Data Privacy

Protecting personal data and questions relating to the admissibility of processing personal data under the General Data Protection Regulation (GDPR) and the national legislation applicable in the countries in which the United   Internet Group does business are more than just compliance requirements: they are also in United   Internet’s own interests.

This is because the lawful, secure, and responsible handling of personal data, especially in relation to internet use, is always in the public eye.

Specifically, United Internet’s customers trust it with the data relating to over 28 million fee-based customer contracts and roughly 40 million ad-financed free accounts worldwide. That is why guaranteeing strict security and systematically protecting customer data are part of the Group’s DNA. Data privacy and information security at United Internet are aligned in all cases with the current requirements of, and strict standards applicable to, data protection in Europe and Germany.

Privacy – A Universal Human Right

United Internet aims to enable customers to decide for themselves what happens to their data, which is why protecting personal data is both part of its DNA and a prerequisite for its business. The Group explicitly accepts that data privacy is an inalienable basic right and has established processes designed to ensure that data privacy rights are taken into account at all times in its day-to-day business.

Infringements of data privacy rules can be caused by human error or technical vulnerabilities, among other things. In addition to the risk of being fined, United Internet could lose its customers’ trust. The following instruments are deployed to ensure data privacy at United   Internet and to combat risks effectively.

Ensuring Data Privacy at United Internet

United Internet’s goal is to ensure compliance with data privacy requirements throughout the Group, and to embed this in its systems, processes, and products.

In practice, this means monitoring developments at the legislative level, in case law, and in supervisory practice along with monitoring technological risks and threat scenarios, and adapting the data privacy management system to reflect current developments. The Group companies have created and maintain data privacy organizations, policies, and processes that are appropriate to the size of their business areas and the risks involved. The divisions have established their own data privacy areas and appointed data protection officers. Other data protection roles are created to the extent that this is necessary to implement the data privacy goals, bearing in mind the business area, its size, and the risks involved in each case.

The target of ensuring compliance with data privacy requirements was embedded in the Group in the following ways:

• Embedding data privacy expertise in the product development process
  The data privacy departments and data privacy coordinators serve as internal consultants for data privacy questions that arise, for example, during product design or development (“privacy by design” or “privacy by default”) or in relation to contractual agreements.


• Comprehensive, easy-to-understand rules
  United Internet’s internal policies and processes facilitate compliance with data privacy requirements and best practices. Among other things, they specify the basic data privacy rules to be observed, how to use e-mail and the internet securely, and what to do in the case of external visitors to the Company’s locations.


• Regular data privacy training aids prevention
  United Internet wants each and every employee to help ensure that personal data is processed lawfully and in particular that sensitive information does not fall into the wrong hands. To achieve this, it hold regular employee training courses.

• Contact to the supervisory authorities
  The United Internet Group’s data privacy departments are in regular contact with the competent data protection supervisory authorities; this applies in particular to dealing with customer concerns that have been passed on by the authorities. Set reporting and review processes have been defined for data privacy incidents. Where an obligation to report them exists, they are reported to the supervisory authorities. A total of 25 reports (2022: 36) ⁽¹⁾ were made to the competent data protection supervisory authorities in 2023.
  
  

  (1) Including Consumer Access, Business Access, Consumer Applications, and Business Applications. The data for the Business Applications segments only contains reports by IONOS SE.



• Complaints procedures aid effective detection
  Customer questions and complaints about data privacy are handled by trained staff in special data privacy teams, who work in close cooperation with the specialist data privacy units in the Group companies concerned. In addition, employees can contact the data privacy units or their data protection officer in confidence at any time to discuss data privacy issues arising in the course of their day-to-day work.


• Checks to monitor effectiveness
  The United Internet Group’s data privacy units are able and authorized to perform internal data privacy checks at any time. In addition, independent audit organizations can be commissioned as needed to perform external, objective data privacy audits in order to identify internal potential for improvement. The data privacy units are also entitled to check service providers and subcontractors in the course of their controls.


• Technical safeguards enhance data privacy
  Customers trust United Internet with their personal data. The security standards that have been implemented at Group companies are constantly enhanced and improved to ensure that this data is protected.