03/02/2020 | XING

2019 Annual Report by the New Work SE Data Protection Committee

New Work SE offers brands, products and services that foster a more fulfilling world of work. As the operator of XING, the largest online business network in German-speaking countries, we are well aware of the major responsibility we have to our over 17 million members who rely on us to process and use their data as intended and in compliance with the letter of the law. In view of this, we are committed to protecting all the data entrusted to us in the best possible way. As a German company based in Hamburg, we have always been subject to stringent German data protection and privacy law, effectively making it part of our DNA. The EU General Data Protection Regulation (GDPR) came into force in May 2018, bringing with it a whole host of data protection and privacy requirements. While implementing this new legislation, we took the opportunity to offer our users even more transparency. Here, we worked with the Hamburg Officer for Data Protection and Freedom of Information to develop the Privacy at XING website to inform users of our services about privacy-related measures, provisions and updates.

The New Work SE Data Protection Committee (DPC) was established in 2018 with the aim of handling privacy throughout the New Work group, with activities extending beyond the realms of statutory requirements. The DPC advises the New Work SE Executive Board on privacy issues, while also assessing borderline privacy cases, reviewing internal processes, acting as a point of contact for every business unit within the company, and collaborating on projects deemed sensitive from a privacy viewpoint. Regular members of the DPC include the General Counsel/Vice President Legal and Compliance, the Information Security Officer, the Vice President External Affairs, and the New Work SE Data Protection Officer. Depending on the given circumstances, the DPC may also receive support from specialists in other departments. An overview of the DPC’s current members is available here.

True to its name, the New Work SE Information Security team has been a key partner for the DPC since 2018. This internal collaboration enables New Work SE to deal with data protection and privacy issues swiftly and proficiently, both on conceptual and practical levels, while also putting processes in place to keep pace with increasing demands and uphold the group’s exacting standards in terms of data protection, data security and privacy.

The DPC meets regularly, at least once per quarter, to discuss the latest privacy issues and agree on any action that needs to be taken. The DPC also convenes if any urgent circumstances arise that require it to meet. The activities and action agreed upon during DPC meetings are documented in detail, and the DPC has committed to publicise its undertakings in the form of annual reports.

2019 annual report:

Here are the main items the DPC covered during 2019:

1. Implementation of a group-wide privacy manual

2. Quality management and further development of the privacy management system

3. Broadening of measures to protect against identity theft

4. Coordination of major privacy-related incidents, complaints and enquiries from external authorities

1. Implementation of a group-wide privacy manual:

To standardise and uphold the same high privacy standards throughout the entire New Work group, the DPC developed and adopted a group-wide privacy manual in 2019 which lays down the main rules on how to handle information and data in need of protection. The aims of privacy and compliance with the EU GDPR are documented in a privacy and information security policy that applies to every company in the New Work group, with every employee bound by the provisions set out there. The main content there is imparted and reviewed, for example, in regular privacy training sessions.

2. Quality management and further development of the privacy management systems:

The DPC is also responsible for the quality of the group’s privacy management system. To this end, the DPC regularly reviews the existing policy and guidelines introduced in connection with the EU GDPR to ensure they are up to date and compliant. The DPC also reviews the privacy management system processes on a regular basis with a view to honing their effectiveness. In 2019, the DPC worked with the information security team to revise the group-wide privacy manual and add new guidelines. Furthermore, existing processes for privacy and information security incidents are reviewed and aligned, with the DPC incorporating the need for amendment arising from the ongoing development and specification of EU GDPR requirements.

3. Broadening of measures to protect against identity theft:

In 2019, the DPC also focussed its attention on credential stuffing attacks, which is where a data leak leads to account credentials being made public and then used to log in to an online service illegally. Attacks of this nature have also occurred on xing.com in the past, although New Work SE was not responsible for the data leak in any of those instances. However, XING members remain at risk of identity theft if they use the same login credentials on both XING and a platform that has suffered a data leak. As the operator of the XING platform, New Work SE has implemented a number of technical security measures to identify and avert such credential stuffing attacks. In addition, New Work SE constantly seeks to improve preventive measures, in particular by informing and sensitising users to potential and actual threats. In 2016, New Work SE became an industry partner for the research project on ‘effective information after an identity theft’ (EIDI) sponsored by the Federal Ministry of Education and Research. The main aim of the EIDI project is to enable people to report identity theft so as to minimise any further damage resulting from a data leak. New Work SE intends to continue its involvement in the EIDI project in 2020.

4. Coordination of major privacy-related incidents, complaints and enquiries from external authorities:

The DPC also meets outside of its regular meetings to discuss pressing privacy-related incidents, complaints and enquiries from external authorities, particularly if they are of major importance and relevance to the New Work group. As well as ascertaining and documenting the given circumstances, the DPC also prepares reports and communicates its findings, while also fostering a general exchange of privacy information within the group.

Visit https://privacy.xing.com/en for more information about privacy.

If you would like to get in touch with us about anything to do with privacy, please e-mail datenschutzbeauftragter@new-work.de