Strategy and concepts
Data protection and data security
Ensuring data security and respecting and protecting personal data are high priorities for the Mercedes-Benz Group. We can only gain the public’s acceptance of new technologies such as Artificial Intelligence (AI) if we show that the data of our customers and the users of our products are secure. As a result, we are one of the world’s first automotive companies to define and publish fundamental principles for the use of this technology.
For us, data protection begins during the design of new products and services and encompasses numerous additional measures for complying with data security requirements. We use an integrated data compliance management system to ensure the systematic and risk-based planning, implementation and continuous monitoring of all these measures.
Holistic data responsibility
Data responsibility involves more than just data protection. The Mercedes-Benz Group is taking on this responsibility with a holistic approach to data governance. This approach covers legal, cultural and organisational aspects. The key aims are the sustainable design of data-based business models and the responsible handling of data in the interests of our customers, employees and other stakeholders. In order to achieve these goals, we have taken a number of measures, for example employee training and the provision of in-depth information to our customers. We have also established a Group-wide Data Governance System that consists of our Group-wide Data Governance Structure, our data vision, our data culture and our Data Compliance Management System.
The Group-wide Data Governance Structure
The Group-wide Data Governance System was developed at the Board of Management’s Integrity and Legal Affairs division. The implementation of data governance in the divisions of the Mercedes-Benz Group is the responsibility of the various bodies for data and data analytics. These are cross-functional teams of managers who perform data-related responsibilities. The teams meet regularly to promote the digital transformation at the divisions on the basis of the measures prioritised by the Board of Management. All the relevant specialist units coordinate their current data analytics projects within these boards and create the basis for the efficient and responsible use of data. Specialists at Corporate Data Protection monitor the projects from the beginning in order to help ensure that they are conducted in compliance with all relevant laws.
A Data Governance Committee also exists at the Group level of the Mercedes-Benz Group. This committee defines the framework of core company-wide topics relating to data management, information security, data protection and data compliance. In addition, it makes business policy decisions about the way the company handles data.
Each division is responsible for the operational implementation of our strategic data responsibility goals. Consequently, all the divisions of the Mercedes-Benz Group have launched a corresponding programme for the creation of specific processes and systems that ensure the responsible use of data.
Reliably controlling data protection and data compliance
The Chief Officer Corporate Data Protection at the Mercedes-Benz Group performs the tasks required by law to ensure compliance with data protection rules. Together with his team, he monitors compliance with data protection legislation and our data protection policies. His tasks include handling complaints regarding data protection and communicating with the regulatory authorities for data protection. He also carries out communications and training measures. In addition, he advises responsible individuals and specialist units on all questions relating to data protection. He is independent and reports to the Chief Compliance Officer and the Board of Management member for Integrity and Legal Affairs.
We started to set up the Data Compliance Management System as early as 2018. The first step was to establish the Data Compliance department within the Compliance organisation. We consolidated the tasks of this department under the management of the Chief Officer Corporate Data Protection in the Corporate Data Protection division after the successful establishment of the Data Compliance Management System in 2021. The Chief Officer Corporate Data Protection defines the individual elements of the Data Compliance Management System and controls its implementation throughout the Group. The tasks of the Chief Officer Corporate Data Protection also include carrying out the annual Data Compliance Risk Assessment and establishing the Data Compliance Programme, which includes all of the measures needed for implementing the Data Compliance Management System. Among other things, these measures include compliance with the formal requirements of the GDPR. One example is the introduction of a record of processing activities in order to meet our documentation obligations. In addition, Group-wide data compliance monitoring and reporting processes exist.
The Chief Compliance Officer provides a key interface for Group-wide data compliance management. The Chief Compliance Officer heads the compliance organisation and reports on current data compliance developments to the Board of Management member for Integrity and Legal Affairs on a regular basis and also submits quarterly reports to the Board of Management as a whole.
Our approach to the effective management of data protection also relies on local contact persons at our numerous sites and facilities around the world. These Local Compliance Officers or Local Compliance Responsibles support the local management’s implementation of the data compliance measures. We specifically prepare these local contacts for their tasks and support them with training courses and consultation.
The data vision provides the framework
The Mercedes-Benz Group’s commitment to the responsible handling of data is anchored in its data vision. The data vision provides our employees with a clear framework for how they should handle data. It has been made known throughout the Group and is also included in the current version of our Integrity Code.
Data security in our vehicles also meets our customers’ high standards. We continually refine our data security measures in line with advances in IT in order to protect the data against manipulation and improper use.
