Actions for End-users and Users

This chapter covers the various concrete actions addressed to United Internet customers. These range from digital security and consumer protection, through enabling digital participation, to customer service and facilitating fact-based opinion-forming.

Information Security for Digital Security and Consumer Protection

As a data processing company, United Internet has a high level of social responsibility when it comes to protecting the data transferred to it and hence safeguarding customers from detrimental effects. Customer trust in the information security measures taken is the bedrock of their willingness to entrust United Internet with their information in the form of digital data such as photos, documents, and e-mails.

Expanding Internet Security

United Internet’s goal is to protect customer information against unauthorized access and misuse. The individual segments’ security strategies aim to achieve the protective goals of data confidentiality, availability, and integrity throughout the Group. Security management in the segments is based on highly targeted technical and organizational measures. These are derived from the security guideline requirements, which in turn are based on a variety of criteria. Sources include international standards, especially ISO 27001, as well as legislation such as the German Telecommunications Act (TKG), the European NIS2 Directive, and the German BSI Act (BSI-Gesetz – BSIG).

See the European NIS2 Directive.
See the BSI Act: Federal Office for Information Security.

The measures taken to protect the product landscape against unauthorized access and misuse are constantly upgraded. United Internet’s information security management system (ISMS) is based on international standards such as ISO 27001, the BSI IT-Grundschutz compendium from Germany’s Federal Office for Information Security (BSI), and BSI C5.

See ISO 27001 Certification.

Building on these standards, United Internet assesses whether an appropriate, risk-based, effective approach to information security challenges exists – from security management down to implementation of the security requirements in the operating security units. In addition, planning and achieving information security objectives is a key part of implementing and maintaining the ISMS.

Management Using the Information Security Management System (ISMS)

All of the segments have an ISMS. In line with the individual segments’ business strategies, the ISMS in the Consumer Access, Consumer Applications, and Business Applications segments is managed by United Internet’s Group Information Security Officer (GISO) and the Segment Information Security Officers (SISOs). In the case of the Business Access segment, this task is performed by the Head of Information Security Management. A guidelines management policy is also used. The SISOs are responsible for information security risk management. In addition, they develop security instructions and employee training courses, and are responsible for communication with public authorities, e.g., in the case of reportable security incidents.

The Technical Security & Abuse Management department is responsible for providing advice on security architectures and applications, systems, and network security. It trains employees how to ensure secure development and operations, performs security tests, and deals with potential security incidents together with other departments. The department also develops and operates systems that are used in abuse management processes. These processes ensure that support is provided to customers in security incidents for which they themselves are responsible, helping them to use United Internet’s products securely again.

The SISOs perform segment-specific Telecommunications Security Officer roles, e.g., under the TKG. They report regularly to the Chief Technology Officers for their segments. Reporting covers the information security risk portfolio, any relevant security incidents that have occurred, the specific measures taken, the results of security audits, and key security trends. Internal security architecture experts support the GISO and the SISOs in designing and implementing comprehensive, cross-segment security improvements. Senior management at the Business Access Segment is ultimately responsible for information security there. It commissions the Head of Information Security Management and his department, plus the organizations supporting them, to operate and continuously improve the ISMS. In this way, United Internet establishes structured, targeted security management.

In the Business Access segment, United Internet has organized information security in keeping with the Three-Lines-of-Defense (TLoD) model. Information Security Management represents the second line of defense under this model. Among other things, the department develops and adopts policies and work instructions that serve as the basis for operational security measures, requirements, and activities. These are then implemented by the staff responsible in the various departments, the first line of defense. A Security Operations Center works 24 x 7 to identify, counter, and remedy security attacks. The Head of Information Security is also the Business Access Segment’s Telecommunications Security Officer under the TKG and reports regularly to the management board.

