Ensuring legal compliance: guide­lines for respon­sible conduct

GRI 102-16; GRI 102-17; GRI 412-3

Legal compliance is ensured at all levels of Tchibo. The basis for this is the Tchibo Code of Conduct (CoC), which we updated in 2017. It is binding for all employees of Tchibo GmbH and the inter­na­tional units, and regulates their dealings with business partners and customers. The CoC is based, among other things, on the core labour standards of the Inter­na­tional Labour Organ­i­sation (ILO), and on inter­na­tional guide­lines such as those of the OECD and the United Nations on business and human rights. For example, it prohibits any form of corruption, granting or taking of advan­tages. If an employee violates one of these principles, he or she is subject to sanctions under labour law.

We regularly train our managers in dealing with the Code of Conduct. The managers also regularly confirm in writing that they have under­stood and complied with the rules of the CoC, and have reported any viola­tions that have come to their attention. They also sign an assurance that they have explained the CoC to their staff and that they are monitoring compliance with the CoC. Each new employee receives a copy of the CoC. We inform our employees about devel­op­ments – on the intranet and directly through their super­visors.

Compliance with internal and external require­ments is monitored by maxingvest ag's Group Auditing department in internal audits. We offer employees, suppliers and customers the oppor­tunity to point out possible misconduct by phone (whistle­blowing), via an anonymous contact option operated by an independent body. If necessary, the infor­mation received is forwarded anony­mously to the Compliance Committee as an internal inves­tigative body. The Compliance Committee consists of various division heads of maxingvest ag and Tchibo GmbH as well as the Chairman of the Works Council. Grievances can also be brought to the attention of the works council, the human resources department, the legal department, the corporate respon­si­bility department and the corporate audit department.

Compliance Management System 

We have now struc­tured the company's many compliance activ­ities to date in a Compliance Management System (CMS) based on the PS 980 standard of the Institute of Auditors (IDW). The compliance organi­zation is respon­sible for the details of the CMS. It develops Group-wide standards and guide­lines, supports and facil­i­tates measures and processes in the divisions, and advises the latter.

Our CMS is divided into seven core elements that interact with each other: Compliance culture, compliance goals, compliance risks, compliance programme, compliance organ­i­sation, compliance commu­ni­ca­tions, compliance monitoring and compliance improvement. The CMS provides a solid framework for ensuring that ethical and legal conduct is imple­mented across the Tchibo Group. The compliance programme – as part of the CMS – comprises principles and measures designed to reduce compliance risks. It accord­ingly includes preventive measures (regula­tions and sensi­ti­sation), compliance monitoring, responding to misconduct, and ongoing system improvement, e.g. as a result of self-assess­ments. One essential aspect is its integration into the company’s processes.

Identify and prevent: risk management 

Our business is subject to various risks – e.g. from currency fluctu­a­tions or environ­mental incidents that can have an impact on commodity prices. As part of our integrated risk management system, we identify these risks and take preventive measures to limit them. We make a funda­mental distinction here between company risks and supply chain risks.

We carry out risk inven­tories to take stock of all material risks. This includes compliance risks that may arise from non-compliance with legal require­ments. In the 2018 reporting year, compliance risks are the main focus of our risk management. 

We break down risks into a risk cluster with three categories: short-term opera­tional risks, one-off risks, and strategic risks. Within these categories a further differ­en­ti­ation is made. Risks that are acutely threat­ening are immedi­ately reported to the management at the time they occur, to quickly control potential threats. An update on the devel­opment of risks is incor­po­rated into Tchibo's steering and planning systems several times a year. The Internal Audit department reviews the effec­tiveness of the risk management on an ongoing basis, and informs the Management Board and Super­visory Board of the risk situation in regular reports. These reports are taken into account in the Group Auditing department's risk-oriented audit planning. Infor­mation on threat­ening risks is immedi­ately commu­ni­cated to these bodies. 

To guard against risks in the area of procurement, we integrate social and environ­mental require­ments into our procurement and quality processes. For instance, we are gradually reducing the number of suppliers we use for our consumer goods, devel­oping the remaining suppliers into strategic partners, and supporting them with the Worldwide Enhancement of Social Quality (WE) quali­fi­cation programme. In our issues management, we analyse the relevant concerns of our stake­holders on an ongoing basis.
For instance, in 2014 we decided to integrate the standards under­lying Green­peace’s DETOX Commitment into our purchasing and quality processes. Beyond this, we also practice resolute supplier monitoring as part of our risk management.

The compliance risks identified and assessed during the annual risk analysis are priori­tised into top risks and form the framework for Tchibo's compliance management system. Our activ­ities, such as training, processes and internal process instruc­tions, are based on this. The identified compliance risks also form the basis for the ongoing further devel­opment of our compliance programme.

