Data protection

The topics of artificial intelligence (AI) and the further development of our data protection risk management were primary focuses for data protection in the reporting year.

We have worked out the first concepts for development of in-house AI applications. They enable transparent and lawful data management and are intended to ensure that patients will be able to retain their right in future to self-determination of their own information in spite of the increasingly complex world of data processing.

In this context, Helios also pursued communication with the supervisory authorities – including on the design of individual AI development phases compliant with data protection regulations – and engaged intensively with planned regulatory innovations.

Protecting data effectively: our data protection management system

The Helios data protection management system ensures within the scope of the coordination model that all the companies in the Helios Hospitals Group have access to the full range of necessary tools in order to protect personal data appropriately. The Central Service Data Protection is responsible for the data protection strategy and for developing the data protection management system. During the reporting year, we developed our data protection management system in order to be in a position to ensure creation of an even more robust maturity measurement in all Helios companies.

Data protection is a management function at Helios. The management of the Central Service Data Protection reports directly to the Chief Executive Officer (CEO). The Central Service Data Protection is currently supported by 92 colleagues. In the roles of regional managers, regional data protection coordinators, or as data protection officers and data protection coordinators, these colleagues monitor the implementation of data protection requirements. Building and maintaining trust is important for our patients. We also believe that mutual trust serves as a guarantee for a positive relationship between our employees and Helios as an employer.

In 2023, 123 (2022: 115) violations of the protection of personal data were reported to the responsible supervisory authority pursuant to Article 33 of the General Data Protection Regulation. The overwhelming majority of the incidents were identified by sensitized employees. The orientation guide Incident Management published in the reporting year is intended to provide support with fast answers to detailed questions relating to the issue of violations of personal data protection. We carried out a detailed analysis of the data protection violations identified during the reporting year and we modified as necessary any established processes for the purpose of reducing risk.

Training and sensitization program

New employees at Helios have to make a commitment to confidentiality before they start their new job. They also need to complete online training for data protection within eight weeks of starting at Helios. Participation in regular training and awareness measures facilitate ongoing sensitization of employees to responsible handling of personal data. In 2023, the online training courses on offer were expanded by the topic of data protection and research, among others.