Strategy and concepts
Data protection and data security
Ensuring data security and respecting the protection of personal data is a high priority for the Mercedes-Benz Group. It can only gain acceptance for new technologies such as artificial intelligence (AI) if it demonstrates that the data of its customers and of the users of its products are secure. As one of the first automotive companies to do so, the Mercedes-Benz Group therefore defined and published a series of fundamental principles for dealing with this technology.
At the Mercedes-Benz Group, data protection begins with the design of new products and services and includes numerous other measures to ensure compliance with data protection requirements. To plan, implement and regularly monitor all these measures in a systematic and risk-based manner, it uses an integrated data compliance management system.
Holistic data responsibility
Data responsibility is more than data protection. The Mercedes-Benz Group is taking on this responsibility with a holistic approach to data governance. This approach covers legal, cultural and organisational aspects. The key aims are the sustainable design of data-based business models and the responsible handling of data in the interest of customers, employees and other stakeholders. In order to achieve these aims, the Mercedes-Benz Group has introduced measures such as establishing the Group-wide Data Governance System. This system primarily consists of the data governance structure, the data model, the data culture and a data compliance management system.
Data governance structure
The data governance system was developed at the Board of Management’s Integrity and Legal Affairs division. The implementation of data governance in the divisions of the Mercedes-Benz Group is the responsibility of the various bodies for data and data analytics. These are cross-functional teams of managers who undertake data-related responsibilities. The teams meet regularly to drive forward the digital transformation process within the divisions on the basis of the measures prioritised by the Board of Management. All relevant specialist units coordinate their current data analytics projects in these bodies and thereby create the basis for the efficient and responsible use of data. Specialists at Corporate Data Protection monitor the projects from the outset in order to help ensure that they are conducted in compliance with all relevant laws.
Within Mercedes-Benz Group AG, a Digital Governance Board that includes members of the Board of Management has been created. Since the beginning of 2022, this board has been continuing the work previously conducted by the former Data Governance Committee. The body defines the framework for Group-wide core topics of digital governance and thus supports the digital transformation of the Group.
The operational implementation of the Mercedes-Benz Group’s strategic goals in the area of data responsibility takes place in the individual business units. To this end, each business division of the Mercedes-Benz Group has established a corresponding programme for the creation of specific processes and systems to ensure the responsible use of data.
Reliably controlling data protection and data compliance
The Chief Officer Corporate Data Protection at the Mercedes-Benz Group performs the tasks required by law to ensure compliance with data protection rules. Together with his team, he monitors compliance with data protection laws and the Group’s own data protection policies. His tasks include handling complaints regarding data protection and communicating with the regulatory data protection authorities. He also carries out communications and training measures. In addition, he advises responsible individuals and specialist units on all questions relating to data protection. He is independent and reports to the Chief Compliance Officer and the Board of Management member for Integrity and Legal Affairs.
Corporate Data Protection, headed by the Chief Officer Corporate Data Protection, defines the individual elements of the Data Compliance Management System and coordinates its Group-wide implementation. The responsibilities of the Chief Officer Corporate Data Protection also include the performance of an annual data compliance risk assessment and the definition of data compliance measures. The implementation of such measures is the responsibility of the management of the respective corporate companies and divisions.
An important interface for the group-wide management of data compliance is the function of the Chief Compliance Officer, who heads the compliance organisation and reports on current data compliance developments to the Board of Management member for Integrity and Legal Affairs on a regular basis and also submits quarterly reports to the full Board of Management.
Our approach to the effective management of data protection also relies on local contact persons at our numerous sites and facilities around the world. These Local Compliance Officers or Local Compliance Responsibles support the local management’s implementation of the data compliance measures. The Mercedes-Benz Group prepares these local contacts specifically for their tasks and supports them with training and advisory services.
The data vision provides the framework
The Mercedes-Benz Group’s commitment to the responsible handling of data is anchored in its data vision, which provides employees with a clear framework on how they should handle data. It has been publicised throughout the Group and has also been incorporated into the current version of the Integrity Code.
The Mercedes-Benz Group also meets the high expectations of its customers with regard to data security in its vehicles: data security measures are constantly being refined in line with advances in IT in order to protect the data against manipulation and misuse.
For the Mercedes-Benz Group, effective data protection and data security in the vehicle are integral components of the development of products and services.
