S 2.508 Maintaining application registers and compliance with compulsory registration regarding the processing of personal data
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Specialists Responsible, IT Security Officer
In addition to the centralised data processing systems, all IT systems used for decentralised data processing must also be documented (see also BSI Standard 100-2, documenting the IT systems and documenting the IT applications and the related information).
A current directory of the hardware, software, and procedures used, as well as of the personal data collected, must be accessible at all times. Some data protection policies lay down specific requirements for the structure of these directories.
Automated procedures for collecting, processing, or using personal data must be documented by the responsible office in an overview (the procedural directory). As a matter of principle, this overview contains the information specified in §§ 4d and 4e BDSG and is usually maintained by the data protection officer (bDSB) in accordance with § 4g Para. 2 BDSG. The data protection laws of the federal states contain similar regulations where they provide for the appointment of a bDSB.
Under certain conditions, non-public offices are obliged to provide the responsible regulatory authority with register information that largely corresponds to the information in the procedural directory. According to § 4d Para. 4 BDSG, this obligation to inform generally applies only to offices that process personal data commercially for the purpose of transmission.
While public offices of the federal government are not subject to an obligation to inform regarding the Federal Commissioner for Data Protection and Freedom of Information, public offices in the federal states are in some cases obliged by state laws to provide such information to the respective State Commissioner for Data Protection, particularly on the basis of regulations in the fields of criminal prosecution and protection against threats.
So that the bDSB can perform the task of maintaining the procedural directory, the information required for it under § 4e BDSG must be provided completely and kept up to date. It is particularly important here that the legal basis for the data processing and its purpose are stated precisely enough that the purpose can later be changed only within the framework of the statutory requirements.
Review questions:
- Is there a current directory of the hardware, software, and procedures used, as well as of the collected personal data?