Deutsche Bank

Non-Financial Report 2017

Data Protection

All data, whether directly or indirectly related to a natural person, are protected by national and international regulations. Personal data includes, for example, information on customers as well as on Deutsche Bank employees and employees of our service providers. Since, in times of increasing digitalisation, virtually all business processes require the processing of personal data, the protection of these data is a matter of special concern to us.

Our Group Data Privacy (GDP) department is a specialized and independent control function located in Frankfurt, Berlin, New York, Singapore, London, and Birmingham. The department focuses on questions of legitimacy relating to the collection, processing, and use of personal data that have been provided to the bank. Our GDP team reports directly to the Management Board and is supported by local Data Protection Officers in the countries in which we conduct business. Thus, there are direct and indirect reporting lines between our central and decentralized data protection organization; regular reconciliation and constant exchange on data protection-related topics take place at the global, European, and local levels. In addition, Deutsche Bank participates in relevant committees and working groups, such as the “Bundesverband deutscher Banken”, IBM Guide Share Europe, and Bitkom, thereby contributing to the interpretation and development of industry-specific and prevailing standards. The mandate of Deutsche Bank's Group Data Privacy (GDP) is complemented by a Data Protection unit within Postbank.

Regulatory data protection is treated as a matter of high importance at Deutsche Bank: we observe and analyze data protection-related developments on a regular basis and implement relevant changes or adapt our control processes accordingly. The same applies to technical developments and new digital business models, which Group Data Privacy checks, together with the responsible areas, for compliance with data protection-related regulations and standards.

After more than four years of negotiations, the EU General Data Protection Regulation (GDPR) was enacted on May 24, 2016. With a transition period of two years, the regulation will take effect on May 25, 2018. Our main focus lies on implementing the extensive requirements jointly with our business divisions and infrastructure areas to ensure compliance by the end of May 2018. Non-compliance will entail significant fines and, as a result, considerable financial, regulatory, and reputational risks. Group-wide processes, contracts, guidelines, and forms are currently being reviewed and amended as appropriate to ensure compliance, as part of a larger effort to implement the requirements of the GDPR. Moreover, we are currently revising the control framework of Group Data Privacy to ensure a comprehensive review of compliance with data protection-related requirements. The GDPR program is accompanied by three Management Board members.

In order to prevent data protection breaches, and to ensure that any that do occur are dealt with effectively, appropriate processes have been implemented. They ensure that incidents are reported immediately and that proper measures can be taken.