Data Privacy

  • Material topic: Data privacy

Data Privacy as a Human Right

The need to protect personal data and questions as to whether data processing complies with the General Data Protection Regulation (GDPR), which came into force in 2018, have been a focus of concern with the public at large and with internet users in particular for far longer than this year. We aim to enable customers to decide for themselves what happens to their data, which is why protecting personal data is both part of our DNA and a prerequisite for our business. In line with this, we explicitly acknowledge that data privacy is an inalienable human right and have established processes designed to ensure that data privacy rights are taken into account at all times in our day-to-day business.

Infringements of data privacy regulations can be caused by human error and technical weaknesses, among other things. In addition to the risk of being fined, United Internet could lose its customers’ trust. The following instruments are used to combat these risks and hence to ensure data privacy at United Internet.

The General Data Protection Regulation (GDPR) and Data Privacy in Practice

Since the GDPR and the revised version of the German Data Protection Act (Bundesdatenschutzgesetz – BDSG) came into force, companies have had to comply with stricter requirements regarding personal data and its processing. Data privacy law is dominated by a constantly changing mix of technological progress, new case law, and the issuance of more detailed specifications by the supervisory authorities.

The “Schrems II” (1) judgment by the European Court of Justice (ECJ) led to reformulated and more detailed requirements regarding data transfer to third countries. This was the background to the focus in 2022 (as in the previous year) on data transfers outside Europe, which applied both to society as a whole and to the market. Reporting on regulatory measures and court-driven developments, coupled with the expiration of the transition period for standard data protection clauses, posed significant challenges for the data protection community. We work every day to meet the growing demand for European internet solutions and the responsibility for ensuring that customer data is handled securely and sustainably.

In December 2021, the German Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz – TTDSG) entered into force. Among other things, this act makes clear that cookies can only be stored if GDPR-compliant consent has been given. Thanks to the new provisions of the TTDSG, users of the United Internet Group's websites and web shops can specify for themselves how cookies are to be used. A multilevel consent procedure allows them to protect their privacy as effectively as possible by deciding for themselves which information should be processed.

(1) Judgment of the European Court of Justice of July 16, 2020, in case C-311/18 (ECLI:EU:C:2020:559). Subject matter: Transfers of personal data to third countries for commercial purposes.

Ensuring Data Privacy at United Internet

We aim to ensure compliance with data privacy requirements throughout the Group, and to embed this in our systems, processes, and products. Our local data privacy departments work together to ensure compliance with a uniform approach throughout the Group, plus a high level of data privacy.

The United Internet Group continued establishing organizational and operational data privacy responsibilities in its divisions in 2022 so as to be able to meet future challenges and to design privacy-enhancing processes in a dynamic working environment. Data privacy officers have now been appointed in all segments and independent data privacy departments established. These take over full control of data privacy compliance for the segments concerned, and are assisted in implementing data privacy requirements by contacts in the relevant departments. The data privacy officers in the Group segments and the Group Data Privacy Officer report to the segment management boards and to United Internet AG’s CFO respectively.

In 2022, as in previous fiscal years, the work of the United Internet Group’s data privacy departments focused on optimizing and modifying internal implementation measures arising from European and national data privacy regulations, plus supervisory requirements.

We have anchored the target of ensuring compliance with data privacy requirements in the Group in the following ways: 

  • Data privacy expertise integrated in the product development process
    The data privacy departments and data privacy coordinators serve as internal consultants for data privacy questions that arise, for example, during product design or development (“privacy by design” or “privacy by default”) or in relation to contractual agreements.

  • Comprehensive, easy-to-understand rulebooks
    We help ensure compliance with data privacy requirements and best practices by providing internal guidelines and processes that make these more understandable and more transparent. This includes specifying the basic data privacy rules to be observed, how to use e-mail and the internet securely, and what to do in the case of external visitors to the Company’s locations.

  • Prevention through regular data privacy training
    We want each and every employee to help ensure that personal data is processed lawfully and in particular that sensitive information does not fall into the wrong hands. We do this by regularly training staff on basic data privacy requirements using face-to-face and/or e-learning formats. Since the end of 2021, the United Internet Group has had a fully redesigned data privacy e-learning course, replacing the e-learning course used in previous years. Advanced training events on data privacy and data security are also held at regular intervals. For example, a regular drill-down event is held above and beyond the entry-level and advanced training for employees and/or managers; this teaches managers their roles and the principles behind their responsibilities as regards data privacy and data privacy compliance.

  • GRI 418-1

  • Contact with supervisory authorities
    United Internet’s data privacy departments are in regular contact with the competent data protection supervisory authorities; this applies in particular to handling customer submissions that have been passed on by the authorities. We also forward notifications of breaches of GDPR requirements – of which there were 36 in 2022 (1) (2021: 78; 2020: 39) (2) – to the competent data protection supervisory authorities.

    (1) Including Consumer Access, Business Access, Consumer Applications, and Business Applications; excluding independently managed companies.

    (2) Including Consumer Access, Consumer Applications, and Business Applications; excluding independently managed companies.

  • Complaints mechanisms for effective detection
    Customer questions and complaints about data privacy are handled by trained staff in special data privacy teams in the Complaints Management department, who work in close cooperation with the specialist data privacy departments for the Group companies concerned. In addition, our employees can contact the data privacy departments in confidence at any time to discuss data privacy issues arising in the course of their day-to-day work.

  • Effectiveness monitored using checks
    The United Internet Group’s data privacy departments are able and authorized to perform internal data privacy checks at any time. In addition, independent audit organizations are commissioned to perform external, objective data privacy audits in order to identify internal potential for improvement. The data privacy departments are also involved in the measures taken to check service providers and subcontractors.

    As part of its risk-driven audit approach, Internal Audit regularly assesses all subgroups to determine whether the data protection requirements have been implemented appropriately and whether the internal control system is appropriate overall. External experts are consulted as necessary to conduct inspections and reviews under the supervision of Internal Audit. Internal Audit then monitors the implementation of the measures derived from this.

  • Technical safeguards enhance data privacy
    Customers trust us with their personal data. We protect this by constantly enhancing and improving the security standards that we have implemented. For example, the 1&1 Service PIN was introduced in the Consumer Access segment in December 2019. This is a personal five-digit code that customers can access and modify independently in their 1&1 Control Center. If customers make contact by phone, customer service staff compare three digits of the PIN as part of the authentication procedure. The 1&1 Service PIN replaced the three-factor authentication method previously used as the main means of authentication. Security measures such as a support PIN and two-factor authentication are also being implemented in the Consumer Applications and Business Applications segments, or are available to customers as an individual configuration option if needed.