S 1.5 Data protection
Description
The goal of data protection is to protect the right of individuals to determine for themselves if and how their personal data will be disclosed and used from being encroached on (right to informational self-determination).
Since data protection and information security are closely interlinked, this IT-Grundschutz module on the subject of data protection will, on the one hand, present general and practical conditions for data protection and, on the other hand, point out the connections between information security and IT-Grundschutz.
The IT-Grundschutz "Data Protection" module was created by the Federal Commissioner for Data Protection and Freedom of Information together with the state and federal Technology for Data Protection Officers Work Group as well as the state Data Protection Authorities. This module is intended for private and public users of IT-Grundschutz in Germany.
Since this module is based on German law, it can only be implemented outside of Germany in a general sense. The module cannot be considered as part of the formal process for obtaining IT-Grundschutz certification.
General legal conditions when processing personal data
The constitution of the Federal Republic of Germany includes the rights of the citizens to fundamentally make the decisions regarding the use of their personal data themselves. According to § 1 Federal Data Protection Act (BDSG), the goal of data protection "is to protect the right to privacy of individuals from being violated through improper handling of their personal data". The state data protection laws contain similar descriptions regarding the task of protecting the "right to informational self-determination". The entire data protection legislation only refers to personal data. This includes "individual information about personal or material conditions of a certain or determinable natural person". Artificial persons are not included.
The following information only refers to German legislation. The legislation to be applied in the individual case depends on whether the data processing centre is an office of the Federal Government, of a Federal State, or a private, non-public company. The Federal Data Protection Act is applicable to public offices of the Federal Government and for private companies and the respective state data protection law is applicable to public offices on state level. The structure of the data protection laws is mostly uniform; however, the contents differ in some areas. This is applicable to the basic terms of data processing, to the admissibility of data processing due to a statutory provision or a consent, and to the rights of the citizens. Furthermore, there are area-specific special laws to be prioritised over the provisions of the data protection laws on federal and state level (e.g. social code, road traffic act, registration acts, police acts).
The following information refers to the provisions of the BDSG and therefore is applicable to public offices of the Federal Government and private companies. The individual state data protection laws must be observed for public offices on state level.
Admissibility of collecting, processing, and using personal data, state-specific particularities
Collecting, processing, and using personal data (and/or data that can be referred to individuals) is only admissible if this is allowed for or ordered by a statutory provision or if the person concerned has given consent. The consent must be issued regularly in writing. Prior to issuing the consent, the person concerned must be informed about the purpose of processing. In order to assess the admissibility of data processing, it is important whether personal data is required at all. Design and selection of data processing programs must be oriented towards the goal of not collecting, processing, or using any or of only collecting, processing, and using as low an amount of personal data as possible. In this, the anonymisation and pseudonymisation options must be used particularly.
Furthermore, the principles of necessity and appropriation of data processing must be taken into consideration. Accordingly, data processing is only admissible if it is required in order to perform a task. Personal data exclusively stored for the purposes of data protection control, data backup, or for ensuring proper operation of a data processing system must only be used for these purposes. The data must only be processed for purposes defined beforehand. Collecting and storing data for not yet defined purposes is inadmissible. Changes to the purpose are only admissible in the exceptional cases mentioned in the law. In general, it must be pointed out that the state data protection laws are characterised by different deviations in the respective context that must be taken into consideration individually.
Data secrecy, obligation for data protection, briefing
The persons employed in the field of data processing are not allowed to collect, process, or use personal data in an unauthorised manner. In non-public offices, the employees must be obliged to data secrecy according to § 5 BDSG when commencing their work. In the public sector, a formal obligation is no longer required for the Federal Government and in the majority of the states. A corresponding data protection-related briefing is used here. Exceptions in the state data protection laws must be taken into consideration.
