Information Security & Data Privacy Briefing for Business Partners.

EAO – Information Security and Data Privacy at EAO.

We take security seriously – and shape it together with you.

Dear business partners,

Trust is the basis of every successful cooperation. At EAO AG, we have therefore committed ourselves not only to meeting the highest standards in information security and data protection, but to actively living them. This white paper gives you an overview of the security standards that apply across our sites.

1. OUR VISION: SECURITY AS THE FOUNDATION OF TRUST

At EAO, we understand information and IT assets as valuable business assets. For us, the protection of these resources is not an annoying set of rules, but a living corporate culture. We want you to feel safe working with us – and that starts with transparency about our standards.

2. OUR MANAGEMENT SYSTEMS: STRUCTURE WITH SYSTEM

2.1 Information Security Management System (ISMS)

Across all EAO locations, we operate a professional information security management system based on the ISO 27001 standard. This system ensures that your data and information are systematically protected – through technical measures, organizational processes and trained employees.

2.2 TISAX certification at the Auerbach site

Our site in Auerbach is certified according to TISAX – the recognized standard of the automotive industry for information security. This certification independently confirms that we meet the high requirements of the automotive industry and continuously monitor them.

2.3 Data Protection Management System (DSMS)

In parallel to our ISMS, we operate a comprehensive data protection management system that ensures that personal data is processed in accordance with the GDPR and other applicable data protection regulations.

3. OUR PROTECTION GOALS: WHAT IS IMPORTANT TO US

We are guided by clear protection goals that include both information security and data protection:

3.1 Integrity

Information is protected from unauthorized and unnoticed changes.

3.2 Confidentiality

Information is protected from unauthorized disclosure – only authorized persons have access.

3.3 Availability

The functionality of our systems and the usability of information are guaranteed at all times.

3.4 Authenticity

The authenticity of information and the identity of communication partners can be verified.

3.5 Accountability

Responsibilities for actions and decisions are clearly defined and documented.

3.6 Data protection

Personal data receives special protection and is processed only on a lawful basis.

4. OUR ORGANIZATIONAL STRUCTURE: CLEAR RESPONSIBILITIES

In order to implement these high standards, we have defined clear roles and responsibilities:

4.1 Chief Information Security Officer (CISO)

Responsible for the strategic orientation and monitoring of information security throughout the EAO Group.

4.2 Data Protection Officer (DPO)

Your contact for all questions relating to data protection – both internally and externally. The DPO monitors compliance with data protection regulations and advises on data protection-related projects.

4.3 Information Security Delegates (ISD)

There is an ISD at each EAO site who acts as the local contact for information security issues and coordinates the implementation of security guidelines on site.

4.4 Information Security Circle

Our Information Security Circle meets regularly. In it, the CISO, the DPO and all ISDs come together to discuss incidents, evaluate audit results and drive continuous improvement.

5. WHAT WE EXPECT FROM EXTERNAL PARTNERS

As an external partner, you are an important part of our security concept. Therefore, we would like to ask you to observe the following principles:

5.1 Confidentiality

Treat all EAO information confidentially. Share information only with people who need it to accomplish their tasks. Consistently limit access to EAO information according to the need-to-know principle: access is granted only to those people who actually need the respective information to perform their tasks.

5.2 Non-Disclosure Agreement

As the basis of our trusting cooperation, we ask you to read and sign the EAO Confidentiality Agreement. Your signature documents that you treat information and IT security with the same seriousness as we do.

5.3 Sharing within your organization

Information security can only be achieved if it is lived throughout the organization. We therefore ask you to actively communicate our security requirements within your company – especially to all employees who come into contact with EAO information.

Concrete steps that have proven successful:

  • Inclusion of the requirements in internal guidelines and work instructions
  • Implementation of training and awareness-raising activities
  • Use of different communication channels (e.g. intranet, onboarding, team meetings)
  • Regular review of effectiveness through feedback or internal audits
  • Management acting as a role model by actively practising the security standards themselves

5.4 Data minimisation

Collect and process only the data that is actually necessary for the performance of your tasks. If you find that you need support, we recommend that you seek professional advice. We will be happy to be your contact for this.

5.5 IT security

Information protection can only succeed where the current state of the art is adhered to. Together with our partners, we want to uphold this standard.

5.6 Obligation to report incidents

If you become aware of a security incident or data breach, please inform us IMMEDIATELY. This enables us to react quickly and limit damage.

5.7 Processing on our behalf

If you process personal data on our behalf, this is done on the basis of a data processing agreement in accordance with Art. 28 GDPR, which regulates all necessary security measures and your obligations in detail.

6. DATA PROTECTION: DSMS AND TRANSPARENCY

Data protection is managed and documented centrally by us.

Among other things, we document all data processing operations in a record of processing activities in accordance with Art. 30 GDPR and, where necessary, carry out data protection impact assessments. All activities are recorded and regularly evaluated in order to continuously improve the level of data protection at EAO AG.

7. AWARENESS CAMPAIGNS AND REGULAR TRAINING

Through regular awareness campaigns and updates from the data protection officer and CISO, we keep awareness of security issues alive and provide information about current threats.

All EAO employees regularly take part in training courses on information security and data protection. In particular, we also rely on short training courses that are held several times a year. The training content is continuously updated and adapted to new threats.

8. INCIDENT MANAGEMENT: WHEN SOMETHING DOES HAPPEN

Despite all precautions, security incidents can never be completely ruled out. That's why we have clear processes for dealing with incidents:

8.1 Quick Response

Any incident is reported immediately to the IT Service Desk and the responsible ISD, who in turn inform the DPO and CISO without delay.

8.2 Structured handling

  1. Notification and initial assessment
  2. Categorization and escalation according to a defined escalation plan
  3. Containment and corrective actions
  4. Documentation and root cause analysis
  5. Incident Report and Lessons Learned
  6. Presentation in the Information Security Circle

8.3 Reporting obligations

In the event of data breaches, the DPO and CISO immediately check whether there is an obligation to report to the supervisory authority (Art. 33 GDPR) or an obligation to notify data subjects (Art. 34 GDPR).

9. CONTINUOUS IMPROVEMENT: SECURITY IS A PROCESS

9.1 Audits and Reviews

We conduct annual internal audits on data protection and information security and undergo external audits (including TISAX recertification) to ensure that our standards remain current and are met.

9.2 Risk management

Risks are systematically identified, assessed and treated in accordance with the EAO Risk Policy. All processing operations are subject to risk assessment, and data protection impact assessment is carried out in the event of high risk.

9.3 Change Management

All changes to IT systems and processes are controlled, tested and documented through a formal IT change management process. Emergency changes require approval from the Head of IT or the System Engineer IT Security.

9.4 Monitoring and Logging

Our systems are continuously monitored to detect anomalies at an early stage. Monitoring covers IT systems, network traffic and user activities, while respecting the rights of employees.

10. YOUR DIRECT LINE TO US

Do you have any questions about our security standards? Want to report an incident? Would you like to exercise your data protection rights?

We are here for you:

Chief Information Security Officer (CISO)

E-mail: privacy.policies@eao.com

Data Protection Officer (DPO)

E-mail: privacy.policies@eao.com

11. CONCLUSION

Security is not a one-way street at EAO. It is created through the interaction of technology, organization and people – and this also includes you as our partner. We thank you for your trust and support in implementing our high security standards.

Together, we ensure that your data and ours are in good hands.

Your EAO AG

As of: March 2026