Sustainability Report 2022

Data protection

GRI 3-3, 418-1

Protection of personal rights and the right to informal self-determination

The task of data protection is to protect individual rights and in particular, the privacy of each person. For this purpose, lawmakers have extensively regulated the processing of personal data, and granted rights to each data subject to protect their own personal data. In the spirit of the Grafensatz “Grafen tip their hats”, the Zeppelin Group respects compliance with data protection requirements not only as a legal requirement, but also as an expression of honest, fair and responsible conduct. Zeppelin employees and business partners should be able to rest easy in the knowledge that their personal data can be protected.

To meet the ever-increasing legal requirements, as well as the importance given to data protection in the Zeppelin Group, Zeppelin maintains the Compliance and Data Protection division in the holding company, whose primary task is the ongoing development of the data protection management system within the Zeppelin Group. The division manages the global data protection organization, consisting of the Group Data Protection Officer as well as other data protection officers, data protection coordinators, and contact persons for data protection. These persons work together to ensure that the personal data of employees and business partners is handled in accordance with legislation. At the same time, they develop and support the introduction of necessary data protection and data security measures and further develop existing measures. However, the development of new digital products and services for customers, as well as the internal introduction of new tools and platforms, are also closely managed and monitored by the data protection organization. The data protection organization thus represents the interface to information security, which supports the projects from a technical perspective and in close coordination with Data Protection.

Progress in data protection

Progress on objective 1
  • Avoidance of data protection breaches through information and training
  • Number of identified data breaches pursuant to Article 33 of the GDPR, of which the number of incidents reported by supervisory authorities

The main objective is to prevent data protection violations by providing targeted information and regular training for employees. Employees are made aware of data protection matters as part of the training and must take mandatory e-learning courses on data protection and information security.

Participation rate in data protection training
Data Protection basic training Unit Roll-out 2021 2022
Total number of participants Number 4,301 7,080
Participants among the Management Board1 Number N/A N/A
Total participation rate % 40.75 68.80
1 The evaluation at function level will only be possible from 2023.

The Group Data Protection Guideline is the central, binding policy on data protection management at Zeppelin and summarizes the rights and obligations, as well as the desired conduct, when handling personal data for all employees. Accompanying guidelines, including their visualization, process summaries, as well as information brochures and data protection notices for employees, provide guidance and transparency at the same time. Further information and templates are available at all times on a central data protection page on the Intranet.

In addition, customers can obtain information on all of Zeppelin’s apps and websites about the processing of personal data when using our websites, apps and platforms, but also when using our services. Fair and responsible behavior towards customers also means being transparent in what you do.

Summary of data protection complaints
Data protection complaints Unit 2020 2021 2022
Reported data protection complaints (in accordance with Article 33 GDPR) Number 12 10 56
of which breaches reported to supervisory authorities Number 0 0 6
Complaints concerning breaches of customer data protection Number N/A N/A 0
Complaints from external parties % N/A N/A 0
Complaints from supervisory authorities % N/A N/A 0
Total number of identified cases of data theft and data loss related to customer data Number N/A N/A 28

The introduction of new data protection management software in December 2021 resulting in the digi­talization and harmonization of numerous processes of the data protection management system within the Zeppelin Group. Among other things, the possibility of reporting data protection violations online has been created, which makes it even easier for employees to report such violations. At the same time, the process for incoming reports has been further optimized, which in part leads to earlier involvement of the data protection organization and, if necessary, information security. The significantly increased numbers in 2022 show that the new reporting channel and the adapted processes are well received by employees. Furthermore, the adapted processes can be used to make significantly better evaluations with regard to the types of data subjects and the type of data protection incident.

Data protection measures

The Zeppelin Group is continuously working on refining and improving its data protection management system (DMS). As already described, data protection management software was successfully introduced in December 2021, which brought with it numerous new processes. In 2022, employees were continuously informed about this and trained in its use. In addition, a report was created on the most important data protection key figures, the main component of which is the information obtained from the data protection management software.

GRI Index