S 2.205 Transmission and retrieval of personal data
Initiation responsibility: Data Protection Officer, IT Security Officer
Implementation responsibility: Head of IT, Data Protection Officer
If personal data is transmitted from the premises of the employer and/or customer to a "remote" workplace (e.g. that of a teleworker), the data protection regulations must be taken into consideration. According to § 9 BDSG, unauthorised persons must in particular be prevented from using IT systems by means of data transmission facilities (access control). Furthermore, it must be possible to check and establish to which bodies personal data can be transmitted by data transmission facilities (transmission control).
The transport route and/or the transmission method should be selected so that the confidentiality, the integrity and the authenticity (proof of origin) of the personal data can be guaranteed.
If personal data is transmitted within the framework of an automated retrieval procedure, the specific admissibility prerequisites specified in the relevant laws must be taken into consideration:
General aspects
- The reason and purpose as well as parties involved in the retrieval procedure must be defined.
- The retrieval authorisations must be defined and controlled.
- The types and amounts of data to be provided must be specified.
- The retention periods and deletion deadlines for data must be defined.
- It must be defined in which cases the storing party must be informed by the retrieving party.
- The transport route must be defined, e.g. access via ISDN switched line, protected with the help of callback based on CLIP and/or COLP (see S 5.49 Callback based on CLIP/COLP).
- Suitable cryptographic procedures (e.g. symmetric and asymmetric encryption, digital signatures) should be used in order to prevent violations of data protection when transporting data requiring protection. Module S 1.7 Crypto-concept describes how the corresponding procedures and products can be selected.
- If one transport route is used to regularly or permanently exchange personal data, the transmission should be protected with the help of a virtual private network (VPN) (see S 5.76 Use of suitable tunnel protocols for VPN communication and S 5.83 Secure connection of an external network with Linux FreeS/WAN).
Safeguards against unauthorised retrieval
The retrieval of data by persons not authorised for retrieval must be prevented by means of suitable precautions:
- All users must unambiguously identify and authenticate themselves with respect to the IT systems the personal data is retrieved from.
- After a defined number of failed login attempts to an IT system or application, the account concerned must be blocked.
- Passwords must be changed at regular intervals. Wherever possible, users should be forced to change their passwords by a corresponding program.
- Type and extent of logging must be specified (see also S 2.110 Data protection guidelines for logging procedures).
- Random checks or continuous logging must be performed.
- Program-controlled verification procedures should be used to evaluate the log files.
- It must be defined where logging procedures are performed (retrieving and/or storing end).
- Logging must be designed in such a way that it is possible to subsequently determine whose retrieval authorisation was used to retrieve data.
- The reasons for retrieval must be documented. For each retrieval it should also be documented which connection and which terminal devices were used for the transmission.
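The controls in this list can be demonstrated with a small retrieval gateway at the storing end. The following Python code is an added example and not part of the IT-Grundschutz catalogues: it authenticates the retrieving user, blocks the account after a defined number of failed logins, enforces the retrieval authorisation per data set, writes a log entry from which the retrieval authorisation used, the terminal and the stated reason can be reconstructed, and runs a program-controlled check over the log. The account and table names, the lockout threshold of three attempts, the terminal identifiers and the data contents are assumptions made for illustration.

```python
"""Added example (not from the IT-Grundschutz catalogues): retrieval gateway with
authentication, lockout, retrieval authorisations, logging and log verification."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_FAILED_LOGINS = 3  # assumed threshold; the safeguard only requires "a defined number"

# Constructed sample data store; table names and contents are invented for this example.
DATA_STORE = {
    "employees": [{"id": 1, "name": "A. Example"}, {"id": 2, "name": "B. Example"}],
    "salaries": [{"id": 1, "salary": 52000}, {"id": 2, "salary": 61000}],
}


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    allowed_tables: frozenset   # the retrieval authorisation granted to this user
    failed_logins: int = 0
    blocked: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class RetrievalGateway:
    """Storing-end gateway: every retrieval attempt is authenticated, authorised and logged."""

    def __init__(self, registered_terminals):
        self.accounts = {}
        self.registered_terminals = frozenset(registered_terminals)
        self.log = []  # one entry per attempt, successful or not

    def add_user(self, user, password, allowed_tables):
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt), frozenset(allowed_tables))

    def _record(self, user, terminal, table, purpose, result):
        # Log whose authorisation was used, from where, for which data, why, and the outcome.
        self.log.append({"time": datetime.now(timezone.utc).isoformat(), "user": user,
                         "terminal": terminal, "table": table, "purpose": purpose, "result": result})

    def retrieve(self, user, password, table, terminal, purpose):
        acct = self.accounts.get(user)
        if acct is None or acct.blocked:
            self._record(user, terminal, table, purpose, "rejected")
            return "rejected", None
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                acct.blocked = True  # lockout after the defined number of failed attempts
            self._record(user, terminal, table, purpose, "auth_failed")
            return "auth_failed", None
        acct.failed_logins = 0
        if table not in acct.allowed_tables:
            self._record(user, terminal, table, purpose, "denied")
            return "denied", None
        self._record(user, terminal, table, purpose, "ok")
        return "ok", DATA_STORE[table]


def check_log(log, registered_terminals):
    """Program-controlled verification of the log: returns (finding, entry) pairs for review."""
    findings = []
    for entry in log:
        if entry["terminal"] not in registered_terminals:
            findings.append(("unregistered_terminal", entry))
        if entry["result"] == "denied":
            findings.append(("authorisation_exceeded", entry))
        if entry["result"] == "ok" and not entry["purpose"]:
            findings.append(("missing_purpose", entry))
    return findings


def demo():
    """Constructed scenario: one authorised retrieval, one beyond the authorisation,
    three failed logins from an unregistered terminal, then a rejected attempt on the blocked account."""
    gw = RetrievalGateway(registered_terminals={"ws-hr-01"})
    gw.add_user("hr.clerk", "correct horse", allowed_tables={"employees"})
    r1 = gw.retrieve("hr.clerk", "correct horse", "employees", "ws-hr-01", "payroll run 2024-03")
    r2 = gw.retrieve("hr.clerk", "correct horse", "salaries", "ws-hr-01", "curiosity")
    for _ in range(MAX_FAILED_LOGINS):
        gw.retrieve("hr.clerk", "wrong password", "employees", "laptop-unknown", "")
    r3 = gw.retrieve("hr.clerk", "correct horse", "employees", "ws-hr-01", "payroll run 2024-03")
    return gw, (r1[0], r2[0], r3[0])


if __name__ == "__main__":
    gateway, outcomes = demo()
    print("outcomes:", outcomes)
    for kind, entry in check_log(gateway.log, gateway.registered_terminals):
        print(kind, entry["user"], entry["terminal"], entry["table"], entry["result"])
```

The log deliberately records failed and denied attempts as well as successful ones, since it is these entries that the random checks and the program-controlled verification are meant to surface. Where logging is also performed at the retrieving end, the terminal identifier in each entry is what allows the two logs to be matched.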
Safeguards for organisational control
- All employees, particularly those at the retrieving end, must be bound to data secrecy. Employment contracts must contain a clause prohibiting the disclosure of data to third parties.
Review questions:
- Are the data protection regulations taken into consideration when transmitting and retrieving personal data?
- Are there efficient safeguards for preventing unauthorised persons from accessing personal data?
- Does the organisation regularly check where personal data can be transmitted?
- Have the transport route and the transmission method been selected in such a way that confidentiality, integrity, and authenticity of the personal data can be guaranteed?
- Have the technical and organisational safeguards implemented to protect personal data during retrieval and transmission been documented?
- Is there a concept for checking and determining the admissibility of the data transmissions performed within the framework of automated retrievals?