Data privacy and cyber security

The mandate and goal of our Group Data Privacy unit is to mitigate risks and create a global framework for data privacy-compliant business operations. This unit helps to train our employees to handle data responsibly and with clear accountability. It safeguards our company by providing data privacy risk assurance and ensuring compliance with relevant data privacy laws globally. Group Data Privacy also contributes to creating value for the development of digital business models.

It is of critical importance for our business that we protect our information systems, their contents, and our communication channels against any criminal or unwanted activities. These include e-crime and cyberattacks, such as unauthorized access, information leakage and misuse of data or systems. Our goal is to complete the implementation of a global and consistent data privacy management system by mid-2023.

Roles and responsibilities

Group Data Privacy is an independent function, organizationally integrated into Group Compliance and Data Privacy. We have a Group Data Privacy Officer and a network of local Data Privacy Officers at various sites Group-wide. In line with external regulations, the Data Privacy Officers and their respective teams act independently and without receiving internal or external instructions. Group Data Privacy regularly prepares data privacy updates and a comprehensive data privacy report. This report is submitted to the Executive Board and the Supervisory Board.

Cyber Security is part of our Group Corporate Security Office. In addition, we have a Group Chief Information Security Officer and a network of Information Security Officers within the business sectors, each in turn supported by dedicated networks. The individual sectors hold risk ownership and act as our first line of cyber security defense. Our Global Cyber Security function acts as a second line of defense and has responsibilities regarding cyber security risk governance and oversight. Our third line of defense comprises internal audits.

New Cyber Security organization

At the beginning of 2022, we created a new Cyber Security organization with a mandate to improve trust and strengthen resilience against cyberattacks and data breaches.

Our Cyber Security team defines policies and standards for cyber security (including data security) while providing oversight, tools and systems to manage and monitor our overall cyber security risk exposure. The team is also responsible for providing 24/7 cyber security monitoring and incident response capabilities across the entire company environment as well as training employees across the organization on how to protect data appropriately.

Our commitment: Guidelines and standards

Our Data Privacy Policy and the corresponding standards and procedures define our principles for processing personal data. This approach allows us to achieve a high level of data protection for our employees, contract partners, customers, and suppliers as well as patients and participants in clinical studies. Our Group-wide understanding of data privacy is based on European legislation, in particular the European Union General Data Protection Regulation (EU GDPR). We are also taking steps to meet local data privacy requirements, where these are stricter than our Group-wide standards.

Our Group Cyber Security governance framework comprises organizational, process-related and technical information security countermeasures based on recognized international standards. In addition, we apply harmonized electronic and physical security controls (e.g. access control and security monitoring) to bolster our ability to handle sensitive data, such as trade secrets.

Training and IT tools

In line with the EU GDPR and our global approach to data privacy, we regularly conduct e-learning training courses in ten languages. In 2022, the completion rate for our e-learning courses was 98%.

We maintain a central IT tool to provide a single source for data privacy processes, such as registering data processing activities and reporting potential data privacy incidents. In 2022, we rolled out a new data privacy tool. In the reporting year, we registered no sanctioned complaints or incidents concerning breaches of customer privacy, data leaks, theft, or loss of customer data. In three out of 57 cases, minor personal data breaches were reported to the supervisory authority. These were not sanctioned.

Data Privacy

| | 2019 | 2020 | 2021 | 2022 Group | 2022 thereof: Merck KGaA, Darmstadt, Germany |
|---|---|---|---|---|---|
| Reported violations of Data Privacy Guidelines | 1 | 3 | 3 | 4 | 1 |
| Customer Privacy (1) | | | | | |
| Total number of substantiated complaints received from outside parties | 0 | 0 | 0 | 0 | 0 |
| Total number of complaints from regulatory bodies | 1 | 0 | 0 | 0 | 0 |
| Total number of identified leaks, thefts, or losses of customer data | 1 | 0 | 0 | 0 | 0 |

(1) These data only reflect incidents classified as significant.