ESRS S4 – Consumers and end-users

ESRS 2 SBM-3 S4 – Material impacts, risks, and opportunities and their interaction with strategy and business model

The table below shows the material impacts of our business activities on society and the environment that we have identified through the double materiality assessment.

We provide overarching information on how material impacts, risks, and opportunities interact with our strategy and business model in the “ESRS 2 SBM-3 – Material impacts, risks, and opportunities and their interaction with strategy and business model” section.

The following overview illustrates Deutsche Telekom’s material topic-specific risks and opportunities and their financial effects on our financial position, financial performance, and cash flows.

Risks and opportunities that represent a top risk in the next two years are described in the “Risk and opportunity management” section.

Consumers and end-users who may be affected by Deutsche Telekom’s material impacts include:

• People who purchase our products or use our services that potentially negatively impact their rights to privacy, to have their personal data protected, to freedom of expression and to non-discrimination
• People who are particularly vulnerable to health or privacy impacts or impacts from marketing and sales strategies, such as children or financially vulnerable individuals

They do not include:

• Consumers or end-users of products that are inherently harmful to people or increase risks for chronic disease
• Consumers or end-users who are dependent on accurate and accessible product- or service-related information, such as manuals and product labels, to avoid potentially damaging use of a product or service

When analyzing the material financial risk in connection with data protection, we also consider the impact on Deutsche Telekom’s business customers.

For information on how we have developed an understanding of how consumers and end-users with particular characteristics may be at greater risk of harm, see section “ESRS S1‑1 – Policies related to our own workforce.”

ESRS S4‑1 – Policies related to consumers and end-users

Information-related impacts for consumers and/or end-users (freedom of expression and access to (quality) information), personal safety of consumers and/or end-users (personal security), and social inclusion of consumers and/or end-users (non-discrimination and access to products and services). As a provider of digital infrastructure, we run our operations based on the principle of digital responsibility. As society becomes increasingly digital, we at Deutsche Telekom are making strenuous efforts to ensure everyone can take part in the digital world and lead their lives alongside each other on the basis of democratic principles. To ensure we can achieve these objectives across our Group, we have incorporated digital inclusion as a key topic in our CR strategy. With our approach to digital inclusion (access, affordability, and ability) and digital values, we want to advance our material positive impacts related to access to information, freedom of expression, personal security, and social inclusion, and mitigate negative impacts:

• Access to state-of-the-art information technology is key to participating in the information and knowledge society (Access). That is why we continue to rapidly expand our infrastructure and improve transmission speeds with new, secure technology. This build-out is based on the goals of our Europe-wide integrated network strategy, which we use to help achieve the EU Commission’s network build-out targets and the Federal Government’s Digital Agenda and broadband strategy. The strategy is founded on the two pillars of building out mobile and fixed networks, with the focus of the former being on 5G coverage – the most powerful technology standard currently available. In the fixed network, we are focusing on rolling out our optical fiber to provide our customers with a reliable connection at gigabit speeds.
• Ensuring that products and services are affordable is also important so that people can participate equitably in the information and knowledge society (Affordability). We offer rate plans and equipment tailored to the financial possibilities of different consumers and end-users.
• We also want to develop their skills and motivation to use digital media (Ability). We view media literacy as the key to safe interactions with digital media and a crucial skill for our work and private lives. Our approach begins with strengthening basic skills in using media and extends all the way to safeguarding privacy and dealing responsibly with hate and disinformation.

For further information on the network build-out, please refer to the sections “Group strategy” and “Economic environment.”

In addition, we aim to promote digital values and hence the social inclusion of consumers and end-users by developing their skills: The internet is supposed to be a space in which everyone can feel safe. That is why we are shaping the transition towards a positive culture of online debate and making a stand against hate speech and for civil courage online. We are working closely with non-governmental organizations (NGOs) toward that end.

