Data responsibility


Strategy and concepts

Data protection and data security

GRI 103-2

Ensuring data security and respecting and protecting personal data are high priorities for the Mercedes-Benz Group. We can only gain the public’s acceptance of new technologies such as Artificial Intelligence (AI) if we show that the data of our customers and the users of our products are secure. As a result, we are one of the world’s first automotive companies to define and publish fundamental principles for the use of this technology.

For us, data protection begins during the design of new products and services and encompasses numerous additional measures for complying with data security requirements. We use an integrated data compliance management system to ensure the systematic and risk-based planning, implementation and continuous monitoring of all these measures.

Holistic data responsibility

GRI 103-2

Data responsibility involves more than just data protection. The Mercedes-Benz Group is taking on this responsibility with a holistic approach to data governance. This approach covers legal, cultural and organisational aspects. The key aims are the sustainable design of data-based business models and the responsible handling of data in the interests of our customers, employees and other stakeholders. In order to achieve these goals, we have taken a number of measures, for example employee training and the provision of in-depth information to our customers. We have also established a Group-wide Data Governance System that consists of our Group-wide Data Governance Structure, our data vision, our data culture and our Data Compliance Management System.

The Group-wide Data Governance Structure

The Group-wide Data Governance System was developed at the Board of Management’s Integrity and Legal Affairs division. The implementation of data governance in the divisions of the Mercedes-Benz Group is the responsibility of the various bodies for data and data analytics. These are cross-functional teams of managers who perform data-related responsibilities. The teams meet regularly to promote the digital transformation at the divisions on the basis of the measures prioritised by the Board of Management. All the relevant specialist units coordinate their current data analytics projects within these boards and create the basis for the efficient and responsible use of data. Specialists at Corporate Data Protection monitor the projects from the beginning in order to help ensure that they are conducted in compliance with all relevant laws.

A Data Governance Committee also exists at the Group level of the Mercedes-Benz Group. This committee defines the framework of core company-wide topics relating to data management, information security, data protection and data compliance. In addition, it makes business policy decisions about the way the company handles data.

Each division is responsible for the operational implementation of our strategic data responsibility goals. Consequently, all the divisions of the Mercedes-Benz Group have launched a corresponding programme for the creation of specific processes and systems that ensure the responsible use of data.

Reliably controlling data protection and data compliance

The Chief Officer Corporate Data Protection at the Mercedes-Benz Group performs the tasks required by law to ensure compliance with data protection rules. Together with his team, he monitors compliance with data protection legislation and our data protection policies. His tasks include handling complaints regarding data protection and communicating with the regulatory authorities for data protection. He also carries out communications and training measures. In addition, he advises responsible individuals and specialist units on all questions relating to data protection. He is independent and reports to the Chief Compliance Officer and the Board of Management member for Integrity and Legal Affairs.

We started to set up the Data Compliance Management System as early as 2018. The first step was to establish the Data Compliance department within the Compliance organisation. We consolidated the tasks of this department under the management of the Chief Officer Corporate Data Protection in the Corporate Data Protection division after the successful establishment of the Data Compliance Management System in 2021. The Chief Officer Corporate Data Protection defines the individual elements of the Data Compliance Management System and controls its implementation throughout the Group. The tasks of the Chief Officer Corporate Data Protection also include carrying out the annual Data Compliance Risk Assessment and establishing the Data Compliance Programme, which includes all of the measures needed for implementing the Data Compliance Management System. Among other things, these measures include compliance with the formal requirements of the GDPR. One example is the introduction of a record of processing activities in order to meet our documentation obligations. In addition, Group-wide data compliance monitoring and reporting processes exist.

The Mercedes-Benz Group Data Vision and Guiding Principles (Graphic)

The Chief Compliance Officer provides a key interface for Group-wide data compliance management. The Chief Compliance Officer heads the compliance organisation and reports on current data compliance developments to the Board of Management member for Integrity and Legal Affairs on a regular basis and also submits quarterly reports to the Board of Management as a whole.

