Ensuring legal compliance: guidelines for responsible conduct
GRI 102-16; GRI 102-17; GRI 412-3
Legal compliance is ensured at all levels of Tchibo. The basis for this is the Tchibo Code of Conduct (CoC), which we updated in 2017. It is binding for all employees of Tchibo GmbH and the international units, and regulates their dealings with business partners and customers. The CoC is based, among other things, on the core labour standards of the International Labour Organisation (ILO), and on international guidelines such as those of the OECD and the United Nations on business and human rights. For example, it prohibits any form of corruption, including the granting or accepting of advantages. An employee who violates one of these principles is subject to sanctions under labour law.
We regularly train our managers in dealing with the Code of Conduct. The managers also regularly confirm in writing that they have understood and complied with the rules of the CoC, and have reported any violations that have come to their attention. They also sign an assurance that they have explained the CoC to their staff and that they are monitoring compliance with the CoC. Each new employee receives a copy of the CoC. We inform our employees about developments – on the intranet and directly through their supervisors.
Compliance with internal and external requirements is monitored by maxingvest ag's Group Auditing department in internal audits. We offer employees, suppliers and customers the opportunity to point out possible misconduct by phone (whistleblowing), via an anonymous contact option operated by an independent body. If necessary, the information received is forwarded anonymously to the Compliance Committee as an internal investigative body. The Compliance Committee consists of various division heads of maxingvest ag and Tchibo GmbH as well as the Chairman of the Works Council. Grievances can also be brought to the attention of the works council, the human resources department, the legal department, the corporate responsibility department and the corporate audit department.
Compliance Management System
We have now structured the company's many compliance activities to date in a Compliance Management System (CMS) based on the PS 980 standard of the Institute of Auditors (IDW). The compliance organization is responsible for the details of the CMS. It develops Group-wide standards and guidelines, supports and facilitates measures and processes in the divisions, and advises the latter.
Our CMS is divided into seven core elements that interact with each other: compliance culture, compliance goals, compliance risks, compliance programme, compliance organisation, compliance communications, and compliance monitoring and improvement. The CMS provides a solid framework for ensuring that ethical and legal conduct is implemented across the Tchibo Group. The compliance programme – as part of the CMS – comprises principles and measures designed to reduce compliance risks. It accordingly includes preventive measures (regulations and sensitisation), compliance monitoring, responding to misconduct, and ongoing system improvement, e.g. as a result of self-assessments. One essential aspect is its integration into the company’s processes.
Identify and prevent: risk management
Our business is subject to various risks – e.g. from currency fluctuations or environmental incidents that can have an impact on commodity prices. As part of our integrated risk management system, we identify these risks and take preventive measures to limit them. We make a fundamental distinction here between company risks and supply chain risks.
We carry out risk inventories to take stock of all material risks. This includes compliance risks that may arise from non-compliance with legal requirements. In the 2018 reporting year, compliance risks are the main focus of our risk management.
We classify risks into three categories: short-term operational risks, one-off risks, and strategic risks. Within these categories a further differentiation is made. Risks that are acutely threatening are reported to the management immediately when they occur, so that potential threats can be controlled quickly. An update on the development of risks is incorporated into Tchibo's steering and planning systems several times a year. The Internal Audit department reviews the effectiveness of the risk management on an ongoing basis, and informs the Management Board and Supervisory Board of the risk situation in regular reports. These reports are taken into account in the Group Auditing department's risk-oriented audit planning. Information on threatening risks is immediately communicated to these bodies.
To guard against risks in the area of procurement, we integrate social and environmental requirements into our procurement and quality processes. For instance, we are gradually reducing the number of suppliers we use for our consumer goods, developing the remaining suppliers into strategic partners, and supporting them with the Worldwide Enhancement of Social Quality (WE) qualification programme. In our issues management, we analyse the relevant concerns of our stakeholders on an ongoing basis. For instance, in 2014 we decided to integrate the standards underlying Greenpeace’s DETOX Commitment into our purchasing and quality processes. Beyond this, we also practice resolute supplier monitoring as part of our risk management.
