Compliance at ProSiebenSat.1

ProSiebenSat.1 Group follows a policy of compliance. The Executive Board believes that sustained economic success in a competitive environment can only be achieved by ensuring that all action taken is in compliance with the applicable laws. In the following, we report on the fields of law identified as particularly relevant for ProSiebenSat.1 Group. The prevention of corruption and violations of antitrust law and media law are important success factors for the market position and the attainment of the targeted corporate objectives. Due to the increasing digitalization of our business operations, data protection forms another central pillar of the compliance management system (CMS). Compliance with legal requirements for other fields of law relevant to ProSiebenSat.1 Group is addressed via separate governance systems. [DMA, G4-56]

ProSiebenSat.1 does not tolerate rule-breaking. ProSiebenSat.1 Group has therefore set down fundamental guidelines and procedures in its Code of Compliance, which was updated in 2016. They provide a framework for conduct in business, legal and ethical matters. They serve all members of the Executive Board, the management and the employees of ProSiebenSat.1 Group as a binding reference and regulatory framework for dealing with each other and with business partners, customers, suppliers and other third parties. This culture of integrity and compliance finds its way into our daily work; it is a component of the corporate processes. The Executive Board supports this by providing a suitable compliance organization and adequate and efficient compliance programs. These include consulting, training and measures derived from guidelines. ProSiebenSat.1 Group’s CMS is continuously being enhanced, improved and reviewed. In order to obtain an independent, external assessment, the audit firm KPMG has audited the CMS in the areas of antitrust law, anti-corruption regulations, media law and data protection law in accordance with the IDW Auditing Standard 980. The audit focusing on appropriateness and implementation as of December 31, 2016, was successfully completed on April 6, 2017. [DMA, G4-56]

In light of the CMS requirements and its individual Group structure, ProSiebenSat.1 is structured into centralized and decentralized compliance organizations. The centralized organization is made up of the Compliance Board, the Group Chief Compliance Officer (CCO) and the compliance subject-matter experts (SME). The decentralized compliance organization is represented by the Unit Compliance Officers (UCO), who are appointed for the affiliated companies.

Centralized compliance organization

Centralized compliance organization (Graphic)

A special role in the compliance organization is awarded to the Compliance Board, the function of which is to support the Executive Board with regard to the implementation, monitoring and enhancement of the CMS. The Compliance Board meets once a month. The permanent members are the CCO, the Group Chief Financial Officer (CFO), the Executive Board member responsible for Legal and Compliance and the Head of Group Audit. The Compliance Board is supplemented by further members with operating functions. The Board’s task is to decide on the focus of the CMS, to investigate matters and to propose sanctions. On the basis of a relevance analysis, the focal points of ProSiebenSat.1’s CMS were identified as combating corruption, antitrust and media law, and data protection:

  • Anti-corruption: ProSiebenSat.1 aims to create transparency in its dealings with customers, suppliers and authorities in order to meet international standards for combating corruption and national and local requirements for combating corruption and bribery. The CMS therefore covers the prevention of criminal acts of corruption, especially the criminal offenses of taking and giving bribes in commercial practice (Sections 299 et seq. of the German Criminal Code (StGB)), granting benefits to public officials (Section 333 StGB) and bribing public officials (Section 334 StGB). In 2016, there were no incidences of corruption or charges of corruption brought against the Group or ProSiebenSat.1 employees. [DMA, G4-SO5]
    The implementation of a systematic and standardized risk analysis for compliance risks is a material foundation of the CMS for ProSiebenSat.1 Group. Building on the relevance analysis, a compliance risk assessment is carried out as a second step. Specific weighting factors, such as the Corruption Perceptions Index, are included in the consolidation of the results into a risk portfolio for the Group. Following the assessment of ProSiebenSat.1 Media SE in 2015, a total of 14 companies were subjected to a compliance review in 2016, covering various areas such as antitrust and media law, data protection and corruption risks. This included key entities like ProSiebenSat.1 TV Deutschland GmbH and SevenOne Media GmbH, which generate a high share of consolidated revenues, and maxdome and SevenVentures in the digital business. As regards the key competition and corruption issues, we are focusing on our advertising sales model due to its significant economic importance for the ProSiebenSat.1 business model. [G4-SO3]
  • Antitrust law: With regard to antitrust law, the CMS at ProSiebenSat.1 covers the prevention of agreements and concerted practices that may adversely affect competition (Section 1 of the German Act against Restraints of Competition (GWB), Art. 101 of the Treaty on the Functioning of the European Union (TFEU)) and the prevention of the abuse of a dominant market position (Section 19 GWB, Art. 102 TFEU). Since 2008, RTL 2 Fernsehen GmbH & Co. KG and El Cartel Media GmbH & Co. KG have been involved in a civil lawsuit against ProSiebenSat.1 regarding anticompetitive behavior, which was also not yet concluded in 2016. [G4-SO7]
  • Media law: The requirements of the CMS according to media law concern licensing requirements, journalistic independence, the separation of advertising and programming, requirements for product placement, requirements according to laws for the protection of young people and the prevention of surreptitious advertising or the broadcast/distribution of illegal advertising.
    To protect journalistic independence and fundamental journalistic conditions, ProSiebenSat.1 Group formulated guidelines back in 2005 that all program creators in Germany are obliged to uphold. The “Guidelines for Ensuring Journalistic Independence” can be viewed on the corporate website and specify the understanding of the journalistic principles set forth in the Press Code of the German Press Council. ProSiebenSat.1’s journalists and editors are accordingly free to shape their contributions and report independently of social, economic or political interest groups. As a media corporation, political independence is of the utmost importance for ProSiebenSat.1. [G4-34, G4-56]
    Donations in cash or in kind to political parties are prohibited if they have not been previously approved by the Executive Board of ProSiebenSat.1 Media SE. ProSiebenSat.1 made no political donations in 2016. At the same time, the journalists and editors are aware of their responsibility with regard to the spread of information and their contribution to public opinion. Those with editorial responsibility, especially editors in chief, are responsible for compliance with these guidelines and for their implementation in daily business. [G4-SO6]
    In the field of youth protection, ProSiebenSat.1 Group’s youth protection officers make sure that programming on TV and online is age-appropriate. They work independently of the management and ensure that content which is inappropriate for children is broadcast only at the legally prescribed broadcasting times. They also guarantee technical methods of protection regarding the distribution of unsuitable content on the internet. Youth protection officers are therefore involved early on in the production and purchase of programs at ProSiebenSat.1. At an early stage, they assess screenplays, accompany productions and formats and compile reports. Independently, ProSiebenSat.1 Group’s TV and online editors receive regular training on youth protection requirements. In addition to internal guidelines and training, we are also committed to protecting young people via various organizations: The Company is represented on the Board of the Voluntary Self-Regulation of Television Association (Freiwillige Selbstkontrolle Fernsehen e. V., FSF) and the Board of the German Association for Voluntary Self-Regulation of Digital Media Service Providers (Freiwillige Selbstkontrolle Multimedia-Diensteanbieter e. V., FSM). The two associations are organizations for the voluntary self-regulation of private television broadcasters and multimedia service providers and are recognized as independent supervisory bodies for television and the internet by the Commission for the Protection of Minors in the Media (Kommission für Jugendmedienschutz, KJM). [G4-56, M4]
    In 2016, there were seven cases in which regulations and voluntary rules of conduct regarding the effects of products and services on health and safety were not complied with. We also include youth protection violations and violations against programming principles and journalistic due diligence here. In three of these cases, fines totaling around EUR 14,000 were imposed for violations against youth protection regulations. In two cases, however, the fines were rescinded in court appeals. In a third case, which relates to a fine of EUR 5,000, ProSiebenSat.1 also lodged an appeal that has not yet been decided upon. In three cases, the responsible authorities raised objections but no fines were imposed. In another case, a violation of voluntary rules of conduct was eventually ascertained with regard to the Voluntary Self-Regulation of Television Association’s (FSF) broadcasting time restrictions for youth protection. However, a fine was not imposed. In 41 cases, cease-and-desist declarations were also made following warnings under civil law in relation to regulations for the protection of fair competition and trademark law. In one case, a fine of around EUR 500 was also imposed due to a violation of advertising regulations. There were no cases of non-compliance with regulations or voluntary rules of conduct regarding the labeling of products and services. The fines imposed in the reporting period on account of non-compliance with laws and regulations regarding the provision and use of products and services totaled approximately EUR 14,000. [G4-PR2, G4-PR4, G4-PR7, G4-PR9]
  • Data protection: For a media company like ProSiebenSat.1, data protection is of particularly high importance, especially in light of advancing digitalization and new forms of advertising such as addressable TV. In February 2016, a one-day data protection summit was held in Munich for the first time. The participants comprised internal and external data protection officers from the consolidated entities of ProSiebenSat.1 Group. Together with expert speakers, they discussed in particular the latest data protection issues and implementation within ProSiebenSat.1 Group.
    In addition to statutory provisions, ProSiebenSat.1’s internal guidelines are binding for the handling of personal data and their automatic collection, processing and use. ProSiebenSat.1 has set down its data protection principles in the Global Data Protection Standard, the data protection policy, the Code of Compliance and in further data protection provisions. Among other things, the guidelines precisely dictate the data protection processes in the Group.

