Digitalization is leading to the creation of new mobility concepts and business divisions. Data provides a basis for this development by enabling us to provide innovative services that offer our customers added value. At the same time, our customers expect their data to be protected. Our holistic data governance system aims to ensure sustainably designed data-based business models and the responsible handling of data in the interests of our customers. Topics where this approach is used include the opportunities and risks of connected and (partially) automated vehicles and data-based services. The protection of customer and employee data is a particular focus of our corporate digital responsibility.

Our approach to data governance is embedded in a comprehensive corporate project that is developing and implementing a wide range of measures in order to achieve the aforementioned goals.

  • Introduction of a comprehensive Data Compliance Management System: We are taking a risk-based approach to the development of a data-focused compliance management system.
  • A data vision: We are using a Group-wide approach to formulate our vision and the responsibility we bear with regard to data, as well as a set of guiding principles in order to give our employees a clear frame of reference for their actions.
  • Further implementation of our data culture: We are raising our employees’ awareness of the need to handle data responsibly, as well as the new challenges posed by data-based business models.
  • Creation of a data governance organization: At our divisions, we are continuously enhancing our data management system in accordance with the regulatory requirements and our integrity standards.

Connectivity and digitalization will play a crucial role in future mobility — whether it involves automated and driverless driving or new services. Our customers’ demand for connected services is already increasing steadily. In addition, data offers opportunities to increase efficiency and improve the use of resources in the value and production chains. At Daimler we are addressing these developments by means of a holistic approach to data governance in order to ensure the responsible handling of data. This will enable us to offer new services to our customers and other stakeholders and to securely handle the accumulated data.

The Group-wide data governance system is being developed at the Board of Management’s Integrity and Legal Affairs division. It provides all Daimler AG employees with a frame of reference for activities regarding data, including clearly defined basic principles governing data handling, such as transparency, autonomy and data security. We take market-specific and regional differences into account when applying these basic principles. We have installed appropriate processes and systems in order to ensure that our data processing is effective and efficient.

To make sure that our customers know why certain data is collected at certain times, we provide them with in-depth information about our data processing procedures in our sales materials, on the vehicle website, in the operating instructions and in the terms of use. We also want to make sure that our customers can decide for themselves which services they actually use and which data they would like to share — either by consent, by contract or as implied consent at the touch of a button. Our data security principle meets our customers’ stringent security demands. Daimler aims to protect its customers’ data against manipulation and misuse. We continuously enhance our data security measures in order to keep up with the progress of IT technology. The connected vehicle backend helps to protect data and is designed to ensure that customers can securely use services from Daimler and from third parties.

An important element of our data governance is a comprehensive Data Compliance Management System that brings together the data protection measures, processes and systems existing throughout the Group. Against the background of the increasing implementation of data-based business models and the new requirements due to the European Union’s General Data Protection Regulation (GDPR), our in-house measures to guarantee data protection have been adapted.

Implementation of the General Data Protection Regulation. In order to implement the EU’s General Data Protection Regulation (GDPR), the Corporate Data Protection unit has analyzed the new requirements and used this analysis to design practical guidelines for complying with them. This has helped all of the Group’s corporate units in the EU member states to prepare for the implementation of the new regulation in order to ensure a uniform approach. The guidelines emphasized that data processing must be transparent and that the affected individuals’ freedom of choice must be safeguarded as part of the overall guarantee of autonomy. Furthermore, the unit introduced procedures for data protection impact assessments, as well as methods for promoting data protection by design.

Our Data Compliance Management System supports our systematic planning, implementation and continuous monitoring of measures to ensure compliance with the data protection requirements. In the first step, the Data Compliance Management System is focusing on data protection law. For our corporate units in the EU, the GDPR is particularly relevant; for our corporate units outside the EU, the respective local data protection laws apply. Additional areas of the law that are relevant to data use are being successively incorporated into this system in order to comprehensively identify and minimize possible risks. The Data Compliance Management System stipulates an annual risk assessment process that helps us systematically analyze and evaluate all of our business units with regard to their risks related to data protection. The results of the Data Compliance Risk Assessment serve as the basis for the formulation of measures that address possible data protection risks. These measures include concrete processes for implementing the General Data Protection Regulation and local data protection laws, as well as various measures for communication, training and consultation within the relevant business units. The implementation of the stipulated measures is being evaluated and documented within the framework of a monitoring and reporting concept.

The Chief Officer Corporate Data Protection and his team monitor the implementation of the Daimler Corporate Data Protection Policy and the data protection laws. In addition, the Chief Officer Corporate Data Protection initiates communication and training measures and provides consultation. His tasks also include the handling of complaints regarding data protection and the reporting of breaches of data protection.

We regularly provide information on data protection incidents. There were no serious data protection incidents detected in 2018. The heightened awareness of data protection that has resulted from the introduction of the GDPR and the correspondingly broad range of relevant media reports is also reflected in the number of related inquiries and complaints. The number of inquiries and complaints received by Corporate Data Protection increased in 2018 by comparison with the previous year. By contrast, the number of investigations conducted by the data protection authorities in response to customer complaints decreased to three.

We believe that ensuring effective data protection in vehicles is an integral component of product development. The design of data protection in connected vehicles and within automated driving functions is therefore a key focus of our product-related data protection activities.

Our customers can rest assured that we assign a high priority to data protection in our vehicles. In addition to transparency in data processing, the choices we offer to our customers play an important role. Our customers can decide for themselves which of our services, such as Mercedes me connect, they would like to use. They can activate or deactivate these services at any time. Furthermore, they are always in control of access to, and use of, their personal data. For example, they can decide whether, and under what circumstances, their data can be shared with third-party suppliers. Customer data can be shared with third parties only with the active consent of the customer, which can be withdrawn at any time.