S 2.504 Checking the legal framework and prior checking before processing personal data

Initiation responsibility: Specialists Responsible, IT Security Officer, Data Protection Officer

Implementation responsibility: Data Protection Officer, IT Security Officer, Specialists Responsible

Within the framework of checking the legal framework as a prerequisite of data processing, the following aspects must be considered:

When considering these aspects, legal advice should be obtained, since the legal questions involved, particularly in the field of data protection, may be difficult.

Admissibility of data processing

For the processing and use of personal data, the general principle is a so-called prohibition with reservation of authorisation (e.g. § 4 section 1 BDSG): processing is prohibited unless a legal provision or the consent of the person concerned permits it.

Normally, the admissibility of data processing should be checked in collaboration with the offices technically responsible.

Before collecting, processing, or using personal data, it must be checked whether

When personal data is stored, changed, and transmitted by non-public offices, it must be checked whether this

Checking the necessity

As a matter of principle, public offices must only collect personal data if this is required to perform their tasks. This is the case if, without knowledge of the data, performing the corresponding tasks is impossible or made significantly more difficult. This must be checked on a case-by-case basis.

The individual users must only access the data required for the performance of their tasks.

This is problematic with respect to system administrators: in common systems they can access all data without restriction. The access of system administrators to the data must therefore also be limited to a certain extent, particularly for data subject to specific professional confidentiality, such as personnel file data. Suitable safeguards for this include encryption of the data, access restrictions, staggered authorisation concepts, menu guidance, division of the system administrator functions into different roles, and secure logging of the system administrator's activities.
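The two safeguards named last, splitting administrator functions into separate roles and logging administrative activity in a way that cannot be silently altered, can be illustrated in code. The following is an added example and not part of the BSI safeguard text: the role names, permission strings, resource labels and sample users are constructed assumptions. Infrastructure administrators receive the rights needed to run the system but no right to read personnel file contents; every authorisation decision is appended to a hash-chained log so that later modification of an entry is detectable.

```python
"""Added example (not part of the BSI safeguard text): a minimal
authorisation model that splits system-administrator functions into
separate roles and appends every administrative action to a
hash-chained log. Role names, permission strings, resource labels and
the sample users are constructed for illustration."""
import hashlib
import json
from dataclasses import dataclass, field

# Separate roles instead of one all-powerful "admin" account.
# Infrastructure admins operate the system but hold no right to read
# personnel-file contents; only the HR role may read those records.
# Log reading is again a separate role, so the person whose actions
# are logged is not the person who reviews the log.
ROLE_PERMISSIONS = {
    "infra_admin": {"backup:run", "service:restart", "user:create"},
    "security_admin": {"log:read", "audit:export"},
    "hr_clerk": {"personnel_file:read"},
}


@dataclass
class AuditLog:
    """Append-only log in which each entry carries the hash of the
    previous one, so that editing or deleting an entry breaks the chain."""
    entries: list = field(default_factory=list)
    last_hash: str = "0" * 64  # chain anchor for the first entry

    def append(self, actor: str, action: str, resource: str, allowed: bool) -> None:
        record = {
            "actor": actor,
            "action": action,
            "resource": resource,
            "allowed": allowed,
            "prev": self.last_hash,
        }
        digest = hashlib.sha256(
            json.dumps(record, sort_keys=True).encode("utf-8")
        ).hexdigest()
        record["hash"] = digest
        self.entries.append(record)
        self.last_hash = digest

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for rec in self.entries:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            expected = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode("utf-8")
            ).hexdigest()
            if expected != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def authorise(log: AuditLog, user: str, roles: list, action: str, resource: str) -> bool:
    """Allow the action only if one of the user's roles grants it, and
    record the decision (granted or denied) in the audit log."""
    allowed = any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)
    log.append(user, action, resource, allowed)
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    print(authorise(log, "alice", ["infra_admin"], "backup:run", "db1"))
    print(authorise(log, "alice", ["infra_admin"], "personnel_file:read", "file/1234"))
    print(authorise(log, "bob", ["hr_clerk"], "personnel_file:read", "file/1234"))
    print("log intact:", log.verify())
```

Denied attempts are logged as well as granted ones, because an infrastructure administrator repeatedly trying to open personnel files is exactly the event a data protection review wants to see. In a real deployment the log would be written to a system the administrator cannot modify (a separate log host or write-once storage); the hash chain only makes tampering detectable, it does not prevent it.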

When designing the technology, procedures that process as little personal data as possible must be selected. The requirement of data avoidance and/or data economy applies. If possible, procedures must be designed to work anonymously or pseudonyms must be used. Service offers should at least give customers the option of choosing an anonymous procedure.
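One concrete way to apply data economy and pseudonymisation at the design stage is to reduce each record to the fields a processing step actually needs and to replace the direct identifier with a keyed pseudonym before the record enters that step. The following is an added example and not part of the BSI text; the field names, sample records and key are constructed. It assumes the key is held by a separate custodian, so that the processing side can link records belonging to the same person but cannot recover who that person is.

```python
"""Added example (not from the BSI safeguard text): pseudonymising
records with a keyed HMAC and reducing them to the fields a processing
step needs. Field names, sample records and the key are constructed
for illustration; the key is assumed to be kept by a separate
custodian, away from the system that processes the pseudonymised data."""
import hashlib
import hmac
import secrets

# Constructed sample records as they might exist in a personnel system.
SAMPLE_RECORDS = [
    {"employee_id": "E-1001", "name": "A. Example", "department": "IT",
     "salary_band": 4, "sick_days": 3},
    {"employee_id": "E-1002", "name": "B. Example", "department": "HR",
     "salary_band": 3, "sick_days": 0},
    {"employee_id": "E-1001", "name": "A. Example", "department": "IT",
     "salary_band": 4, "sick_days": 1},
]


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed hash of the identifier. Without the key the pseudonym can
    neither be reversed nor confirmed by hashing a list of candidate IDs,
    which an unkeyed hash of a short ID like 'E-1001' would allow."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimise(record: dict, needed_fields: set, key: bytes) -> dict:
    """Keep only the fields the processing step needs and replace the
    direct identifier with its pseudonym. Name and employee_id never
    leave this function unless explicitly listed as needed."""
    out = {"pseudonym": pseudonymise(record["employee_id"], key)}
    for name in needed_fields:
        if name in record:
            out[name] = record[name]
    return out


def prepare_for_statistics(records: list, key: bytes) -> list:
    """Example processing step: absence statistics per department need
    the department and sick days, and a pseudonym to count persons,
    but neither name nor salary band."""
    needed = {"department", "sick_days"}
    return [minimise(r, needed, key) for r in records]


def new_pseudonymisation_key() -> bytes:
    """Key generation for the custodian; 32 random bytes."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    for row in prepare_for_statistics(SAMPLE_RECORDS, key):
        print(row)
```

Records of the same person map to the same pseudonym under the same key, so counting or aggregating per person still works; rotating the key yields unrelated pseudonyms, which is how linkability can be cut between processing runs where it is not needed. Full anonymisation goes one step further and drops the pseudonym as well, leaving only aggregate values.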

Checking the use of data regarding appropriation

Before storing, changing, or using personal data, it must be checked whether these activities serve the purposes for which the data was collected or, if no collection took place, the purposes for which the data was stored.

Regarding this appropriation principle, there are numerous, statutory exceptions, some of which are wide-ranging (see § 14 BDSG for example).

Checking the use of the data regarding specific appropriation

It must be checked whether personal data stored for the purposes of data protection control, data backup, or securing proper operations of a data processing system is only used for these purposes (for example, see § 14 Para. 4, § 31 BDSG).

Prior check

Within the framework of the prior check performed before the first use of automated procedures for processing personal data, it must be determined which risks the procedure may pose to the right to informational self-determination.

If a processing procedure is characterised by specific risks to the rights and freedoms of the persons concerned, e.g. the processing of specific types of data (information about racial or ethnic origin, political beliefs, religious or philosophical beliefs, trade union membership, health, or sex life) or if the personal data is to be used to assess the personality of the person concerned, including his/her skills, performance, or behaviour, a prior check must be performed before starting processing (§ 4d Para. 5 BDSG). A prior check is not applicable if a statutory obligation or a consent of the person concerned is present or if the collection, processing, or use serves for the purposes of a contractual relationship or quasi-contractual trust relationship with the person concerned. Some state data protection laws specify general prior checks for all procedures used by public agencies in order to process personal data. The prerequisites for the aforementioned may deviate from the regulations specified by the federal government.

Automated procedures must only be used if it is ensured that they pose no risks to the right to informational self-determination.

In this, the following aspects must be checked:

Taking into consideration the state of the art and the costs incurred during implementation, the safeguards to be taken must guarantee a level of protection appropriate for the risks entailed by processing and the type of personal data to be protected.

If personal data is not processed by automated procedures, safeguards preventing any access of unauthorised persons during processing, storage, transport, and destruction must be taken.

The requirements differ in the wording and consequences of the individual state data protection laws. The decision on whether a prior check must be performed must therefore be made on a case-by-case basis.

Review questions: