Data protection
Management approach and targets
Data protection is a fundamental right. After all, data protection and informational self-determination are the cornerstones of our free and democratic society. That is why protecting the personal rights of our customers, employees and business partners when processing their personal data is one of our most important duties at DB Group. The term employee data protection is used here in the sense given to it by data protection law; accordingly, it also covers, among other things, the period of data collection from the application stage onwards.
We are aware of our special responsibility for the data entrusted to us and have adopted numerous measures to protect it. We pursue this through uniform and binding data protection regulations, our processing directory, a Group-wide data protection organization, communication and training measures as well as our submission and complaints management. In that respect, we comply with data protection regulations, in particular those of the EU General Data Protection Regulation (GDPR), as well as internal data protection regulations.
Our overriding objective is to ensure that data transfer within DB Group and involving entities outside DB Group complies with data protection regulations. At the same time, we are committed to ensuring that our customers, employees and business partners retain control over the use of their data. This also requires transparency about our legally compliant and ethical data processing practices, both in relation to our products and in informing our customers about exercising their digital sovereignty.
We aim to achieve this by raising awareness of data protection issues throughout DB Group, in particular by informing and training employees and providing a wide range of digital and analog awareness measures as well as a high level of professional quality in our data protection advisory. Another focal point is the expansion of internal and external networks to improve the public image of DB Group with regard to data protection. This includes, for example, regular dialog formats with data protection supervisory authorities, passenger associations and data protection officers from other companies.
We also focus on innovation, automation, the further development of existing instruments and methods and the standardization of processes for professional data protection management. We operate a data protection management system to ensure the reliable application and implementation of data protection at DB Group and to fulfill the information and disclosure requirements and obligations to furnish information in a transparent and legally compliant manner at all times. In addition, regular data protection audits are aimed at ensuring a high level of data protection quality.
We pursue our data protection objectives on the basis of four guidelines:
- We aim to protect the personal rights of our customers, our employees and our business partners at all times.
- We want to provide innovative yet legally compliant data protection solutions that advance DB Group. Together, we want to ensure that the legal and technical requirements are implemented successfully from the perspective of protecting natural persons, from development through to the realization of digital business models, products and services.
- Data protection advisory is designed to enable us to ensure legally compliant and ethical data processing within DB Group and with our external interfaces.
- We aim to help prevent damage to DB Group as part of corporate risk management. By providing advice on how to handle personal data in compliance with data protection regulations, we aim to continually ensure compliance with legal requirements so that the company’s objectives are not jeopardized.
We want to implement our objectives through an efficient data protection organization with a clear structure of responsibilities and uniform standards for our products and services. The data protection organization at DB Group is divided into a central and decentralized organization:
- Centrally, Group Data Protection supports and advises the Group companies. There are five departments within the central data protection organization:
  - two are for employee and customer data protection with different areas of responsibility (including managing the Group data committee, training and communication, coordinating legal proceedings relating to data protection, processing submissions from customers, external parties and employees as well as providing support for hearings by data protection supervisory authorities),
  - one is responsible for auditing and the internal data protection systems,
  - one provides data protection advice on the digitalization of processes and the use of the latest technologies, and
  - the fifth is responsible for the global and national data protection directives, controlling the identification and implementation of digitalization and automation projects in data protection and managing the entire decentralized data protection organization. This organization consists of data protection specialists and data protection trusted persons at the national level and privacy managers at the international level.
- Decentralized data protection experts at Group companies all over the world are available to employees and responsible persons if they have any questions and concerns about data protection. The purpose of these experts is to ensure that data protection is implemented and enforced in accordance with the law at the Group companies and in the business units.
Integrated interface management and various communication formats are intended to ensure the exchange of information and targeted technical management of the decentralized data protection organization, especially in light of the wide range of services and products within DB Group and the associated wide-ranging advice requirements.
In 2010, a Data Protection Advisory Board was established, consisting of representatives from the fields of society, politics and science. It advises the Management Board on data protection matters, is intended to ensure that the legitimate data protection interests of the represented groups are taken into account and, at the same time, contributes to DB Group’s stakeholder dialog on data protection.
Based on the Strong Rail strategy, a five-year data protection strategy was drawn up in 2023, focusing on the structure of the GDPR and digitalization. Legal developments, in particular by data protection supervisory authorities and courts in Germany and Europe, as well as increasing digitalization, such as in the field of artificial intelligence, are leading to an increased need for internal advice. The objective is to minimize legal uncertainties, for example when using new technologies. The focal points are anchored in the Data Protection Management System both in terms of structure and process organization, including through the use of simple processes and clear responsibilities.
