ESRS S4 – Consumers and end-users

ESRS 2 SBM-3 S4 – Material impacts, risks, and opportunities and their interaction with strategy and business model

In our double materiality assessment, we considered possible impacts, risks, and opportunities related to consumers and end-users. The table below shows the material impacts of our business activities on society and the environment that we identified in the process.

We provide overarching information on how material impacts, risks, and opportunities interact with our strategy and business model in the section “ESRS 2 SBM-3.”

The following overview illustrates Deutsche Telekom’s material risks and their financial effects on our financial position, financial performance, and cash flows.

For further information on risks and opportunities that represent a top risk or top opportunity in the next two years, please refer to the section “Risk and opportunity management.”

Consumers and end-users who may be affected by Deutsche Telekom’s material impacts include:

• People who purchase our products or use our services that potentially negatively impact their rights to privacy, to have their personal data protected, to freedom of expression and to non-discrimination
• People who are particularly vulnerable to health or privacy impacts or impacts from marketing and sales strategies, such as children or financially vulnerable individuals

They do not include:

• Consumers or end-users of products that are inherently harmful to people or increase risks for chronic disease
• Consumers or end-users who are dependent on accurate and accessible product- or service-related information, such as manuals and product labels, to avoid potentially damaging use of a product or service

When analyzing the material financial risk in connection with data protection, we also consider the impact on Deutsche Telekom’s business customers.

For information on how we have developed an understanding of how consumers and end-users with particular characteristics may be at greater risk of harm, see the section “ESRS 2 SBM-3 S2.”

ESRS S4‑1 – Policies related to consumers and end-users

Information-related impacts for consumers and/or end-users (freedom of expression and access to (quality) information), personal safety of consumers and/or end-users (personal security), and social inclusion of consumers and/or end-users (non-discrimination and access to products and services, and responsible marketing practices). As a provider of digital infrastructure, we run our operations based on the principle of digital responsibility. As society becomes increasingly digital, we at Deutsche Telekom are making strenuous efforts to ensure everyone can take part in the digital world and lead their lives alongside each other on the basis of democratic principles. To ensure we can achieve these objectives across our Group, we have incorporated digital inclusion as a key topic in our CR strategy. With our approach to digital inclusion (access, affordability, and ability) and digital values, we want to advance our material positive impacts related to access to information, freedom of expression, personal security, and social inclusion, and mitigate negative impacts:

• Access to state-of-the-art information technology is key to participating in the information and knowledge society (Access). That is why we continue to rapidly expand our infrastructure and improve transmission speeds with new, secure technology. This build-out is based on the goals of our Europe-wide integrated network strategy, which we use to help achieve the EU Commission’s network build-out targets and the Federal Government’s Digital Agenda and broadband strategy. The strategy is founded on the two pillars of building out mobile and fixed networks, with the focus of the former being on 5G coverage – the most powerful technology standard currently available. In the fixed network, we are focusing on rolling out our optical fiber to provide our customers with a reliable connection at gigabit speeds.
• Ensuring that products and services are affordable is also important so that people can participate equitably in the information and knowledge society (Affordability). We offer rate plans and equipment tailored to the financial possibilities of different consumers and end-users.
• We also want to develop their skills and motivation to use digital media (Ability). We view media literacy as the key to safe interactions with digital media and a crucial skill for our work and private lives. Our approach begins with strengthening basic skills in using media and extends all the way to safeguarding privacy and dealing responsibly with hate and disinformation.

In the reporting year, we overhauled our strategic approach for advancing digital inclusion and adapted it to current social and technological developments. Implementation is scheduled for the coming year, with the aim of specifically refining existing actions.

In addition, we aim to promote digital values and hence the social inclusion of consumers and end-users by developing their skills: The internet is supposed to be a space in which everyone can feel safe. That is why we are shaping the transition towards a positive culture of online debate in which we make a stand against hate speech and for civil courage online. We are working closely with NGOs toward that end.

In line with Deutsche Telekom’s CR strategy, GCR develops our approach to digital inclusion and digital values. In accordance with the local network build-out strategy, responsibility for network build-out is decentralized and lies with the Board of Management departments of the Germany, Europe, and United States operating segments.

