Corporate Governance and Responsible Business Practices

Information Management and Data Protection

Information and its management are an important part of our commercial success. Our information comes from a number of different areas – from marketing through to customer services, development and finance. Data security and protection is particularly important for us. We adhere strictly to the applicable laws governing the protection and security of personal data. We have also developed other measures, including a uniform Group-wide rule book on data protection and privacy, information security and the internal control system, and a cyber security system to protect company-related data. These are strengthened by clear responsibilities and contact persons for all relevant areas of the Group. In addition to our data protection officer, we also have data protection coordinators in all departments in Germany and Austria and conduct regular training on data protection and privacy for our employees.

Elements of the system for the protection of company-related data:

• Definition of a fundamental level of information protection to protect the company’s assets and image; information security policy to ensure compliance with statutory requirements and the related tasks
• Establishment of an IT security administrator with responsibility for achieving the IT security targets and for direct reporting to the Chief Information Officer (CIO)
• Companies and specialist departments are responsible for security risks relating to information and data that is predominantly created, collected, used or processed within their sphere of responsibility
• Management of the process with IT systems
• Raising employee awareness as a prerequisite for information security
• In 2020 we also introduced Risk2Value, a risk management tool that helps us to meet our statutory data protection obligations.