For us, ensuring effective data protection and data security in vehicles is an integral component of the development of products and services. That’s why our developers use the privacy by design approach when designing new vehicles and functions and in the conception of digital business models. Many of the current model series already provide technical functions such as live traffic information and active traffic jam assistants that are based on the processing of data. This development is continuing: for example, further innovations such as interconnected vehicles and automated driving functions are on the way.
EU data protection regulation specifies intragroup data protection standards
The Mercedes-Benz Group’s Data Protection Policy EU specifies uniform intragroup data protection standards based on the GDPR. It regulates how EU-related personal data of employees, customers, and business partners are to be handled for all Group companies. We utilise it in order to take account of the special regulatory environment in our European core market.
This policy also includes binding corporate rules for Group companies that are located outside the area subject to the GDPR but which nevertheless, as the recipients of cross-border data transfer, process personal data to which the GDPR applies. Our Data Protection Policy EU has been submitted to the responsible supervisory authority in Baden-Württemberg for approval as binding corporate rules as defined by the GDPR.
Our global data and information policy regulates data compliance worldwide
The Mercedes-Benz Group’s global data and information policy forms the foundation for the responsible, legally compliant and ethical handling of information and data worldwide. It sets out the responsibilities and roles in a data- and information-based environment transparently. In addition, the policy specifies targets, principles and organisational structures and determines measures for implementing the data compliance processes. The policy also includes global standards for data compliance that are designed to ensure that a uniform level of data protection exists worldwide throughout the Group. We thus set a binding standard that is supplemented by the provisions of the Data Protection Policy EU and the applicable local data protection laws.
Data Compliance Management System
The Mercedes-Benz Group’s Data Compliance Management System supports the Group in the systematic planning, implementation and continuous monitoring of measures to ensure compliance with the data protection requirements. It takes into account the existing applicable data protection regulations. For our Group companies in the EU, the GDPR is particularly relevant; for our Group companies outside the EU, the relevant local data protection laws apply. Additional areas of the law that are relevant to data use are also being incorporated into this system in order to identify and address possible risks.
Responsible use of Artificial Intelligence
Artificial Intelligence (AI) is playing an increasingly important role for the future of the automotive industry in an extremely wide range of areas. It boosts flexibility and efficiency in production operations and enables us to better fulfil our customers’ needs. But alongside its great potential, the use of intelligent systems also holds risks — of which the Mercedes-Benz Group is aware. That’s why the responsible use of AI is a high priority for us.
Four principles for the use of AI
As early as 2019, the Mercedes-Benz Group was one of the world’s first automotive companies to define and publish four principles for the responsible use of AI. They are: responsible use, explainability, protection of privacy, and safety and reliability. The objective is to approach AI-specific risks preventively. These principles are intended to provide our employees with a framework for the development and use of AI and to strengthen trust in our AI-based solutions.
The principles are anchored in the Mercedes-Benz Group’s Integrity Code. They supplement our data vision and are thus an important part of our company’s digital responsibility.
Governance for AI
In addition, the Mercedes-Benz Group has developed a framework for using AI — the Artificial Intelligence Governance Model (AIGM). On the one hand, we want to use this risk-based agile approach to ensure the legal and ethical use of AI in practice. On the other, we want it to provide an even stronger anchor for the four AI principles.
The AIGM will support us here in recognising and minimising legal and ethical risks at an early stage, and thus enable the responsible implementation of AI-based business models. At present, it is especially focussed on systems that apply machine learning or deep learning.
Our AI principles, which are complemented by the four areas of action — risk analysis, risk mitigation measures, dialogue, and review and engagement — are at the heart of the AIGM.
The Mercedes-Benz Group launched a wide range of AI governance initiatives during the reporting year. The focus was on testing and optimising our AIGM processes and measures in various business and functional units.
For example, we have introduced an innovative chatbot solution. It helps our employees to quickly and simply assess AI-specific risks. Furthermore, we have extended our general provision of information and advice with a guideline for the practical implementation of our AI principles. In addition, we have set up a central AI governance advice point. This is part of the Board of Management division Integrity and Legal Affairs. We have expanded our range of training courses with an AI governance training module.
We have also used the regular involvement of our external stakeholders — in the context of our association and committee work with the Federation of German Industries (BDI) and the European Automobile Manufacturers’ Association (ACEA), for example — to provide further momentum for responsible AI governance. Our Sustainability Dialogue 2021 was also focussed on the responsible use of AI. Together with representatives from business, science, government and society, we discussed the topic “Decision-making in the Age of Artificial Intelligence — Our Responsibilities as Participants” in the working group Employees and Integrity.
We plan to continue our AI governance activities in 2022.
