Posts


Belgian court rules: Encryption as an additional measure when exporting data

The Belgian Council of State ruled on August 19, 2021 (case number 251.378) that encrypting data before it is exported can be an appropriate supplementary measure to ensure an adequate level of data protection. Golem.de reported on this on September 17, 2021, and gdprhub.eu also covered the decision. The ruling confirms the view of many data protection experts that encryption can, under certain conditions, be used to export data lawfully to third countries that do not offer an adequate level of protection. This question had been hotly debated since the ECJ's Schrems II ruling.

Read more

Establishment of Technical and Organizational Measures – The NRW Data Protection Supervisory Authority Recommends the Defense-In-Depth Approach

Securing data processing

Under the General Data Protection Regulation, every form of data processing must be protected by technical and organizational measures. Implementing this requirement is not trivial in practice and calls for comprehensive planning, particularly when a new processing operation is introduced. The basic requirement for safeguarding every processing operation is set out in Article 32 of the General Data Protection Regulation. It provides that the selection of specific security measures must be based on the expected risk, taking into account both its likelihood and its severity, as well as on the state of the art, the circumstances of the data processing and the costs of implementation.

What the Defense-In-Depth approach is

The Defense-In-Depth approach is the multi-layered design of a security system to defend against attacks. The decisive point is that no single, isolated security measure is relied upon. Instead, several measures are combined in such a way that if one measure fails or is overcome, the remaining measures compensate for the gap and continue to ensure the security of the data processing.

The concept originates in military defense, where its objective differs in detail, and was later carried over to information security.

This risk-based approach can equally be applied when planning the comprehensive protection of data processing operations.
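To make the idea concrete, the following Python script is an added example written for this post; it is not code from the original article or from the NRW supervisory authority. It models the export of personal data records as a chain of independent controls: an authentication gate, an authorization gate, a rate limit, and two data-layer controls (purpose-based data minimisation and keyed pseudonymisation) that run no matter which gate admitted the request. A gate can be switched off to simulate a failed or misconfigured measure, and the remaining layers still limit what leaves the system. All records, session tokens, role and purpose tables, and the pseudonymisation key are constructed for the example (the key would come from a KMS or HSM in practice).

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records for the example (not real personal data).
RECORDS = {
    1: {"name": "Anna Example", "email": "anna@example.org", "city": "Passau", "age": 41},
    2: {"name": "Ben Example", "email": "ben@example.org", "city": "Munich", "age": 29},
}
# Assumption: in production this key lives in a KMS/HSM, never in source code.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"
# Data minimisation: the fields each declared purpose may receive.
PURPOSE_FIELDS = {"statistics": {"city", "age"}, "support": {"name", "email", "city"}}
# Authorization: the purposes each role may claim.
ROLE_PURPOSES = {"analyst": {"statistics"}, "agent": {"support"}}
# Authentication: constructed session table (token -> user).
VALID_SESSIONS = {"tok-analyst": "alice", "tok-guest": "guest"}


@dataclass
class Request:
    user: str
    session_token: str
    role: str
    purpose: str
    record_ids: list


@dataclass
class Outcome:
    allowed: bool
    denied_by: Optional[str]
    records: dict = field(default_factory=dict)   # pseudonym -> minimised record
    audit: list = field(default_factory=list)     # audit trail, written on every path


def authn(req: Request) -> bool:
    """Layer 1: the session token must belong to the claimed user."""
    return VALID_SESSIONS.get(req.session_token) == req.user


def authz(req: Request) -> bool:
    """Layer 2: the role must be allowed to export for the declared purpose."""
    return req.purpose in ROLE_PURPOSES.get(req.role, set())


def rate_limit(req: Request, max_records: int = 100) -> bool:
    """Layer 3: bound the blast radius of a single export."""
    return len(req.record_ids) <= max_records


def pseudonymize(record_id: int) -> str:
    """Layer 4: keyed HMAC so the identifier cannot be reversed without the key."""
    return hmac.new(PSEUDONYM_KEY, str(record_id).encode(), hashlib.sha256).hexdigest()[:16]


def minimize(record: dict, purpose: str) -> dict:
    """Layer 5: unknown purposes yield no fields at all (fail closed)."""
    allowed = PURPOSE_FIELDS.get(purpose, set())
    return {k: v for k, v in record.items() if k in allowed}


GATES = {"authn": authn, "authz": authz, "rate_limit": rate_limit}


def export(req: Request, disabled=frozenset()) -> Outcome:
    """Run every gate; `disabled` simulates a measure that has failed or been bypassed."""
    out = Outcome(allowed=False, denied_by=None)
    for name, gate in GATES.items():
        if name in disabled:
            out.audit.append(f"gate {name} DISABLED (simulated failure)")
            continue
        if not gate(req):
            out.denied_by = name
            out.audit.append(f"denied by {name} for user={req.user}")
            return out
    # The data-layer controls do not depend on the gates above having worked.
    for rid in req.record_ids:
        rec = RECORDS.get(rid)
        if rec is None:
            continue
        out.records[pseudonymize(rid)] = minimize(rec, req.purpose)
    out.allowed = True
    out.audit.append(f"exported {len(out.records)} records user={req.user} purpose={req.purpose}")
    return out


if __name__ == "__main__":
    guest = Request("guest", "tok-guest", "guest", "statistics", [1, 2])
    print(export(guest))                      # denied by authz
    print(export(guest, disabled={"authz"}))  # admitted, but only pseudonymised city/age leave
```

With the authorization gate switched off, the guest request is admitted, yet the export still contains only the two fields permitted for "statistics", keyed by pseudonyms rather than record IDs, and the audit trail records that a gate was disabled. That residual protection is the practical content of the approach: each layer is designed as if the others might fail.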

Data protection supervisory authority recommends defense-in-depth approach

In its annual report presented on August 31, 2021, the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia points out the fundamental importance of the defense-in-depth approach for securing data processing. Using a number of practical examples, the report shows that errors leading to a personal data breach can occur at any time, and, according to the state commissioner, even without any intent on the part of those responsible. For this reason, the defense-in-depth approach has become established in practice. (https://www.ldi.nrw.de/mainmenu_Aktuelles/Inhalt/26_-Bericht/26_-Bericht-LDI-NRW.pdf, p. 156)


If you have any questions regarding the technical and organizational safeguarding of your processing operations, please do not hesitate to contact your team at aigner business solutions GmbH. Simply use our contact form for this purpose. You can also reach us by phone at our headquarters in Hutthurm on +49 (0) 8505 91927 – 0 or at our branch office in Munich on +49 (0) 89 413 2943 – 0.


Every tenth cookie banner violates applicable law

This is the result of a review of nearly 1000 websites by consumer centers and consumer associations. As their federal association reported on September 17, 2021, several consumer centers and associations checked the websites to see whether their cookie banners comply with the law.

Read more


Unlawful declaration of consent – data protection supervisory authority imposes a fine of 2 million euros

The General Data Protection Regulation sets out a whole series of conditions that an effective declaration of consent under Art. 6(1)(a) and Art. 7 GDPR must meet. That these requirements are also enforced in practice is shown by the fine of 2 million euros imposed by the Austrian data protection supervisory authority.

Read more


About the temptation to tick the box for data protection consent

Data subjects must tick the boxes for data protection consents themselves. This is what the GDPR requires, and this is how the ECJ and the BGH have ruled: if controllers want to process data on the basis of consent under Art. 6(1)(a) GDPR, the checkboxes must be ticked by the data subjects themselves. It has long been clear that a pre-ticked checkbox does not constitute consent by the data subject that meets the requirements of Art. 4 No. 11 GDPR.

Read more


Selection and operation of software – in accordance with the GDPR

In modern companies it is almost inconceivable to run business processes without software support. So it is hardly surprising that new software is constantly coming onto the market, while existing systems must be continuously adapted to increasingly complex business processes.

Read more


NIS2 – Security of Network and Information Systems 2.0 for more cybersecurity in the EU

At the end of 2020, the EU Commission presented a draft of the Security of Network and Information Systems (NIS) 2.0 Directive. It is intended to replace the NIS Directive, the first EU-wide cybersecurity law, which entered into force in August 2016. The new draft imposes additional cybersecurity obligations on companies.

Read more


International Data Transfers – Scope of the New Standard Contractual Clauses

Data processing operations, which are becoming ever more complex as a result of globalization, are a challenge for many companies, not least under data protection law. Because processing rarely takes place centrally but is often scattered internationally along a chain of transfers, the possible legal bases need to be examined closely. This calls for a closer look at the new standard contractual clauses and the options they offer. The following article examines the so-called onward transfer of personal data between processors outside the EU. In contrast to the initial transfer, onward transfer means the passing of data from one processor to another processor.

Read more


10th BayLDA activity report for 2020 published

The Bavarian State Office for Data Protection Supervision (BayLDA) presented its tenth activity report, covering 2020, in July 2021. The activity report is drawn up on the basis of Art. 59 GDPR and provides information on the BayLDA's priorities and working conditions as well as its data protection assessment of various case constellations.

Read more


Noyb files complaints with data protection supervisory authorities against cookie banners

Noyb announced that it has filed formal complaints with the competent data protection supervisory authorities against 422 companies because of their cookie banners. Noyb stands for "None of your business" and is an association committed to enforcing data protection. One of its founding members is the well-known data protection activist Max Schrems. He became known, among other things, through the proceedings he initiated, which led to the groundbreaking ECJ decisions that overturned both Safe Harbor and the EU-US Privacy Shield.

Read more