In line with Deutsche Telekom’s CR strategy, GCR develops our approach to digital inclusion and digital values. In accordance with the local network build-out strategy, responsibility for network build-out is decentralized and lies with the Board of Management departments of the Germany, Europe, and United States operating segments.

We use the Beneficiaries – Digital Society ESG KPI, among others, to measure the effectiveness of our activities to advance digital inclusion Group-wide. We also measure the reach of selected campaigns. In addition, we consider the impact measurement for our network build-out activities in terms of the progress we have made in network build-out.

For further information on the Beneficiaries – Digital Society ESG KPI, please refer to the section “ESRS S4‑5 – Targets related to managing material negative impacts, advancing positive impacts, and managing material risks and opportunities.”

Personal safety of consumers and/or end-users (protection of children). Protecting our customers’ data and ensuring their safety is crucially important for consumer protection at Deutsche Telekom. In this context, we aim to protect children and young people in particular when they use digital media. Our commitment to protecting children and young people in the Germany and Europe operating segments is anchored in our Code of Human Rights. Beyond that, the Group does not have a uniform Group-wide approach for the protection of children because the topic is managed and actions are monitored locally in line with country-specific requirements.

To advance the protection of children when they use digital media, we provide an age-appropriate content portfolio for children and offer information for parents and guardians to help them shield their children from harmful content. We implement various actions to ensure that young people acquire media skills and can interact safely with online content. For detailed information, please refer to our approach to digital inclusion and digital values described above.

In addition, we collaborate closely with law enforcement authorities and NGOs as well as other partners from business, politics, and society to ban online content that is harmful to children and young people. In Europe, we have been committed to fighting child pornography on the internet since 2007. GSMA (an association representing the interests of mobile operators worldwide), of which we have been a member since 2008, pursues the same objectives at a global level. Other than this, in view of the decentralized management and country-specific regulations, we have not defined any specific time-bound or outcome-oriented targets or other targets in the Group that we can use to measure our progress in mitigating the negative impacts associated with the protection of children.

Information-related impacts for consumers and/or end-users (privacy). Deutsche Telekom practices an active data privacy and compliance culture that we have built up over many years. It forms the basis for countering impacts in the area of data privacy and for preventing the material risks arising from any data privacy incidents. The Group companies are subject to specific data protection requirements. In the EU, for example, the General Data Protection Regulation (GDPR) in particular applies. These requirements must be implemented and their compliance must be monitored. Our data privacy management system outlines the actions, processes, and audits we use to ensure compliance with laws, regulations, and self-commitments to uphold data privacy. Since data privacy regulations differ in the United States, T‑Mobile US has adopted its own approach, which is presented at the end of this section.

We aim to ensure lawful processing of personal data, upholding fundamental human rights. We are committed to the fundamental right to data protection and informational self-determination applicable in the EU and promote its global recognition. Particularly when developing and using artificial intelligence (AI) or other algorithm-based applications, we ensure that these comply with data privacy regulations and take human rights-related matters into consideration. At the same time, we work to ensure that every individual retains control over the use of their data. This includes providing information on how data-driven business models work and how, for example, our customers can exert digital sovereignty.

Through our global data privacy organization, we are continually pursuing the objective of a transparent, high level of data protection in all of the Group companies. As far as legally possible, the companies of the Deutsche Telekom Group have additionally committed to complying with the Binding Corporate Rules Privacy policy, which are intended to ensure a uniform high level of data protection for our products and services in accordance with ISO 27701.

Similar to the data privacy organization, we have established a security organization which operates both on a centralized basis and in all Group entities. The Security policy contains Deutsche Telekom’s key safety-related principles in relation to data security and is also based on the ISO 27701 standard. These components form the basis for ensuring an appropriate and consistent level of security within our Group.

The Board of Management department for Human Resources and Legal Affairs has overarching responsibility for data privacy. Responsibility for data security rests with the Board of Management department for Technology and Innovation.

