S 2.513 Documentation of admissibility regarding data protection
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Specialists Responsible
Before software or hardware is used to process personal data, it should be checked for its admissibility regarding data protection with regard to the planned use. The requirements for this check differ greatly depending on the IT system (e.g. non-networked PC or central computer centre). The result of the check should be documented. Such documentation is particularly important for data protection examinations.
In accordance with § 4g Para. 1 BDSG, the Data Protection Officer (bDSB) of the company and/or government agency must be informed about projects involving the automated processing of personal data. He/she must monitor the proper application of (existing and new) data processing programs that are to be used to process personal data. For this reason, it is advisable to involve the bDSB from the very beginning, i.e. during the first planning activities. This is the only way to avoid data protection-related errors in the planning phase, the later elimination of which may be time-consuming and costly.
Review questions:
- Are the hardware and software used for processing personal data checked for admissibility regarding data protection?
- Are the results of the check documented?