T 2.171 Impairing specified control objectives regarding the processing of personal data
Inadequate technical and organisational safeguards regarding the processing of personal data first and foremost entail the risk that
- unauthorised persons may gain access to data processing systems,
- data processing systems may be used by unauthorised persons,
- authorised persons may access data outside of their access authorisations,
- personal data may be read, copied, modified, or deleted in an unauthorised manner,
- personal data may be read, copied, modified, or deleted in an unauthorised manner during electronic transmission or during transport or storage on data media,
- it is not possible to check or determine to which recipients personal data is intended to be transmitted by data transmission equipment,
- it is not possible to subsequently check and determine whether and by whom personal data in data processing systems was entered, modified, or deleted,
- personal data processed on behalf may be processed contrary to the instructions of the customer,
- personal data is not protected against accidental destruction or loss,
- it is not guaranteed that personal data collected for different purposes can be processed separately.
Examples:
- Many IT administrators believe that, for a stand-alone PC used by only one person with one application, it is sufficient to protect the PC with an individual BIOS password. This disregards the fact that BIOS password protection can in many cases be bypassed quickly and with simple means, so that personal data may be read or even manipulated unnoticed. It also disregards the fact that PCs, especially portable devices, can be stolen very easily and that the data, unless encrypted, can be read and misused by an expert with the help of operating system programs.
- A problem repeatedly detected during inspections is that access to the programs and databases of IT systems is protected by user identification (user name and password) and targeted user guidance (menu system, user-specific interface), but it cannot be determined afterwards, although the law requires it, which data was entered into the data processing systems, for example because the integration of an adequate logging function was omitted when the systems were designed.
- Prompted by discussions about reducing personnel and data processing costs, many users think that they can solve their existing problems by outsourcing the data processing and thereby transfer their data protection obligations to the contractor. This disregards the provisions of the data protection laws on commissioned data processing, which require an unambiguous contractual stipulation and leave the responsibility, including control of the technical and organisational safeguards, with the customer.
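The second example above and the control objective in the list (being able to determine afterwards whether and by whom personal data was entered, modified or deleted) can be illustrated with an append-only, hash-chained audit trail. The following is an added example, not code from the BSI catalogue; the class and field names are hypothetical, and it assumes the actor name is supplied by the application after the user has been authenticated.

```python
import hashlib, json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first audit entry


# Personal-data records plus an append-only, hash-chained audit trail: every
# create/update/delete records actor, UTC time, record id and the fields touched,
# so it can later be determined who entered, modified or deleted which data.
class AuditedRecordStore:
    def __init__(self):
        self.records = {}
        self.audit_log = []

    def _append(self, actor, action, record_id, fields):
        prev = self.audit_log[-1]["hash"] if self.audit_log else GENESIS
        entry = {"seq": len(self.audit_log), "time": datetime.now(timezone.utc).isoformat(),
                 "actor": actor, "action": action, "record_id": record_id,
                 "fields": sorted(fields), "prev_hash": prev}
        entry["hash"] = self._digest(entry)
        self.audit_log.append(entry)

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def create(self, actor, record_id, data):
        self.records[record_id] = dict(data)
        self._append(actor, "create", record_id, data.keys())

    def update(self, actor, record_id, changes):
        self.records[record_id].update(changes)
        self._append(actor, "update", record_id, changes.keys())

    def delete(self, actor, record_id):
        self._append(actor, "delete", record_id, self.records.pop(record_id).keys())

    def history(self, record_id):
        # Who did what to one record, in order of occurrence.
        return [(e["actor"], e["action"], e["fields"])
                for e in self.audit_log if e["record_id"] == record_id]

    def verify_chain(self):
        # Recompute every link; False if any entry was altered, removed or reordered.
        prev = GENESIS
        for i, e in enumerate(self.audit_log):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

In a real deployment the log would be written to storage the application users cannot modify (for example a separate, write-once log service), since the chain only detects tampering, it does not prevent it.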