PROTECTING SENSITIVE DATA

GIZ’s data protection strategy is based on the EU’s General Data Protection Regulation (GDPR) and is applied at all sites worldwide. The company has appointed a Data Protection Officer with two deputies. Responsibility for implementing the GDPR at operational level within GIZ lies with the Data Protection Management Unit.

Data protection at GIZ

The main role of GIZ’s Data Protection Officer and the Data Protection Management Unit is to structure all processes involving the collection or processing of personal data in such a way that they meet data protection rules at every stage. This is designed to ensure that the rights to informational self-determination of all data subjects (in other words, all those individuals whose personal data are processed at GIZ), as enshrined in the GDPR, are protected.

Whereas the Data Protection Officer and their team report directly to the designated member of the Management Board, the Data Protection Management Unit forms part of the Digital Transformation and IT Solutions Department (DIGITS). In 2022, the Data Protection Management Unit is to be transferred to a new Information Governance Unit.

In 2021, one of the priorities of the Data Protection Officer and the Data Protection Management Unit was not only to provide advice on processing data in compliance with data protection requirements, but also to implement the EU’s new standard contractual clauses in the company. As in 2020, there was also considerable demand for advice on implementing the German Protection Against Infection Act in compliance with data protection requirements and on the national regulations on containing the COVID-19 pandemic in our partner countries.

The responsibilities of the Data Protection Officer

The Data Protection Officer advises internal and external data subjects. They monitor compliance with data protection rules and regulations in the company and maintain an ongoing dialogue with the supervisory authority. The role also involves providing advice to the Management Board and senior company managers on every aspect of data protection. The Data Protection Officer reports to the Management Board on an ongoing basis and is a member of the Risk Management Committee, whose remit extends across the company. Since 2014/2015, the Data Protection Officer has also conducted data protection audits worldwide.

The Data Protection Officer is also the point of contact for complaints relating to data protection and is responsible for looking into any such complaints. The Data Protection Management Unit assists the Officer in investigating suspected cases and in eliminating the causes of the problem if a complaint proves to be substantiated. The number of substantiated complaints relating to data protection in 2021 (seven) was comparable to the 2020 figure (nine). All were one-off cases that were resolved by mutual agreement.

The number of individuals who asserted their rights to be informed about personal data held and to have their data erased, as enshrined in the GDPR, increased again in 2021. Two individuals asked for information about personal data held, and there were 19 requests for such data to be deleted (compared with a total of 13 requests in the previous year and one request in 2019). This is an indication of the increasing awareness in this area.

The data protection management system as the digital response to increasing requests concerning data protection

Data protection management at operational level is organised separately from the work of the Data Protection Officer. In cooperation with the relevant organisational units, the Data Protection Management Unit is responsible for implementing the GDPR at GIZ. Compared with the previous year, the number of enquiries received relating to data protection in 2021 (3,500 in total) increased once more by 20 per cent, thereby averaging around 290 requests per month. Increasingly, the Data Protection Management Unit is also handling surveys (total number: 633), for example among staff and partner organisations or surveys to evaluate the results of individual projects.

Due to the huge surge in digitalisation, it became necessary to digitalise manual processes in a data protection management system. GIZ has had a data protection portal since August 2021 to help optimise digital working methods. The online service for Head Office units and the field structure enables email and document-based communication to be reduced, facilitating digital collaboration. It also serves as an audit-proof database for internal audits and for audits by the supervisory authority (the German Federal Commissioner for Data Protection and Freedom of Information – BfDI).

As an accompanying measure to raise awareness, staff are also required to participate in an e-learning programme as part of their onboarding. Thanks to communication on a broad front, including in training courses and information events, a number of different target groups are able to acquire knowledge and skills on this topic.

Information on the following Sustainable Development Goals (SDGs) can be found on this page:

SDG 5 Gender equality
SDG 8 Decent work and economic growth
SDG 10 Reduced inequalities
SDG 16 Peace, justice and strong institutions

Information on the following sustainability standards can be found on this page:
GRI standard 403, 406; UNGC 6; The Code 14, 15, 16