Data compliance

Connectivity and digitalization will have a major impact on mobility in the future. The responsible handling and protection of data that is created and stored by digital systems is a top priority at Daimler.

The regulatory requirements relating to data protection have become significantly more stringent in recent years, mainly as a consequence of the implementation of the European Union’s General Data Protection Regulation (GDPR). We are addressing the increased requirements within the framework of our Group-wide Data Compliance Management System (Data CMS), which along with our data vision and our data culture is a fundamental component of our overarching Data Governance System. Our new Data Protection Policy EU and our Global Data and Information Policy form the basis for the handling of employee, customer, and business-partner data in a sustainable manner in accordance with all legal requirements.

The Data CMS, which combines all Group-wide measures, processes, and systems for ensuring data protection compliance, is based on the existing Daimler Compliance Management System (CMS). The Data CMS supports the systematic planning, implementation, and monitoring of compliance with data protection requirements. Such measures include programs that help ensure compliance with the GDPR and local data protection laws, as well as various communication and training measures and measures for product-related data protection activities. (See »Our Compliance Management System«)

In 2017, we created the Data Compliance unit to set up the Data Compliance Management System. This unit defines the individual elements of the Data CMS and manages its implementation throughout the Group. To this end, the Chief Compliance Officer submits data compliance reports on a regular basis to the Board of Management member of Daimler AG for Integrity and Legal Affairs, and also provides information on relevant developments in his quarterly reports to the Board of Management.

At the same time, the Chief Officer Corporate Data Protection performs the tasks required by law to ensure compliance with data protection rules. Here the Chief Officer Corporate Data Protection works with a team that monitors compliance with applicable data protection laws and the Daimler Data Protection Policy. In addition, the Chief Officer Corporate Data Protection handles complaints regarding data protection and is also responsible for issuing mandatory reports to supervisory authorities and consulting privacy impact assessments. The Chief Officer Corporate Data Protection is independent and reports directly to the Board of Management member for Integrity and Legal Affairs.

Since the end of 2018, we have been realigning the previous network of local data protection coordinators and merging this network into our global compliance network. This process will be completed by the end of 2020. We specifically prepare Local Compliance Officers and Local Compliance Responsibles for their new tasks in the field of data compliance and support them with training courses and consultation.

A key component of the Data CMS is the Data Compliance Risk Assessment, which is a systematic process conducted by the Data Compliance unit each year in order to identify, analyze, and evaluate data compliance risks at Daimler. The assessment is performed for both Group companies and corporate departments. The analyses are based on centrally compiled information on all units at the Group; specific additional details are taken into account in line with the given risk assessment. The results of the analyses form the basis for managing and minimizing risks in a targeted manner.

Employees are instructed to report all potential data protection incidents internally via the Information Security Incident Management Process. Criminal violations of data protection rules are addressed by the whistleblower system BPO (Business Practices Office), which can also be used by external stakeholders who wish to report violations of laws or internal regulations.

We document and evaluate the implementation of defined data compliance measures within the framework of a monitoring and reporting process. For example, our compliance organization conducts an annual evaluation to assess the adequacy and effectiveness of our Data CMS. We document in our compliance reporting system any areas where action needs to be taken, and we also monitor the implementation of the associated measures. If necessary, the compliance organization will make adjustments to the Data Compliance Management System on the basis of the knowledge gained from the evaluation, while also taking into account changes to the risk situation and new legal requirements.

Anti Financial Crime Compliance
Technical compliance