T‑Mobile US is subject to U.S. data privacy laws. The company has appointed a Chief Privacy Officer to ensure compliance with these laws. Confidential handling of information and personal data is incorporated in various areas of T‑Mobile US, including in the T‑Mobile US Code of Conduct. In addition, T‑Mobile US provides its employees with annual data privacy and data security training and offers role-specific training designed to help them comply with data privacy laws.

For further information on the T‑Mobile US Code of Conduct, please refer to the section “ESRS G1‑1 – Business conduct policies and corporate culture.”

We publish an annual Group-wide transparency report on the principles of our cooperation with law enforcement authorities. On top of this, we disclose the type and scope of the information we provide to security authorities in the European national companies and at T‑Mobile US in individual reports.

Personal safety of consumers and/or end-users (health and safety). There are public debates about potential health impacts of 5G and the EMF used by mobile communications surrounding the build-out of the 5G network. We have been providing information on the scientific evidence regarding mobile communications and health as well as on the statutory thresholds for more than 20 years now. Our collaboration with local authorities to expand the infrastructure is another focus of our communications.

We want to make our mobile communications infrastructure and our products, as well as the processes on which they are based, as resource-efficient, secure, and safe for health as possible. The EMF principles in force throughout the Group, which we updated in 2023, play a key role in this regard: Our EMF policy contains uniform minimum requirements for mobile communications and health that go far beyond the national legal requirements. It provides a mandatory framework that ensures that the topic of mobile communications and health is addressed in a consistent, responsible way throughout the Group, and it is based on the recommendations of the International Commission on Non-Ionizing Radiation Protection (ICNIRP). This policy is a reflection of our commitment to greater transparency, participation, and the provision of information and scientific facts. All Group companies that operate mobile networks have accepted the EMF policy and implemented most of the required actions.

Ultimate responsibility for mobile communications and health lies with the Board of Management department for Germany; however, the EMF policy is implemented decentrally by the individual Group companies, usually by top management in the technology division. The responsible EMF managers of the Group companies describe the relevant EMF situation in the EMF Core Team working group, thereby promoting the exchange of technical information. We have no other established process for monitoring the effectiveness of the EMF policy. We have also not set any specific time-bound or outcome-oriented or other targets for advancing and measuring progress in the management of material risks relating to the topic of mobile communications and health.

Human rights policy commitments relevant to consumers and/or end-users. We are committed to respect human rights and make efforts to enforce them in the context of our customers. Our actions are based on the universally accepted standards and principles that we have defined in Deutsche Telekom’s Code of Human Rights.

For further information, please refer to the section “ESRS S1‑1 – Policies related to own workforce.”

In relation to end-users and consumers, the Code of Human Rights defines principles and expectations in the context of:

• Privacy and informational self-determination
• Freedom of expression and information
• Protection of children and young people
• Mobile communications and health
• Digital responsibility and participation

T‑Mobile US has its own Human Rights Statement, which does not explicitly address the principles and expectations outlined above in relation to consumers and end-users, with the exception of data protection and freedom of expression and information, but covers them as a whole.

Protecting human rights also plays a key role for us in responsibly shaping technological change and digitalization – because our aspiration is to apply a humanistic value system in the use of our technologies. This is another reason why we engage with end-users and consumers in the formats explained in section “ESRS S4‑2 – Processes for engaging with consumers and end-users about impacts.” In the Code of Human Rights, we also describe our approach to taking mitigation measures in the event of negative impacts on human rights. However, we only provide or enable remediation in the upstream value chain and in our internal business units – not in the context of end-users and consumers.

Both Deutsche Telekom’s Code of Human Rights and the Human Rights Statement of T‑Mobile US comply with relevant internationally recognized instruments, such as the UN Guiding Principles on Business and Human Rights. However, as our due diligence does not yet extend to the downstream value chain, human rights-related reports related to consumers and end-users are not systematically recorded. Participants in the downstream value chain can nevertheless use the Company’s complaints channels.