Internal information and training measures
As part of its data-driven transformation, the Mercedes-Benz Group is promoting a more active use and responsible handling of data. The seven principles of our data vision provide us with a framework for these activities.
In order to establish our data culture throughout the Group, it is important that all of the employees embrace these principles and put them into practice in their daily work. To this end, we implemented extensive information and training measures for all employees in 2021. These included a new web-based training programme in particular. It uses practical questions to explain the importance of handling data correctly. The training programme has been introduced worldwide and is compulsory for all administrative employees.
Moreover, various web-based training courses and sessions enable our employees to address the topics of data culture and data governance. They are trained in the responsible use and sharing of data and are taught how to increase transparency and data quality. In addition, the Data Navigator and the Digipedia provide all employees with two platforms that contain all of the key information as well as numerous data-related learning opportunities.
Every three years, all employees at our controlled Group companies who have e-mail access must complete the Integrity@Work web-based training course, which also raises their awareness of data protection issues. Participation in the web-based training course “Expert module — EU General Data Protection Regulation Overview” is obligatory for managers in the EU. The course was reworked during the reporting year and the target group has completed the new version. Local management at every Group unit can require other employees to participate in these courses. Thanks to our IT-supported Learning Management System, all training measures are available around the globe.
Employees from units where data protection is particularly relevant, such as human resources, sales and development, are trained directly by the respective Local Compliance Officer or Local Compliance Responsible. This training is carried out either in person or online. In addition, we produce annual training plans for units at the Group that are subject to high data protection risks. Participation in the training courses is documented. For example, during the reporting year we trained all of the executives in the Research and Development unit in the basics of data protection and in the fundamentals of privacy by design. The executives’ participation is mandatory. We recommend that all other managers and employees for whom the training course is relevant due to their job profile also complete it.
The onboarding process for new managing directors at Group companies also includes an overview of the Group’s Data Compliance Management System. All managers can also conduct their own independent study programme using the Corporate Governance Navigator on the Group intranet, which also includes information on the topic of data protection.
The local data compliance organisation is particularly important in the implementation of, the consulting for, and the monitoring of the compliance measures. For this reason, our Local Compliance Officers and Local Compliance Responsibles at Group units with a medium or high data protection risk classification also take part in a data compliance qualification programme in addition to the aforementioned courses. In this programme, they obtain basic knowledge on data protection law and receive instruction in how to handle specific tasks. Local Compliance Officers and Local Compliance Responsibles at Group units with a low data protection risk classification take part in a video-based training programme with comparable content.
The Mercedes-Benz Group sets a high standard for the handling of its customers’ personal data. Customers can now use our Mercedes me Privacy Center, which was introduced in 2021, to obtain an even faster and more straightforward overview of what personal data of theirs is stored. They can decide for which purposes Mercedes-Benz is allowed to use this data. The focus here is on user-friendliness, so that the customer can directly navigate to his or her available choices via five intuitive categories. This service underlines the principles of self-determination, transparency and security as set out in the data vision and stands for the responsible handling of data.
Before it commissions a service provider who processes personal data, the Mercedes-Benz Group checks whether this company can process the data received in compliance with legal requirements, especially those of the GDPR. The decisive consideration is whether the service provider can demonstrate that it verifiably implements technical and organisational measures for ensuring data security.
The Data Compliance Risk Assessment is a key component of the Mercedes-Benz Group’s Data Compliance Management System. This assessment is a systematic process conducted by the Data Compliance team each year in order to identify, analyse and evaluate data compliance risks at our company. This applies equally for Group companies and for the central entities. The results of this analysis form the basis for managing and minimising risks.
The assessments are based on centrally compiled information on all Group entities; specific additional details are taken into account in line with the given risk assessment. First, the Data Compliance team makes an assessment on the basis of internal and external information. This includes, for example, an examination of data processing indicators that result from normal business activities and an analysis of the regulatory environment in the country in which the given Group unit is located. Data Compliance uses these indicators to determine whether the Group entity in question is exposed to particular risks and therefore needs to be looked at more closely. In such cases, the unit also makes use of information from the Group’s local entities for its risk classification. The Chief Compliance Officer and the Divisional Compliance Officers’/Regional Compliance Officers’ network confirm the results of the annual Data Compliance Risk Assessment and report these results to the Board of Management and Supervisory Board committees of Mercedes-Benz Group AG, Mercedes-Benz AG and Mercedes-Benz Mobility AG.
The digitalisation strategy opens up new opportunities for the Mercedes-Benz Group to increase customer utility and reinforce the values of the company. Nonetheless, the high degree of penetration of all business units by information technology (IT) also harbours risks for our business and production processes and the units’ products and services.
