3.4 Cybersecurity and data privacy

Siemens’ data privacy management system

To put our data privacy measures into action throughout the Group, Siemens has made them an integral part of our compliance system. Our data privacy management system was established to ensure that all our business activities comply with data privacy requirements and the applicable laws. The system specifies policies, procedures, and controls required by the GDPR, including data subject rights, a privacy incident process, mandatory trainings, audits, and keeping a record of processing activities.

Transparency and rights of data subjects

Our websites, digital products, and solutions include data privacy policy statements that inform users about processing steps and data subject rights. When we process personal data on behalf of customers, we do so under contractual regulations that govern how the data is handled, including the transfer of customer data to third parties.

We want our people to be committed to data protection and regular training

Siemens’ employees receive regular training on how to handle personal data that is tailored to specific functions and target groups. For this purpose, we developed a web-based data protection training program consisting of an “Essentials” level that is mandatory for all employees who process personal data as part of their job and specialized “Nuggets” designed for specific fields and target groups.

[Figure: Data privacy management system to ensure compliance with data protection requirements in all business processes]

Data protection in our products and solutions (privacy by design)

Siemens wants to ensure that its products and solutions can be used in compliance with all relevant data protection rules. At Siemens, privacy by design means that compliance with the law, transparency, informational self-determination, data minimization, and data security are already applied when products and services are developed. Therefore, privacy by design is integrated into our product development processes.

Actions and results

Assessing and fostering our privacy by design processes was a key focus area in fiscal 2023. Privacy by design at Siemens is supported by our Privacy by Design Toolkit, a software solution that helps process owners incorporate data privacy in all the stages of product development. One of the Toolkit modules includes data privacy questions that must be answered before the launch of a planned product or service. The Toolkit is intended to integrate data privacy from the very beginning of a product’s development. We also rolled out a new privacy by design awareness training program in which product developers, in a virtual classroom, learn about and discuss data privacy challenges drawn from real business examples. As part of our global audit plan, selected Siemens products were also included in our data privacy audits.

Data protection at our suppliers and partners

Data protection requirements are consistently observed and implemented within the Group and by our external suppliers and partners. Suppliers and partners undergo a preliminary data protection audit and are required by contract to adhere to data protection standards.

Documentation

Siemens documents the purpose, risk, and security standards applied to all the Group’s processing activities in a central database: the Register of Processing Activities. This register allows us to evaluate whether data protection law permits a given processing activity and to document compliance with the applicable laws.

Controls

All data protection requirements and measures at Siemens are subject to regular controls. Siemens conducts risk-based data protection audits of its processing activities, products, and services.

Treatment of data protection violations

In the event of a potential data protection violation, a rapid response is essential to ensuring that the violation is swiftly stopped and corrected. To facilitate this, Siemens has established a global Data Privacy Incident Process that uses central reporting channels and aims to immediately inform all internal and external stakeholders (including the data subjects and regulatory authorities).

SIEMENS SUSTAINABILITY REPORT 2023 53