Data Protection means Protecting Privacy
As digital transformation advances, so do the volume and complexity of the information and the digital footprints we leave online. The need to protect personal data and questions as to whether data processing is compliant with the General Data Protection Regulation (GDPR), which came into force in 2018, are becoming more and more of an issue with the public at large and with individual users.
Our customers are aware of dangers such as data abuse and insufficient data security, and take data privacy factors into account when selecting products. This can also be seen from the large number of customer queries we receive on the latter issue (2020: 1,872; 2019: 1,686(1); 2018: 35,445). Since we aim to enable customers to decide for themselves what happens to their data, protecting personal data is both a basic part of how we see ourselves and a prerequisite for our business. In line with this, our products and services naturally comply with the strict data privacy standards in force in Europe and Germany.
(1) The sharp decline is due to a change in the query. Since 2019, only the adjusted number of data privacy questions from customers has been counted rather than all incoming and outgoing customer questions.
Following the entry into force in May 2018 of the EU’s General Data Protection Regulation and the associated revision of the German Data Protection Act (“Bundesdatenschutzgesetz” – BDSG), companies have to comply with stricter requirements regarding personal data and its processing.
In 2020 – as in the previous year – one key focus of the work performed by United Internet’s data privacy departments was on continuing and consolidating measures associated with the new EU rules and national standards. Whereas day-to-day operations continued largely to revolve around recurring work such as maintaining records of processing activities and performing data protection impact assessments for processes that are expected to entail material risks to natural persons’ rights and freedoms, the main thrust of our work was on further expanding our data privacy organization. We also launched additional implementation projects.
Examples include implementing deletion policies, ongoing enhancements to risk management, and the implementation of “cookie layers” to obtain users’ consent to the use of cookies. We also adapted the privacy notices in the various segments.
The implementation of 2020 rulings by the European Court of Justice (ECJ), German courts, and data protection authorities was another focus of our work in the fiscal year. Particularly noteworthy were a decision by the German Supreme Court (BGH) on the need to obtain cookie consents, following on from a 2019 ECJ ruling, and a decision by the ECJ on the validity of the Privacy Shield between the EU and the USA on the transfer of personal data to the USA. These rulings gave many enterprises clarity in concrete situations for the first time since the GDPR entered into force, and led to the need to implement associated modifications.
We aim to ensure data privacy throughout the Group and to embed it in our systems and processes. Our data privacy departments ensure compliance with a uniform approach throughout the Group. At an operational level, we have strengthened data privacy by establishing data privacy coordinators and continuing to expand our local organizations. The data protection officers in the segments and the Group Data Protection Officer report to the segment management boards and to United Internet AG’s CFO respectively.
We have embedded data privacy in the enterprise in the following ways:
(1) Including Consumer Access, Consumer Applications, and Business Applications; excluding independently managed companies. The rise in notifications in 2019 compared to 2018 was due to the GDPR’s strict notification requirements.