Cybercrime and malware harbour risks that could affect the availability, integrity and confidentiality of information and IT-supported operating material. In the worst case, this would result in IT-supported business processes being interrupted — despite comprehensive precautions. This scenario could have a negative effect on the company’s financial result. Furthermore, the loss or misuse of sensitive data can, in some circumstances, lead to reputational damage. In particular, stricter regulatory requirements such as the GDPR can also provide a basis for third-party claims — and lead to costly regulatory instructions and fines that have an impact on the financial result.
The globally active Mercedes-Benz Group and its comprehensive business and production processes must be able to store and exchange information in an up-to-date, complete and correct manner. Our internal IT security framework is oriented towards international standards and also draws on industry standards and good practices for its protective measures. New regulatory requirements for cybersecurity and cybersecurity management systems are taken into account in the further development of our processes and standards.
Secure IT systems and a reliable IT infrastructure are operated with an eye for the need to keep information secure. In addition, risks are identified over the complete life cycle of applications and IT systems and treated according to their importance. We place a special focus on risks that lead to the interruption of business processes as a consequence of an IT system failure or the loss or falsification of data. Special attention is required in this area due to the advance of the digitalisation and networking of manufacturing facilities. For this reason we are continuing to further develop our technical and organisational security measures.
The demands regarding the confidentiality, integrity and availability of data also continue to grow. For this reason, the Mercedes-Benz Group has implemented a large number of measures to minimise the associated risks at the earliest possible stage and to limit possible damage. Emergency plans have been created and our employees are regularly trained and made aware of the issues.
We analyse specific threats and coordinate our countermeasures in a globally operating Cyber Intelligence and Response Centre. In addition, we continually extend the protection of our products and services against the dangers of hacker attacks and cybercrime. We also operate cybersecurity programmes in order to systematically reduce the risks.
Given the continuous implementation of countermeasures, we estimate that the extent of IT-related risks and the probability of corresponding incidents occurring were unchanged in comparison to the previous year.
Dealing with personal data breaches
The Mercedes-Benz Group has established a central reporting system for all incidents involving information security: the Information Security Incident Management Process. It is available around the clock. Employees and contractors are instructed to report all potential personal data breaches via this system. Incidents relating to data protection that occur at units subject to the provisions of the GDPR are addressed by the Corporate Data Protection unit. This is assisted in its local investigations by a local Incident Support department. The Corporate Data Protection unit then issues a recommendation to the local management team as to whether supervisory authorities must be informed of the incident and whether those affected by it must be notified within the period stipulated by law. Local Incident Support departments handle incidents relating to data protection that occur at units that are not subject to the GDPR. Together with the local management teams, these departments decide whether supervisory authorities must be informed of an incident and whether those affected by it must be notified. Here, the Corporate Data Protection unit can be brought in for support at any time. The results of all investigations have to be submitted to the Corporate Data Protection unit for documentation purposes.
During the reporting year, a small number of cases were reported to the responsible data protection supervisory authorities. The authorities did not take any measures against the company in response.
Alongside the data protection incident management process, the Mercedes-Benz Group has established a general whistleblower process via which all potential compliance violations can be reported. This system is tasked with fairly and adequately investigating reports on incidents that pose a high risk to the company and its employees. The Data Compliance team teaches all Local Compliance Officers and Local Compliance Responsibles how to address complaints. These courses provide information on local and non-European data protection provisions and on the requirements defined in the GDPR.
The contact details of the Chief Corporate Data Protection Officer are publicly available, and customers can direct their questions or concerns regarding data protection to him or his team at any time.
The number of complaints received by Corporate Data Protection was lower overall. Data protection supervisory authorities conducted investigations in response to customer complaints; the number of such investigations was in the low single-digit range. No measures were taken against the company as a result of any of these investigations.
Effectiveness and results
The effectiveness of our management approach
The Mercedes-Benz Group’s Data Compliance Management System is constantly being further developed. Based on an annual monitoring and reporting process, we examine the extent to which the previously defined measures have been implemented and the objectives pursued have been achieved. In this way, the compliance organisation continuously assesses whether the compliance management system is appropriate and effective. Any resulting need for action and the measures subsequently taken are documented in the compliance reporting, and their implementation is documented in the system.
The annual monitoring evaluation of the Data Compliance Management System has shown that the design of the system continues to be appropriate and suitable for achieving our compliance objectives. There are no indications that the implementation objectives of the Data Compliance Management System were not fully achieved in the reporting year 2021. We intend to also evaluate the third stage, the effectiveness of the Data Compliance Management System, in 2022.