ÖBB Annual Report 2023
Risk assessment update on data protection

The medium-term objective is to subject all registered processing activities in the Group to a data protection risk assessment. In contrast to IT risk management, this assessment does not evaluate the business risks but the risks to the rights and freedoms of the natural persons whose data is processed. By the end of the year, more than half of the entries in the registers of processing activities had undergone a risk assessment.

Outlook Data Protection 2024

Certification of the DSMS

As early as 2023, ÖBB-Holding AG teamed up with the IT division to evaluate the requirements for certification of the DSMS (data protection management system) in accordance with ISO 27701. Certification is scheduled for 2024. The prerequisite, certification of the ISMS (information security management system) in accordance with ISO 27001, was successfully completed in 2023.

Revision of the data protection information for employees

Data protection information has been available to employees on the HR portal since the GDPR came into effect. It discloses the essential aspects of data processing within the scope of the employment relationship. This information is to be fundamentally revised in 2024.

Transparency

The ÖBB Group bases the design and communication of its corporate governance on international standards and best-practice methods as well as on the Public Corporate Governance Code of the federal government. A key tool is transparent, timely and detailed reporting on many of ÖBB’s subject areas, together with their assessment and certification by external bodies. The ÖBB Group has functioning control bodies and mechanisms that perform their tasks. The duties of the Supervisory Board are defined by law, the Articles of Association and the Rules of Procedure for the Supervisory Board.
The most senior supervisory body (Supervisory Board) holds ordinary meetings five times a year and additional extraordinary meetings as required. At almost every Supervisory Board meeting, the Executive Board’s report to the Supervisory Board includes, in addition to the financial and activity reports, standardised reports on the topics of “Human Resources”, “Compliance”, “Internal Audit”, “Data Protection”, “Risk Management”, “Internal Control System”, “Security”, “Sustainability” and “Diversity”. Critical issues are also addressed through ad hoc reports to the Supervisory Board and information to the owner. GRI 2-15, 2-16

Compliance

Effective, efficient and transparent design of business processes is of great importance to the ÖBB Group. Implementing them requires an organisation that takes appropriate measures and thus makes a significant contribution to the sustainable success of the company. The ÖBB Group has therefore implemented a comprehensive compliance management system based on internationally recognised standards. All corporate bodies and employees of the ÖBB Group fall within the definition of public officials in the Criminal Code, which means that the stricter provisions of the Criminal Code on corruption apply to them. Behaviour with integrity is therefore all the more indispensable.

The Code of Conduct of the ÖBB Group is the core of the compliance approach. This binding Code of Conduct describes the ethical principles and general principles on which the ÖBB Group bases its business activities. ÖBB employees are obliged to inform their employer immediately and demonstrably as soon as they become aware that a conflict of interest could arise. The higher the official function of the person, the stricter the standards for assessing and avoiding conflicts of interest must be.
The ownership structure of the ÖBB Group also requires compliance with the Federal Public Corporate Governance Code, which likewise lays down measures for the avoidance and disclosure of conflicts of interest. GRI 2-24, 2-15

Long-term and sustainable awareness of compliance-related topics is achieved through regular training sessions tailored to the respective target group and the corresponding risks. These training courses are supplemented by a comprehensive, Group-wide e-learning program. In addition, individual consultations are offered to management and all employees.