Information Protection Measures

The BSI reports an ongoing high threat level in cyberspace. In addition to offering telecommunications technology, United Internet uses information technology to provide services relating to business processes whose availability and proper functioning could be endangered by threats from the internet or from internal sources. In addition to availability risk, there is a risk that hack attacks could, for example, result in customer data being read, deleted, or misused. Potential threats from the internet represent one of the largest risk clusters facing United Internet, measured in terms of their impact. Vulnerabilities could have far-reaching consequences for customers. United Internet has taken the technical and organizational security measures described below, among others, to contain such risks. No sanctions in the form of fines were imposed on United Internet in the 2024 fiscal year for security violations or other security-related incidents.

Technical Measures

  • Secure software development: The best protection against vulnerabilities is to prevent them arising in the first place. All segments use various maturity levels of the Secure Software Development Life Cycle (SSDLC), the methodology for which incorporates security in the software development process right from the start. Integral components of product development include actions such as threat analyses, dual control source code reviews, automated checks, developer documentation, and application tests, among other things. As the use of agile development methods and new technical platforms spreads, the SSDLC is being continuously expanded to include software dependency analyses up to and including secure (software) containerization.

  • Global distributed DDoS shield: Distributed denial of service attacks (DDoSs) are concerted internet attacks originating from multiple sources that are designed to reduce the availability of services. The Group works together with partners to protect United Internet against these attacks using an internally developed global DDoS shield, which is optimized continually and which is deployed in the Consumer Access, Consumer Applications, and Business Applications segments. An internal team of experts is entrusted with continuous improvement of the DDoS mitigation platforms and with maintaining a constant high level of security. The Business Access segment uses a DDoS product from an external provider.

  • Systematic use of encryption – Transport Layer Security (TLS): TLS is used throughout United Internet for encrypted customer data transfer. In addition, the Group makes TLS functionality available to customers so as to protect their data traffic, e.g., when entering passwords or payment information. United Internet bases the strength of its encryption on recognized international authorities such as the U.S. National Institute of Standards and Technology (NIST) or Germany’s BSI.

  • Georedundancy: United Internet operates data centers in multiple, geographically discrete locations in Europe and the U.S.A. This allows the Company to store and back up information at a variety of different locations and minimize the risk of business interruptions and data losses caused by external factors.

  • Certification of Company data centers: United Internet ensures that it can offer customers the highest possible security standards by having its own data centers certified. These include the data centers belonging to the Business Applications Segment, the data centers and technical spaces in the Business Access Segment that are within the scope of certification, and some system operations at Customer Support, all of which are certified in accordance with ISO 27001 and BSI IT-Grundschutz. Other security certifications are obtained for areas above and beyond the data centers; these include the IT-Grundschutz or BSI C5 (cloud security) certifications recognized in Germany, plus international standards such as PCI DSS (in the area of electronic payment systems). In addition, business continuity management (BCM) in the Business Customers area is constantly enhanced.

Organizational Measures

  • Information security training for staff: Above and beyond United Internet’s technology, humans are an important and ever-present aspect of its security chain. Basic and refresher training taking the form of e-learning courses is used to provide employees with information on security issues. This mandatory e-learning must be repeated every two years. Classroom training is also offered for knowledge-building.

  • Information security rules: United Internet provides employees with a comprehensive rulebook to serve as a guide in all areas of information security. The mandatory Information Security Policy serves as the formal basis for this within the Group. This rulebook is continually enhanced and updated at segment level so as to reflect up-to-the-minute technological challenges. It is disseminated using a variety of different communications channels, depending on the target groups concerned. In addition to the training courses that have already been mentioned, tips and tricks and explanations of the rules for key employee roles are available on the intranet. The regular introductory event, security training, and the intranet also provide information on contact points to which staff must report potential security incidents, or suspicions of such events, without undue delay. This reporting obligation encompasses events in which applicable rules are being breached or that could otherwise pose a danger to the Group.

  • Security audits: Product, process, and system audits are performed in order to ensure the effectiveness of the ISMSs in the segments. They are supplemented by checks performed by the departments themselves and by additional audits. These audits, which are often commissioned externally, are supported by the local security organization. One increasingly common tool here is maturity models. Maturity models offer an efficient way of planning effort-intensive, in-depth audits more effectively. They allow audits to be planned for those places in which they will support maturation most effectively. In particular, the technical departments that are responsible for customer data use a security maturity model developed by Information Security. As a result, they benefit from a clear assessment of how they are developing. The model also provides a way of ensuring independent, focused, and comparable progress.

