Posts

Establishment of Technical and Organizational Measures – The NRW Data Protection Supervisory Authority Recommends the Defense-In-Depth Approach

Securing data processing

According to the requirements of the General Data Protection Regulation, every form of data processing must be protected by technical and organizational measures. Implementing this requirement is not easy in practice, but requires comprehensive planning. This is particularly true when introducing a new processing operation. The basic requirement for safeguarding every processing operation is set out in Article 32 of the General Data Protection Regulation. This states that the selection of specific security measures must be based on the expected risk and its probability of occurrence, but also on the circumstances of the data processing and the implementation costs.

What my Defense-In-Depth approach

The Defense-In-Depth approach is the multi-layered design of a security system to defend against attacks. The decisive factor here is that no single, isolated security measure is taken. Rather, multiple measures must be combined in such a way that if one measure fails or is overcome, the other measures compensate for the gap and continue to ensure the security of data processing.

This system was developed for military purposes, with a different objective in detail, and then applied to the concept of information security.

However, this risk-based approach can also be applied when planning comprehensive protection of data processing operations.

Data protection supervisory authority recommends defense-in-depth approach

In its annual report presented on August 31, 2021, the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia now points out the fundamental importance of the defense-in-depth approach for securing data processing. Thus, using a number of practical examples, it explained that errors leading to a breach of personal data protection can occur at any time. According to the state commissioner, this could happen even without the intention of those responsible. For this reason, the defense-in-depth approach has become established in practice. (https://www.ldi.nrw.de/mainmenu_Aktuelles/Inhalt/26_-Bericht/26_-Bericht-LDI-NRW.pdf P. 156)

 

If you have any questions regarding the technical and organizational safeguarding of your processing operations, please do not hesitate to contact your team at aigner business solutions GmbH. Simply use our contact form for this purpose. You can also reach us by phone at our headquarters in Hutthurm on +49 (0) 8505 91927 – 0 or at our branch office in Munich on +49 (0) 89 413 2943 – 0.

Personenbezogene Daten als Währung des 21. Jahrhunderts - Daten - Personenbezogene Daten - Währung - Datenschutz - DSGVO - Datenübermittlung - Datenverarbeitung

Personal data as the currency of the 21st century

“Knowledge is power” and knowledge about potential prospects and customers is of enormous value. Data trading has therefore been a flourishing industry for years. Read more

Internationale Datentransfers - Anwendungsbereich der neuen Standardvertragsklauseln

International Data Transfers – Scope of the New Standard Contractual Clauses

The data processing operations, which are becoming more and more complex as a result of globalization, are a challenge for many companies, not least in terms of data protection law. The fact that data processing does not take place centrally, but often takes place internationally scattered in a transmission chain, requires a close look at the possibilities for legitimation. It is therefore necessary to take a closer look at the new standard contractual clauses and what options they offer. In the following article, the topic of the so-called onward transfer of personal data between processors outside the EU is to be examined. In contrast to transmission, further transmission means the transfer of data from one processor to another processor.

Read more

Video surveillance and data protection

Video surveillance is used by many companies. This has, for example, economic reasons, as video surveillance is more cost-efficient than a guard service. At the same time, companies have to deal with the permissibility of the video surveillance used. Within the scope of our activities, as external data protection officers, we support companies in all data protection issues. This also includes the topic of “video surveillance and data protection”. In this blog post, we explain which requirements must be met in order to operate a video surveillance system in compliance with data protection law.

Read more

Nicht-datenschutzkonforme-Fotoveroeffentlichung

Non-compliant publication of photos in brochure – employee receives compensation of € 5,000 for pain and suffering

Competent employees are a figurehead for successful companies. It is therefore standard practice for websites and other advertising materials to show photos of employees. As a ruling by the Münster Labor Court (Case No. 3 Ca 391/20) dated March 25, 2021 makes clear, data protection requirements must not be disregarded. The defendant employer was ordered to pay € 5,000 in damages for pain and suffering due to the publication of a photo of her employee without her written consent, Section 82 (1) of the GDPR, as it was a photo publication that did not comply with the GDPR. The defendant had used a picture of the plaintiff in a context related to her skin color in violation of the GDPR.

Read more