To strengthen data protection and data security in the Group, Deutsche Telekom regularly subjects its corporate departments to internal controls, audits and certifications carried out by internal and external experts. It plays a pioneering role here: in the telecommunications industry, the certification of individual corporate departments is still the exception.
Deutsche Telekom therefore welcomes the fact that the European legislator has recognized the importance of certifications. Article 42 of the GDPR encourages the establishment of data protection-specific certification mechanisms as well as data protection seals and marks.
Internal controls and audits
Every year, the corporate departments Internal Auditing, Group Privacy and Central Security Management conduct numerous checks and audits on data privacy and data security. Risk-based controls are part of the data privacy compliance management system. For example, these checks examine whether only necessary data is stored (principle of data economy) and whether it is deleted once its purpose has expired. Further audits serve to safeguard the information and network technologies used in the Group. For example, the implementation of authorization, data privacy and security concepts is reviewed throughout the Group to identify any gaps. Such gaps can arise from security deficiencies in software solutions. Once identified, the deficiencies are promptly remedied together with the industry partners concerned.
The findings of these checks and audits support a high level of data privacy and security: they either demonstrate the effectiveness of internal systems and processes or help to identify and remedy weaknesses at an early stage.
Certification is a procedure carried out by external, independent bodies such as TÜV, DEKRA or auditing companies. It attests whether defined requirements for products and services, and for the processes that produce them, including business relationships, people and systems, are met.
In 2014, auditors from Deloitte & Touche audited the effectiveness of Deutsche Telekom's data protection-related Compliance Management System (CMS). The result: all measures described in the CMS are effectively implemented. On September 30, 2014, the auditors confirmed the effectiveness of the CMS for Deutsche Telekom AG, Telekom Deutschland GmbH and its majority holdings, and for T-Systems International GmbH and its majority holdings.
In 2020, the further development of the existing data protection-specific certification activities in the Deutsche Telekom Group was defined as a strategic data privacy goal. To this end, the new certification offerings in the data privacy area were analyzed. On the basis of this market analysis, and in exchange with the responsible supervisory authorities and the accreditation body, Deutsche Telekom developed a modular certification concept. It aims to provide both comprehensive certifications of the data privacy management system (e.g., ISO/IEC 27701) and product-, process- and service-specific certifications in accordance with Art. 42 of the GDPR. Numerous units in the Deutsche Telekom Group are already certified to ISO/IEC 27701:2019, and the central functions are promoting and supporting the roll-out to other interested units. At the same time, the data protection experts continue to monitor and analyze developments in the market for certifications under Art. 42 of the GDPR. The Group is thus further establishing itself as a pioneer in the telecommunications industry with regard to data protection-specific certifications.
Central Security Management and parts of Telekom Deutschland GmbH have been certified in accordance with the international standard ISO/IEC 27001. This confirms compliance with the standard's requirements for an information security management system, covering products, customer interactions and internal processes.
The Open Telekom Cloud, for example, is also certified in accordance with the Trusted Cloud Data Protection Profile for Cloud Services (TCDP). This test standard translates the data protection requirements of the German Federal Data Protection Act into requirements for cloud computing.
Through its participation in the Data Protection Foundation, Deutsche Telekom also actively supports the AUDITOR research project, which, as a successor to the Trusted Cloud project, is currently developing a standard for the data protection certification of cloud services in accordance with the GDPR.