In order to strengthen data protection and data security in the Group, Deutsche Telekom regularly implements appropriate internal controls, audits and certifications of corporate departments. For this purpose, the company uses a system of controls, audits and certifications by external and internal experts. It plays a pioneering role here: in the telecommunications industry, certification of individual corporate departments is still the exception.
Deutsche Telekom therefore welcomes the fact that the European legislator has recognized the importance of certifications. In Article 42 of the GDPR, it calls for the introduction of data protection-specific certification procedures as well as data protection seals and data protection certification marks.
Internal controls and audits
Every year, the corporate departments Internal Auditing, Group Privacy and Central Security Management conduct numerous checks and audits on data privacy and data security. Risk-based controls are part of the data privacy compliance management system. For example, these checks examine whether only necessary data is stored (principle of data economy) and whether it is also deleted once its purpose has expired. Further audits serve to safeguard the information and network technologies used in the Group. For example, the implementation of authorization, data privacy and security concepts is reviewed throughout the Group to identify any gaps. Such gaps can arise from security deficiencies in software solutions. Once identified, the deficiencies are promptly eliminated together with the industry partners.
The results of the various checks and audits ensure a high level of data privacy and security. They either demonstrate the effectiveness of internal systems and processes or help to identify and remedy any weaknesses at an early stage.
Certification is a procedure used by external, independent bodies such as TÜV, DEKRA or auditing companies. It proves whether certain requirements for products and services and their respective manufacturing processes, including trade relations, people and systems, are met.
In 2014, auditors from Deloitte & Touche audited the effectiveness of Deutsche Telekom's data protection-related Compliance Management System (CMS). The result: All measures described in the CMS are effectively implemented. On September 30, 2014, the auditors of Deutsche Telekom AG, Telekom Deutschland GmbH, and its majority holdings, along with T-Systems International GmbH and its majority holdings, confirmed the effectiveness of the CMS.
In 2020, a further development of the existing data protection-specific certification activities in the Deutsche Telekom Group was defined as a strategic goal for data protection. For this purpose, the new certification offerings in the data protection area were analyzed. Based on this market analysis, and in an exchange of information with the responsible supervisory authorities and the accreditation body, Telekom has developed a modular certification concept that aims to provide both comprehensive certification of the privacy information management system (ISO 27701) and product-, process- and service-specific certification in accordance with Art. 42 DS-GVO within Deutsche Telekom. The Group is thus once again establishing itself as a pioneer in the telecommunications industry in the context of data protection-specific certifications.
The billing process is also certified. Telekom Deutschland GmbH was one of the first telecommunications companies to have its entire billing process for fixed-line services audited and certified several times by independent TÜViT experts. The process involves collecting and processing all data that millions of customers generate every day when making calls via Deutsche Telekom's fixed network. Deutsche Telekom is in close contact with TÜViT regarding a possible future transfer of the certificate to a certification scheme according to Art. 42 DS-GVO.
The central security management system and parts of Telekom Deutschland GmbH have been awarded certification in accordance with the international standard ISO 27001. This confirms compliance with specifications for security in information management systems, in products, customer interactions and internal processes.
The Open Telekom Cloud, for example, is also certified in accordance with the Trusted Cloud Data Protection Profile for Cloud Services (TCDP). This test standard complies with the data protection requirements of the German Federal Data Protection Act for cloud computing.
Through its participation in the Data Protection Foundation, Deutsche Telekom also actively supports the AUDITOR research project, which is currently developing a standard for the data protection certification of cloud services in accordance with the GDPR as a successor project to the Trusted Cloud project.