We measure the effectiveness of our activities to advance digital inclusion with metrics such as the Community Contribution – Digital Society and Beneficiaries – Digital Society ESG KPIs. We also measure the reach of selected campaigns. We consider the impact measurement for our network build-out activities in terms of the progress we have made in network build-out.

Personal safety of consumers and/or end-users (protection of children). Protecting our customers’ data and ensuring their safety is crucially important for consumer protection at Deutsche Telekom. In this context, we aim to protect children and young people in particular when they use digital media. Our commitment to protecting children and young people in the Germany and Europe operating segments is anchored in our Code of Human Rights. T‑Mobile US safeguards children’s privacy through data privacy practices and the services and products outlined in the company’s Children’s Privacy Notice. In line with the different country-specific requirements, we do not have a uniform Group-wide approach for the protection of children because the topic is managed and actions are monitored locally.

We provide an age-appropriate content portfolio for children and offer information for parents and guardians to help them shield their children from harmful content. We implement various actions to ensure that young people acquire media skills and can interact safely with online content. For detailed information, please refer to our approach to digital inclusion and digital values described above.

In addition, we collaborate closely with law enforcement authorities and NGOs as well as other partners from business, politics, and society to ban online content that is harmful to children and young people. In Europe, we have been committed to fighting child pornography on the internet since 2007. GSMA (an association representing the interests of mobile operators worldwide), of which we have been a member since 2008, pursues the same objectives at a global level. In view of the decentralized management and country-specific regulations, we have not defined any specific time-bound or outcome-oriented targets or other targets in the Group that we can use to measure our progress in mitigating the negative impacts associated with the protection of children.

Information-related impacts for consumers and/or end-users (privacy). Data privacy is an important topic for Deutsche Telekom. We practice an active data privacy and compliance culture that we have built up over many years. Data privacy forms the basis for countering material impacts on our customers and for preventing the material risks arising from any data privacy incidents. The Group companies are subject to specific data protection requirements. In the EU, for example, the General Data Protection Regulation (GDPR) in particular applies. These requirements must be implemented and their compliance must be monitored. Our data privacy management system outlines the actions, processes, and audits we use to ensure compliance with laws, regulations, and self-commitments to uphold data privacy. The Board of Management department for Human Resources and Legal Affairs has overarching responsibility for data privacy. The individual Group companies are responsible for implementation and are represented at the highest level by the respective management bodies. Since data privacy regulations differ in the United States, T‑Mobile US has adopted its own approach, which is presented at the end of this section.

We aim to ensure lawful processing of personal data, upholding fundamental human rights. We are committed to the fundamental right to data protection and informational self-determination applicable in the EU and promote its global recognition. Particularly when developing and using artificial intelligence (AI) or other algorithm-based applications, we ensure that these comply with data privacy regulations and take human rights-related matters into consideration. At the same time, we work to ensure that every individual retains control over the use of their data. This includes providing information on how data-driven business models work and how, for example, our customers can exert digital sovereignty.

Through our global data privacy organization, we are continually pursuing the objective of a transparent, high level of data protection in all of the Group companies. As far as legally possible, the companies of the Deutsche Telekom Group have additionally committed to complying with the Binding Corporate Rules Privacy policy, which are intended to ensure a uniform high level of data protection for our products and services in accordance with ISO 27701. Similar to the data privacy organization, we have established a security organization to strive for an appropriate and consistent level of security within our Group.

For further information, please refer to the section “G-Company-specific – Policies related to cybersecurity.”

T‑Mobile US is subject to U.S. data privacy laws. The company has appointed a Chief Privacy Officer within Legal Affairs to ensure compliance with these laws. Confidential handling of information and personal data is incorporated in various areas of T‑Mobile US, including in the T‑Mobile US Code of Business Conduct. In addition, T‑Mobile US provides its employees with annual data privacy training and offers role-specific training designed to help them comply with data privacy laws.

We publish an annual Group-wide transparency report on the principles of our cooperation with law enforcement authorities. On top of this, we disclose the type and scope of the information we provide to security authorities in the European national companies and at T‑Mobile US in individual reports.

