination between roles and responsibilities for data protection, systematic processes, detailed specifications, intensive training, advising business departments, and monitoring implementation. It comprises many small and large components, from one-page guidance documents to top consulting projects.

In order to further simplify the integration of data protection into business processes, the DPMS think tank once again focused on implementing the annual key issues in 2022. The think tank provides support as a source of ideas and supports the continuous improvement process of the DPMS, for example by helping decide the key topics (2022: customer data protection).

One of the focuses of the 2022 data protection program was customer data protection. Many different measures were advised, supported and implemented with those responsible for this. In particular, the focus was on “Structuring and dealing with data subject rights from a central governance and operational perspective.” The focus of our consulting was on “Group-wide standardized consent and analysis management on Web sites and mobile apps” and the use of cloud service providers for intra-Group and external processes, procedures, services and IT applications. Although 2022 was marked by the gradual withdrawal of legal obligations in connection with the Covid-19 pandemic, a variety of legislative changes, particularly at federal state level, demanded a response in order to give legal certainty in the implementation of the Covid-19 regulations within DB Group. In addition, we continue to consistently look at our internal processes and adapt them to developments and circumstances in order to be optimally positioned in the areas of customer and employee data protection.

Various international issues were also discussed in 2022. On the one hand, the focus was on Chinese data protection laws and the extent to which, due to their strict requirements, adjustments to important systems and processes of DB Group and the relevant Group companies are necessary. Appropriate adjustments have been identified and addressed to those responsible and are now in the process of phased implementation and ongoing review. On the other hand, one focus remained on the impact of the ECJ ruling on cross-border data transfer (“Schrems II”). As a result, the necessary updates had to be implemented Group-wide by the end of 2022 wherever cross-border data transfer takes place. This concerned both contractual agreements and the implementation of stronger technical and organizational measures. The necessary updates, in particular in the form of a replacement of the EU standard contract clauses, were addressed to all responsible parties and those involved. At the same time, templates for the new EU standard contract clauses, transfer impact assessments and checklists were created and distributed for reviewing the supplementary measures. Training was also carried out on how to deal with these standard clauses so that all parties involved were able to make the necessary adjustments in due time.

In addition, the focus was on raising awareness among all employees. For example, increased focus was placed on raising employee awareness through Group-wide campaigns in cooperation with the areas of Group security, information security and compliance (for example the digital “Security Day” and “Data and Cyber Snacks” one-day events, or the lecture series “Simply Safe ...”). The provision of a new e-learning on the topic of “data protection for mobile working” also helps here. In addition, employees were made aware of the topic of “data protection for mobile working” in various formats (e.g. Lunch&Learn).

In 2022, technical data protection consulting focused, among other areas, on big data, tracking and analytics. In addition, the topic of Microsoft Office 365 is associated with ongoing technical advice through the further development and introduction of new functions, particularly internally. The support of tenders for telecommunications service providers, the advocacy tool in HR marketing, for media and market research agencies and the awarding of cloud contracts presented challenging consulting tasks for technical data protection. Data protection support for the new SEMYOU platform for employee surveys was also a key focus of consultation. The latter was also reviewed by the data protection audit team in the run-up to its Group-wide introduction. In 2022, further focus was on auditing central processes in customer data protection (BahnCard, marketing analysis tool at MarTech) and employee data protection (KANDIS time recording system and personnel postal processes). The new HR management system SMART HR will be continuously audited with supervision until its introduction in 2023.

Numerous apps developed for customers and employees were also reviewed (e.g. DB Navigator, BahnBonus, Flinkster). The focus of the app checks was on the use of cookies, the scope and processing of personal data as well as the technical safeguards in place for data transmission and storage. In this case, the intensive cooperation with the Mobile Security team in the area of checks for apps has proven itself, and the testing process for mobile apps has been updated. Advice was given on the app provision and quality assurance process from a data protection and technical perspective. Particular attention was given to the improvement of processes and the empowerment of responsible bodies regarding data protection issues.

In addition, cooperation with the various audit units of IT auditing and the Information Security division was intensified, so that regular coordination on audit programs and current trends took place. The focus was on exchanges between departments on relevant findings from the audits and on ensuring advice (for example identity access management, AIP – handling highly confidential documents – and access management for the individual company tenants).

The Advisory board on data protection supports the stakeholder dialog on data protection in DB Group. The members of the Advisory board advise the Management Board on the current strategic and central data protection issues. The objective is to promote the data protection interests of all parties involved, in particular employees and customers. The Advisory board makes an important contribution to the most exemplary data protection in DB Group.

The consultations on the data protection-related aspects of the digital transformation, as well as the specifications and measures derived from the Strong Rail strategy serve to protect the legitimate interests of the data subjects. The focus is on the challenges of modern, efficient and, among other things, good data protection in DB Group. As part of the discussions and consultations with the Management Board, the representatives of the specialist departments and the data protection organization, there is a regular and intensive exchange on the relevant data protection-related aspects. These include the numerous applications and digitalization projects in DB Group, including DB Navigator and DB Enterprise Cloud. Further consulting focuses are on the areas of communication and training, data subject rights, information security and data governance in DB Group.

For the eighth time in a row, the Advisory board on data protection presented the Data Protection Award, a prize for employees who make an outstanding contribution to innovative and exemplary data protection in DB Group. In 2022, the Gold Data Protection Award was awarded to the Covid-19 pandemic project team. Under particularly challenging conditions, the team succeeded in ensuring an optimal connection between health protection and employee data protection during the Covid-19 pandemic. The Data Protection Award makes an important contribution to raising awareness about data protection issues within DB Group.