The compliance risks identified and assessed during the annual risk analysis are prioritised into top risks and form the framework for Tchibo's compliance management system. Our activities, such as training, processes and internal process instructions, are based on this. The identified compliance risks also form the basis for the ongoing further development of our compliance programme.
Information security & Data protection
To provide our customers with an outstanding shopping experience, a multitude of different processes must run quickly and reliably. For this – as well as for personnel management or internal administrative processes – we need the support of IT systems that store and process data and information. This data and information is often sensitive, for example because it is needed for decision-making within the company or because it could harm Tchibo if it fell into unauthorised hands. Sensitive data includes customer and other personal data, for which strict legal requirements exist. We also protect trade secrets such as strategies and pricing information, contracts, invoices, planning and reporting data, and data needed to operate the IT infrastructure.
The legally compliant handling of data worthy of protection is an important part of our corporate responsibility and is accordingly included in our Code of Conduct (CoC). Our security standards especially aim to prevent unlawful use by unauthorised persons. Our business partners are also obligated to handle personal data with care.
Increased requirements: EU General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation (GDPR), which came into force on 26 May 2018, entails significant changes to data protection requirements. The new GDPR has replaced the previous Federal Data Protection Act (BDSG) and the EU Data Protection Directive on which the BDSG is based. It poses a variety of challenges for companies – and Tchibo is no exception.
The GDPR contains stricter rules for companies and enforcement measures for public authorities in handling personal data. This increases the legal, operational and technical-organisational requirements for data protection. Among other things, companies must take appropriate technical and organisational measures to ensure data protection and data security. The legal framework for accountability has been considerably tightened. Companies must now be able to prove data protection compliance in their processes at all times.
It is therefore more necessary than ever before to firmly integrate data protection as a management topic into all relevant business processes. In this way, we want to meet the new GDPR’s requirements for documentation and risk assessment. Raising our employees’ awareness and a clear distribution of tasks within the national and international corporate divisions are just as indispensable for this as the development of a clear target vision.
Data protection: clear responsibilities
Tchibo has defined clear responsibilities for data protection. The company data protection officer’s department develops internal data protection guidelines. The data protection office also reviews, builds awareness about, and advises on data protection. Responsibility for the implementation of legal and internal data protection and information security requirements lies directly with each department. This means that each individual employee shares responsibility for the company’s compliance with data protection laws.
Any acute data or information risks are reported directly to the IT Governance and Corporate Data Protection departments. If necessary, the supervisory authorities, crisis management or the Management Board are then involved. In projects where data protection is a relevant factor, such as business process outsourcing, departments are required to involve the corporate data protection department.
Information security: management and measures
The security of our IT systems is a prerequisite for effective data protection. Information security also serves to protect information and systems from a wide variety of threats, ranging from simple malfunctions to hardware defects and cyber-attacks. The information security management system (ISMS) required for this is based on the nationally and internationally recognised standards ISO 27001, BSI Basic Protection, and the NIST SP 800 series, and is constantly undergoing further development by the IT Governance department.
Various coordinated technical and organisational measures serve to safeguard information security at Tchibo. Examples of technical measures include multi-level detection of malware and encryption of data storage and transmissions. We also involve specialist service providers, e.g. for defence against cyber-attacks or to monitor and respond to new threats. Organisational measures include guidelines, standards, company agreements and operational instructions.
Above all, the interaction of various measures is crucial for achieving an appropriate level of security. For example, technical security measures go hand in hand with the creation and communication of guidelines and with regular checks.
Just as important as these technical and organisational measures is awareness-building, training, and advice for employees. In addition to addressing data protection within the company, we also seek external exchange with other companies. For example, we are a member of the Hamburger Datenschutzgesellschaft (Hamburg Data Protection Association). Tchibo employees are also represented in the Data Protection Working Group of the Federal Association of German Mail-order Companies (bevh) and in the professional associations of IT auditors, IT security managers and IT governance experts. We are also in regular contact with other major Hamburg companies and partners. In this way we can learn from each other and develop further.
Happily, we did not identify any significant data protection breaches in 2017. Only minor breaches occurred, due to inadequate handling of requests for information and the incorrect sending of advertising. These were corrected by awareness-building measures.