Personal safety of consumers and/or end-users (health and safety). There are public debates about potential health impacts of 5G and the electromagnetic fields (EMF) used by mobile communications surrounding the build-out of the 5G network. We have been providing information on the scientific evidence regarding mobile communications and health as well as on the statutory thresholds for more than 20 years now. Our collaboration with local authorities to expand the infrastructure is another focus of our communications.

We want to make our mobile communications infrastructure and our products, as well as the processes on which they are based, as resource-efficient, secure, and safe for health as possible. The EMF principles in force throughout the Group, which we updated in 2023, play a key role in this regard: Our EMF policy contains uniform minimum requirements for mobile communications and health that go far beyond the national legal requirements. It provides a mandatory framework that ensures that the topic of mobile communications and health is addressed in a consistent, responsible way throughout the Group, and it is based on the recommendations of the International Commission on Non-Ionizing Radiation Protection (ICNIRP). This policy is a reflection of our commitment to greater transparency, information, participation, and a focus on scientific facts. All Group companies that operate mobile networks have accepted the EMF policy and implemented most of the required actions.

Ultimate responsibility for mobile communications and health lies with the Board of Management department for Germany; however, the EMF policy is implemented decentrally by the individual Group companies, usually by top management in the technology division. The responsible EMF managers of the Group companies describe the relevant EMF situation in the EMF Core Team working group, thereby promoting the exchange of technical information. We have no other established process for monitoring the effectiveness of the EMF policy. We have also not set any specific time-bound or outcome-oriented or other targets for advancing and measuring progress in the management of material risks relating to the topic of mobile communications and health.

Human rights policy commitments relevant to consumers and/or end-users. We are committed to respecting human rights and enforcing them along our supply chain. Our actions are based on the universally accepted standards and principles that we have defined in Deutsche Telekom’s Code of Human Rights.

In relation to end-users and consumers, the Code of Human Rights defines principles and expectations in the context of:

• Privacy and informational self-determination
• Freedom of expression and information
• Protection of children and young people
• Mobile communications and health
• Digital responsibility and participation

T‑Mobile US has its own Human Rights Statement, which also covers many of the same key principles and expectations as it relates to consumers and end-users, though does not explicitly address every aspect outlined in the Group Code of Human Rights.

Protecting human rights also plays a key role for us in responsibly shaping technological change and digitalization – because our aspiration is to apply a humanistic value system in the use of our technologies. This is another reason why we include end-users and consumers in the formats outlined in the section “ESRS S4‑2.”

Both Deutsche Telekom’s Code of Human Rights and the Human Rights Statement of T‑Mobile US comply with relevant internationally recognized instruments, such as the UN Guiding Principles on Business and Human Rights. However, as our due diligence does not yet extend to the downstream value chain, human rights-related reports related to consumers and end-users are not systematically recorded. For this reason, no remedial action will be taken in the event of potential or actual negative impacts in this area. Participants in the downstream value chain can nevertheless use the Company’s complaints channels.

ESRS S4‑2 – Processes for engaging with consumers and end-users about impacts

In order to understand and address our material impacts, we engage with the interests and perspectives of end-users and consumers both on an ongoing basis and ad hoc, particularly in the context of the development and use of products and services and our network build-out plans. We do not have a procedure for directly engaging with children. That is why we involve legitimate proxies in the event of negative impacts on the protection of children. Consumer protection associations, NGOs, and public authorities play an important role in this context. Responsibility for engaging with consumers and end-users, or their legitimate representatives as well as legitimate proxies, is organized decentrally. We make a distinction between three inclusion formats: information, dialogue, and participation. One example of how the interests of consumers and end-users are already taken into account in the development process is the user testing of products and services (excluding T‑Mobile US). Various stakeholder groups representing different diversity dimensions are specifically incorporated into this process. In the reporting year, greater emphasis was placed – among other things – on persons with disabilities. We want our product development process to take full account of human diversity, including aspects such as different physical and mental abilities, age, gender, ethnic origin, and nationality. In this way, we will be able to make our products and processes more accessible and easier to use.

