S 2.503 Aspects of a data protection concept
Initiation responsibility: IT Security Officer, Data Protection Officer
Implementation responsibility: Data Protection Officer, IT Security Officer
For a company and/or government agency, the data protection requirements that must be complied with when processing personal data, and how these requirements have been implemented, must be defined and documented. In this way, the many cases in which a thorough examination and an individual data protection concept for each procedure would be too expensive can be dealt with collectively. Furthermore, this provides a basis that applies to all IT systems in general, including new IT systems for which no data protection concept has yet been drawn up.
Naturally, the statutory provisions applicable in each case must be observed first and foremost. Beyond these, however, there are generally applicable aspects that normally need to be taken into consideration when processing personal data. The aspects listed below should also serve as guidance for individual data protection concepts.
The objective of the data protection concept is to record all data protection-related aspects in a single summary document; this document may also serve as the basis for data protection-related examinations.
Aspects to be taken into consideration:
- directory of all procedures
- extent and use of the personal data to be processed: is there a direct reference to a person (e.g. address, fiscal information) or an indirect reference (e.g. licence plate, land parcel)?
- legal basis for processing
- appropriation
- consideration of special types of data
- compliance with data economy, data avoidance
- protection requirements of the data: determination of the protection requirements according to the protection level concept, taking into consideration the application context (normal, high, very high) in accordance with data protection-related aspects; for the category assessment see BSI Standard 100-2, chapter 4.2, or the protection level concepts of the individual federal states
- particularities of "automated retrieval procedures"
- prohibition of automated evaluations
- right to information, correction, blocking, objection, damages
- avoidance of infringements and their consequences
- deletion of data
- logging
- prior check (for this, there are checklists in different federal states)
- provisions regarding the responsibilities for data protection (see S 2.502 Specification of the responsibilities for data protection)
- documentation and approach regarding the involvement of the Data Protection Officer of the company and/or government agency
- documentation and approach regarding the involvement of the Federal and State Officer for Data Protection or involvement of the regulatory authority
- contractual regulations for commissioned data processing
- particularities of data processing in third countries (amongst other things, Safe Harbor rules)
- technical and organisational safeguards in accordance with the appendix to § 9 BDSG and/or the corresponding provisions in the state data protection laws and/or the provisions of special laws; assignment of the safeguards from the IT-Grundschutz Catalogues to the objectives of these laws (basic security check tables of the BSI; a table for module S 1.5 Data protection can be found on the BSI website under Resources for IT-Grundschutz); target/actual comparison regarding implementation, and later auditing and data protection-related control
- commitment to data protection and/or corresponding instruction of employees (see the form provided by the BfDI on the internet at www.bfdi.de or the corresponding leaflets of the data protection officers and regulatory authorities)
- approval of the procedures
- description of every procedure
- notifications to register offices (see also S 2.510 Notification and specification of retrieval procedures regarding the processing of personal data)
- appointment and tasks of a Data Protection Officer (see S 2.502 Specification of the responsibilities for data protection)
- consideration of the different data protection-related responsibilities (Federal Commissioner for Data Protection, State Commissioner for Data Protection, regulatory authorities)
Review questions:
- Is there a data protection concept covering all departments of the organisation?
- Is the data protection concept updated regularly?
- Are all employees, even newly hired ones, committed to and/or informed of the data protection concept?
- Are there sufficient resources for implementing the data protection concept?