ESRS S4‑2 – Processes for engaging with consumers and end-users about impacts

In order to understand and address our material impacts, we engage with the interests and perspectives of end-users and consumers both on an ongoing basis and ad hoc, particularly in the context of the development and use of products and services and our network build-out plans. We do not have a procedure for directly engaging with children. That is why we involve legitimate proxies in the event of negative impacts on the protection of children. Consumer protection associations, NGOs, and public authorities play an important role in this context. Responsibility for engaging with consumers and end-users, or their legitimate representatives as well as legitimate proxies, is organized decentrally. We make a distinction between three inclusion formats: information, dialogue, and participation. The Design for All sounding board is an example of how the interests of consumers and end-users are taken into account. It is staffed with external experts and advises us (Deutsche Telekom excluding T‑Mobile US) on ways of making our products and processes more accessible and easier to use.

For further information on our stakeholder engagement process, please refer to the section “ESRS 2 SBM-2 – Interests and views of stakeholders.”

ESRS S4‑3 – Processes to remediate negative impacts and channels for consumers and end-users to raise concerns

A variety of channels is available to consumers and end-users in all the countries where we operate to raise inquiries and complaints about Deutsche Telekom products or services. These include telephone hotlines, email, live-chats, and social media. Consumers and end-users can also contact Deutsche Telekom’s data protection and data security teams directly via country-specific channels and report cases of data misuse on the internet in connection with Deutsche Telekom’s systems. Consumers and end-users in Germany can also contact us directly via a free hotline and established mailboxes if they have health-related questions about the electromagnetic compatibility of mobile communications infrastructure or devices, as well as their impact on the environment, or if they wish to express any concerns. There are no comparable channels in the European national companies and at T‑Mobile US that can be used explicitly for reporting complaints related to the topic of mobile communications and health. The other complaints channels are available for this. We provide information for consumers and end-users on the required contact information on our website.

We examine the reports received through the various channels mentioned above and forward them to the appropriate internal experts as needed. As part of our review of information received in connection with the data protection of our customers, we assess whether the supervisory authorities and the persons affected must be notified, and we act accordingly. We initiate mitigation measures if necessary and possible. To ensure the effectiveness of the process, we regularly test whether channels can be reached and evaluate customer feedback. We also monitor the number of reports received and use them to measure awareness and acceptance of the contact options.

For more information on our non-financial performance indicator for customer satisfaction (TRI*M), please refer to the section “Performance management system.”

We describe our strategy for the protection of individual whistleblowers against retaliation in section “ESRS G1‑1 – Business conduct policies and corporate culture.”

ESRS S4‑4 – Taking action on material impacts on consumers and end-users, and approaches to managing material risks and pursuing material opportunities related to consumers and end-users, and effectiveness of those actions

Information-related impacts for consumers and/or end-users (freedom of expression and access to (quality) information), personal safety of consumers and/or end-users (personal security), and social inclusion of consumers and/or end-users (non-discrimination and access to products and services). We are continuously building out our network to enable technical access to the network. This allows us to provide broad accessibility in emergency situations, improving the personal safety of consumers and end-users. To this end, we also cooperate with partners – especially in more remote areas. The requirements and underlying conditions are different in each of the countries in which we operate, and taking appropriate action is the responsibility of the operating national companies.

Our network build-out in Germany follows the open access principle: The networks that we build are open for use by our competitors, regardless of whether they were involved in building the network. As such, network sharing agreements with other German network operators can contribute to broader mobile communications coverage. Similar agreements in various forms are also in place in the other European countries in which we operate. By cooperating with other companies, we are also helping to build out the fixed network more quickly in Germany. The US also has federal interconnection and roaming agreements to promote broad and accessible mobile coverage across the country.