ESRS S4‑3 – Processes to remediate negative impacts and channels for consumers and end-users to raise concerns

A variety of channels is available to consumers and end-users in all the countries where we operate to raise inquiries and complaints about Deutsche Telekom products or services. These include telephone hotlines, email, live-chats, and social media. In addition, consumers and end-users also contact Deutsche Telekom’s data protection and data security teams directly via country-specific channels and report cases of data misuse on the internet in connection with Deutsche Telekom’s systems. In Germany they can also contact us directly via a free hotline and established mailboxes if they have health-related questions about the electromagnetic compatibility of mobile communications infrastructure or devices, as well as their impact on the environment, or if they wish to express any concerns. There are no comparable channels in the European national companies and at T‑Mobile US that can be used explicitly for reporting complaints related to the topic of mobile communications and health. Other complaints channels are available for this. In the reporting year, we introduced the additional “report barrier” channel in Germany. The straightforward process allows users to point out barriers, thus actively helping to improve accessibility. We provide information for consumers and end-users on the required contact information on our website.

We examine the reports received through the various channels mentioned above and forward them to the appropriate internal experts as needed. In connection with protecting our customers’ data, we assess whether the supervisory authorities and the persons affected must be notified and take appropriate action. We initiate mitigation measures if necessary and possible. To ensure the effectiveness of the process, we regularly test whether channels can be reached and evaluate customer feedback. We also monitor the number of reports received and use them to measure awareness and acceptance of the contact options.

For further information on our non-financial performance indicator for customer retention/satisfaction (TRI*M index), please refer to the section “Management of the Group.”

We outline our policy for protecting individuals against retaliation in the section “ESRS G1‑1.”

ESRS S4‑4 – Taking action on material impacts on consumers and end-users, and approaches to managing material risks and pursuing material opportunities related to consumers and end-users, and effectiveness of those actions

Information-related impacts for consumers and/or end-users (freedom of expression and access to (quality) information), personal safety of consumers and/or end-users (personal security), and social inclusion of consumers and/or end-users (access to products and services). We are continuously building out our network to enable technical access to it. This allows us to provide broad accessibility in emergency situations, improving the personal safety of consumers and end-users. To this end, we also cooperate with partners – especially in more remote areas. The requirements and underlying conditions are different in each of the countries in which we operate; taking appropriate action is the responsibility of the operating national companies.

Our network build-out in Germany is also taking place in collaboration with other companies, for example under network sharing agreements with other German network operators. This is contributing to broader mobile communications coverage. However, use of our network infrastructure by competitors always requires a commercial agreement. In addition, through strategic partnerships we are helping to build out the fixed network more quickly in Germany. Similar agreements in various forms are also in place in the other European countries in which we operate. The US has federal interconnection and roaming agreements to promote broad and accessible mobile coverage across the country.

In emergency situations, it is crucial for networks to function properly, so that emergency calls can be made and responses organized. In emergencies such as floods or large fires, in which network equipment is damaged to the point that mobile communications and fixed-network services cannot be quickly restored, our Disaster Recovery Management (DRM) comes into play. It provides mobile containers with communications technology, emergency power generators, and mobile radio masts to provide a replacement for the disrupted mobile communications and fixed-line networks. The movable masts are connected via radio relay and satellite links to restore mobile communications coverage within a few hours of extreme events. This allows us to quickly provide a connection to the network in an emergency. We also use the relay and satellite connections to quickly put regular mobile network sites (back) into operation if this is urgently needed and the planned or previously existing connection (e.g., in the form of optical fiber) is not yet or no longer available.

The further we advance with the network build-out, the more effectively we can implement the related actions. Monitoring is performed decentrally in the operating segments, for example, by measuring network coverage, evaluating customer satisfaction, using external benchmarks, and recording the build-out obligations in connection with frequency auctions, e.g., by local regulatory authorities.

For further information on our investments in network build-out, please refer to the section “Group strategy.”