Infor­mation security & Data protection

To provide our customers with an outstanding shopping experience, a multitude of different processes must run quickly and reliably. For this – as well as for personnel management or internal admin­is­trative processes – we need the support of IT systems that store and process data and infor­mation. This data and infor­mation is often sensitive, e.g. if it is required for decision-making within the company or can damage Tchibo if it falls into unautho­rised hands. Sensitive data includes customer and other personal data for which strict legal require­ments exist. We also protect trade secrets such as strategies and pricing infor­mation, contracts, invoices, planning and reporting data, and data needed to operate the IT infras­tructure.

The legally compliant handling of data worthy of protection is an important part of our corporate respon­si­bility and is accord­ingly included in our Code of Conduct (CoC). Our security standards especially aim to prevent unlawful use by unautho­rised persons. Our business partners are also obligated to handle personal data with care.

Increased require­ments: EU General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR), which came into force on 26 May 2018, entails signif­icant changes to data protection require­ments. The new GDPR has replaced the previous Federal Data Protection Act (BDSG) and the EU Data Protection Directive on which the BDSG is based. It poses a variety of challenges for companies – and Tchibo is no exception.

The GDPR contains stricter rules for companies and enforcement measures for public author­ities in handling personal data. This increases the legal, opera­tional and technical-organ­i­sa­tional require­ments for data protection. Among other things, companies must take appro­priate technical and organ­i­sa­tional measures to ensure data protection and data security. The legal framework for account­ability has been consid­erably tightened. Companies must now be able to prove data protection compliance in their processes at all times.

It is therefore more necessary than ever before to firmly integrate data protection as a management topic into all relevant business processes. In this way, we want to meet the new GDPR’s require­ments for documen­tation and risk assessment. Raising our employees’ awareness and a clear distri­bution of tasks within the national and inter­na­tional corporate divisions are just as indis­pensable for this as the devel­opment of a clear target vision.

Data protection: clear respon­si­bil­ities

Tchibo has defined clear respon­si­bil­ities for data protection. The company data protection officer’s department develops internal data protection guide­lines. The data protection office also reviews, builds awareness about, and advises on data protection. Respon­si­bility for the imple­men­tation of legal and internal data protection and infor­mation security require­ments lies directly with each department. This means that each individual employee shares respon­si­bility for the company’s compliance with data protection laws.

Any acute data or infor­mation risks are reported directly to the IT Gover­nance and Corporate Data Protection depart­ments. If necessary, the super­visory author­ities, crisis management or the Management Board are then involved. In projects where data protection is a relevant factor, such as business process outsourcing, depart­ments are required to involve the corporate data protection department.

Infor­mation security: management and measures 

The security of our IT systems is a prereq­uisite for effective data protection. Infor­mation security also serves to protect infor­mation and systems from a wide variety of threats, ranging from simple malfunc­tions to hardware defects and cyber-attacks. The infor­mation security management system (ISMS) required for this is based on the nationally and inter­na­tionally recog­nised standards ISO 27001, BSI Basic Protection, and the NIST-SP-800 series, and is constantly under­going further devel­opment by the IT Gover­nance department.

Various coordi­nated technical and organ­i­sa­tional measures serve to safeguard infor­mation security at Tchibo. Examples for technical measures include multi-level detection of malware or encryption of data storage and trans­mis­sions. We also involve specialist service providers, e.g. for defence against cyber-attacks or to monitor and respond to new threats. Organ­i­sa­tional measures include guide­lines, standards, company agree­ments and opera­tional instruc­tions.

Above all, the inter­action of various measures is crucial for achieving an appro­priate level of security. For example, technical security measures go hand in hand with the creation and commu­ni­cation of guide­lines and with regular checks.

Just as important as these technical and organ­i­sa­tional measures is awareness-building, training, and advice for employees. In addition to addressing data protection within the company, we also seek external exchange with other companies. For example, we are a member of the Hamburger Daten­schutzge­sellschaft (Hamburg Data Protection Associ­ation). Tchibo employees are also repre­sented in the Data Protection Working Group of the Federal Associ­ation of German Mail-order Companies (bevh) and in the profes­sional associ­a­tions of IT auditors, IT security managers and IT gover­nance experts. We are also in regular contact with other major Hamburg companies and partners. In this way we can learn from each other and develop further.

Happily, we did not identify any signif­icant data protection breaches in 2017. Only minor breaches occurred due to insuf­fi­cient processing of requests for infor­mation and the incorrect sending of adver­tising. These were corrected by awareness-building measures.