Ms Schröder, you work with Group Data Protection. Does your profession influence the way you use the internet privately?
Yes, actually it does. I don't always read all the cookie and privacy notices in detail either, but I pay a little more attention to the selection of providers, for example. Where possible, I mainly use European providers, who process the data in accordance with legal requirements that I know. In addition, my browser settings work in a way that cookies are deleted in a timely manner. But I also notice the influence of my work when I'm talking with friends about the issue of data protection. I can get quite emotional at times - especially when others dismiss the importance of data processing operations with comments like: "Who's going to be interested in my data, anyway? I don't have anything to hide."
When handing over personal data, it's worth taking a closer look at the details. Quite often, an important fact is suppressed: in many cases, certainly, it is not just about the one data record. However, a tremendous amount of data is processed these days, for example when people use search engines, which can then be used to create profiles and patterns, the use of which can absolutely throw up critical questions. If, for example, my search only produces the sort of results that are likely to interest me, or that support an image that has been defined by an algorithm, this can certainly influence the shaping of opinions. This is an important issue for us as a society.
Is "data protection" really about protecting data? Or whom or what are you actually protecting?
Although the term itself might suggest otherwise, data protection is not about the "protection of data" but about the protection of the personal rights and privacy of the people whose data is being processed.
The law stipulates that, as employers, we are only allowed to process such data as is necessary for the employment relationship. It is our responsibility, here in Group Data Protection, to ensure that this processing of data is managed properly. The employees have, as it were, several roles for us as data privacy specialists: with respect to the work that people do, the employer must process data – if only so that they get paid. In this context we need to make sure that the necessary data are correctly and properly processed.
Many of our employees, however, also process data relating to their colleagues, as well as to our customers and business partners. It is therefore important that our employees are well trained and know the principles of correct data processing. And of course, to a very considerable extent, we are all also private individuals. Information in this respect is fundamentally taboo for the company. It is also our responsibility to protect this privacy.
What data about an employee are accumulated over the course of their working life?
Quite a lot! From the moment someone applies to us for a job, we as a company receive data. From this point on, employee data protection also applies. Once an applicant is appointed, their working hours are captured, performance and qualifications are documented, feedback is saved and attendance data are captured. Many colleagues post a profile image on the Social Intranet or make provision for their retirement – with all these processes, and even once people have left the company, we continue to hold the aforementioned employee data. We are here to ensure that our colleagues have no need to worry about how any of these data are processed. Because we handle their data responsibly.
What form does this data protection take, in practical terms, with almost 300,000 employees worldwide?
The examination of any data processing operation is undertaken systematically, ensuring that we can examine and evaluate all aspects as far as possible. We always check, for example, that there is a legal basis for the data processing activity. When it comes to relaying data to the tax office, for example, it is quite clear, since there is a legal requirement. Whenever there is a margin of discretion, we weigh up together with the specialist unit: What data is required and to what extent? For what purposes may they be used and for how long will the data be kept? And last but not least: Who needs access to the data?
Of course, we are also involved when new applications are introduced internally. Here it is crucial for us that they are configured in a data protection-friendly manner and that employees can understand, if they are interested, which data is used why and by whom. Information about the topic itself is also an important factor for us. An extensive range of materials is available to employees on the intranet and relevant training courses are offered.