Photo: A person at a desk with monitor, laptop and printer looks at a sheet of paper while using the telephone.
© GIZ / Florian Kopp

Protecting sensitive data

GIZ’s data protection strategy is based on the EU’s General Data Protection Regulation (GDPR) and is applied at all sites worldwide. The company has appointed a Data Protection Officer with two deputies. Responsibility for implementing the GDPR at operational level within GIZ lies with the Data Protection Management Unit.

Data protection at GIZ

The main role of GIZ’s Data Protection Officer and the Data Protection Management Unit is to structure all processes involving the collection or processing of personal data in such a way that they meet data protection rules at every stage.

Whereas the Data Protection Officer and their team report directly to the designated member of the Management Board, the Data Protection Management Unit forms part of the Digital Transformation and IT Solutions Department (DIGITS).

In 2020, one of the priorities of the Data Protection Officer and the Data Protection Management Unit was to assess and advise on processing activities. This involved, for instance, determining to what extent it is legally permissible to process personal data. During the pandemic, these issues have become even more complex because, in addition to the standard legal provisions governing data protection, the Protection against Infection Act and German and international regulations regarding contact tracing have to be respected.

The responsibilities of the Data Protection Officer

The Data Protection Officer advises internal and external data subjects across the company, i.e. people whose personal data is processed by GIZ. The Officer monitors compliance with data protection rules and regulations in the company and maintains an ongoing dialogue with the supervisory authority. The role also involves providing regular advice to the Management Board and senior company managers on every aspect of data protection. The Data Protection Officer reports to the Management Board on an ongoing basis and is a member of the Risk Management Committee, whose remit extends across the company. Since 2014/2015, the Data Protection Officer has also conducted data protection audits worldwide; to date, audits have been carried out in 19 countries and country offices.

The Data Protection Officer is also the point of contact for complaints relating to data protection. In this they have the support of the Data Protection Management Unit, which assists with investigations where necessary. If a complaint proves to be substantiated, the Unit is involved in addressing and eliminating the causes of the problem. The number of substantiated complaints relating to data protection in 2020 (nine) was comparable to the 2019 figure (eight). All were one-off cases which were resolved by mutual agreement. In 2020, more people asked for information about personal data held and requested that such data be deleted (13 enquiries in 2020 compared to only one in 2019). This is an indication of the increasing awareness in this area.

Digitalisation places more rigorous demands on data protection management

Data protection management at operational level is organised separately from the work of the Data Protection Officer. Here, too, the number of enquiries received relating to data protection rose from 1,200 in 2019 to slightly over 2,900 in 2020 (marking a 142 per cent increase). This is partly a reflection of the massive leap forward in terms of digitalisation, reinforced by the COVID-19 pandemic. But it is also a sign of a significant increase in data protection awareness within the company. GIZ fosters this awareness and ensures that knowledge is communicated on a broad front, including in training courses and information events for different target groups. The company has also provided a mandatory e-learning programme for staff.

Increasingly, the Data Protection Management Unit is also handling surveys involving staff and partner organisations as well as surveys to evaluate the results of individual projects. An increase of over 300 per cent was recorded.

Data protection screening in the field structure, which was successfully introduced in 2019, had to be shifted online in 2020 as a result of the pandemic. The South Caucasus served as a pilot region in this regard.

Photo: Close-up of a computer mouse on a desk
© GIZ / Florian Kopp

Information on the following Sustainable Development Goals (SDGs) can be found on this page:

Graphic: GIZ: SDG 16 Peace, justice and strong institutions

Information on the following sustainability standards can be found on this page:
GRI standard 102-17; The Code 20