BMW Group Report 2024

Sustainability Statement

Data security and data protection

Customer data protection

A relationship with our customers built on trust is of great importance to the BMW Group. In accordance with applicable laws, priority is given to protecting privacy, maintaining confidentiality and ensuring the integrity of personal data.

Within the Company, the Group Data Protection department performs the role of data protection officer, who is responsible for coordinating the global data protection network. To ensure that personal data is processed in compliance with the law, their core tasks include monitoring compliance with all data protection laws. The department also provides training for employees.

In addition, the Group Data Protection department advises on new projects, reviews compliance with data protection requirements and conducts process audits. In this capacity, it acts independently and without being subject to outside or hierarchical direction. It works closely together with the relevant data protection authorities, especially when it comes to clarifying fundamental data protection issues arising out of the growing connectivity of vehicles.

Dealing with the opportunities and risks associated with digitalisation

Advancing digitalisation and automation are opening up a wealth of opportunities. Areas where artificial intelligence is applied, for example in self-driving cars, the optimisation of production processes or personalised customer experiences, offer great potential, but also entail risks, such as risks to data privacy and the threat of cyberattacks ↗ Risks and Opportunities. It is for this reason that the BMW Group continually develops its processes and systems.
Identified data protection risks that may have both systemic and individual impacts are dealt with immediately. In the reporting year, the following measures, among others, were implemented or expanded to ensure data quality and to increase data security:

— The consolidation and revision of customer profiles helps to ensure data consistency and accuracy.
— The CIC and the local data protection officers help customers to take responsibility for how they manage their own data.
— The launch of the Passkey procedure is a new, even safer way to register for online services.
— A system-wide approach has been implemented for a synchronised and automated exercise of data subjects’ rights in accordance with the General Data Protection Regulation (GDPR).

Furthermore, specific data protection guidelines have been defined for digital communication channels, such as the BMW and MINI websites and the My BMW and MINI apps. Among other things, they include requirements on app development, define terms such as “personal data” and provide specific instructions on the secure handling of customer data.

Organisation of and approach to preventing the misuse of data

Personal data obtained through contact with customers is collected, processed and used in accordance with data protection laws. The BMW Group collects data related to vehicles, customers and customer groups that could be linked to specific individuals using a combination of different identifiers. To prevent this and any possible negative repercussions for customers, the Company implements various measures, from anonymisation to solutions such as Privacy by Design.

In addition, all systems are regularly checked for compliance with the latest IT security standards. Specialised teams of experts systematically search for potential weak points. New findings are integrated into the development of mandatory safety standards.
The BMW Group uses the term “customer trust” to denote trust that data is processed correctly and securely, which is the cornerstone of a sustainable business relationship. A systematic approach to incident management is essential in order to prevent, detect and resolve possible incidents involving customer data. Incident management is an integral part of the information security management system (ISMS) and operates worldwide in cooperation with the Customer Data Delegates (CDDs). The CDD role is firmly established within the sales companies, financial services companies and corresponding central divisions.

The global CDD network ensures that tasks are carried out systematically and to a consistently high standard. The following ongoing measures and targets are being implemented and are due to run until 2026:

— internal auditing of sales companies
— setting up of project teams to secure departmental IT
— data protection projects on the rights of data subjects
— regular global and regional CDD workshops

With the aim of minimising risks when customer data is processed in various IT applications, the BMW Group takes a structured approach that gives equal consideration to all customer groups.

The goal of minimising the Company risk associated with a customer data breach is set out in the target management process which applies throughout the organisation. Responsibility for this lies with the CDDs. Those with functional responsibility in the business and IT departments are also involved.

In the unlikely event of a customer experiencing a negative impact, a structured incident response process is activated. Group Data Privacy Protection, the subsidiary in question and the corresponding CIC are involved in this process. Together they investigate the incident and take steps to resolve it.