Our approach to the effective management of data protection also relies on local contact persons at our numerous sites and facilities around the world. These Local Compliance Officers or Local Compliance Responsibles support the local management’s implementation of the data compliance measures. We specifically prepare these local contacts for their tasks and support them with training courses and consultation.

The data vision provides the framework

The Mercedes-Benz Group’s commitment to the responsible handling of data is anchored in its data vision. The data vision provides our employees with a clear framework for how they should handle data. It has been made known throughout the Group and is also included in the current version of our Integrity Code.

The central principles of our data vision include transparency, self-determination and security. We would like our customers to be aware of which data is being collected, when, and for what purpose. To this end, we provide them with in-depth information in our sales materials, in apps, in operating instructions, in the terms of use, on the data protection landing page and, wherever possible and expedient, directly in the vehicle itself. Our goal is to ensure that our customers can decide for themselves which services they actually use and which data they would like to share — either by consent, by contract or at the touch of a button. They can activate and deactivate the Mercedes me connect services in the Mercedes me Portal or in the Mercedes me App at any time, for example. Customers receive an overview of their personal data and can decide what we may use the data for in the new Mercedes me Privacy Center.

The data security in our vehicles also meets our customers’ high standards of security. We continually refine our data security measures in line with advances in IT in order to protect the data against manipulation and improper use.

For us, ensuring effective data protection and data security in vehicles is an integral component of the development of products and services. That’s why our developers use the privacy by design approach when designing new vehicles and functions and in the conception of digital business models. Many of the current model series already provide technical functions such as live traffic information and active traffic jam assistants that are based on the processing of data. This development is continuing: for example, further innovations such as interconnected vehicles and automated driving functions are on the way.

EU data protection regulation specifies intragroup data protection standards

The Mercedes-Benz Group’s Data Protection Policy EU specifies uniform intragroup data protection standards based on the GDPR. It regulates how EU-related personal data of employees, customers, and business partners are to be handled for all Group companies. We utilise it in order to take account of the special regulatory environment in our European core market.

This policy also includes binding corporate rules for Group companies that are located outside the area subject to the GDPR but which nevertheless, as the recipients of cross-border data transfer, process personal data to which the GDPR applies. Our Data Protection Policy EU has been submitted to the responsible supervisory authority in Baden-Württemberg for approval as binding corporate rules as defined by the GDPR.

Our global data and information policy regulates data compliance worldwide

The Mercedes-Benz Group’s global data and information policy forms the foundation for the responsible, legally compliant and ethical handling of information and data worldwide. It represents the responsibilities and roles in a data- and information-based environment transparently. In addition, the policy specifies targets, principles and organisational structures and determines measures for implementing the data compliance processes. The policy also includes global standards for data compliance that are designed to ensure that a uniform level of data protection exists worldwide throughout the Group. We thus set a binding standard that is supplemented by the provisions of the Data Protection Policy EU and the applicable local data protection laws.

Data Compliance Management System

GRI 103-2

The Mercedes-Benz Group’s Data Compliance Management System supports the Group in the systematic planning, implementation and continuous monitoring of measures to ensure compliance with the data protection requirements. It takes into account the existing applicable data protection regulations. For our Group companies in the EU, the GDPR is particularly relevant; for our Group companies outside the EU, the relevant local data protection laws apply. Additional areas of the law that are relevant to data use are also being incorporated into this system in order to identify and address possible risks.

Responsible use of Artificial Intelligence

Artificial Intelligence (AI) is playing an increasingly important role for the future of the automotive industry in an extremely wide range of areas. It boosts flexibility and efficiency in production operations and enables us to better fulfil our customers’ needs. But alongside its great potential, the use of intelligent systems also holds risks — of which the Mercedes-Benz Group is aware. That’s why the responsible use of AI is a high priority for us.

Four principles for the use of AI

As early as 2019, the Mercedes-Benz Group was one of the world’s first automotive companies to define and publish four principles for the responsible use of AI. They are: responsible use, explainability, protection of privacy, and safety and reliability. The objective is to approach AI-specific risks preventively. These principles are intended to provide our employees with a framework for the development and use of AI and to strengthen trust in our AI-based solutions.