Data protection processes

 

 

 

Prior checking

 

Implementation of a risk analysis including compliance review in connection with the introduction/amendment of automatic procedures for processing personal data according to Section 4f of the German Federal Data Protection Act (BDSG) in order to address data-protection-law requirements at an early stage.

Commissioned data processing

 

Process for legal composition of order processing agreements and implementation of the statutory prior review as per Section 11 BDSG.

Disclosures to authorities

 

Process for legal sharing of personal data with authorities.

Rights of the data subject

 

Legal processing of data subjects’ requests:

  • Complaints management
  • Rights of access (Section 34 BDSG)
  • Right to correction (Section 35 BDSG)
  • Right to erasure (Section 35 BDSG)
  • Rights of objection (Section 35 BDSG)

Data breach notification

 

Process for the legal notification of data protection incidences (= unlawful access to personal data by third parties) as per Section 42a BDSG and Section 15a of the German Teleservices Act (TMG).

ProSiebenSat.1 Group has great respect for the privacy and personal rights of all individuals whose data is collected, processed or used. Therefore, no personal data is processed or used unless full compliance with applicable laws is ensured in advance. This is based in particular on sector and industry standards and best practices. We have identified six data leaks or incidents of stolen or lost data in the year reported. Ensuring the protection of all data now and in the future is an essential objective of ProSiebenSat.1 Group. [G4-PR8]

Alongside data protection, information security is also in the commercial interest of ProSiebenSat.1 Group. A loss, manipulation or unauthorized disclosure of business-critical information could lead to significant financial losses or reputational damage. The sufficient security of business processes, IT, infrastructure and critical information is therefore a strategic factor for the competitiveness and continued existence of ProSiebenSat.1 Media SE. Fundamentally, information security at ProSiebenSat.1 has four strategic objectives:

  • Maximize business continuity
  • Minimize business losses
  • Prevent and minimize the effects of security breaches
  • Limit risks

Failures of systems, applications, or networks are as much potential technological risks violations of data integrity and data confidentiality. The continuously increasing scope of information processing and networking and the advancement of technology are increasing complexity in the interplay with people-process technology on the one hand, and on the other hand there is rising vulnerability within Company-wide information processing. Targeted attacks and other threat scenarios show that politically, economically or ideologically motivated groups represent a growing challenge.

ProSiebenSat.1 therefore invests on an ongoing basis in hardware and software, in firewall systems and virus scanners, and establishes various access authorizations and controls. In order to prevent losses, the Group has multiple computer centers at separate locations, which assume each other’s tasks in the event of a system failure. Drills of crisis scenarios and penetration tests help to simulate potential weaknesses and further improve the IT system. In 2016, the Group subjected all relevant business applications to extensive tests, which confirmed that the degree of maturity was good and had improved further. The effectiveness of the security standards is also examined regularly by the Internal Audit department.

As part of our Information Security Management System (ISMS), the following properties of the information are secured by technical and organizational measures:

  • Confidentiality: Ensuring that only authorized individuals have access to information.
  • Integrity: Protection of completeness and correctness of information, systems and procedures.
  • Availability: Ensuring that information, information services and systems are available for authorized users, processes and functions.

To ensure that all employees are aware of the relevant fields of law, ProSiebenSat.1 has developed a two-part training concept comprising e-learning and classroom training. In 2016, 5,523 online training sessions on various compliance issues were carried out throughout the Group. General online compliance training was carried out with content regarding media, copyright, advertising and competition law (1,946 training sessions), data protection (1,924 training sessions) and antitrust law (1,653 training sessions). In addition, 952 participants took part in 42 classroom training sessions on youth protection, IT security, and more. [DMA, G4-SO4]