Data Protection

  • GRI 418

Data Protection means Protecting Privacy

As digital transformation progresses, the volume and complexity of information and of the digital footprints we leave online increase as well. The need to protect personal data, and the question of whether data processing complies with the General Data Protection Regulation (GDPR), which came into force in 2018, are becoming increasingly important to the public at large and to individual users.

Our customers are aware of dangers such as data abuse and insufficient data security, and take data privacy factors into account when selecting products. This can also be seen from the large number of customer queries we receive on the latter issue (2020: 1,872; 2019: 1,686(1); 2018: 35,445). Since we aim to enable customers to decide for themselves what happens to their data, protecting personal data is both a basic part of how we see ourselves and a prerequisite for our business. In line with this, our products and services naturally comply with the strict data privacy standards in force in Europe and Germany.

(1) The sharp decline is due to a change in the query. Since 2019, only the adjusted number of data privacy questions from customers has been counted rather than all incoming and outgoing customer questions.

The General Data Protection Regulation (GDPR)

Following the entry into force in May 2018 of the EU’s General Data Protection Regulation and the associated revision of the German Data Protection Act (“Bundesdatenschutzgesetz” – BDSG), companies have to comply with stricter requirements regarding personal data and its processing.

In 2020 – as in the previous year – one key focus of the work performed by United Internet’s data privacy departments was on continuing and consolidating measures associated with the new EU rules and national standards. Although day-to-day operations continued largely to revolve around recurring work, such as maintaining records of processing activities and performing data protection impact assessments for processes that are expected to entail material risks to natural persons’ rights and freedoms, the main thrust of our work was on further expanding our data privacy organization. We also launched additional implementation projects.

Examples include implementing deletion policies, ongoing enhancements to risk management, and the implementation of “cookie layers” to obtain users’ consent to the use of cookies. We also adapted the privacy notices in the various segments.

The implementation of 2020 rulings by the European Court of Justice (ECJ), German courts, and data protection authorities was another focus of our work in the fiscal year. Particularly noteworthy were the decision by the German Supreme Court (BGH) on the need to obtain cookie consents, which followed on from a 2019 ECJ ruling, and a decision by the ECJ on the validity of the Privacy Shield between the EU and the USA on the transfer of personal data to the USA. These rulings gave many enterprises clarity in concrete situations for the first time since the GDPR entered into force, and led to the need to implement associated modifications.

Ensuring Data Privacy at United Internet

  • GRI 418-1

We aim to ensure data privacy throughout the Group and to embed it in our systems and processes. Our data privacy departments ensure compliance with a uniform approach throughout the Group. At an operational level, we have strengthened data privacy by establishing data privacy coordinators and continuing to expand our local organizations. The data protection officers in the segments and the Group Data Protection Officer report to the segment management boards and to United Internet AG’s CFO respectively.

We have embedded data privacy in the enterprise in the following ways:

  • Including data privacy experts in the product development process
    The Data Privacy department and data privacy coordinators serve as internal consultants for data privacy questions that arise, e.g., during product design or development (privacy by design) or when entering into contracts.

  • Comprehensive, easy-to-understand rules
    We help make it easy to comply with data privacy requirements using internal guidelines and processes that make them more understandable and more transparent. Our “Information Security and Data Protection” brochure explains to staff in clear, comprehensible language how to deal responsibly with personal data and information. This includes telling them the basic data privacy rules that they must observe, how to use e-mail and the internet securely, and what to do when there are visitors to the Company.

  • Regular data privacy training helps prevent problems
    We want each and every employee to help ensure that data is only processed lawfully, that it is not lost, and that it does not fall into the wrong hands. We do this by training staff on data privacy requirements, using both face-to-face and e-learning formats. In 2020, we evaluated a new e-learning course on the basics of data protection, which was rolled out in the Consumer Applications and Business Applications segments in the first quarter of 2021. We also held a wide range of training events on data privacy and data security, especially in relation to the GDPR. In addition to basic training for employees and managers, we held classroom-based courses for data privacy coordinators, among other people, along with events that focused specifically on managers’ responsibilities in this area.

  • Regular dialog with the supervisory authorities
    United Internet’s Data Privacy department is in regular contact with the competent supervisory authorities, particularly in relation to customer submissions that the authorities pass on to the Company. We also forward notifications of breaches of GDPR data protection requirements – of which there were 39(1) in 2020 (2019: 86(1); 2018: 49) – to the competent data protection supervisory authorities. The staff in our Data Privacy department also maintain regular contact with the authorities to discuss and liaise on topical data privacy issues.

    (1) Including Consumer Access, Consumer Applications, and Business Applications; excluding independently managed companies. The rise in notifications in 2019 compared to 2018 was due to the GDPR’s strict notification requirements.

  • Complaints procedures ensure effective detection
    Customer questions and complaints about data privacy are handled by trained staff in special data privacy departments in close cooperation with the data protection officers for the areas concerned. We respond internally to any incidents by adapting our guidelines and raising employee awareness, if necessary. In addition, our employees can contact the Compliance and Data Privacy departments in confidence to discuss data privacy issues arising in the course of their work.

  • Effectiveness checks
    The Data Privacy department performs internal ad hoc data privacy checks. In addition, it is involved in ensuring data privacy at service providers, where it performs checks. As a supplementary measure, TÜV Rheinland successfully performed an external data protection audit for 1&1 Mail & Media GmbH and 1&1 Telecommunications SE in 2020.

  • 1&1 Service PIN offers enhanced security
    Customers entrust their data to us for processing. We enhanced our safety standards and introduced our 1&1 Service PIN in the Consumer Access Segment in December 2019 so as to protect this data even better in future. The Service PIN is a personal five-digit code that our customers can access and modify independently in their 1&1 Control Center. During calls, customer service staff ask customers for three digits of the PIN but do not know the entire number. Going forward, the 1&1 Service PIN will become the central means of authentication, replacing the three-factor authentication method previously used. Additional measures to enhance security such as the Support PIN are also being implemented in the Consumer Applications and Business Applications Segments.

  • Cookie layer
    Like almost all websites and apps, 1&1’s applications use cookies – small text files that are stored on a customer’s computer or in their mobile device’s app cache and that allow the application to recognize users it has seen before. As a result of the court rulings by the ECJ in 2019 and the BGH in fiscal year 2020, we worked together with the office of the Rhineland-Palatinate Commissioner for Data Protection and Freedom of Information (LfDI) to revise the cookie settings on the segments’ home pages. The multilevel consent procedure allows visitors to protect their privacy as effectively as possible by determining for themselves what information should be stored.