Technical and organisational safeguards
In order to protect the personal data, the data processing centres must take the necessary technical and organisational safeguards required in order to ensure the execution of the provisions from the BDSG. In particular, the "requirements" contained in appendix for § 9 BDSG must be complied with specifying 8 control objectives (site access control, system access control, data access control, disclosure control, input control, order control, availability control, compliance with appropriation). The safeguards to be taken are not described specifically in the law, because their suitability depends on the respective application case and the protection requirements of the personal data and the technical safeguards are subject to permanent change. The control objectives contained in the state data protection laws partially deviate from the objectives of the BDSG, partially more abstract objectives of IT security are mentioned and the specific implementation in security policies is required.
Specific data, prior check, automated individual decisions or retrieval procedures
If a processing procedure is characterised by specific risks for the rights and freedoms of the persons concerned, e.g. the processing of specific types of data (information about racial or ethnic origin, political beliefs, religious or philosophical beliefs, trade union membership, health, or sex life) or if the personal data is to be used to assess the personality, including skills, performance, or behaviour, of the person concerned, a prior check must be performed before starting processing (§ 4d Para. 5 BDSG). A Prior check is not applicable if a statutory obligation or a consent of the person concerned is present or if the collection, processing, or use serves for the purposes of a contractual relationship or quasi-contractual trust relationship with the person concerned. Some state data protection laws specify general prior checks for all procedures used by public offices in order to process personal data. The prerequisites for the aforementioned may deviate from the regulations specified by the Federal Government.
Decisions entailing legal consequences for the person concerned or significantly impairing the person concerned must not be exclusively based on automated processing serving for assessing individual personal traits (§ 6a Para. 1 BDSG).
Automated retrieval procedures are subject to special protection requirements. During these online procedures, the receiving office is responsible for the admissibility of the retrieval (§ 10 Para. 4 sentence 1 BDSG). In some state data protection laws, the process of establishing automated retrieval procedures is linked to specific legal prerequisites.
Rights of the persons concerned
According to the BDSG and the state-specific data protection laws, the persons concerned have the following rights in particular:
- right to information regarding their stored personal data, also insofar as referring to the origin of the data, the recipients or categories of recipients the data is forwarded to, and the purpose of storage
- right to correction, if incorrect data is stored
- right to blocking, insofar as the correctness of the data is contested by the person concerned and neither the correctness nor incorrectness can be determined
- right to deletion, if the data is stored inadmissibly or if the data is no longer required Deletion is substituted by blocking if retention periods are applicable, if there are grounds to believe that deleting the data would have adverse effects on the interests worthy of protection of the persons concerned, or if deleting the data is not possible at all or only possible at a disproportionately high expenditure due to the special type of storage.
- right to objection against data processing based on the special personal situation of the person concerned, unless data processing is required by a statutory provision
- right to damages due to personal data being collected, processed, or used in an inadmissible or incorrect manner.
These rights may not be excluded or restricted by contracts or other legal transactions.
Furthermore, the person concerned may also contact the Data Protection Officer of the government agency and/or company (bDSB) or the regulatory authority responsible in each case regarding questions relating to data protection. Nobody must be discriminated against or reprimanded as a result of turning to the Data Protection Officer or the regulatory authority. There are no requirements for form and notice period..
Contact persons and controls
The data protection control instances check the compliance of the data protection-related provisions:
The Data Protection Officers of the government agency and/or company are responsible for internal data protection control. They must be assigned directly to the Top Management and are not subject to any directives when executing their technical knowledge in the field of data protection. The Data Protection Officers work towards the compliance with the provisions regarding data protection. They must be provided by the responsible office with an overview of the automated procedures in the company/government agency. The Data Protection Officer must make the major part of this information available to everybody in a suitable manner. In cases of doubt, the Data Protection Officer of the company and/or government agency may contact the agency responsible for data protection control.
The Federal Commissioner for Data Protection is responsible for the public offices at a federal level. This includes the Federal Administration Agencies and the remaining public offices of the Federal Government, even the federal corporations. The commissioner's main task is to counsel and control these public offices.
