Data protection
Management approach and targets
Data protection is a fundamental right. After all, data protection and informational self-determination are the cornerstones of our free and democratic society. That is why protecting the personal rights of our customers, employees and business partners when processing their personal data is one of our most important duties at DB Group.
We are aware of the acute responsibility we bear for the data entrusted to us and take numerous measures to protect it. These include, for example, binding data protection regulations, our processing directory, communication and training measures as well as our input and complaints management systems. In the process, we comply with data protection regulations, in particular those of the EU General Data Protection Regulation (GDPR) and internal data protection regulations, in order to ensure exemplary, innovative and sustainable data protection practices.
Our overriding objective is to ensure that data transfer within DB Group and involving entities outside DB Group complies with data protection regulations. We ensure this with a high level of data protection. At the same time, we are committed to ensuring that our customers, employees and business partners retain control over the use of their data. This also requires transparency about our legally compliant and ethical data processing practices, both in relation to our products and in informing our customers about exercising their digital sovereignty.
We are working toward achieving this by raising awareness of data protection issues throughout DB Group, in particular by informing and training employees and by having a variety of digital and analog awareness-raising measures in place as well as high-quality data protection advisory expertise. Another focal point is the expansion of internal and external networks to improve DB Group’s public image with regard to data protection.
We are also committed to innovation, the further development of existing instruments and methods, and the standardization of processes for professional data protection management. In order to ensure that data protection is applied and implemented reliably within DB Group, we operate a data protection management system that enables us to fulfill information and disclosure rights and obligations to furnish evidence at any time in a transparent and legally admissible manner. In addition, regular data protection audits ensure a high standard of data protection.
We pursue our data protection objectives in accordance with the following four guidelines:
- We are committed to protecting the personal rights of our customers, our employees and our business partners at all times.
- We develop innovative and legally compliant data protection solutions that drive DB Group forward. From the perspective of protecting natural persons, we work together to ensure that the legal and technical requirements are successfully fulfilled all the way from the development to the realization of digital business models, products and services.
- Data protection advisory enables us to ensure legally compliant and ethical data processing within DB Group and with our external interfaces.
- As part of corporate risk management, we help to ensure the commercial success of DB Group and protect DB Group from harm. By providing advice on how to handle personal data in compliance with data protection regulations, we continuously ensure through compliance with legal requirements that DB Group’s business goals are not jeopardized.
We achieve our objectives by means of a robust data protection organization with a clear structure of responsibilities and uniform standards for our products and services. The data protection organization within DB Group is divided into a centralized and decentralized organization:
- Centrally, there is the Group’s Data Protection team, which supports and advises the Group companies regarding compliance with data protection, especially on data protection issues that are relevant to the Group. There are four departments within the data protection organization, two of which work in different areas of responsibility within employee and customer data protection (one in administration or training, and the other in communication and management of the Group data committee). Another department deals with auditing, technical data protection and the internal data protection systems. The fourth is responsible for the national and international data protection directives and manages the entire decentralized data protection organization. At the national level, this consists of data protection specialists and data protection trusted persons; at the international level, it consists of privacy managers.
- Decentralized data protection experts in Group companies all over the world are available to employees and responsible persons if they have any questions or concerns about data protection. These experts ensure that the regulations are implemented and enforced in accordance with the law.
Integrated interface management and various communication formats ensure the exchange of information and targeted technical management of the decentralized data protection organization, especially in light of the wide range of services and products within DB Group and the associated wide-ranging advice requirements.
In 2010, a Data Protection Advisory Board was also established, consisting of representatives from the fields of society, politics and science. It advises the Management Board on data protection issues, ensures that the legitimate data protection interests of the groups represented are taken into account, and simultaneously makes an important contribution to DB Group’s stakeholder dialog on data protection.
Data protection strategy
Based on the Strong Rail strategy, a five-year data protection strategy was drawn up in 2023, focusing on the structure of the GDPR and digitalization. In particular, legal changes by data protection supervisory authorities and courts in Germany and Europe as well as the increase in digitalization, for example in the field of artificial intelligence (AI), are leading to an increased need for in-house advice from the data protection organization. The objective is to minimize legal uncertainties, for example when using new technologies. The focal points are anchored in our Data Protection Management System both in terms of structure and process organization, including through the use of simple processes and clear responsibilities.
Data Protection Management System
We rely on a professional data protection management system to achieve our data protection goals. With clear responsibilities, regulations, instruments, awareness measures, intensive training, standardization and data protection audits as its basis, our Data Protection Management System (DPMS) ensures that data protection is reliably implemented and practiced within DB Group. In this way, it minimizes risk and acts as a mechanism for integrating data protection easily into existing business processes.