In addition, we drove forward the development of technologies and products for a range of target groups in the reporting year to make our products and services as accessible and non-discriminatory as possible. A key factor here was the “Design for All” guideline that we drafted in 2023 which aims to prevent exclusion, stigmatization, and discrimination right from the product development stage. The focus in the reporting period was on implementing legal requirements related to accessibility in the segments. In Germany, for example, we systematically reviewed and specifically adapted products, services, websites, and shop systems to make them more accessible to people with various limitations. In addition, we published information on the accessibility of our services. To build awareness, we continued our “Design for All” training for employees in the reporting year. The course is available on Deutsche Telekom’s online training platform. Employees of T‑Mobile US do not have access to the platform for legal and other reasons, but the company also supports employees in developing accessible products and services through training.

To harness the potential of information technologies for the benefit of society, Deutsche Telekom promotes media literacy among consumers and end-users with a wide range of products and services available throughout the Group – always with the aim of ensuring that everyone can navigate the digital world safely and confidently. The Teachtoday International platform provides an overview of all the Group’s media literacy initiatives worldwide. These also include measures that are explicitly designed to raise awareness on how to handle disinformation.

To advance digital access, T‑Mobile US established Project 10Million to offer free and reduced rates for internet connectivity and mobile hotspots to up to 10 million eligible student households. Through the end of 2025, T‑Mobile US has connected nearly 6.7 million students since program launch (2024: 6.3 million).

We are also looking at how to use AI responsibly in the context of access to information. In the reporting year, we awarded prizes for innovative approaches to AI-powered language generation as part of the T‑Challenge. We are continuing our collaboration with Resemble AI. This project demonstrates how AI-based technologies can assist in detecting audio deepfakes and prevent misuse through synthetic voices. Together, we want to help build digital trust and promote secure access to information and communication channels. In addition, we also promoted the use of AI to enhance the quality and trustworthiness of information in the reporting year, for example by refining an application that helps users verify information.

The effectiveness of our activities to advance material positive impacts related to access to information, products and services, and the media literacy offering is assessed using the Community Contribution – Digital Society and Beneficiaries – Digital Society ESG KPIs, among other things. When measuring the two KPIs, we rely on methods employed by the organization Business for Societal Impact (B4SI), which incorporate the aspects “input” and “impact.” The Community Contribution – Digital Society ESG KPI represents the “input,” while the Beneficiaries – Digital Society ESG KPI represents the “impact.” We use the Community Contribution – Digital Society ESG KPI to measure our financial, human, and in-kind contribution to the digital society. In the reporting year, this figure amounted to a total of EUR 977 million (2024: EUR 1,102 million). The Beneficiaries – Digital Society ESG KPI indicates the number of people who have benefited directly or indirectly (based on assumptions) from our commitment to promoting a digital society. These include, for example, people who use our media literacy platforms, attendees at workshops, and users of discounted rates (including household members). The metrics in this topical standard are not additionally validated externally.

Community Contribution – Digital Society ESG KPI

Social inclusion of consumers and/or end-users (non-discrimination and responsible marketing practices). We (excluding T‑Mobile US) continued our No Hate Speech initiative, which was launched in Germany in 2020, in the reporting year. Through this campaign, we aim to raise awareness in society and enable people to put into practice and defend fundamental democratic values online. We are advocating for an internet in which everyone can utilize the opportunities of the digital world – without having to fear marginalization or hate speech. In the reporting year, we launched the “Open your eyes” campaign, calling for greater social cohesion and civil courage. Our aim here is also to promote diversity in the digital world. In the reporting year, we either started or continued the No Hate Speech initiative in six European national countries.

We want to avoid our own business activities contributing to negative impacts on consumers and end-users. That is why we are committed to human-centric, values-based digitalization (Corporate Digital Responsibility – CDR) and are striving for the responsible use of AI. Back in 2018, we were one of the first companies worldwide to adopt Digital Ethics Guidelines on AI. They are continuously implemented by means of an integrated governance framework with processes, supporting tools, awareness-raising measures, and organizational anchoring. We set forth our perspectives on digital responsibility in our CDR framework, which we published in 2022. The Digital Ethics interdisciplinary working group, which handles the implementation of the EU AI Act, was founded in the same year. AI is managed through coordinated collaboration of functional, technical and regulatory responsibilities (excluding T‑Mobile US). These structures are anchored at Board level and facilitate a timely response to current developments. In the reporting year, we additionally conducted a large number of information sessions and offered many training courses on the functioning, opportunities, and risks of AI. T‑Mobile US adopted its AI Principles in 2023, and published its Responsible AI Policy and Guidelines for the enterprise in 2024. A governance council has also been established with senior leaders that oversee the company’s responsible use of AI.