In emergency situations, it is crucial for networks to function properly, so that emergency calls can be made and responses organized. In emergencies such as floods or large fires, in which network equipment is damaged to the point that mobile communications and fixed-network services cannot be quickly restored, our Disaster Recovery Management (DRM) comes into play. It provides mobile containers with communications technology, emergency power generators, and mobile radio masts to provide a replacement for the disrupted mobile communications and fixed-line networks. The movable masts are connected via radio relay and satellite links to restore mobile communications coverage within a few hours of extreme events. This allows us to quickly provide a connection to the network in an emergency. We also use the relay and satellite connections to quickly put regular mobile network sites (back) into operation if this is urgently needed and the planned or previously existing connection (e.g., in the form of optical fiber) is not yet or no longer available.

For more information on how we deal with extreme weather events, please refer to the section “ESRS 2 SBM-3 E1 – Material impacts, risks, and opportunities and their interaction with strategy and business model.”

The further we advance with the network build-out, the more effectively we can implement the related actions. Monitoring is performed decentrally in the operating segments, for example, by measuring network coverage, evaluating customer satisfaction, using external benchmarks, and recording the build-out obligations in connection with frequency auctions, e.g., by local regulatory authorities.

In addition to this, we are driving forward the development of technologies and products for a range of target groups. Making our products and services as accessible and non-discriminatory as possible is an increasingly important aspect of what we do. We drafted the Design for All product development guideline in 2023. This guideline is aimed at Group employees and aims to prevent exclusion, stigmatization, and discrimination right from the product development stage. This involves ensuring that our product development process takes full account of human diversity, including aspects such as physical and mental abilities, as well as other diversity dimensions such as age, gender, ethnic origin, and nationality. In adopting this approach, we are going beyond the legal obligations in Europe related to accessibility. We introduced a corresponding training concept in the reporting year that will help our employees to better grasp the principles of Design for All and help build awareness. The course is available on Deutsche Telekom’s online training platform. For legal and other reasons, T‑Mobile US employees do not have access to the platform, but the company is also supporting employees by providing training to enable them to develop accessible products and services.

To harness the potential of information technologies for the benefit of society, Deutsche Telekom promotes media literacy among consumers and end-users with a wide range of products and services available throughout the Group – always with the aim of ensuring that everyone can navigate the digital world safely and confidently. The Teachtoday International platform launched in the reporting year provides an overview of all the Group’s media literacy initiatives worldwide. These also include measures that are explicitly designed to raise awareness on how to handle disinformation.

We (Deutsche Telekom excluding T‑Mobile US) continued our No Hate Speech initiative, which was launched in Germany in the summer of 2020, in the reporting year. Through this campaign, we aim to raise awareness in society and enable people to put into practice and defend fundamental democratic values online. We are advocating for an internet in which everyone can utilize the opportunities of the digital world – without having to fear marginalization or hate speech. Our aim here is also to promote diversity in the digital world. We published the current campaign video “Feuerlöscher!” (fire extinguisher) in German-speaking countries in the reporting year as part of this initiative. Our aim with the video is to educate people and raise awareness on how to deal with disinformation. We are currently examining whether the campaign can be extended to other national companies.

To advance digital equity, T‑Mobile US established Project 10Million to offer free and reduced internet connectivity and mobile hotspots to up to 10 million eligible student households. Through the end of 2024, T‑Mobile US has connected over 6.3 million students since program launch. The company also works with its External Diversity and Inclusion Council, which includes of members from civil rights and social justice organizations representing a wide-range of underrepresented communities, to identify digital literacy and inclusion programs to support across the country.

We are also looking at how to use AI responsibly in the context of disinformation. In the reporting year, we took part in the collaborative innovation program X-Creation, which was initiated by T‑Systems in the previous year, and developed the “News-Profi-App” (news professional). This is designed to enable users to verify information easily and simply by fact-checking it. True to the motto “share it with the app first, then with the world,” the aim is to use AI to compare questionable content with trusted information and to be able to feed back the result to the person who spread the disinformation. The option to share the results with the original source is intended, above all, to reach people who are distant from socio-political issues, receptive to disinformation, and quick to share it without actively checking it. We started rolling out the app in Germany in the reporting year. We are currently looking for partners and sponsors who want to become involved in expanding and implementing the app.