The State Commissioners for Data Protection are responsible for counselling and monitoring the State Administration Agencies and the other public offices on state level, also including the municipal administrations.
The Data Protection Authorities for the non-public offices are responsible for counselling and monitoring in the field of economics. This task is assumed by the State Data Protection Officers in some of the Federal States. This task is assumed by the ministry responsible in each case, mostly the Home Office, in the remainder of the Federal States.
The address of the federal and state Data Protection Officers and the Data Protection Authorities for the non-public offices can be found at www.datenschutz.de.
Data protection in the IT-Grundschutz Catalogues
The safeguards contained in other modules of the IT-Grundschutz Catalogues serve for information security and therefore also for protecting personal data. The threat scenarios described in the following are limited to additional threats from a data protection point of view. The corresponding safeguards will be recommended afterwards.
Due to the often difficult legal situation in questions relating to data protection in general or special statutory provisions, competent support should be called on when assessing the legal requirements and the safeguards for the information security policy and data protection concept resulting from these.
Threat scenario
The threats posed in the area of data protection may be very diverse. The following typical threats are examined as examples of the numerous threats posed:
Organisational Shortcomings
| T 2.162 | Lack of admissibility regarding the processing of personal data |
| T 2.163 | Breach of limited use regarding the processing of personal data |
| T 2.164 | Breach of the principle of necessity regarding the processing of personal data |
| T 2.165 | Lack of or inadequate data avoidance and data economy regarding the processing of personal data |
| T 2.166 | Breach of confidentiality regarding the processing of personal data |
| T 2.167 | Lack of or inadequate prior checking |
| T 2.168 | Impairing the rights of persons concerned when processing personal data |
| T 2.169 | Lack of or inadequate protection of commissioned data processing regarding the processing of personal data |
| T 2.170 | Lack of transparency for the person concerned and authorities in charge of monitoring data protection |
| T 2.171 | Impairing specified control objectives regarding the processing of personal data |
| T 2.172 | Lack of or inadequate protection regarding the processing of personal data abroad |
| T 2.173 | Inadmissible automated single-case decisions or retrievals regarding the processing of personal data |
| T 2.174 | Lack of or inadequate data protection monitoring |
Method recommendation
In order to secure the information system examined, other modules will need to be implemented in addition to this module with these modules being selected based on the results of the IT-Grundschutz modelling process.
Within the framework of data protection management, the basic legal conditions must be observed and suitable technical and organisational safeguards must be taken in order to ensure data protection. This includes safeguards during the planning and design phases, during implementation, and during IT systems and procedures operation.
The bundle of safeguards for the field of data protection which must be applied to all IT systems and IT procedures used in order to process personal data is presented in the following.
Planning and design
| S 2.501 | (C) | Data protection management |
| S 2.502 | (B) | Specification of the responsibilities for data protection |
| S 2.503 | (A) | Aspects of a data protection concept |
| S 2.504 | (A) | Checking the legal framework and prior checking before processing personal data |
| S 2.505 | (A) | Definition of technical/organisational safeguards according to the state-of-the-art for processing of personal data |
Implementation
| S 2.506 | (A) | Obligation/briefing of staff members for the processing of personal data |
| S 2.507 | (A) | Organisational procedures for protecting the rights of data subjects regarding the processing of personal data |
| S 2.508 | (A) | Maintaining application registers and compliance with compulsory registration regarding the processing of personal data |
| S 2.509 | (C) | Data protection approval |
| S 2.510 | (A) | Notification and specification of retrieval procedures regarding the processing of personal data |
| S 2.511 | (A) | Regulation of commissioned data processing regarding the processing of personal data |
| S 2.512 | (A) | Regulation of linkage and usage of data regarding the processing of personal data |
Operation
| S 2.110 | (A) | Data protection guidelines for logging procedures |
| S 2.513 | (Z) | Documentation of admissibility regarding data protection |
| S 2.514 | (A) | Maintenance of data protection during operation |
| S 2.515 | (A) | Deletion/destruction in compliance with data protection |