Annual Report 2025

When considering policies relating to consumers and end users, we distinguish thematically between the areas of information security and data protection in terms of the opportunity and risk involved. For a description of the risk, please refer to the section on cybercrime – customer data in the summary management report, risk and opportunity report, in the chapter on risks.

Information security and data protection are closely linked, but there are a number of differences that we must also take into account in the strategic and operational handling of the issues. The following table provides an overview (source: own illustration):

Consumers and end-users – Differences in dealing with information security and data protection

                           | Data protection                            | Information security
Legal basis                | GDPR, BDSG, TTDSG                          | NIS2, IT-SIG 2 etc.
Protection of              | Fundamental rights and freedoms            | Infrastructures, companies
Authorised representative  | DSB (data protection officer)              | CISO, ISB (information security officer)
Legitimisation             | Art. 37–39 GDPR                            | ISO 27001, TISAX®
Supervisory authorities    | 17 state authorities + federal government  | BSI

To address the issues described above, we attach great importance to preventive actions. To this end, we have implemented binding group-wide guidelines (principles) and policies (frameworks) on information security and data protection for Bechtle’s business activities. They are an important component of the information security strategy, which is based on the ISO 27001 standard, and of the data security policy of central Bechtle IT, which is based on the requirements of the EU GDPR. The documents are accessible throughout the group via the intranet and are intended to inform all Bechtle workers about the principles of data protection, information security, confidentiality and other important requirements, and to ensure compliance with legal requirements. These include the central information security guideline, the central guideline “IT Compliance” and the employee guideline “Information Security”, as well as the data protection guideline and the generally applicable training documents on the EU GDPR.

As part of the certification of the information security management system (ISMS) in accordance with DIN EN ISO 27001 and TISAX®, the required annual preparation and updating of the ISMS management review ensures that the Executive Board or the respective managing directors of the certified companies are involved. Bechtle IT, organisationally located within Bechtle AG, is certified in accordance with DIN EN ISO 27001 as the central function responsible for information security and data protection for Bechtle. As at 31 December 2025, 25 (2024: 15) companies in Germany and abroad were certified in accordance with ISO 27001 only, 3 (2024: 6) in accordance with TISAX® only and 4 in accordance with both ISO 27001 and TISAX®; converted to the number of employees, this corresponds to certificate coverage of 59 per cent (2024: 47 per cent).

In order to give greater weight to information security for us and our customers, the information security strategy was expanded in April 2024 through the creation of the position of Chief Information Security Officer (CISO), who reports directly to the Chief Technology Officer (CTO) and the Chief Executive Officer (CEO) and is also responsible for data protection. The CTO holds a divisional board mandate and reports to the Executive Board. The CTO and CISO both have the authority to define and demand the necessary guidelines within the company. The data protection coordinators, as the implementing body, are directly linked to the managing directors in all companies as staff units. The Atarax group of companies, a consulting firm specialising in data protection and IT security, has been appointed as data protection officer at all German companies.

Data protection and information security are closely linked to the human rights of our customers, as they concern key aspects of the protection of individual privacy, freedom of expression and informational self-determination. This is regulated by Article 12 of the Universal Declaration of Human Rights (UDHR) and Article 8 of the European Convention on Human Rights (ECHR). Data protection laws such as the GDPR implement this right in concrete terms and ensure that personal data is processed only on a lawful basis, such as consent, and under clearly defined conditions. Our guidelines and policies on data protection are designed to ensure compliance with the law and thus also with the human rights of our customers that the law implicitly embodies. By ensuring that our policies are known and adhered to, we also implicitly respect human rights. Our e-learning training course on information security and data protection includes a knowledge test to ensure that the content has been understood by the workers. The training also refers to the guidelines, which are available on the intranet. This approach is in line with the corporate responsibility to respect human rights in accordance with the UN Guiding Principles on Business and Human Rights, even though these do not contain any specific provisions on data protection or information security.

We assure our customers that we comply with the requirements. Our information security actions are designed to protect our customers from negative impacts on human rights, such as surveillance by third parties, including other companies/competitors, government agencies or criminal actors.

The information security strategy pursues the goal of protecting Bechtle against IT and cyber threats and thus creating the basis for a stable and secure digital infrastructure. We want to position Bechtle as a secure, reliable and trustworthy partner in the market in order to strengthen the trust of customers, partners and workers in the long term. In addition, security is continuously developed throughout the Bechtle Group with a high level of expertise in order to constantly maintain a high level of security and consolidate the company’s cyber resilience in the long term. In 2025, our reporting channel privacy@bechtle.com, which is available to both internal and external stakeholders, did not receive any reports from our customers (downstream value chain) on cases that violated the United Nations Guiding Principles.

Processes for engaging with consumers and end-users about impacts

Processes for engaging with our customers do not exist.

