CON.2 Data Protection

Description

Introduction

Unlike information security, which primarily serves to protect the data-processing institution itself, the task of data protection is to protect natural persons from institutions or bodies whose processing activities intrude too deeply into the fundamental rights and freedoms of those persons. The Basic Law for the Federal Republic of Germany guarantees citizens the right to determine, as a matter of principle, how their personal data are used. The federal and state data protection laws refer to this when they emphasise the protection of the right to informational self-determination. The EU Charter of Fundamental Rights formulates in Article 8 a direct right to the protection of personal data (paragraph 1), emphasises the necessity of a legal basis for data processing (paragraph 2) and prescribes oversight of compliance with data protection rules by an independent body (paragraph 3). The General Data Protection Regulation (GDPR) elaborates on these requirements of the Charter of Fundamental Rights. Of central importance is Article 5 GDPR, which lists the principles for the processing of personal data, some of which can also be understood as protection objectives. In addition to the GDPR, the Federal Data Protection Act (BDSG), the data protection laws of the federal states, and other sector-specific rules such as the Telecommunications and Telemedia Data Protection Act (TTDSG) must be taken into account.

In summary, four types of risk that must be mitigated using different categories of protective measures can be distinguished in the context of operational data protection:

  • Risk Type A: The fundamental rights infringement upon natural persons resulting from the processing has not been designed to be sufficiently mild.
  • Risk Type B: The measures for reducing the intensity of infringement of a processing operation are, with regard to the assurance objectives, not complete, or are not operated with sufficient effectiveness, or are not controlled, reviewed and assessed to a sufficient and ongoing degree.
  • Risk Type C: The measures required by information security (cf. e.g. IT-Grundschutz according to BSI) are not complete, or are not operated with sufficient effectiveness, or are not controlled, reviewed and assessed to a sufficient and ongoing degree.
  • Risk Type D: The information security measures are not operated in a manner that is sufficiently compliant with data protection, within the meaning of Risk Types A and B.

The assessment of the proportionality of the fundamental rights infringement of a processing operation is not covered by the Standard Data Protection Model (SDM). This legal assessment, as well as the assessment of the legal basis (cf. in particular Art. 6 and 9 GDPR) and the processing purpose, must be carried out before the SDM is applied. Thus, Risk Type A is not directly the subject of the SDM’s application. If one or more risk types are not considered, or if insufficient distinction is made between the risk types, there is a danger that the right to informational self-determination of the data subject cannot be guaranteed in accordance with the law.

The Conference of Independent Data Protection Supervisory Authorities of the Federation and the Länder (Datenschutzkonferenz, DSK) has developed the Standard Data Protection Model (SDM), a method that systematises the technical and organisational measures cited in German and European legal provisions on the basis of seven protection or assurance objectives. The model thereby serves bodies responsible for data processing and those involved as processors to systematically plan and implement the required measures. It thus promotes the data protection-compliant design and organisation of IT procedures, applications and infrastructures. On the other hand, the model provides data protection supervisory authorities with a means to reach a transparent, comprehensible and well-founded overall assessment of a processing operation using a uniform system. The SDM is suitable as a method for regularly reviewing and professionally evaluating the effectiveness of the technical and organisational measures of data processing on the basis of and according to the criteria of the GDPR.

When selecting appropriate technical and organisational measures, the SDM adopts the perspective of data subjects and the exercise of their fundamental rights, and therefore differs fundamentally from the perspective of IT-Grundschutz, which focuses primarily on information security and is intended to protect data-processing institutions. For the risk assessment and subsequent selection of measures under the SDM, what is decisive is the impairment that data subjects must accept as a result of the institution’s data processing.

Against this background, a distinction must be made between the selection of measures to ensure information security for institutions and the selection of measures to ensure data protection: the IT-Grundschutz methodology primarily serves information security, while the Standard Data Protection Model serves the implementation of data protection legal requirements (in particular the principles of Article 5 GDPR and the data subject rights of Chapter III GDPR). The SDM therefore makes the following claims:

  • It converts data protection legal requirements into a catalogue of assurance objectives.
  • It structures the procedures under consideration into the components of data, systems and services (including interfaces), and processes.
  • It maps the GDPR’s classification of processing activities by risk level (“none or low”, “normal” and “high”) onto the protection requirement levels “normal” and “high”, with effects in particular at the level of the specialist departments and their professional procedures, which are supported by applications and IT infrastructure.
  • It offers a catalogue of standardised protective measures.

The SDM’s reference measures catalogue covers measures applicable to information networks or procedures (processing operations) and to the institution as a whole within the framework of a data protection management process.

Objective

The objective of this building block is to demonstrate the connection between data protection requirements, as operationalised by the Standard Data Protection Model, and IT-Grundschutz.