Data Protection Policy EU: Binding Corporate Rules
Based on the General Data Protection Regulation (GDPR), the Data Protection Policy EU defines uniform internal data protection standards for the Mercedes-Benz Group. This Policy regulates how EU-related personal data of employees, customers and business partners are to be handled for all Group companies. With it, the Mercedes-Benz Group is giving due consideration to the special regulatory environment in its European core market.
The European Data Protection Board recognised the Policy as Binding Corporate Rules (BCR) during the reporting year. By complying with these BCR, the Mercedes-Benz Group ensures an appropriate level of data protection when transmitting personal data to Group companies in third countries.
The global data and information policy regulates data compliance worldwide
The Mercedes-Benz Group’s global data and information policy forms the basis for the responsible, legally compliant and ethical handling of information and data worldwide. It represents the responsibilities and roles in a data and information-based environment transparently. In addition, the policy specifies targets, principles and organisational structures and determines measures for implementing the data compliance processes. It also includes the Global Standards for Data Compliance, which are designed to ensure a consistent level of data protection across the entire Group. In this way, the Mercedes-Benz Group is setting a binding standard that is supplemented by the requirements of the internal Data Protection Policy EU and the respective applicable local data protection laws. The policy is adapted on a regular basis to reflect current developments and its content further developed.
Data Compliance Management System
The Data Compliance Management System supports the Mercedes-Benz Group in the systematic, risk-based planning, implementation and continuous monitoring of the measures to ensure compliance with data protection requirements. It takes into account the applicable data protection regulations. For Group companies in the EU, the GDPR is particularly significant; for companies outside the EU, the basis is provided by the internal Global Standards for Data Compliance and the respective local data protection laws.
Responsible handling of Artificial Intelligence
Artificial intelligence (AI) is playing an increasingly important role for the future of the automotive industry in a wide variety of areas: it boosts flexibility and efficiency in production operations and enables the Group to meet the needs of its customers even better. But, alongside its great potential, the use of intelligent systems also holds risks – of which the Mercedes-Benz Group is aware. The responsible handling of AI is therefore a high priority.
Four principles for the use of AI
In 2019, the Mercedes-Benz Group defined and published four principles for the responsible handling of AI. They are: “Responsible Use”, “Explainability”, “Protection of Privacy” and “Safety & Reliability”. The objective is to approach AI-specific risks preventively. The principles are intended to provide employees with orientation for the development and deployment of AI and to strengthen trust in the Group’s own AI-based solutions.
The principles are anchored in the Mercedes-Benz Group’s Integrity Code. They complement the data vision and are thus an important component of digital corporate responsibility.
Governance for AI
In addition, the Mercedes-Benz Group has developed a framework for dealing with AI. With a risk-based and agile approach, it wants to bring the four AI principles even more strongly into practice and ensure a legally compliant and ethical approach to AI.
The AI governance approach supports the Mercedes-Benz Group in identifying and minimising legal and ethical risks at an early stage – and thus in implementing AI-based business models responsibly. At present, it is especially focused on systems that use Machine Learning (ML) or Deep Learning (DL).
In the reporting year, the Mercedes-Benz Group further developed its AI governance approach. The focus was on integrating new ethical and regulatory requirements and harmonising AI governance more closely with existing processes.
Among other things, the Mercedes-Benz Group has optimised an innovative chatbot, which supports employees in quickly and easily assessing AI-specific risks themselves. Furthermore, the Mercedes-Benz Group has expanded its information activities and updated the AI Principles Implementation Guidance. Central AI governance consultation supports employees in implementing AI projects in a responsible way.
Internal information and training measures
In its transformation, the Mercedes-Benz Group is focusing on a more active use and responsible handling of data. The seven principles of the data vision serve as a framework here.
In order to establish the data culture group-wide, it is important that all employees embrace these principles and can put them into practice in their daily work. To this end, the Mercedes-Benz Group offers its employees various web-based training, education and qualification measures.
All employees of the controlled Group companies who have email access must complete the web-based training courses “Integrity@Work” and “Data@Mercedes-Benz” every three years. Among other things, these training measures increase awareness of data protection issues and explain how data can be used sensibly. They also show how employees themselves can handle data responsibly. Participation in a web-based training course on the GDPR is mandatory for managers in the EU. The local management of each group company can extend these offers to additional employees. Members of the executive management and all supervisory bodies must also complete the web-based training course “Corporate Governance” every three years; this course also contains information on data protection. Thanks to the IT-supported Learning Management System, all training measures are available around the globe.
