Data Protection as a Human Right
As the process of digital transformation gains traction, the volume and complexity of the information and the digital footprints that we leave online increase. The need to protect personal data and questions as to whether data processing complies with the General Data Protection Regulation (GDPR), which came into force in 2018, are becoming more and more of an issue with the public at large and with internet users.
We aim to enable customers to decide for themselves what happens to their data, which is why protecting personal data is both part of our DNA and a prerequisite for our business. In line with this, our products and services naturally comply with the strict data privacy standards in force in Europe and Germany. Thus we explicitly acknowledge that data privacy is an inalienable human right and take this into account at all times in our day-to-day business.
Following the entry into force in May 2018 of the European General Data Protection Regulation and the associated revision of the German Data Protection Act (Bundesdatenschutzgesetz – BDSG), companies have to comply with stricter requirements regarding personal data and its processing. The law in this area is in a constant state of flux due to technological progress, new case law, and the issuance of more detailed specifications by the supervisory authorities.
The European Court of Justice (ECJ) judgment in the “Schrems II”(1) case resulted in the requirements governing data transfer to third countries being rewritten, or explained in greater detail, in the course of the fiscal year. As a result, both society in general and the market focused mainly on data transfer outside Europe in 2021. Day in, day out we meet the growing demand for European internet solutions and the increasing responsibility for ensuring that customer data is handled as securely and sustainably as possible. The requirements associated with the legal situation after the Schrems II case are being addressed in Group-wide projects on the topic.
(1) Judgment of the European Court of Justice of July 16, 2020, in case C‑311/18 (ECLI:EU:C:2020:559). Subject matter: Transfers of personal data to third countries for commercial purposes.
In 2021, as in previous fiscal years, the work of the United Internet Group’s data privacy departments focused on the optimization and modification of internal implementation measures arising from European and national data privacy regulations, including supervisory requirements. In parallel to operational data privacy activities (e.g., answering questions from data subjects, providing support for data privacy issues at the product level and ad hoc project work), enhancements to the structure of the data privacy organization were driven forward at high speed. In order to be able to meet future challenges and actively shape a dynamic working environment, the United Internet Group continued its drive to set up organizational responsibilities in its operating divisions. September 2021 saw the appointment of a top-level data privacy officer for the United Internet subsidiary IONOS SE and its relevant domestic and international equity interests. In addition, an independent data privacy department was created and given appropriate responsibilities. IONOS’s expansion of its local data privacy organization and of independent organizational management capabilities follows the example set by other United Internet subsidiaries.
Last but not least, the companies belonging to the United Internet Group were confronted in fiscal year 2021 with legislative measures on how to deal with cookies, and the ECJ and German Federal Court of Justice rulings on the need to obtain consent for these. In December 2021, the German Telecommunications Telemedia Data Protection Act (TTDSG) entered into force. This act makes clear that cookies can only be stored if consent complying with the GDPR has been given. The United Internet Group tracks changes in the legislation and case law on an ongoing basis, so as to evaluate and if necessary modify existing processes. The objective is to allow users of the United Internet Group's websites and web shops to decide for themselves how cookies are to be used. A multilevel consent procedure allows them to protect their privacy as effectively as possible by deciding for themselves which information should be processed.
We aim to ensure compliance with data privacy requirements throughout the Group, and to embed this in our systems, processes, and products. Our local data privacy departments work to ensure that a uniform approach is adopted and a high level of data privacy is maintained throughout the Group. The operating business is supported by a system of data privacy coordinators and managers, and local data privacy organizations. The data privacy officers in the Group segments and the Group Data Privacy Officer report to the segment management boards and to United Internet AG’s CFO respectively.
We have anchored the target of ensuring compliance with data privacy requirements in the Group in the following ways:
(1) Including Consumer Access, Consumer Applications, and Business Applications, excluding independently managed companies.