Information security in the financial industry: Cloud service providers with ISO/IEC 27001 certification are the safe choice Part 3

Companies in the financial sector must comply with numerous regulations to protect data and IT systems. In addition to the GDPR, the requirements of BAIT, VAIT and KAIT (BaFin's supervisory requirements for IT at banks, insurers and asset managers) are particularly relevant here.

Anonymization in data protection – opportunity or risk borderline? Part 2

Part 2: What procedures, advantages and risks do pseudonymization and anonymization entail in data protection?

What are the procedures for pseudonymization?

In the case of pseudonymization, the controller can use a rights-and-roles concept to ensure that the pseudonymized data set is not merged again with the identifying data. One option, for example, is to encrypt the identifiers and to manage the key securely, so that only authorized persons can reverse the pseudonymization and re-identify a data record. Who holds the key, and who is allowed to use it, is what separates pseudonymized data from data that has merely been relabelled.
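The procedure described above, as an added worked example (not code from the original article): the direct identifier is replaced by a keyed token, the key and the token-to-identifier table live with a separate key custodian, and re-identification is gated on a role. The records, the role name "re-identify" and the e-mail addresses are constructed for the example. The block also shows the risk the article alludes to: an unkeyed hash of an identifier is not a pseudonym in any useful sense, because anyone who can guess the identifier can recompute and match it.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample customer records (hypothetical people, not real data).
RECORDS = [
    {"email": "alice@example.com", "plan": "premium", "spend_eur": 420},
    {"email": "bob@example.com", "plan": "basic", "spend_eur": 35},
    {"email": "alice@example.com", "plan": "premium", "spend_eur": 180},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Looks pseudonymous, but anyone who can guess the
    identifier (e-mail addresses, customer numbers) can recompute and match it."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:32]


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Same identifier -> same token, so the
    records of one person stay linkable for analysis; without the key the token
    cannot be recomputed from a guessed identifier."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:32]


class KeyCustodian:
    """Separate trust domain: holds the key and the token -> identifier table.
    The analytics side only ever sees tokens; re-identification is gated on a
    role (hypothetical role name 're-identify'), i.e. the rights-and-roles
    concept the article describes."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self._table: dict[str, str] = {}

    def pseudonymize(self, identifier: str) -> str:
        token = keyed_pseudonym(identifier, self._key)
        self._table[token] = identifier
        return token

    def reidentify(self, token: str, roles: set[str]) -> str:
        if "re-identify" not in roles:
            raise PermissionError("re-identification requires the 're-identify' role")
        return self._table[token]


def pseudonymize_records(records: list[dict], custodian: KeyCustodian) -> list[dict]:
    """Replace the direct identifier with a token; the remaining attributes are
    handed to the analysts unchanged."""
    return [
        {"subject": custodian.pseudonymize(r["email"]), "plan": r["plan"], "spend_eur": r["spend_eur"]}
        for r in records
    ]


def dictionary_attack(token: str, candidates: list[str], pseudonymize) -> str | None:
    """What an attacker without the key can do: pseudonymize guessed identifiers
    and compare. Succeeds against naive_pseudonym, fails against keyed tokens."""
    for candidate in candidates:
        if pseudonymize(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    custodian = KeyCustodian()
    table = pseudonymize_records(RECORDS, custodian)
    for row in table:
        print(row)
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]
    print("naive token recovered:", dictionary_attack(naive_pseudonym("alice@example.com"), guesses, naive_pseudonym))
    print("keyed token recovered:", dictionary_attack(table[0]["subject"], guesses, naive_pseudonym))
    print("re-identified by authorized role:", custodian.reidentify(table[0]["subject"], {"re-identify"}))
```

The truncation to 128 bits keeps the tokens short while leaving collisions negligible; in production the key would sit in a KMS or HSM and the custodian's table in a store the analytics accounts cannot read, so that neither the key nor the mapping is ever present on the analysis side.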

Anonymization in data protection – opportunity or risk borderline? Part 1

Part 1: The concepts of anonymization and pseudonymization

Anonymization – in the context of data protection, this often means that controllers no longer have to comply with the data protection rules when further processing the data. The reason for this connotation is that, under Art. 2 (1), the GDPR applies only to the processing of personal data. Anonymized data sets are characterized by the fact that they no longer relate to an identified or identifiable natural person. Controllers who want to take their processing outside the scope of the GDPR therefore strive to anonymize the data. If extensive customer records are to be analyzed and evaluated for marketing purposes, for example, the goal is to anonymize the records so that the further processing no longer has to meet data protection requirements.

VG Ansbach: A suitable legal basis for seamless video surveillance of gym users?

A violation of the GDPR occurs in particular if data is processed without a corresponding legal basis. That was the case here: a fitness studio in Bavaria monitored the entire training area by video without any gaps and received a prohibition order from the Bavarian State Office for Data Protection Supervision (BayLDA) for doing so. The gym, however, took this sanction as an occasion to bring an action before the administrative court against the supervisory authority itself. The Ansbach Administrative Court (VG) ruled on February 23, 2022 (Case No. AN 14 K 20.00083) that the BayLDA, which the gym had sued, had lawfully and proportionately prohibited the video surveillance as a corrective measure under Art. 58 (2) GDPR (paras. 43-44 et seq.). The gym's action, on the other hand, was “only justified to a minor extent” (para. 26).

Information security in the financial industry: Cloud service providers with ISO/IEC 27001 certification are the safe choice Part 2

Selecting a cloud service provider: ISO 27001 certificate as a central criterion

Certification in accordance with ISO/IEC 27001 is a central criterion for selecting a cloud service provider. Companies from the financial sector that transfer their data to an external provider must be able to trust that provider and rely on its compliance with all technical, legal and contractual requirements. Certification by an external body proves that an information security management system (ISMS) is actually operated in the company and that this is verified by external auditors, through annual surveillance audits and a recertification audit every three years. A certificate only covers what its scope statement says it covers, so a customer should check that the services, data centres and locations it actually uses fall within that scope rather than relying on the certificate alone.

The new ISO/IEC 27002:2022 – new structure for information security

The international standard ISO/IEC 27002 provides a reference set of information security controls together with implementation guidance, and in this way helps to implement the controls listed in Annex A of ISO/IEC 27001. The new version ISO/IEC 27002:2022 was published a few weeks ago, in February 2022. It reorganizes the previous 114 controls in 14 clauses into 93 controls under four themes (organizational, people, physical and technological) and adds eleven new controls, among them threat intelligence, data leakage prevention and secure coding. What is new, and what do the changes mean for companies?

Damages due to unlawful integration of Google Fonts – Guide beyond the individual case

Illegal integration of Google Fonts – The verdict

In its judgment of January 20, 2022 (Case No. 3 O 17493/20), the Munich Regional Court (LG München I) ruled on the claims of a data subject against a website operator in relation to the embedding of Google Fonts. The plaintiff was awarded damages in the amount of €100.00. In addition, under § 823 (1) in conjunction with § 1004 of the German Civil Code (BGB), applied by analogy, the defendant was ordered to refrain from disclosing the plaintiff's IP address to Google in the future by embedding Google Fonts. The technical cause is the dynamic embedding: the visitor's browser fetches the stylesheet and font files from Google's servers and in doing so transmits the visitor's IP address to Google, which the court treated as personal data.
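A check a site operator can run after this ruling, added here as an example and not part of the original article: scan a page's HTML and CSS for references to Google's font hosts, which is exactly the embedding that causes the visitor's browser to contact Google. The constructed "before" snippet loads Roboto and Open Sans dynamically (including a preconnect hint, which already opens a connection to Google); the "after" snippet serves the font from the site's own origin via @font-face. The file path in the self-hosted variant is hypothetical.

```python
from __future__ import annotations

import re

# Any reference to the Google Fonts CSS or font-file hosts, whether in a <link>,
# an @import, a url(...) or a preconnect hint.
GOOGLE_FONT_REF = re.compile(
    r"""(?:https?:)?//(?:fonts\.googleapis\.com|fonts\.gstatic\.com)[^\s"'()<>]*""",
    re.IGNORECASE,
)


def find_remote_font_refs(markup: str) -> list[tuple[int, str]]:
    """Return (1-based line number, URL) for every Google Fonts reference in an
    HTML or CSS document. Each one makes the visitor's browser contact Google
    and thereby transmit the visitor's IP address."""
    hits = []
    for number, line in enumerate(markup.splitlines(), 1):
        for match in GOOGLE_FONT_REF.finditer(line):
            hits.append((number, match.group(0)))
    return hits


# Constructed "before" page: fonts loaded dynamically from Google's servers.
DYNAMIC_EMBED = """<head>
  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  <link href="https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&display=swap" rel="stylesheet">
  <style>
    @import url('https://fonts.googleapis.com/css?family=Open+Sans');
  </style>
</head>"""

# Constructed "after" page: the same font served from the site's own origin.
# The path is hypothetical; the woff2 file is downloaded once and deployed
# together with the site, so no request ever reaches Google.
SELF_HOSTED = """<head>
  <style>
    @font-face {
      font-family: "Roboto";
      font-style: normal;
      font-weight: 400;
      font-display: swap;
      src: url("/static/fonts/roboto-v30-latin-regular.woff2") format("woff2");
    }
  </style>
</head>"""

if __name__ == "__main__":
    for number, url in find_remote_font_refs(DYNAMIC_EMBED):
        print(f"line {number}: {url}")
    print("self-hosted page:", find_remote_font_refs(SELF_HOSTED) or "no remote font references")
```

Run it over the rendered HTML and the compiled CSS of every template, not just the source files, since CMS plugins and themes frequently add the Google Fonts link at render time.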

VIDEO: From GAP analysis to audit: ISO 27001 Success Story – Fact Informationssysteme und Consulting AG

From GAP analysis to audit: All inclusive to ISO 27001 certification! We show you how Fact Informationssysteme und Consulting AG completely reorganized its IT security and data protection within one year.

Dismissal only for cause? The ECJ must decide on the special protection for data protection officers

Special protection for data protection officers

The special protection for data protection officers, who act as advisors to the body processing the data, only makes sense if the officer is able to act completely independently. For this reason, his or her position in the company is specially protected under the General Data Protection Regulation. In particular, Art. 38 (3) GDPR provides that a data protection officer may not be dismissed or penalised for performing his or her tasks. This is intended to ensure that the officer performs the monitoring and advisory duties truly independently and does not assess data protection issues in a biased way for fear of professional consequences.

BSI issues red alert for Log4J vulnerability

On Saturday, December 11, 2021, the BSI (Germany's Federal Office for Information Security) declared the highest warning level, "red", for the Log4j vulnerability (Log4Shell, CVE-2021-44228). The flaw lets an attacker place a JNDI lookup such as ${jndi:ldap://...} in any input that the Java logging library Log4j 2 writes to a log, for example an HTTP header, and have the application fetch and execute remote code. Numerous applications are affected by the vulnerability.

According to media reports, the affected applications include iCloud and Minecraft, as well as a system from Tesla. Various federal agencies are also threatened by the vulnerability.