We measure the effectiveness of our activities to advance digital inclusion with metrics such as the Beneficiaries – Digital Society ESG KPI. In order to identify the impacts of our products and projects on society, including their impacts on consumers and end-users, we have also developed a multi-level approach for the measurement of impacts. We describe the contributions of selected actions to impacts in order to obtain transparent and comparable results, using external frameworks such as the United Nations Sustainable Development Goals (SDGs). In addition, we take regulatory requirements and market trends into account. That allows us to evaluate our contributions to sustainable development. This process was validated externally in 2023. The outcome of the impact measurement helps us to steadily increase the positive impacts of our business activities and reduce negative impacts.

For further information on the Beneficiaries – Digital Society ESG KPI, please refer to the section “ESRS S4‑5 – Targets related to managing material negative impacts, advancing positive impacts, and managing material risks and opportunities.”

We want to avoid our own business activities contributing to negative impacts on consumers and end-users. That is why we are committed to human-centric, values-based digitalization (Corporate Digital Responsibility – CDR) and are striving for the responsible use of AI. Back in 2018, we were one of the first companies worldwide to adopt Digital Ethics Guidelines on AI. To supplement them, we developed the professional ethics guidelines in 2021 for all developers and product managers working with AI and have been continuously refining them since then. We founded the Digital Ethics interdisciplinary working group in 2022 that addresses the refining, monitoring, and implementation of digital ethics, further incorporating the topic within the Group. This is strengthened in the co-creation approach with the AI Competence Center (AICC) established in the reporting year. The interdisciplinary working group is also preparing the implementation of the EU AI Act. In the reporting year, we additionally offered a large number of training courses on the potential, functioning, and risks of generative AI. In our CDR framework, which we published in 2022, we set forth our perspectives on the far-reaching subject area of digital responsibility.

TMUS adopted its AI Principles in 2023, and published its Responsible AI Policy and Guidelines for the enterprise in the reporting year. A governance council has also been established with senior leaders that oversee the company’s responsible use of AI.

We use the Community Contribution – Digital Society ESG KPI to measure our financial, human, and in-kind contribution to the digital society. With this approach we want to advance our material positive impacts related to access to information, freedom of expression, personal security, and social inclusion, and mitigate negative impacts: As previously outlined, we are taking a variety of measures to ensure everyone can take part in the digital world and lead their lives alongside each other on the basis of democratic principles. In the reporting year, our contribution to promoting the digital society amounted to a total of approximately EUR 1,102 million. We measure the effectiveness of our activities across the Group using the Beneficiaries – Digital Society ESG KPI. When measuring the two KPIs, we rely on methods employed by the organization Business for Societal Impact (B4SI), which incorporate the aspects “input” and “impact”. The Community Contribution – Digital Society ESG KPI represents the “input,” while the Beneficiaries – Digital Society ESG KPI represents the “impact.” The Beneficiaries – Digital Society ESG KPI indicates the number of people who have benefited directly or indirectly (based on assumptions) from our commitment to promoting a digital society. These include, for example, people who use our media literacy platforms, attendees at workshops, and users of discounted rates (including household members). The metrics in this topical standard are not additionally validated externally.

For further information on our target of improving the Beneficiaries – Digital Society ESG KPI, please refer to the section “ESRS S4‑5 – Targets related to managing material negative impacts, advancing positive impacts, and managing material risks and opportunities.”

Community Contribution – Digital Society ESG KPI

For information on our investments in network build-out, please refer to the section “Group strategy.”

When we develop actions to mitigate actual or potential negative impacts on consumers and end-users, we align ourselves with the legal requirements of the countries in which we operate. We keep the special protection that needs to be afforded to children in our sights at all times. We also draw on annual trend analyses, the findings of scientific studies, and our dialogue with NGOs. The feedback we receive through the formats described in section “ESRS S4‑2 – Processes for engaging with consumers and end-users about impacts” is incorporated into the focus of our activities and the development of our products and services.

