Information Management and Data Protection
Information and its management are an important part of our commercial success. Our information comes from a number of different areas – from marketing through to customer services, development and finance. Data security and protection is particularly important for us.
We adhere strictly to the applicable laws governing the protection and security of personal data. We have also developed a number of measures, including a uniform Group-wide rulebook on data protection and privacy, information security and the internal control system, and a cyber security system to protect company-related data. These measures are detailed in corresponding Group guidelines. The comprehensive framework is strengthened by clear responsibilities and contact persons for all relevant areas of the Group. In addition to our data protection officer, we also have data protection coordinators in all departments in Germany and Austria and conduct regular training on data protection and privacy for our employees. All employees are required to complete this training when they join the company and every year afterwards. Our data protection training was digitalized in 2021 and included in the online training catalog. As a result, employees can complete the training independently from any location. Data protection coordinators track the training on behalf of the employees in their department to ensure that they complete it. Detailed information about our data protection measures is available here: https://www.vonovia.de/en/datenschutz
Elements of the system for the protection of company-related data:
- Implementation of the Risk2Value DPMS data protection management tool to help us meet statutory data protection requirements. This data protection management system catalogs the processes that involve the processing of personal information. We can also use the system to document and assess any data breaches that occur, in addition to taking steps in response.
- Definition of a fundamental level of information protection to protect the company’s assets and image; information security policy to ensure compliance with statutory requirements and the related tasks
- Establishment of an IT security administrator with responsibility for achieving the IT security targets and for direct reporting to the Chief Information Officer (CIO)
- Companies and specialist departments are responsible for security risks relating to information and data that is predominantly created, collected, used or processed within their sphere of responsibility
- Management of the process with IT systems
- Raising employee awareness as a prerequisite for information security
- Holding regular data protection audits for providers that process personal data on behalf of Vonovia. Topics covered by the audit include the procedures and measures used to guarantee system resilience and IT disaster recovery plans.
- Scanning relevant IT systems for weaknesses on a regular basis (e.g., pen tests). Cyber security is one of our key focus areas. We follow the current recommendations of the Federal Office for Information Security (BSI).
- Certification of service providers (data center) to ensure that all IT systems are 99% covered in accordance with ISO 27001
Due to the extensive measures that we have taken in the area of data protection, we believe that risks related to inadequate IT security or violations of the General Data Protection Regulation only have an extremely low probability of occurrence. Mobile working, which we use far more extensively now than was the case before the coronavirus pandemic, does not involve any significant data protection-related risks.
The Management Board is provided with information about developments in the area of data protection and information security once a year. In Austria, a status report is provided to the management of BUWOG once a year. The Supervisory Board’s audit committee deals with topics related to data security, and is also provided with the data protection report on an annual basis.