The principles are anchored in the Mercedes-Benz Group’s Integrity Code. They supplement our data vision and are thus an important part of our company’s digital responsibility.

The four AI principles (Graphic)

Governance for AI

In addition, the Mercedes-Benz Group has developed a framework for using AI — the Artificial Intelligence Governance Model (AIGM). On the one hand, we want to use this risk-based agile approach to ensure the legal and ethical use of AI in practice. On the other, we want it to provide an even stronger anchor for the four AI principles.

The AIGM will support us here in recognising and minimising legal and ethical risks at an early stage, and thus enable the responsible implementation of AI-based business models. At present, it is especially focussed on systems that apply machine learning or deep learning.

Our AI principles, which are complemented by the four areas of action — risk analysis, risk mitigation measures, dialogue, and review and engagement — are at the heart of the AIGM.

The Mercedes-Benz Group launched a wide range of AI governance initiatives during the reporting year. The focus was on testing and optimising our AIGM processes and measures in various business and functional units.

The Artificial Intelligence Governance Model (Graphic)

For example, we have introduced an innovative chatbot solution. It helps our employees to quickly and simply assess AI-specific risks. Furthermore, we have extended our general provision of information and advice with a guideline for the practical implementation of our AI principles. In addition, we have set up a central AI governance advice point. This is part of the Board of Management division Integrity and Legal Affairs. We have expanded our range of training courses with an AI governance training module.

We have also used the regular involvement of our external stakeholders — in the context of our association and committee work with the Federation of German Industries (BDI) and the European Automobile Manufacturers’ Association (ACEA), for example — to provide further momentum for responsible AI governance. Our Sustainability Dialogue 2021 was also focussed on the responsible use of AI. Together with representatives from business, science, government and society, we discussed the topic “Decision-making in the Age of Artificial Intelligence — Our Responsibilities as Participants” in the working group Employees and Integrity.

We plan to continue our AI governance activities in 2022.

Measures

Internal information and training measures

As part of its data-driven transformation, the Mercedes-Benz Group is promoting a more active use and responsible handling of data. The seven principles of our data vision provide us with a framework for these activities.

In order to establish our data culture throughout the Group, it is important that all of the employees embrace these principles and put them into practice in their daily work. To this end, we implemented extensive information and training measures for all employees in 2021. These included a new web-based training programme in particular. It uses practical questions to explain the importance of handling data correctly. The training programme has been introduced worldwide and is compulsory for all administrative employees.

Moreover, various web-based training courses and sessions enable our employees to address the topics of data culture and data governance. They are trained in the responsible use and sharing of data and are taught how to increase transparency and data quality. In addition, the Data Navigator and the Digipedia provide all employees with two platforms that contain all of the key information as well as numerous data-related learning opportunities.

Every three years, all employees at our controlled Group companies who have e-mail access must complete the Integrity@Work web-based training course, which also raises their awareness of data protection issues. Participation in the web-based training course “Expert module — EU General Data Protection Regulation Overview” is obligatory for managers in the EU. The course was reworked during the reporting year and the target group has completed the new version. Local management at every Group unit can require other employees to participate in these courses. Thanks to our IT-supported Learning Management System, all training measures are available around the globe.

Employees from units where data protection is particularly relevant, such as human resources, sales and development, are trained in person by the respective Local Compliance Officer or Local Compliance Responsible. This training is carried out either in person or online. In addition, we produce annual training plans for units at the Group that are subject to high data protection risks. Participation in the training courses is documented. For example, we have trained all of the executives in the Research and Development unit in the basics of data protection and in the fundamentals of privacy by design during the reporting year. The executives’ participation is mandatory. We recommend that all other managers and employees for whom the training course is relevant due to their job profile should also complete the training course.

The onboarding process for new managing directors at Group companies also includes an overview of the Group’s Data Compliance Management System. All managers can also conduct their own independent study programme using the Corporate Governance Navigator on the Group intranet, which also includes information on the topic of data protection.

