Data Protection: Governance, Processes and Responsibilities

The protection of personal data is a key priority for the IBB Group. This page provides an overview of the organisational embedding of data protection, regular analyses and audits, incident reporting and notification procedures, as well as training and awareness measures for employees.

Governance Structure and Responsibilities

Within the IBB Group, responsibility for compliance with data protection requirements lies with each individual group company and is exercised by its respective Executive Board or Managing Directors.

At IBB, the Data Protection Officer reports regularly (approximately five times per year) to the Executive Board and provides information on current data protection-relevant topics and developments, awareness measures, and data protection incidents. Incidents subject to mandatory notification to the competent supervisory authority are reported to the Executive Board without delay. Reports on completed audits are submitted to the Executive Board immediately after completion. In addition, the Data Protection Officer provides a consolidated annual report on legal and internal developments and highlights potential challenges and risks.

All employees are bound, at the start of their employment, to observe data confidentiality and secrecy obligations.

At IBB Ventures and IBB Business Team, strategic responsibility for data protection lies with the respective Managing Directors of each company. In both companies, a Data Protection Officer has been appointed who coordinates the implementation of data protection requirements, supports risk analyses, and reports regularly to management. The management of IBB Ventures also informs the Supervisory Board at least once a year on data protection and IT security matters; corresponding information is also incorporated into the Group Sustainability Statement of the IBB Group.

At IBB Capital, responsibility for data protection lies with the management of the company, and no external Data Protection Officer has been appointed. The management reports to the Supervisory Board on data protection matters once a year.

Regular Data Protection Analyses and Audits

IBB ensures a high level of data protection through technical and organisational security measures, which are continuously improved in line with technological developments. The register of processing activities is supplemented by the responsible departments for new or amended processing activities and is reviewed for accuracy at least once a year. Data Protection Impact Assessments are carried out for relevant processing activities.

Internal Audit regularly conducts reviews of compliance with data protection requirements. In addition, the Data Protection Officer carries out independent audits. The results and any recommendations for action are reported to the Executive Board and to the audited departments concerned.

At IBB Ventures and IBB Business Team, the data protection management system supports regular audits (including technical and organisational measures, review of processors, updating of Data Protection Impact Assessments) carried out by the respective Data Protection Officer. The results are incorporated into the annual data protection report; interim reports are prepared if required.

Data protection analyses are conducted at least annually and on an ad hoc basis, in particular in the event of material changes or new processing activities, the engagement of new service providers, or changes of subcontractors. Regular internal or external audits and operational reviews assess the effectiveness of data protection measures, compliance with statutory requirements and internal policies, and the appropriateness of documentation. The results are documented, reported to management, and used for the continuous improvement of the data protection management system. All data protection documents published on the intranet are reviewed annually and, in the event of changes, must be acknowledged again by employees.

Incident Reporting and Notification Process

At IBB, a defined process exists for the internal reporting and documentation of data protection breaches. Reports are submitted by the respective departments via an internal electronic reporting platform in which all relevant information is recorded. The reporting department carries out a risk assessment in accordance with the criteria of ENISA (the European Union Agency for Cybersecurity's methodology for assessing the severity of personal data breaches). The Data Protection Officer performs an independent second risk assessment and advises the Executive Board on any notification obligations towards the competent supervisory authority. The decision on notification to the supervisory authority is taken by the Executive Board. The notification and, where applicable, the information of affected individuals are carried out by the Data Protection Officer in close coordination with the Executive Board.

At IBB Ventures and IBB Business Team, reports are made without delay via various reporting channels that are clearly communicated and regularly reviewed. Following receipt of a report, a standardised risk assessment is carried out to assess the severity of the incident and the potential impact. Incident management is supported by several instruments (including the data protection handbook on the intranet, training materials in the Learning Management System, process descriptions, and electronic reporting systems, including whistleblowing and enquiry forms).

At IBB Capital, management itself assumes the duties of the Data Protection Officer. In the event of data protection breaches, the response is based on the analogous application of the IBB Group’s internal procedures.

Awareness and Training of Employees

At IBB, employees are required to participate regularly in data protection training. The training covers, among other topics, responsibilities, secure data processing, reporting obligations, and IT security.

Awareness of data protection is further strengthened through regular awareness measures implemented by the Data Protection Officer, including intranet publications on current developments, publication of the annual report, events on data protection-relevant topics, and information on audit results.

At IBB Ventures and IBB Business Team, a digital e-learning system has been introduced which all employees must complete at least once a year. Training progress and participation are documented automatically for reporting purposes. In addition, regular, target-group-specific information on current data protection topics, legal changes, internal policies, and best practices is provided via various communication channels, such as email newsletters or interactive digital information events.

At IBB Capital, all employees participate once a year in a web-based data protection training course, which is documented. In addition, ad hoc awareness measures are carried out several times a year, including within the framework of formal information formats or through direct communications from management, for example on phishing incidents.