Based on clear responsibilities, regulations, instruments, awareness measures, intensive training, standardization and data protection audits, our data protection management system (DPMS) is designed to ensure the reliable application and implementation of data protection at DB Group. This aims to minimize risk and act as a mechanism for easy integration of data protection in existing business processes.
In 2024, various measures were implemented in data protection advisory, processes, auditing and training.
One essential core element of our DPMS is the advice provided to employees and responsible parties by our data protection organization. Within the framework of national and international data protection regulations, advice was given on various measures, which were then supported and implemented together with those responsible.
In addition, the introduction of the new DB HR system was supported in terms of data protection. Comprehensive advice was given, in particular, on the establishment of new processes and the migration of existing processes and data. An accompanying series of program audits also focused on the topics of joining DB Group, qualifications and remuneration principles. Another focal point of our advisory services was support for changes under company law and organizational changes in DB Group, such as the launch of DB InfraGO AG, the sale of DB Arriva and the sale of DB Schenker.
In technical data protection advisory, activities in 2024 focused primarily on the topics of artificial intelligence (AI) and mobile apps. When the EU AI Act came into force, the requirements for the use of digital automation and decision-making were examined, and the corresponding implementation measures were prepared and are to be implemented. A central office checks, consolidates and approves the introduction of GenAI systems at DB Group, such as BahnGPT. The Privacy by Design approach is intended to prevent the unauthorized handling of sensitive data and ensure that all interactions are GDPR-compliant and protect personal rights.
In addition, advice on data protection law was given for the Group’s internal app approval process and an interactive guide to the data protection-compliant design and development of mobile apps was provided. In this manner, Group internal developments are to be equipped with the necessary IT security and data protection standards. Another focal point in 2024 was providing advice on tracking and analysis functions used in websites and mobile apps.
In 2024, audit activities focused once again on the central processes in customer and employee data protection. One particular focus was on auditing the use of auditory and visual surveillance systems in the security area, especially the use of drones and other flying objects with video technology. Activities also focused on technology and processes for identity and access management to public sales systems as well as ticket control processes. With regard to employee data, the focus was on an accompanying audit series relating to the commissioning of the new DB HR system in 2024. With regard to app audits, the focus was on the auditing of various mobility solutions (Call a Bike, Flinkster) as well as an internal app to support personnel scheduling. All of the app audits focus on the use of cookies, the scope and processing of personal data and the technical security of data transfer and storage. The dialog with the audited bodies focused in particular on improving processes and the data protection empowerment of the responsible bodies.
Group Data Protection represents the interests of DB Group with regard to data protection in several associations. For example, the ministerial draft bill for a law to strengthen the fair handling of employee data and to provide greater legal certainty for employers and employees in the digital working environment (Employee Data Act) was reviewed and a statement on it was drawn up. It was submitted via the labor law working group of the Confederation of German Employers’ Associations (BDA).
To achieve our data protection objectives in the long term, we seek to continually improve our instruments and provide advice on data protection issues. This includes implementing a process portal, digitalizing existing and newly identified processes and optimizing submission and complaint management. In addition, the employees of the data protection organization must be kept informed about current technical developments; internal events were offered for their regular training.
Executives have a particular role to play in ensuring compliance with data protection principles and in training employees. For simplified and effective implementation, a new e-learning module was made available to raise awareness of data protection. This supplements our comprehensive and target-group-specific training offering. In addition, Group-wide online employee awareness campaigns were implemented in 2024.
DB Group’s Data Protection Advisory Board advises the Management Board on central and strategic data protection issues. Discussions focus on protecting the personal rights of employees, customers and business partners. The involvement of the stakeholder groups represented in the Data Protection Advisory Board and bundled (interdisciplinary) expertise are aimed at ensuring that the legitimate data protection interests of all parties are taken into account. The work of the committee thus contributes to comprehensive data protection within DB Group. At the same time, it constitutes a special form of stakeholder dialog.
The opportunities and risks associated with advancing digitalization and use of AI systems in the work context were the subject of intensive discussion in 2024. The consultations aim to enable progress and innovation while ensuring compliance with data protection, data security and co-determination requirements and reconciling these aspects with one another. Other focal points of the Advisory Board’s work included audit and technical data protection, video technology in infrastructure, digitalization and AI in recruitment and (generative) AI for HR work, cybersecurity and quantum computing.
The Data Protection Award makes an important contribution to raising awareness of data protection at DB Group. The 2024 Data Protection Award in Gold went to the “Integrated data protection in AI projects: data protection by design and by default” project team from DB Long-Distance and the “BahnGPT data protection and innovation combined by the AI Governance Guild” project team from DB AG and DB Systel.