Corporate Responsibility

Laws and corporate rules

To ensure the protection and safety of natural and legal persons, data privacy and security matters are subject to stringent legal guidelines worldwide. In its role as a telecommunications company, Deutsche Telekom is especially committed to compliance with various laws and regulations.

  • The General Data Protection Regulation (GDPR),
    entered into force on 25 May 2016 and will be directly applicable in all member states of the European Union without transposition into national law from 25 May 2018.
  • The Federal Data Protection Act (BDSG) coming into force on 25 May 2018,
    together with the (partly still to be adopted) data protection laws of the federal states and other sector-specific regulations on data protection in the cases in which the GDPR offers so-called "opening clauses".

They are specifically regulated by

  • Telecommunications Act (TKG)
    The TKG is the framework directive for telecommunications networks and services. It regulates the telecommunications market and is committed, among other things, to public and customer protection.
  • Telecommunications Interception Ordinance (TKÜV) 
    The TKÜV is based on the TKG and regulates concrete obligations for the technical and organisational implementation of measures for interception of telecommunications.
  • Telemedia Act (TMG)
    The TMG regulates the legal framework for electronic communication and information services offered by means of telecommunication systems, in particular Internet services in Germany. It is one of the central provisions of Internet law.

Within the Deutsche Telekom Group, data protection and data security are subject to

  • the Binding Corporate Rules Privacy (BCRP)
    The BCRP form the Group-wide internal data protection regulations. They are the central national and international basis for the handling of data, in particular the transmission of customer and employee data within the Group. The BCRP are a new version of the Privacy Code of Conduct, which has been uniformly regulating internal requirements for the handling of personal data worldwide since 2004.
  • the group policy on organization of data privacy
    This defines the governance and implementation functions for data protection in the German Group companies. It implements roles to assume responsibility for data processing in the Group companies.
  • the group policy on general security
    The Group guideline on security contains the main security-relevant principles of the Group.

These Group guidelines set binding standards based on the international ISO 27001 standard to ensure an adequately high and consistent level of security and data protection within the Group.

The General Data Protection Regulation states that personal data may be processed in a country outside the European Union (so-called third country), in particular if appropriate guarantees are provided for an adequate level of data protection. As such, Deutsche Telekom Group uses the standard data protection clauses recognized by the European Commission or our Binding Corporate Rules Privacy for data transmission within the Group.