Governance and compliance
In addition to the legal and organisational responsibilities to which the Board of Directors and Management Board of TX Group are subject (responsibilities of the Board of Directors, pages 20-37 in the annual report), and as a leading and recognised network of digital platforms, the company places its compliance focus on the two aspects of cyber security and data protection. Ensuring the IT security of TX Group falls under the responsibility of the company’s Chief Information Officer. The relevant cyber security regulations were drawn up, adopted and implemented on an organisational basis in the 2022 financial year. The Group Chief Information Security Officer (CISO) is responsible for cyber security at TX Group, Tamedia, 20 Minuten and Goldbach, as well as at companies such as Zattoo and Doodle in which TX Group holds a majority interest. For those companies and interests not controlled by TX Group, such as smg and Jobcloud, the Group CISO acts in an advisory capacity or on a contract basis. Other TX Group ventures have their own IT security solutions and are also supported by the Group CISO if required. Cyber security is understood and used as an «immune system» that is intended to continuously monitor, ensure, protect and strengthen the resilience of TX Group’s IT systems. Appropriate training for employees is a key factor here, enabling them to recognise virus or hacker attacks as effectively as possible and to act accordingly. These training courses are compulsory for new employees. In order to test the IT infrastructure and counter possible weaknesses or errors, TX Group also organises its own «bounty» programme. Here the company is able to draw on the collective expertise of a global community of security researchers; interested parties can register with us for this «Bug Bounty» programme and receive a reward when vulnerabilities are discovered. This collaborative, proactive approach also reflects TX Group’s cyber security philosophy.
In their day-to-day work, the company’s IT security team cooperates closely and in a spirit of trust with the employees responsible for data protection. At TX Group level, up until the end of 2022, these were the five members of the «Data Protection Steering Committee»: appointed by the Management Board, they determined the measures required for compliance with the relevant data protection legislation and laid these down in the «Data Protection Regulations». From 2023 onwards, this task will be taken on by a new body («Data Protection Board») consisting of representatives of TX Group Operations so as to ensure it is carried out more efficiently and also to give it even greater weight within the company. The Data Protection Board and its members are also appointed by the TX Group Management Board. In addition, TX Group has appointed a Group Data Protection Officer (Group DPO) to review and monitor compliance with the relevant data protection legislation as well as to recommend and implement further measures. Furthermore, they supervise the organisation of data protection and the processing of personal data within TX Group. In organisational terms, the Group DPO is attached to TX Group Legal Services. The individual companies of TX Group, such as Tamedia, 20 Minuten and Goldbach, also designate their own data protection officer (DPO) who is assigned tasks in accordance with the law, a data protection manager for coordination purposes and as an interface between the respective company division and the Group DPO, and also various data protection contact persons who support the responsible DPO in carrying out data protection assignments within the company. In the reporting year, TX Group revised its data protection regulations and relaunched the process for setting up, maintaining and updating data processing directories. In addition, the company defined and implemented a standardised, IT-based internal solution for recording, transmitting and processing data subject rights requests and any data protection incidents («data breaches»).
One of the most important principles underlying the company’s data protection measures is that almost all customer data is stored in a cloud solution. As a rule (i.e. where the cloud solution is maintained and managed by the company’s own employees), Amazon Web Services (AWS) is used for this purpose. The storage facilities (instances) used are located in the European Union (Ireland and Germany) and in Switzerland; TX Group uses the AWS storage facilities in Switzerland. For the small amount of data not stored in the cloud, SAP is used; this system was installed internally by TX Group and is used by the company for a range of different purposes. In the reporting year 2022, there were no substantiated complaints from persons or organisations outside the company, including in relation to the approximately ten data protection incidents. In the 2021 financial year, there were two substantiated complaints from persons or organisations outside the company and a total of eight data protection incidents (leak, theft, loss or similar). A fact-finding investigation by the Federal Data Protection and Information Commissioner (FDPIC) against Ricardo AG and TX Group AG has been pending for about four years. In addition, Doodle AG received one request each from the Saxon and Czech data protection supervisory authorities in 2021 and 2022. Apart from initial enquiries, no further action was taken in the latter two cases.