Personal safety of consumers and/or end-users (protection of children). Although our business activity is directly connected with negative impacts on the protection of children and young people, we do not cause them. Our focus is therefore on developing and implementing mitigation and prevention measures. To tackle the cross-industry challenge of protecting minors from unsuitable media content, we (excluding T‑Mobile US) work together with different organizations for the protection of minors. We participate continuously in coalitions that coordinate the involvement of companies and organizations from the internet and media sector. We are involved in various country-specific initiatives and support national programs to protect children and young people from age-inappropriate content on the internet and to raise awareness for ways to combat disinformation and promote respectful behavior online. One example of this is the online magazine AwareNessi, which is aimed at children and their adult caregivers. The issues are available in several languages.

Another focus of our actions is to raise parents’ and legal guardians’ awareness for technical solutions. Depending on the operating system, mobile devices in our distribution network have integrated parental controls that can be used to monitor or restrict content, applications, screen time, or location tracking. Our website and social media channels provide comprehensive support for child-proofing devices and user accounts. T‑Mobile US, for example, offers customers the option of designating their children’s user accounts as Kidsʼ Line accounts. The data from these accounts is used only for basic services such as device operation or network administration, but not for targeted advertising. Kids’ Line accounts are automatically excluded from the Group company’s online advertising and marketing communications.

In addition, we offer service plans for children and young people at some national companies that provide protection against fraudulent websites and theft of login or bank details through a specific security feature. Our MagentaTV platform combines services such as television, media libraries, and streaming services and is available in selected European countries. It also features a parental control function that allows legal guardians to configure a supervisory function. For example, this allows them to block inappropriate content or to define usage criteria based on information from the content provider (e.g., “suitable for persons aged 18 and over”). We monitor the effectiveness of our actions to mitigate negative impacts on the protection of children by evaluating the usage rates of the above-mentioned products and services, for example, and – in relation to selected initiatives – also in the context of tracking the Beneficiaries – Digital Society ESG KPI.

When we develop actions to mitigate actual or potential negative impacts on consumers and end-users, we align ourselves with the legal requirements of the countries in which we operate. We keep the special protection that needs to be afforded to children in our sights at all times. We also draw on annual trend analyses, the findings of scientific studies, and our dialogue with NGOs. The feedback we receive through the formats for engaging with consumers and end-users about impacts described in the section “ESRS S4‑2” is incorporated into the focus of our activities and the development of our products and services. Since we do not implement or directly enable any specific mitigation measures, we have not established any procedures for measuring the effectiveness of such mitigation measures. As part of our No Hate Speech initiative, we inform consumers and end-users about their digital rights. This includes providing information to people that, under the Digital Services Act (DSA), internet platforms are required to enable users to report input containing disinformation and hate speech. We take this risk very seriously, especially with respect to children and young people. Since Deutsche Telekom does not operate a platform itself, we do not fall within the scope of this EU regulation. For incidents related to extremism and child pornography, which may lead to criminal proceedings, we encourage consumers and end-users to contact local law enforcement authorities directly. When designing content that is relevant to the protection of minors, we involve our youth protection officer in Germany; she suggests restrictions or changes, for example. In addition, it is not possible to allocate human and financial resources for managing the measures described above in the Group with any degree of accuracy due to the complexity of our activities. As a rule, all measures are implemented using the budgets of the individual units of the national companies responsible, and normally do not require significant operating or capital expenditure.

Unless specified otherwise, all actions and initiatives described in this standard are ongoing and have no specific time frame.