Data protection priorities
In 2023, the DPMS was implemented using various measures in data protection advice, processes, auditing and training.
A core element of our DPMS is the advice provided to employees and responsible parties by our data protection organization to ensure that personal data is processed in compliance with data protection regulations. In the light of national and international regulations on data protection, various measures have been discussed, supported and implemented with those responsible. For example, the increased number of rulings by the ECJ and the German Federal Supreme Court (BGH) regarding the right to information and the right to a copy provided greater legal certainty when processing data subjects’ rights. As a result of the legal requirements, adjustments were made in the relevant business units, for example in the scope of the information provided. Group Data Protection represents the company’s interests with regard to data protection in several associations. Another focal point of our advisory services was support for the launch of DB InfraGO AG. As part of this change under company law, the substantive aspects in relation to data protection law, in particular the impact on data protection information, were examined in 2023 and the necessary adjustments were initiated.
The new adequacy decision regarding the USA was the focus of international advisory. In July 2023, the European Commission adopted the adequacy decision for the EU-US Data Privacy Framework (successor to the Privacy Shield), which regulates the level of protection for data transfers to certified organizations in the USA. On this basis, the application of the EU-US Data Privacy Framework in DB Group was subjected to a critical review with the conclusion that the existing processes will be largely retained and that only adjustments within the scope of the review will be made.
In 2023, technical data protection advisory focused primarily on the topics of AI, big data and data-driven marketing. Microsoft Office 365 also continues to require ongoing technical advice as new functions are developed and introduced, particularly for internal use. Technical data protection was faced with challenging advisory tasks in connection with the tenders for telecommunications service providers, data protection support for the various IT security requirements placed on mobile devices, and the awarding of cloud contracts.
The audit focused on central procedures in customer data protection and employee data protection. There was also a particular focus on auditing the implementation of SharePoint in 2023. Furthermore, numerous apps developed for customers and employees were reviewed (e.g. S-Bahn [metro] Berlin app, Bonvoyo app, Mosaik and the new DB Navigator). The focus of the app checks was on the use of cookies, the scope and processing of personal data, and the technical safeguards in place for data transmission and storage. The app provision and quality assurance process in DB Group was discussed from a data protection and technical perspective and was implemented in 2023. In the communication with the audited parties, particular attention was given to improving processes and to empowering responsible parties to handle data protection issues.
In addition, cooperation with the various audit units of IT Audit and the Information Security division within DB Group was further intensified. The focus here was on sharing relevant findings regarding the audits between the divisions and ensuring the provision of advice.
In addition to advisory, our DPMS also covers data protection-compliant process optimization. For example, the departments were assisted in implementing whistle-blower management in a data protection-compliant manner, which has been necessary since the German Whistleblower Protection Act (HinwSchG) came into force as an implementation of the Whistleblower Directive 2019/1937. This includes the development of data protection-compliant processes in the context of whistle-blower management, secure communication, protection of whistle-blowers and legally compliant enforcement of data subjects’ rights.
The increased need for advice, particularly on topics relating to digitalization and generative AI, requires the data protection organization to be informed about the latest technical developments. For its regular qualification, internal events are offered in which, among other things, the advisors pass on their knowledge in their role as disseminators.
In 2023, the focus was once again on data protection awareness among all employees. There continues to be a high demand for online awareness-raising programs due to mobile working practices. The new e-learning course “data protection for mobile working” was released in 2023 and 3,464 e-learning units have been completed to date. Group-wide online campaigns to raise employee awareness were implemented in close cooperation with the Group Security, Information Security and Compliance divisions.
Data Protection Advisory Board
DB Group’s Data Protection Advisory Board is an established advisory body to the Management Board on the latest central and strategic data protection issues. The advice serves to protect the personal rights of customers, employees and business partners. The involvement of the stakeholder groups represented on the Advisory Board ensures that the legitimate interests relevant to data protection are taken into account on a broad basis. The work of the body therefore makes an important contribution to ensuring that data protection within DB Group is as innovative and exemplary as possible.
The focus of the 2023 consultations was on advancing digitalization, particularly in the professional context. The various aspects of digitalization were discussed with the involvement of the relevant specialist departments and representatives of the data protection organization. In particular, the interplay between data protection, data security and co-determination was discussed in detail on the basis of key projects. The opportunities and risks associated with the use of AI, in particular generative AI applications, were discussed at length and from an interdisciplinary perspective. Other key advice topics included communication and training, data subject rights, video technology in infrastructure and international data protection within DB Group.