  • Continuous monitoring: The various IT systems are monitored continuously in order to discover any data vulnerabilities as quickly as possible. In addition to local monitoring, the Security Incident and Event Management System (SIEM), which has been customized internally and which was migrated in fiscal year 2024 to a more modern platform, permits any incidents to be captured and can trigger appropriate responses. The time taken to distinguish between security-related incidents (e.g., attacks) and incidents that are not security-related (e.g., interruptions to power circuits) is measured to facilitate continuous improvement. The response times from the point at which notification of a problem is received to its resolution are also logged. In addition, United Internet has defined internal targets for certain protective goals, such as data availability.

Security Incident Handling

All business segments have defined standardized processes for handling security incidents in compliance with standards such as ISO 27001. Once a significant incident is detected, a trained incident manager takes responsibility for its resolution. Where necessary, he or she also consults the Security Team or external consultants.

When integrating acquired companies, United Internet reviews the existing technical and organizational information security measures both before the combination and at key points in the subsequent integration process.¹ A maturity analysis based on international standards is used for this. The level of maturity established in this way is supplemented by a risk assessment complete with recommended actions. A range of integration measures are then adopted and implemented, depending on the results and the business strategy. The segments’ security organizations assess the maturity level and the measures to be taken, and determine whether it makes sense to integrate the acquired company with United Internet’s ISMS. The goal is to establish and maintain an appropriate, Group-wide security standard.

¹ This process does not apply to the Business Access Segment.

Data Privacy

United Internet ensures that personal data is protected, and checks the admissibility of processing personal data, in line with the European GDPR and the national regulations applicable in the countries in which it operates. This is not merely a compliance requirement but is also in United Internet’s own interests. This is because the lawful, secure, and responsible handling of personal data, especially in relation to internet use, is always in the public eye. In particular, United Internet’s customers trust it with the data for their roughly 29 million fee-based customer contracts and roughly 39 million ad-financed free accounts worldwide. That is why guaranteeing strict security and systematically protecting customer data are part of the Company’s DNA. Data privacy and information security at United Internet are aligned in all cases with the current requirements of, and strict standards applicable to, data protection in Europe and Germany.

Protecting personal data is a central part of United Internet’s core philosophy, enabling it both to meet its own standards and to let customers decide for themselves what happens to their data. At the same time, this protection is one of the foundations of the Company’s business. United Internet explicitly acknowledges that data privacy is an inalienable basic right and has established processes designed to ensure that data privacy rights are taken into account at all times in its day-to-day business. Infringements of data privacy rules can be caused by human error or technical vulnerabilities, among other things. Such incidents could lead to United Internet losing its customers’ trust.

In line with this, the goal of United Internet’s data privacy actions is to ensure compliance with data privacy requirements throughout the Group, and to embed this in its systems, processes, and products. In practice, this means tracking developments at the legislative level, in case law, and in supervisory practice, plus monitoring technological risks and threat scenarios, and continuously adapting the data privacy management system on this basis. The segments have created their own individual data privacy organizations, guidelines, and processes for this. They have established their own data privacy units and appointed data protection officers. Other data protection roles have been established where they are needed to implement the data privacy goals, bearing in mind the individual segment involved, its size, and the risks involved.

United Internet uses the following tools to ensure compliance with data privacy requirements in the Group:

  • Embedding data privacy expertise in the product development process: The data privacy departments and data privacy coordinators serve as internal consultants for data privacy questions that arise, for example, during product design or development (“privacy by design” or “privacy by default”) or in relation to contractual agreements.

  • Comprehensive, easy-to-understand rules: United Internet’s internal policies facilitate compliance with data privacy requirements and best practices. Among other things, they specify the basic data privacy rules that must be observed, how to use e-mail and the internet securely, and what to do in the case of external visitors to the Company’s locations.

