S 2.514 Maintenance of data protection during operation
Initiation responsibility: Top Management
Implementation responsibility: IT Security Officer, Data Protection Officer
Besides the appointment of a Data Protection Officer (bDSB) in the company or government agency, establishing an internal IT audit function and an internal data protection control function is an important safeguard within the organisational control required by the data protection laws. Both functions help to ensure, on site and in a timely manner, that data processing is secure and that data protection requirements are complied with.
IT auditing verifies the correctness of data processing by checking that the IT security policy is actually implemented. In particular, this includes checking the documentation of the procedures, the use of the procedures as specified, and the security safeguards as a whole.
Internal data protection control, on the other hand, is mostly the responsibility of the Data Protection Officer (see also S 2.502 Specification of the responsibilities for data protection) and consists of checking compliance with the requirements derived from the data protection laws. This includes:
- checking the procedures for compliance with their legal basis and with purpose limitation,
- ensuring the data subject's rights to information, correction, blocking, deletion, and compensation,
- informing employees about data protection and placing them under the corresponding obligations,
- maintaining overviews of files and procedures as well as equipment inventories, and
- checking the technical and organisational safeguards derived from the statutory provisions, i.e. site access control, system access control, data access control, disclosure control, input control, order (commissioned processing) control, availability control, and the separate processing of data collected for different purposes.
It makes sense for IT auditing and data protection control to work together and complement each other. By examining logged data promptly, they help to discover possible misuse quickly and to keep both the retention period and the volume of logged data to a minimum. They can advise the management of the data processing centre on the design of new procedures and the further development of existing ones, and they serve as competent points of contact during inspections by the supervisory authorities or the Federal or State Commissioners for Data Protection. In small offices, both functions can also be assigned to employees as a secondary duty and combined in one person. However, it must always be ensured that there is no conflict of interest with the other tasks assumed (see also S 2.502 Specification of the responsibilities for data protection); for example, an employee should not audit a procedure for which they themselves are operationally responsible.
Review questions:
- Is compliance with the data protection requirements checked regularly?
- Are the responsibilities and competences of IT auditing and data protection control coordinated?