The local data compliance organisation is particularly important in the implementation of, the consulting for, and the monitoring of the compliance measures. For this reason, our Local Compliance Officers and Local Compliance Responsibles at Group units with a medium or high data protection risk classification also take part in a data compliance qualification programme in addition to the aforementioned courses. In this programme, they obtain basic knowledge on data protection law and receive instruction in how to handle specific tasks. Local Compliance Officers and Local Compliance Responsibles at Group units with a low data protection risk classification take part in a video-based training programme with comparable content.

Customer data

The Mercedes-Benz Group sets a high standard for the handling of its customers’ personal data. Customers can now use our Mercedes me Privacy Center, which was introduced in 2021, to obtain an even faster and more straightforward overview of what personal data of theirs is stored. They can decide for which purposes Mercedes-Benz is allowed to use this data. The focus here is on user-friendliness, so that the customer can directly navigate to his or her available choices via five intuitive categories. This service underlines the principles of self-determination, transparency and security as set out in the data vision and stands for the responsible handling of data.

Supplier data

Before it commissions a service provider who processes personal data, the Mercedes-Benz Group checks whether this company can process the data received in compliance with legal requirements, especially those of the GDPR. The decisive consideration is whether the service provider can demonstrate that it verifiably implements technical and organisational measures for ensuring data security.

Risk assessment

The Data Compliance Risk Assessment is a key component of the Mercedes-Benz Group’s Data Compliance Management System. This assessment is a systematic process conducted by the Data Compliance team each year in order to identify, analyse and evaluate data compliance risks at our company. This applies equally for Group companies and for the central entities. The results of this analysis form the basis for managing and minimising risks.

The assessments are based on centrally compiled information on all Group entities; specific additional details are taken into account in line with the given risk assessment. First, the Data Compliance team makes an assessment on the basis of internal and external information. This includes, for example, an examination of data processing indicators that result from normal business activities and an analysis of the regulatory environment in the country in which the given Group unit is located. Data Compliance uses these indicators to determine whether the Group entity in question is exposed to particular risks and therefore needs to be looked at more closely. In such cases, the unit also makes use of information from the Group’s local entities for its risk classification. The Chief Compliance Officer and the Divisional Compliance Officers’/Regional Compliance Officers’ network confirm the results of the annual Data Compliance Risk Assessment and report these results to the Board of Management and Supervisory Board committees of Mercedes-Benz Group AG, Mercedes-Benz AG and Mercedes-Benz Mobility AG.

Digitalisation risks

The digitalisation strategy opens up new opportunities for the Mercedes-Benz Group to increase customer utility and reinforce the values of the company. Nonetheless, the high degree of penetration of all business units by information technology (IT) also harbours risks for our business and production processes and the units’ products and services.

Cybercrime and malicious code harbour risks that could affect the availability, integrity and confidentiality of information and IT-supported operating material. In the worst case, this would result in IT-supported business processes being interrupted — despite comprehensive precautions. This scenario could have a negative effect on the company’s financial result. Furthermore, the loss or misuse of sensitive data can, in some circumstances, lead to reputational damage. In particular, stricter regulatory requirements such as the GDPR can also provide a basis for third-party claims — and lead to costly regulatory instructions and fines that have an impact on the financial result.

The globally active Mercedes-Benz Group and its comprehensive business and production processes must be able to store and exchange information that is up to date, complete and correct. Our internal IT security framework is oriented according to international standards and also draws on industry standards and good practices for its protective measures. New regulatory requirements for cybersecurity and cybersecurity management systems are taken into account in the further development of our processes and standards.

Secure IT systems and a reliable IT infrastructure are operated with an eye for the need to keep information secure. In addition, risks are identified over the complete life cycle of applications and IT systems and treated according to their importance. We place a special focus on risks that lead to the interruption of business processes as a consequence of an IT system failure or the loss or falsification of data. Special attention is required in this area due to the advance of the digitalisation and networking of manufacturing facilities. For this reason we are continuing to further develop our technical and organisational security measures.

The demands regarding the confidentiality, integrity and availability of data also continue to grow. For this reason, the Mercedes-Benz Group has implemented a large number of measures to minimise the associated risks at the earliest possible stage and to limit possible damage. Emergency plans have been created and our employees are regularly trained and made aware of the issues.