  • Prevention through regular data privacy training: United Internet wants each and every employee to help ensure that personal data is processed lawfully and in particular that sensitive information does not fall into the wrong hands. Regular employee training courses are held to achieve this.

  • Contact with supervisory authorities: United Internet’s data privacy departments are in regular contact with the competent data protection supervisory authorities, in particular so as to process customer concerns that have been passed on by the authorities. Set reporting and review processes have been defined for data privacy incidents. Where an obligation to report them exists, they are reported to the supervisory authorities. A total of 27 reports were submitted to the competent data protection supervisory authorities in fiscal year 2024.

  • Effective detection through complaints procedures: Customer questions and complaints about data privacy are handled by trained staff in special data privacy teams, who work in close cooperation with the specialist data privacy units in the segments concerned. In addition, employees can contact the data privacy units or their data protection officer in confidence at any time to discuss data privacy issues arising in the course of their day-to-day work.

  • Checks for monitoring effectiveness: United Internet’s data privacy units are able and authorized to perform internal data privacy checks at any time. In addition, independent audit organizations can be commissioned as needed to perform external, objective data privacy audits in order to identify internal potential for improvement. The data privacy units are also entitled to check service providers and subcontractors in the course of their controls.

  • Greater data privacy through continuous enhancement of technical and organizational safeguards: Customers entrust United Internet with their personal data. The segment security standards that have been implemented are constantly enhanced and improved to ensure that this data can be protected.

Compliance with Youth Protection Requirements

United Internet supports youth protection and educating children and young people on how to behave on the internet. The internet is a key part of children and young people’s everyday lives and is used for communication, researching for school, and entertainment alike. However, in many cases they are not media-literate or experienced enough to deal with unfamiliar life issues or inappropriate content that they discover there. This means that they have difficulty in assessing risks and therefore cannot adequately protect themselves. Developmentally appropriate actions and education on possible dangers and risks are therefore needed. This is the only way in which United Internet can guarantee adequate protection for children and young people and hence enable them to navigate the internet safely and in an age-appropriate manner.

United Internet ensures that both its own products and services and its partner offerings comply with the legal requirements for youth protection. Internal reviews are performed during product development and product launches, and any necessary modifications are made. This enables United Internet to ensure that children and young people are not confronted with inappropriate content. In addition, care is taken to ensure compliance with youth protection legislation for both advertising and editorial content. United Internet finds the right balance between providing a comprehensive range of information and protecting children and young people by, for example, managing the way in which information is presented and the times at which it is transmitted.

See the General Guidelines on the United Internet Media website.

The segments have appointed youth protection officers who act as contacts for youth protection issues and advise the various departments and functions internally. They also act as the central contacts for external stakeholders, liaise regularly with other youth protection officers, and represent United Internet in its dealings with associations and supervisory authorities. An additional youth protection officer was appointed during fiscal year 2024, and each officer’s responsibilities were focused on one segment, to the extent that this topic is relevant for the business model concerned. In addition, youth protection e-mail mailboxes have been set up for United Internet’s portals; the details are given in the legal notices and youth protection sections of the sites concerned. These mailboxes allow people outside the organization to contact the youth protection officers with questions or complaints.

Above and beyond this contact information, the portals’ youth protection sections¹ provide information and tips and tricks designed to educate children, young people, and their parents, and to improve their media literacy. The material provided includes links to youth protection programs and information about counseling services and contacts for specific topics and problems associated with internet usage.

The Consumer Applications Segment ensures that the advertising environments on the WEB.DE and GMX portals are serious and trustworthy, in particular by implementing youth protection measures such as not targeting minors. Advertising for alcohol, tobacco, and erotica is highly restricted. Guidelines forbid advertising that is directed against equality or diversity. Advertising that defames social groups, that contains unconstitutional, subversive, sexist, or racist material, or that glorifies violence or war is also prohibited.

¹ The Consumer Access Segment does not have a youth protection section, but it does have a youth protection officer.