
Data protection management


In times of increasing digitalization, protecting personal data is a high priority. Both our customers and our employees must be confident that our company complies with the legal requirements protecting their right to control their personal information and attaches great importance to ensuring this protection.

The data protection management system focuses on compliance with data protection regulations. Specific measures based on the corporate strategy serve to offer our workforce help and guidance. Using defined principles, we want to achieve the goal of creating a consistent and adequate level of data protection. These requirements are set out in internal Group regulations. They are reviewed annually and revised as necessary.

Data protection organization
Our structures and reporting channels

The EnBW Group’s data protection organization consists of a central Group Data Protection department and a decentralized data protection organization which work together to ensure the effective implementation and enforcement of data protection regulations. All relevant functional units, business units and Group companies bound by instructions are involved. They are instructed to take account of data protection in all relevant processes. The management system gives the data protection officers and Group Data Protection a direct reporting line to our Board of Management and a monitoring function with audit rights in accordance with the statutory mandate.


Our data protection organization


Group Data Protection reports to the Supervisory Board and the Board of Management several times a year on the current status of management activities. Our Board of Management is the primary decision-making authority for defining and implementing the data protection strategy and achieving data protection targets in line with the company strategy. It decides on the implementation of management activities, the program and enforcement by means of audits. Those with decentralized roles in business and functional units are regularly supplied with important information at a meeting of the data protection community and given guidance on how to implement any measures. Group Data Protection is involved in an interdisciplinary committee made up of the business and functional units whose role is to ensure data transparency and shape cooperation on the handling of (personal) data within the company. It is also involved in committees covering other Group management systems on an ad hoc basis.

Practice
Embracing data protection in the EnBW Group

With the aim of achieving a consistent level of data protection in the Group, we have established efficient and effective data protection standards for all Group companies bound by instructions, giving departments the tools they need to adequately implement data protection requirements in relevant processes.


The Directory of Processing Activities is the core element of effective data protection compliance. It contains all the information relevant to the assessment of data protection conformity. If personal data is processed, then processing information must be provided at the time of its collection. This includes the purpose of the processing to which this data use is linked. The collection of data is restricted to the extent necessary for such processing. The data must be deleted if there is no longer any purpose for processing it, or its use must be restricted if, for example, only retention requirements remain. We develop individual concepts for storage and retention periods as well as access rights. Appropriate organizational measures are taken to protect the data, along with measures in line with the latest technology.


In addition to regulations on data storage and backup, clear provisions have been put in place to respect the rights of data subjects under the EU GDPR, such as the right to information, updating, erasure or blocking. There are also regulations governing the right to object and data portability. We also use service providers to process personal data. When selecting the processors, their reliability is verified along with their compliance with data protection requirements in order to ensure an adequate level of data protection. They are commissioned solely on the basis of a written agreement.

Risk management
Data protection compliance risks

Group Data Protection regularly examines data protection compliance risks in a cooperative arrangement, following the logic of integrated risk management. Annual audits are conducted in line with an audit plan adopted by the Board of Management.

In addition, the Group auditing department regularly concerns itself with data protection audits. The legally required data protection impact assessments are tool-assisted. Group Data Protection provides advice on the process and the relevant department documents everything.

Processes with data protection relevance and the largely digitally managed Directory of Processing Activities are reviewed annually and updated as necessary.

Training measures
Training and raising awareness

New employees are required to comply with data protection and information security requirements in a standard process. A risk-based training concept has also been established, with mandatory e-learning teaching basic knowledge. This e-learning is accompanied by special training courses for employees in positions where data protection is relevant. The content of these training courses is reviewed annually to make sure it is still up to date. It is then redesigned if necessary.

Our internal media channels are regularly used to inform employees about data protection matters. This takes the form of news focused on current issues as well as detailed background information, source material and handouts.

To ensure that the data protection management system continues to evolve, dialogue is held with internal and external consultants, including the Group auditing department and independent consulting firms.

Reporting process

Reporting in the event of data protection incidents


We have an established reporting system for reporting any data protection breaches. It is also possible to report incidents anonymously. The data protection organization makes use of the Group’s proven instruments to investigate any incidents.

Further information on the whistleblower system and reporting breaches