Engagement with Consumers and end-users, channels to raise concerns or needs and approaches to remedy
Processes for engaging with consumers and end-users about impacts (S4-2)
DB Group takes customer perspectives on data protection into account in the continuous development of internal processes. This is achieved via direct feedback from our customers and indirectly via consumer associations and data protection supervisory authorities. Direct feedback from our customers on data protection issues is provided via consultation procedures, data protection and data subject inquiries and complaints submitted via the designated communication channels (email and post). DB Group is also involved in industry initiatives and working groups in order to integrate practical and regulatory developments into its decisions.
This is done on an ongoing basis via the input management system and on an ad hoc basis in consultation with consumer associations and supervisory authorities. An “input” includes any data-protection-related request addressed to DB Group, regardless of whether it is a complaint, inquiry, notification or the assertion of data subject rights. Legal developments are regularly taken into account and participation in industry initiatives takes place on a topic-related basis.
The data protection organization, headed by the Group Data Protection Officer, evaluates incoming concerns and reports to the Management Board, thereby ensuring the effectiveness of involvement.
Data Protection Advisory Board
DB Group’s Data Protection Advisory Board has been an established advisory body to the Management Board on strategic and key data protection issues for more than 15 years. With its independent, interdisciplinary expertise, the advisory board helps to ensure that the data protection interests of employees, customers and business partners are incorporated into the strategic decision-making process of the Management Board. The aim of the consultations is to ensure effective and exemplary data protection within DB Group, enabling innovation and progress in compliance with data protection regulations.
The focus areas of the consultations in 2025 reflect the dynamic developments and challenges in an era of advancing digitalization and growing use of AI. As part of the consultations, the “Digital.Trend.Radar,” a structured overview of all DB-relevant digital trends, provides important impetus as a strategic tool for consultation with the Management Board, the representatives of Group Data Protection and other specialist departments. The subjects of the consultations were challenges concerning EU regulation on digitalization and AI. Another focus was on the topics of data and AI governance, AI portfolio management and modern and forward-looking IT services such as cloud and quantum computing. The range of consulting services also included projects for integrated everyday mobility (SMILE24) and developments in autonomous driving (KIRA). Other key areas addressed included the use of video technology in rail infrastructure and on trains, the Berlin Südkreuz security station research project and data protection in the context of internal investigations. Data-protection-related aspects of numerous applications (including DB Navigator, Microsoft Copilot and BahnGPT) rounded off the agenda.
In its discussions, the committee emphasized the importance of expanding data protection expertise through targeted awareness measures and training initiatives. Additional challenges for the data protection organization due to transformation and restructuring projects in DB Group were emphasized and discussed.
The Data Protection Award is intended to help promote a positive data protection culture within DB Group by recognizing innovative and exemplary projects with regard to data protection in DB Group. Seven entries were nominated in 2025. The “AI framework paper” project, a Group-wide guiding document on the responsible use of artificial intelligence, received the Data Protection Award in Gold for 2025. A special prize for “DataProtection+ CyberSecurity” went to the “CyberSecurity@DB” project, which focuses on the topics of data protection, data security and co-determination.
Processes to remediate negative impacts and channels for consumers and end-users to raise concerns (S4-3)
The Group-wide data protection management system ensures the legally compliant implementation of the GDPR requirements. It includes processes for identifying, handling and resolving data protection incidents and for the transparent fulfillment of information and disclosure obligations.
Data protection incidents are recorded and evaluated centrally, remedied using suitable technical and organizational measures and, if they are subject to a reporting obligation, reported to the relevant supervisory authority. Data subject inquiries are processed according to standardized procedures.
The continuous improvement of our data protection processes is based on feedback from customers, employees and specialist departments as well as findings from data protection incidents, internal audits and reviews by data protection experts. Consumers can contact DB Group via various communication channels such as email and post. Inquiries received are treated confidentially.
Training and awareness measures enable employees to handle data protection issues properly and consistently.
Awareness of the reporting options among customers is ensured through transparent communication, for example through data protection notices provided to customers by DB Group as part of its products and services. The fact that customers know and trust the data protection procedures is reflected in particular in the use of these channels, in the targeted inquiries received and in feedback from the processing of concerns.