Personal safety of consumers and/or end-users (protection of children). Protecting minors from unsuitable media content poses a challenge that affects many industries. We therefore work together with different organizations for the protection of minors and participate continuously in coalitions that coordinate the involvement of companies and organizations from the internet and media sector. We are involved in various country-specific initiatives and support national programs to protect children and young people from age-inappropriate content on the internet and to raise awareness for ways to combat disinformation and promote respectful behavior online. One example of this is the online magazine AwareNessi, which is aimed at children and their adult caregivers. The issues are available in several languages.

Another focus of our actions is to raise parents’ and legal guardians’ awareness for technical solutions. Depending on the operating system, mobile devices in our distribution network have integrated parental controls that can be used to monitor or restrict content, applications, phone usage times, or location tracking. Our website and social media channels provide comprehensive support for child-proofing devices and user accounts. T‑Mobile US offers customers the option of defining the user accounts of their children as Kids’ Line accounts, for example. As a result, the Group company uses the data from these accounts only for basic services such as device operation or network administration, but not for targeted advertising. Kids’ Line accounts are automatically excluded from the company’s online advertising and marketing communications – marketing calls, emails, and text messages do not reach children thanks to this configuration.

In addition, we offer service plans for children and young people at some national companies that provide protection against fraudulent websites and theft of login or bank details through a specific security feature. Our MagentaTV platform, which combines services such as television, media libraries, and streaming services and which we offer in selected European countries, also features a parental control function that allows legal guardians to configure a supervisory function. For example, this allows them to block inappropriate content or to define usage criteria based on information from the content provider (e.g., “suitable for persons aged 18 and over”). We monitor the effectiveness of our actions to mitigate negative impacts on the protection of children by evaluating the usage rates of the above-mentioned products and services, for example, and – in relation to selected initiatives – also in the context of tracking the Beneficiaries – Digital Society ESG KPI.

Although our business activity is directly connected with negative impacts on the protection of children, we do not cause them. Our focus is therefore on developing and implementing mitigation and prevention measures. Since we do not implement or directly enable any specific mitigation measures, we have not established any procedures for measuring the effectiveness of such mitigation measures. As part of our No Hate Speech initiative, we also inform consumers and end-users about their digital rights. This includes providing information to people that, under the Digital Services Act (DSA), internet platforms are required to enable users to report input containing disinformation and hate speech. We take this risk very seriously, especially with respect to children and young people. Since Deutsche Telekom does not operate a platform itself, we do not fall within the scope of this EU regulation. For incidents related to right-wing extremism and child pornography, we encourage consumers and end-users to contact local law enforcement authorities directly. When designing content that is relevant to the protection of minors, we involve our youth protection officer in Germany; she suggests restrictions or changes, for example. In addition, it is not possible to allocate human and financial resources for managing the measures described above in the Group with any degree of accuracy due to the complexity of our business activities. As a rule, all measures are implemented using the budgets of the individual units of the national companies responsible, and normally do not require significant operating or capital expenditure.

Unless specified otherwise, all actions and initiatives described in this standard are ongoing and have no specific time frame.

Information-related impacts for consumers and/or end-users (privacy). Protecting the data of all individuals and organizations that have a relationship with Deutsche Telekom is of the utmost importance to us; that is why our processes for managing material risks related to data protection and security are integrated into our existing data protection risk management process. We implement a range of different actions to mitigate reputation, cost, and sanction risks as well as risks to affected customers arising from data privacy incidents, and to enhance privacy. In doing so, we always keep a close eye on current developments, such as regulatory changes or technical advances, e.g., in the field of AI.

