Implementation of the EU General Data Protection Regulation
Efforts to implement the EU General Data Protection Regulation (GDPR) were a core part of Group data protection activities in the year under review. Firstly, new standards were implemented, such as more comprehensive obligations to be transparent toward customers and employees. Existing processes and sample contracts then had to be modified to comply with the new regulations and new requirements had to be proactively incorporated into everyday consulting. Finally, awareness of data protection issues was raised among data controllers through various channels.
In addition to usual processes such as recruiting and HR services, initiatives such as DB Digital Ventures, mindbox and beyond1435 are increasingly playing a role in advising and are used by DB Group to drive its digitalization efforts. The use of bodycams by DB Security received a notable response from the media as part of the focus on video surveillance. This was preceded by extensive consultation and discussion with the competent data protection supervisory authorities regarding data protection, including academic support from Prof. Dr. Jürgen Taeger from the University of Oldenburg, who is also a member of the DB Group Privacy Advisory Board.
Group data protection places great importance on communicating openly and proactively with the relevant data protection supervisory authorities for each Group company, particularly through the introduction of innovative procedures and processes.
Technical data protection and audit
The audit department focused on auditing key procedures and processes related to the implementation of GDPR requirements, especially BahnCard procedures (including an audit of the service provider) and central DB HR systems. During the year under review, the department also concentrated on auditing the new DB Group recruiting procedures that are used internationally.
The consulting focused on assessing various newly written order processing agreements in terms of implementing technical and organizational measures, as well as using expertise in data protection to supervise major projects in customer and employee data protection with regard to measures that still need to be taken to comply with GDPR. This includes the new sales system VENDO for passenger transport and procedures that have been developed especially for the occupational health service.
An innovative working group called AG SoNeT conducted research into legal advice on data protection for the use of artificial intelligence (AI) applications with the aim of creating a practical guide for DB Group companies. The DOM survey conducted at the start of the year under review had a record number of participants and its results showed them to have a good level of data protection.
Further development of professional qualifications and awareness
We increased the already high quality of consultancy provided by the data protection organization by providing tailored professional training opportunities. Increasing awareness of data protection issues among all employees and executives in a targeted way involved publishing the new online training course “fundamentals in the data protection” and regularly updating the latest data protection news at the DB Planet data protection news blog.
International data protection
During the year under review, the digital transformation at DB Group was a common theme for issues relating to international data protection laws. From fleet management systems in international logistics to digital finance solutions and international recruiting software – it is obvious that using innovative digital technologies requires personal data to be handled responsibly and securely.
Another key topic in this area was the implementation of GDPR. In cooperation with the international data protection managers, who serve as points of contact within the decentralized international data protection organization, Group data protection ensured that the new data processing requirements were implemented within EU companies as well as EU companies conducting business with non-EU companies.
In addition to EU legislation, we have also been keeping a close eye on developments in international law. Developments in data protection law that were relevant to us during the year under review included the US CLOUD Act, various domestic legislation on data localization and data protection legislation that used GDPR as an example.
DB Group Data Protection Advisory Board
DB Group Data Protection Advisory Board advises the Group’s Management Board on strategic and core data protection issues, and in doing so helps significantly to set an excellent example of data protection at DB Group. The expertise of individual stakeholder groups on the Advisory Board ensures that legitimate data protection-related interests of all stakeholders involved are taken into account, particularly in discussions on the digital transformation. The work that the Advisory Board does is therefore an important contribution to DB Group stakeholder dialog on data protection.
Useful consultation requires early and organized involvement in data protection-related deliberations, planning and projects, as well as applying this approach consistently to ensure exemplary data protection within DB Group. The Advisory Board discusses new, innovative and pragmatic solutions to protect the data protection rights of data subjects, making an important contribution to ensuring digitalization initiatives are compliant with data protection regulations while also being key to the success of these projects. Data-protection-related challenges can be handled in the best possible manner through forward-looking and constructive discussion together with trusted guidance from the Advisory Board. The annual awarding of the Advisory Board’s now well-established Data Protection Award helps to ensure that data protection is treated with the necessary care and attention within DB Group.