Processes to mitigate negative impacts and channels through which consumers and end users can raise concerns

With regard to information security, users (workers, business partners) must understand when and why business-relevant information must be protected. To ensure this, they are obliged to observe the guidelines and directives provided and to obtain adequate support when required. Bechtle offers appropriate training and advice on information security. In addition to this preventative approach, crisis intervention plans are in place for both information security and data protection. Internal and external stakeholders can use the compliance hotline or the whistleblower hotline for human rights violations and the hotline privacy@bechtle.com for violations in the area of information security and data protection. Further information on this can be found in the Governance information section.

To ensure data protection compliance, the Data Protection Guideline and the Data Protection Directive fulfil the requirements of accountability and documentation. Each business unit must demonstrate the legally compliant, transparent and purpose-related processing of personal data as well as compliance with the principles of data minimisation, storage limitation, data accuracy and data security. Here too, the Data Protection Guideline and the Data Protection Directive form the basis.

IT security actions are selected on a risk-orientated basis from the perspective of the persons concerned and are regularly reviewed and further developed, taking into account the principles of “privacy by design” and “privacy by default”. Suspected or identified breaches of information security requirements must be reported immediately to the line manager, the IT Coordinator, the Information Security Officer (ISB) or via the emergency number. This IT compliance reporting channel is the responsibility of the CISO and is separate from the compliance team in the legal department. Reports of breaches of data protection law, by contrast, must be sent to the Data Protection Coordinator (local/central) or to the Data Protection Officer at privacy@bechtle.com. This reporting channel is also available to our customers and is publicised via the privacy policy on the website.

The effectiveness of the reporting channels, such as privacy@bechtle.com and the whistleblower system, is ensured by the fact that incoming reports are recorded in a structured manner, checked and processed in accordance with defined processes. The responsible departments follow up on the reports and initiate appropriate remedial or corrective actions if necessary. Findings from reports received are incorporated into the further development of data protection and information security processes. Bechtle ensures that consumers and end users are informed about the existing reporting channels and perceive them as trustworthy by providing clear information on the use, responsibility and confidentiality of the processes. The option of confidential reporting supports the use of channels for raising concerns or complaints. Reports are treated confidentially and processed in accordance with the applicable internal regulations so that consumers, end users and other whistleblowers do not have to fear any repercussions from a report made in good faith.

Bechtle AG’s information security management system is certified in accordance with ISO 27001 and is regularly audited by external parties as part of the certification process. We also carry out additional internal and external security tests. These include business continuity tests, which serve as internal control mechanisms for checking the effectiveness of emergency and recovery processes, and penetration tests (pen tests), which check the security of as many system components and applications of a network or software system as possible. These security tests are carried out at least twice a year in our certified data centres and are part of our continuous security measures. In addition, we initiate ad hoc tests in response to changed services, further developments or new launches.

The data protection management system is also regularly reviewed to ensure that it is up to date and effective. In order to ensure the group-wide implementation of the requirements of the EU GDPR, our data protection officer conducts data protection audits in all Bechtle companies to identify open points and derive appropriate actions.

Taking actions

In the following, we report on the actions taken with regard to material impacts on consumers and end users, on our approaches to managing material risks and exploiting material opportunities in connection with consumers and end users, and on their effectiveness. Actions relating to information security and data protection are managed by our internal Security Operations Centre (SOC). Since 2024, we have had an emergency number so that critical cases can be reported and handled quickly. Our actions relate to our own IT systems and our own business activities. We continuously work on our security policies so that we can react quickly to changing requirements and adapt our security strategy if necessary.

As remedial actions, we carry out backups and verify them through restore exercises, we create and maintain recovery plans, and we integrate these with crisis management. We use IT security products from well-known manufacturers and carry out a requirements analysis before deploying them. Manufacturers are vetted for security on the basis of certificates and verifications. Finally, we ensure that our systems have an appropriate and secure IT architecture and consider the entire security chain.

With regard to the material opportunity, our action plan provides for the continuous expansion of customer relationships and security offerings. Bechtle currently serves over 10,000 active security customers in Europe with an end-to-end portfolio of product and technology sourcing, consulting services, professional services, managed services and learning services. With this end-to-end approach, we are able to support our customers in technical and preventive organisational security aspects.

Most attacks start with identity theft. The credentials obtained in this way can be used by attackers as an entry point into the company or sold on the darknet. We support our customers here with our IAM (Identity and Access Management) and PAM (Privileged Access Management) competence centres, which focus on the protection of identities, security awareness training and a specially developed darknet scan service.

Preventive actions can never prevent all attacks. Continuous 24/7 attack monitoring is therefore important. To this end, we offer the customer services from the Bechtle Security Operations Centre (SOC) that are geared towards early detection of potential attacks and a prompt response. Automated, playbook-based reaction mechanisms are also used. Security analysts are available to provide support for actions that cannot be automated, as well as in the event of successful attacks as part of Digital Forensics & Incident Response (DFIR). The restoration of affected systems can also be supported. In this context, a structured emergency and crisis management system is planned in order to be prepared for security incidents.

Finally, with our information security and data protection experts, we offer comprehensive services in the area of non-technical security. Governance, Risk & Compliance is particularly essential in order to fulfil regulatory requirements such as NIS2, DORA, CRA or the AI Act, which pose challenges for our customers.