Data Privacy

Data Protection as a Human Right

  • NfS: Respect for Human Rights and Customer-related Matters/Protection of Customer Privacy
  • GRI 418

As the process of digital transformation gains traction, the volume and complexity of the information and the digital footprints that we leave online increase. The need to protect personal data and questions as to whether data processing complies with the General Data Protection Regulation (GDPR), which came into force in 2018, are becoming more and more of an issue with the public at large and with internet users.

We aim to enable customers to decide for themselves what happens to their data, which is why protecting personal data is both part of our DNA and a prerequisite for our business. In line with this, our products and services naturally comply with the strict data privacy standards in force in Europe and Germany. Thus we explicitly acknowledge that data privacy is an inalienable human right and take this into account at all times in our day-to-day business.

The General Data Protection Regulation (GDPR) and Data Privacy in Practice

Following the entry into force in May 2018 of the European General Data Protection Regulation and the associated revision of the German Data Protection Act (Bundesdatenschutzgesetz – BDSG), companies have to comply with stricter requirements regarding personal data and its processing. The law in this area is in a constant state of flux due to technological progress, new case law, and the issuance of more detailed specifications by the supervisory authorities.

The European Court of Justice (ECJ) judgment in the “Schrems II”(1) case resulted in the requirements governing data transfer to third countries being rewritten, or explained in greater detail, in the course of the fiscal year. As a result, both society in general and the market focused mainly on data transfer outside Europe in 2021. Day in, day out we meet the growing demand for European internet solutions and the increasing responsibility for ensuring that customer data is handled as securely and sustainably as possible. The requirements associated with the legal situation after the Schrems II case are being addressed in Group-wide projects on the topic.

(1) Judgment of the European Court of Justice of July 16, 2020, in case C‑311/18 (ECLI:EU:C:2020:559). Subject matter: Transfers of personal data to third countries for commercial purposes.

In 2021, as in previous fiscal years, the work of the United Internet Group’s data privacy departments focused on the optimization and modification of internal implementation measures arising from European and national data privacy regulations, including supervisory requirements. In parallel to operational data privacy activities (e.g., answering questions from data subjects, providing support for data privacy issues at the product level, and ad hoc project work), enhancements to the structure of the data privacy organization were driven forward at high speed. In order to be able to meet future challenges and actively shape a dynamic working environment, the United Internet Group continued its drive to set up organizational responsibilities in its operating divisions. September 2021 saw the appointment of a top-level data privacy officer for the United Internet subsidiary IONOS SE and its relevant domestic and international equity interests. In addition, an independent data privacy department was created and given appropriate responsibilities. IONOS’s expansion of its local data privacy organization and of independent organizational management capabilities follows the example set by other United Internet subsidiaries.

Last but not least, the companies belonging to the United Internet Group were confronted in fiscal year 2021 with legislative measures on how to deal with cookies, and the ECJ and German Federal Court of Justice rulings on the need to obtain consent for these. In December 2021, the German Telecommunications Telemedia Data Protection Act (TTDSG) entered into force. This act makes clear that cookies can only be stored if consent complying with the GDPR has been given. The United Internet Group tracks changes in the legislation and case law on an ongoing basis, so as to evaluate and if necessary modify existing processes. The objective is to allow users of the United Internet Group’s websites and web shops to determine for themselves how cookies are to be used. A multilevel consent procedure allows them to protect their privacy as effectively as possible by deciding for themselves the information that should be processed.

Ensuring Data Privacy at United Internet

  • NfS: Policies Pursued

We aim to ensure compliance with data privacy requirements throughout the Group, and to embed this in our systems, processes, and products. Our local data privacy departments work to ensure that a uniform approach is adopted throughout the Group and that a high level of data privacy is maintained. The operating business is supported by a system of data privacy coordinators and managers, and local data privacy organizations. The data privacy officers in the Group segments and the Group Data Privacy Officer report to the segment management boards and to United Internet AG’s CFO respectively.

We have anchored the target of ensuring compliance with data privacy requirements in the Group in the following ways:

  • Integration of data privacy expertise with the product development process
    The data privacy departments and data privacy coordinators serve as internal consultants for data privacy questions that arise for example during product design or development (“privacy by design” or “privacy by default”) or in the context of contractual agreements.

  • Comprehensive, easy-to-understand rules
    We assist compliance with data privacy requirements and best practices using internal guidelines and processes that make these more understandable and more transparent. Our “Information Security and Data Privacy” brochure explains to staff in a clear, comprehensible manner how to deal responsibly with personal data and information. This includes telling them the basic data privacy rules that they must observe, how to use e-mail and the internet securely, and what to do in the case of external visitors to the Company’s locations.

  • Regular data privacy training to help prevent problems
    We want each and every employee to help ensure that personal data is processed lawfully and to ensure in particular that sensitive information does not fall into the wrong hands. We do this by regularly training staff on basic data privacy requirements using face-to-face and/or e-learning formats. Since the end of 2021, the United Internet Group has had a fully redesigned data privacy e-learning course, replacing the e-learning course used in previous years. Advanced training events on data privacy and data security are also held at regular intervals.

    In addition to entry-level and advanced training for employees and/or managers, a regular drill-down event is held that teaches managers their roles and the principles behind their responsibilities as regards data privacy and compliance with it.

    • NfS: Nonfinancial Key Performance Indicators
    • GRI 418-1

  • Contact with the supervisory authorities
    United Internet’s Data Privacy department is in regular contact with the competent data protection supervisory authorities, particularly in relation to processing customer submissions that the authorities pass on to the Company. We also forward notifications of breaches of GDPR requirements – of which there were 50 in 2021 (2020: 39; 2019: 86)(1) – to the competent data protection supervisory authorities.

    (1) Including Consumer Access, Consumer Applications, and Business Applications, excluding independently managed companies.

  • Complaints procedures ensure effective detection
    Customer questions and complaints about data privacy are handled by trained staff in special data privacy teams in the Complaints Management department, who work in close cooperation with the specialist data privacy departments for the Group companies concerned. We respond to conspicuous events by, for example, adapting our guidelines and raising awareness among the employees involved. In addition, our employees can contact the data privacy departments at any time in confidence to discuss data privacy issues arising in the course of their day-to-day work.

  • Effectiveness checks
    The United Internet Group’s data privacy departments are in a position and authorized to perform internal data privacy checks at any time. In addition, independent audit organizations are commissioned to perform external, objective data privacy audits in order to identify internal potential for improvement. Moreover, the data privacy departments are involved in the measures taken to check service providers and subcontractors.

  • Greater data privacy through technical safeguards
    Customers trust us with their personal data, and the security standards that we have implemented are constantly enhanced and improved in order to protect it. For example, the 1&1 Service PIN was introduced in the Consumer Access segment in December 2019. This is a personal five-digit code that customers can access and modify independently in their 1&1 Control Center. If customers make contact by phone, customer service staff compare three digits of the PIN as part of the authentication procedure. The 1&1 Service PIN replaced the three-factor authentication method previously used as the main means of authentication. Security measures such as a support PIN and two-factor authentication are also being implemented in the Consumer Applications and Business Applications segments, or are available to customers as an individual configuration option if needed.