Scope and Modeling

The building block CON.2 Data Protection is to be applied once to the information network when personal data are processed under German or European law. The building block CON.2 Data Protection, and in particular the extensive explanations in the introduction, thus supports practitioners in Germany and Europe in their orientation when the protection needs assessment identifies components in which personal data, or data that can be related to an identifiable person, are processed or otherwise used. In this context, it should be examined whether the building block should be applied not only to individual information networks or procedures but to the institution as a whole.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information networks, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular relevance for the building block CON.2 Data Protection.

Disregard of Data Protection Laws or Use of an Incomplete Risk Model

Under the GDPR, the processing of personal data is fundamentally prohibited. Processing is lawful only when the conditions of Article 6 GDPR are met — for example, when the data subject has given consent, or when a legal provision permits the processing. Processing is also non-compliant, for example, when an institution carries out processing without a sufficiently defined purpose, exceeds the stated purpose, or conducts it entirely without any purpose. The same applies when the institution processes personal data in a non-transparent manner, without measures to assure integrity and without possibilities for data subjects to intervene.

From a data protection perspective, an institution that processes personal data (for example by collecting, storing, transmitting or deleting them) is fundamentally a risk to the persons affected. This risk exists even when the institution’s data processing is lawfully designed.

A risk that frequently arises in practice is access to data that does not serve the purpose of the original processing. This typically involves access by foreign parent companies, law enforcement authorities, banks and insurance companies, public service administrations, IT manufacturers and IT service providers, or research institutions. Often in these contexts it is not examined whether the access is authorised, because, for example, a long-established practice is being continued. Another possibility is that subordinate employees avoid the personal risk of questioning whether a sufficient legal basis exists. Furthermore, responsible parties often draw no consequences from (partially) negative assessment results from a legal department or a Data Protection Officer. If those responsible ignore assessment or advisory results, questions of liability may arise.

A further risk — both for individuals and for the responsible institution — exists when no standard processes are in place for lawfully occurring access to IT services or the transfer of data sets by third parties. The same applies when evidence of proper conduct cannot be provided in the form of logs and documentation.

A major risk for individuals or employees is also inadequate data security. Recital 75 of the GDPR describes the risks associated with the processing of personal data and thus the threat landscape from unauthorised access as follows: “The risks to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, or trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.”

Setting Protection Needs Too Low

A further risk to individuals and employees is an incorrectly assessed protection need for their personal data. This protection need, which is typically determined by the institution responsible for processing personal data, may be set incorrectly or too low for various reasons:

  • The institution has not taken into account the catalogue of data protection assurance objectives, which goes beyond information security.
  • The institution has not distinguished, in the protection needs assessment, between the risks to the exercise of fundamental rights by data subjects and the risks to the institution itself.
  • The institution has distinguished between the two protection interests but has designed the functions of the procedure and the protective measures in favour of the institution and to the detriment of data subjects.

Requirements

The following are the specific requirements of the building block CON.2 Data Protection. Top Management is responsible for ensuring that data protection legal provisions are complied with. The implementation of the measures required to ensure data protection may be delegated to an organisational unit. This is to be distinguished from the role of the Data Protection Officer. Their tasks pursuant to Article 39 GDPR include informing and advising the controllers, processors and their respective employees on their data protection obligations. Their tasks also include monitoring compliance with data protection provisions. Responsibility for upholding data protection remains, however, with the controllers or processors. The Information Security Officer (ISO) must always be involved in strategic decisions. Furthermore, the ISO is responsible for ensuring that all requirements are met and reviewed in accordance with the established security concept.

Additional roles are defined in the IT-Grundschutz Compendium. These should be filled to the extent that it is sensible and appropriate.

Responsibilities              Roles
Primary responsibility        Top Management
Additional responsibilities   Data Protection Officer

Exactly one role should bear Primary responsibility. There may also be Additional responsibilities. If one of these additional roles has primary responsibility for fulfilling a specific requirement, that role is listed in square brackets after the heading of the requirement. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be met as a priority for this building block.

CON.2.A1 Implementation of the Standard Data Protection Model (B)

The statutory provisions on data protection (GDPR, BDSG, the data protection laws of the federal states and, if applicable, relevant sector-specific data protection regulations) MUST be complied with. If the SDM methodology is not applied — that is, if the measures are not systematised on the basis of the assurance objectives and cross-referenced against the SDM’s reference measures catalogue — this SHOULD be justified and documented.

Standard Requirements

No standard requirements are defined for this building block.

Requirements for High Protection Needs

No requirements for high protection needs are defined for this building block.

Additional Information

Good to Know

The EU General Data Protection Regulation: “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)” (GDPR) establishes fundamental, EU-wide statutory requirements for compliance with data protection.

The Standard Data Protection Model (SDM) — “A method for data protection consulting and auditing based on uniform assurance objectives” of the Working Group “Technology” of the Conference of Independent Data Protection Authorities of the Federation and the Länder provides a method for implementing statutory data protection requirements.