Information-related impacts for consumers and/or end-users (privacy). Protecting the data of all individuals and organizations that have a relationship with Deutsche Telekom is of the utmost importance to us; that is why our processes for managing material risks related to data protection and security are integrated into our existing data protection risk management process. We implement a range of different actions to mitigate reputation, cost, and sanction risks as well as risks to affected customers arising from data privacy incidents, and to enhance privacy. In doing so, we always keep a close eye on current developments, such as regulatory changes or technical advances, e.g., in the field of AI.

Data protection and security aspects generally play an important role in the development of our products and services. We review the technical and privacy-related security of our systems at every step of development using the Privacy and Security Assessment process (PSA) to update new and existing systems when the technology or method of data processing is modified. PSA is an important part of our risk management process. We regularly verify the effectiveness of the PSA process, both internally and through external, independent bodies, as part of the ISO 27001 and 27701 certifications, for example. We use a standardized procedure to also document the data privacy status of our products throughout their entire life cycle. T‑Mobile US does not use the PSA process, but has established its own data privacy impact assessment procedure, which the company uses to identify risks of data processing in new projects as well as initiate engagement with internal Cybersecurity teams to advise on necessary protective measures. T‑Mobile US also conducts a comprehensive data inventory of its systems.

In 2021, T‑Systems and Google Cloud signed a long-term collaboration agreement to mitigate material data privacy risks in connection with business customers. Available since 2022, the joint T‑Systems Sovereign Cloud powered by Google Cloud combines the open-source expertise of both providers, enabling business customers to process their data in the cloud in compliance with German and European data protection and sovereignty requirements (GDPR and Schrems II). This means that companies from regulated industries can also use cloud services.

Telecommunications companies in Europe are required to train their employees on issues related to data privacy law when they begin their employment. To avoid our own business activities contributing to material negative impacts on consumers and end-users, our actions go beyond this legal requirement: In addition to the mandatory training that all Deutsche Telekom employees receive when they join the Group, we provide our employees with training in this area at least every two years and also place them under the obligation to uphold data and telecommunications secrecy. In this context, we also raise our employees’ awareness for risks related to privacy and inform them about existing procedures. This aims to ensure that our employees handle customer data confidentially.

Every two years, we (excluding T‑Mobile US) perform sample analyses to check the data security awareness of our employees. Based on the results, improvement actions are called for where needed. The effectiveness of data protection training at T‑Mobile US is regularly assessed and training content adjusted as needed. Aside from this process, we have not set any specific time-bound or outcome-oriented Group-wide targets for advancing and measuring progress in the management of material risks relating to data privacy.

Personal safety of consumers and/or end-users (health and safety). In the context of our Group-wide risk and opportunity management, we assess the risks that arise for us from the ongoing public, political, and scientific discussions about possible health risks from mobile communications in relation to the build-out of mobile infrastructure and from regulatory interventions. We aim to overcome concerns among the general public by providing objective, scientifically well-founded, and transparent information. One example of our efforts to inform the public about the topics of technology, health, and mobile communications is our ongoing participation in industry initiatives such as the Mobile Telecommunications Information Center in Germany or the Forum Mobilkommunikation (mobile communications forum) in Austria. Their websites provide interested parties with information on topics such as limits, health protection, scientific research, and the development of mobile communications technology. T‑Mobile US aligns its processes with national legal requirements and does not currently have initiatives that go beyond that. Since responsibility for this action is spread between different players in the ICT industry, Deutsche Telekom is unable to track the effectiveness in practice.

ESRS S4‑5 – Targets related to managing material negative impacts, advancing positive impacts, and managing material risks and opportunities

To measure the effectiveness of our actions and initiatives in connection with material impacts on digital inclusion, we report the Beneficiaries – Digital Society ESG KPI described above. Our target is to reach a cumulative total of more than 80 million in Beneficiaries from 2024 to 2027. We reached approximately 40 million people with our digital society actions in the reporting year (2024: approximately 34 million). A cumulative total of around 74 million people were reached between 2024 and 2025. We defined our target based on an analysis of existing and planned initiatives in the individual segments. We then calculated the target value for the period 2024 to 2027. Various stakeholders were engaged to develop the target. We inform consumers and end-users as well as other stakeholder groups about our target achievement through our external communication channels.