Employees from areas of particular relevance for data protection – for example, human resources, sales or development – receive personal training from the responsible Local Compliance Officer or Local Compliance Responsible. In addition, in group companies associated with a high data protection risk, annual training plans are drawn up and participation is documented.
The local compliance organisation plays an important role in implementing, advising and monitoring compliance measures. For this reason, the Local Compliance Officers and Local Compliance Responsibles from group companies associated with a medium or high data protection risk undertake a training programme on data protection and data compliance in addition to the above-mentioned training courses. In this programme, the Mercedes-Benz Group provides them with a basic knowledge of data protection law and guides them in their specific tasks. Local Compliance Officers and Local Compliance Responsibles at group companies associated with a low data protection-related risk take part in a video-based training programme with comparable content.
In addition, employees of the Mercedes-Benz Group are provided with extensive information on the topic of “data” on the Social Intranet.
The Mercedes-Benz Group sets a high standard for the handling of customers’ personal data. Customers use the Mercedes me Privacy Center, which was introduced in 2021, to obtain an even faster and more straightforward overview of what personal data of theirs is stored by the company. They can decide for which purposes Mercedes-Benz is allowed to use this data. The focus here is on user-friendliness. The customer can directly navigate to his or her available choices via three intuitive categories. This service underlines the principles of choice and transparency as set out in the data vision and stands for the responsible handling of data.
The Mercedes-Benz Group intends to further strengthen the trust of its customers in the Mercedes-Benz data processing. The Mercedes me Privacy Center is to be further developed for this purpose. To further increase the reach and involvement of the Privacy Center, Mercedes-Benz Cars is developing it for the next important touchpoint: the Mercedes me App. Customers should be able to manage not only their Connect services or vehicle settings, but also their data protection settings in the app. The app module is expected to be available for most markets before the end of 2023 and will be further developed based on customer interaction and feedback.
The Data Compliance Risk Assessment is a key component of the Mercedes-Benz Group’s Data Compliance Management System. As part of this systematic process, the Corporate Data Protection unit identifies, analyses and evaluates the data protection risks on an annual basis. This applies equally to Group entities and to the central divisions. The results of this analysis form the basis for managing and minimising risks.
Risks of digitalisation
The digitalisation strategy opens up new opportunities for the Mercedes-Benz Group to increase the benefits for customers and the values of the Group. Nevertheless, the high penetration of all business areas with information technology (IT) also harbours risks for business and production processes as well as their services and products.
Cybercrime and malware pose risks that can affect the availability, integrity and confidentiality of information and IT-based resources. In the worst case, IT-supported business processes could be interrupted despite comprehensive precautions. This scenario could have a negative effect on the Group’s financial result. Furthermore, the loss or misuse of sensitive data can, under certain circumstances, lead to a loss of reputation. Stricter regulatory requirements can also give rise to claims by third parties and result in costly remediation obligations as well as penalties that affect the results of the Mercedes-Benz Group.
For the globally active Mercedes-Benz Group and its comprehensive business and production processes, it is essential that information is kept up to date, complete and correct, and that it can be exchanged. The Group’s own cyber and information security regulations are based on the ISO/IEC 27000 series of standards for information security. New regulatory requirements on cyber security and cyber security management systems are taken into account in the further development of the processes and specifications of the Mercedes-Benz Group.
Secure IT systems and a reliable IT infrastructure are operated with the protection of information as a guiding requirement. In addition, risks are identified over the complete life cycle of applications and IT systems and treated according to their importance. The information security risk management process ensures that Mercedes-Benz Group IT security risks are systematically identified, assessed, addressed and regularly reviewed. This also includes information risks arising from cooperation with business partners, suppliers, authorities, customers and other external third parties. The requirements for the process comply with ISO/IEC 27005:2018. The Mercedes-Benz Group places particular focus on risks that lead to business processes being interrupted or to data being lost or falsified due to IT system failures.