Data protection and security aspects generally play an important role in the development of our products and services. We review the technical and privacy-related security of our systems at every step of development using the Privacy and Security Assessment process (PSA) to update new and existing systems when the technology or method of data processing is modified. PSA is an important part of our risk management process. We regularly verify the effectiveness of the PSA process, both internally and through external, independent bodies, as part of the ISO 27001 and 27701 certifications, for example. We use a standardized procedure to also document the data privacy and data security status of our products throughout their entire life cycle. Rather than using the PSA process, T‑Mobile US has established its own process for assessing data protection consequences, using this to identify the risks of data processing in new projects and the required safeguards. T‑Mobile US also has processes in place to ensure data protection and performs a comprehensive data inventory of its systems.

To mitigate material risks arising from the effects and dependencies associated with business customers, T‑Systems has been a member of the EU Cloud Code of Conduct General Assembly of SCOPE Europe – an association that advocates for a common regulatory framework in the European digital industry – since 2021. This expresses our commitment to the EU Cloud Code of Conduct, the first standard for cloud services to be recognized by the European data protection authorities. We are aligning T‑Systems’ cloud offerings with this. T‑Systems and Google Cloud also signed a long-term cooperation agreement in 2021. Since 2022, the joint T‑Systems Sovereign Cloud powered by Google Cloud combines the open-source expertise of both providers, enabling business customers to manage workloads in compliance with German and European regulatory requirements (GDPR and Schrems II). The joint service covers all three aspects of digital sovereignty in various solutions: data sovereignty, operational sovereignty, and software sovereignty, so that companies from regulated industries can process their sensitive data in the cloud in line with sovereignty requirements.

Telecommunications companies in Europe are required to train their employees on issues related to data privacy law when they begin their employment. To avoid our own business activities contributing to material negative impacts on consumers and end-users, our actions go beyond this legal requirement: In addition to the mandatory training that all Deutsche Telekom employees receive when they join the Group, we provide our employees with training in this area at least every two years and also place them under the obligation to uphold data and telecommunications secrecy. In this context, we also raise our employees’ awareness for risks related to data security and privacy and inform them about existing procedures. This aims to ensure that our employees handle customer data confidentially.

Every two years, we (Deutsche Telekom excluding T‑Mobile US) perform sample analyses to check the data protection and security awareness of our employees. Improvement actions are called for where needed. The effectiveness of the data protection training at T‑Mobile US is regularly assessed as part of internal audits. The security of our systems is certified by external, independent bodies throughout the Group. We take any unusual audit findings into consideration when planning the follow-up audit. Aside from this process, we have not set any specific time-bound or outcome-oriented Group-wide targets for advancing and measuring progress in the management of material risks relating to data privacy.

Personal safety of consumers and/or end-users (health and safety). In the context of our Group-wide risk and opportunity management, we assess the risks that arise for us from the ongoing public, political, and scientific discussions about possible health risks from mobile communications in relation to the build-out of mobile infrastructure and from regulatory interventions. We aim to overcome concerns among the general public by providing objective, scientifically well-founded, and transparent information. Examples of our efforts to inform the public about the topics of technology, health, and mobile communications include our ongoing participation in industry initiatives such as the Mobile Telecommunications Information Center in Germany or the Forum Mobilkommunikation (mobile communications forum) in Austria. The websites of these industry initiatives provide insights into the specific details of our collaborative information work. Since responsibility for this action is spread between different players in the ICT industry, Deutsche Telekom is unable to track the effectiveness in practice.

ESRS S4‑5 – Targets related to managing material negative impacts, advancing positive impacts, and managing material risks and opportunities

To measure the effectiveness of our actions and initiatives in connection with material impacts on digital inclusion, we report the Beneficiaries – Digital Society ESG KPI described above. Our target is to reach a cumulative total of more than 80 million in Beneficiaries – Digital Society from 2024 to 2027. We reached approximately 34 million people with our digital society actions in the reporting year. We defined our target based on an analysis of existing and planned initiatives in the individual segments. We then calculated the target value for the period 2024 to 2027. We inform consumers and end-users as well as other stakeholder groups about our target achievement through our external communication channels.