We analyse specific threats and coordinate our countermeasures in a globally operating Cyber Intelligence and Response Centre. In addition, we continually extend the protection of our products and services against the dangers of hacker attacks and cybercrime. We also operate cybersecurity programmes in order to systematically reduce the risks.

Given the continuous implementation of countermeasures, we estimate that the extent of the IT-related risks and the probability of corresponding incidents occurring were unchanged in comparison to the previous year.

Dealing with personal data breaches

GRI 418-1

The Mercedes-Benz Group has established a central reporting system for all incidents involving information security: the Information Security Incident Management Process. It is available around the clock. Employees and contractors are instructed to report all potential personal data breaches via this system. Incidents relating to data protection that occur at units subject to the provisions of the GDPR are addressed by the Corporate Data Protection unit. This is assisted in its local investigations by a local Incident Support department. The Corporate Data Protection unit then issues a recommendation to the local management team as to whether supervisory authorities must be informed of the incident and whether those affected by it must be notified within the period stipulated by law. Local Incident Support departments handle incidents relating to data protection that occur at units that are not subject to the GDPR. Together with the local management teams, these departments decide whether supervisory authorities must be informed of an incident and whether those affected by it must be notified. Here, the Corporate Data Protection unit can be brought in for support at any time. The results of all investigations have to be submitted to the Corporate Data Protection unit for documentation purposes.

During the reporting year, a small number of cases were reported to the responsible data protection supervisory authorities. The authorities did not take any measures against the company in response.

Alongside the data protection incident management process, the Mercedes-Benz Group has established a general whistleblower process via which all potential compliance violations can be reported. This system is tasked with fairly and adequately investigating reports on incidents that pose a high risk to the company and its employees. The Data Compliance team teaches all Local Compliance Officers and Local Compliance Responsibles how to address complaints. These courses provide information on local and non-European data protection provisions and on the requirements defined in the GDPR.

The contact details of the Chief Corporate Data Protection Officer are publicly available, and customers can direct their questions or concerns regarding data protection to him or his team at any time.

The number of complaints received by Corporate Data Protection was lower overall. The number of investigations conducted by data protection supervisory authorities in response to customer complaints was in the low single-digit range. No measures were taken against the company as a result of any of these investigations.

Effectiveness and results

The effectiveness of our management approach

GRI 103-3

The Mercedes-Benz Group’s Data Compliance Management System is constantly being further developed. Based on an annual monitoring and reporting process, we examine the extent to which the previously defined measures have been implemented and the objectives pursued have been achieved. In this way, the compliance organisation continuously assesses whether the compliance management system is appropriate and effective. Any resulting need for action and the measures subsequently taken are documented in the compliance reporting, and their implementation is documented in the system.

Results

The annual monitoring evaluation of the Data Compliance Management System has shown that the design of the system continues to be appropriate and suitable for achieving our compliance objectives. There are no indications that the implementation objectives of the Data Compliance Management System were not fully achieved in the reporting year 2021. We intend to also evaluate the third stage, the effectiveness of the Data Compliance Management System, in 2022.


Record of processing activities

A record of processing activities is an overview of a company’s processes for processing personal data that falls under the EU’s General Data Protection Regulation (GDPR). This record documents all of the relevant information about the processing of personal data.


Privacy by design

Privacy by design is data protection by means of technology design. The basic principle of the approach is that personal data can be best protected if software and hardware are designed and developed to comply with data protection regulations from the very start.


Live traffic information

Live traffic information systems supply vehicles with traffic data in real time.


Artificial Intelligence (AI)

Artificial Intelligence (AI) refers to computer systems that have features of human intelligence. AI systems can, for example, learn independently, draw conclusions or improve themselves.


Deep learning

Deep learning is a segment of Artificial Intelligence. It is a machine learning method in which artificial neural networks help an algorithm learn to recognise interconnections within a large pool of data.


Malicious code

Malicious code or malware refers to computer programs developed to carry out damaging tasks such as stealing passwords or other sensitive data.