The Group’s goal is to reduce possible downtimes in the event of damage and to keep the associated effects on the business processes as low as possible. To this end, the Mercedes-Benz Group is strengthening the resilience of its IT – among other things, emergency plans were updated during the reporting year and a crisis management exercise was carried out within the Group.
Special attention is required in this area due to the advance of the digitalisation and networking of manufacturing facilities. The Group is therefore constantly working to refine its technical and organisational security measures.
In a globally operating Cyber Intelligence & Response Center, the Mercedes-Benz Group analyses specific threats and coordinates countermeasures. It is also continuously expanding the protection of its products and services against threats from hacker attacks and cybercrime and also runs cyber security programmes to systematically reduce the risks.
In addition, Mercedes-Benz Group AG has held cyber insurance for several years. Here, risks from cyber attacks are covered in accordance with the insurance conditions typical in the market and up to the amount of the agreed sum insured.
The Mercedes-Benz Group estimates the extent of information technology risks and the probability of occurrence of corresponding incidents to be largely unchanged compared to the previous year due to the constant implementation of countermeasures.
Dealing with personal data breaches
A central reporting process has been established in the Mercedes-Benz Group for all incidents relating to information security: the “Information Security Incident Management” process of the Cyber Intelligence & Response Center (CIRC). The CIRC hotline can also be used to report data protection violations worldwide around the clock by telephone or email. Employees and contractors are instructed to report all potential personal data breaches via this system. Incidents relating to data protection that occur at units subject to the provisions of the GDPR are addressed by the Corporate Data Protection unit, which is supported in its local investigations by a local Incident Support service. The Corporate Data Protection unit then issues a recommendation to the local management team as to whether supervisory authorities must be informed of the incident and whether the affected data subjects must be notified within the period stipulated by law. In units which are not subject to GDPR, the Local Incident Support takes over the further processing. Together with the local management teams, it decides whether supervisory authorities must be informed of an incident and whether affected data subjects must be notified. The Corporate Data Protection unit can be brought in for support at any time. The results of all investigations must be submitted to the Corporate Data Protection unit for documentation purposes.
During the reporting year, a small number of cases were reported to the responsible data protection supervisory authorities. No measures were taken by the official authorities against the Mercedes-Benz Group as a result.
In addition, the Mercedes-Benz Group has established a general whistleblower process, through which all potential compliance violations can be reported. If locally permissible, the report can also be made anonymously. The process enables fair and appropriate handling of reports on incidents that pose a high risk to the Group and its employees.
The contact details of the Chief Officer for Corporate Data Protection are publicly available. He – or his team – is available as a point of contact for any customer with data protection concerns.
The number of complaints received by Corporate Data Protection is at a low level. Data protection supervisory authorities conducted no investigations during the reporting year as a result of customer complaints, and no measures against the Mercedes-Benz Group were initiated.
The Mercedes-Benz Group promotes open dialogue with external stakeholders. Its aspiration is to interact and share information with experts from associations, data protection authorities, industry and universities in particular and to take their interests into account. As part of the “Sustainability Dialogue” 2022, the participants in the “Data Responsibility” working group discussed the topic of “Strengthening customer trust in Mercedes-Benz data processing”.
As part of its association and committee work with the Federation of German Industries (BDI) or the European Automobile Manufacturers’ Association (ACEA), the Mercedes-Benz Group has also participated in the public discourse on open legal and ethical issues relating to AI.
Effectiveness and results
Effectiveness of the management approach
The Mercedes-Benz Group’s Data Compliance Management System is constantly being further developed. With the help of an annual monitoring and reporting process, it examines the extent to which the previously defined measures have been implemented and the goals pursued with them have been achieved. In this way, the compliance organisation is able to assess on an ongoing basis whether the compliance management system is appropriate and effective. Any resulting need for action, the measures subsequently taken and their implementation are documented as part of the Group’s compliance reporting process.
The annual monitoring evaluation of the Data Compliance Management System has shown that its design is appropriate and suitable for achieving the compliance objectives. There are no indications that the implementation objectives of the Data Compliance Management System were not fully met in the reporting year. In terms of operational effectiveness, there are indications that the objectives of the Data Compliance Management System have not been fully met. Identified weaknesses are analysed and transferred to a lessons-learned process.
On the basis of its data vision and its principles, the Mercedes-Benz Group focused on strengthening customers’ trust in the Mercedes-Benz Group’s data processing in the year under review.