HmbBfDI (Hamburg) - Vermerk: Abdingbarkeit von TOMs
| HmbBfDI - Vermerk: Abdingbarkeit von TOMs (Art. 32 DSGVO) | |
|---|---|
| Authority: | HmbBfDI (Hamburg) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 6(1)(a) GDPR; Article 25(1) GDPR; Article 32 GDPR |
| Type: | Advisory Opinion |
| Outcome: | n/a |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | Vermerk: Abdingbarkeit von TOMs (Art. 32 DSGVO) |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | German |
| Original Source: | Datenschutz Hamburg (in DE) |
| Initial Contributor: | Florian Kurz |
Note published by Hamburg’s Data Protection Authority on the issue of technical and organizational measures and to what extent they must be implemented.
English Summary
Facts
The Data Protection Authority of Hamburg discussed to what extent controllers and processors must implement technical and organizational measures according to Article 32 GDPR. It then answered the question whether the data subject can consent to a data processing which does not necessarily meet the requirements of Article 32 GDPR.
Dispute
To what extent are the provisions in Article 32 GDPR obligatory and thus not subject to the preferences of the data subject?
Holding
The authority holds that Article 32 GDPR contains a number of obligations for controllers and processors, which allow for a certain margin of discretion. However, these obligations do not extend to data subjects. It is argued that data subjects have the right to consent to any conceivable data processing (e.g. processing lacking certain technical and organizational measures), even if others might consider such processing harmful. The authority's argument is based on Article 8(2) of the Charter of Fundamental Human Rights, which explicitly mentions consent as a central element of data processing. Thus, according to the supervisory authority, a data subject can, for example, consent to the sending of an email without proper encryption, even though Article 32 GDPR stipulates such a technical measure for certain emails.
It is important to note that only Article 6(1)(a) GDPR allows for such a derogation from Article 32. The other legal bases in Article 6(1) GDPR restrict a data subject's "disposition capability".
As mentioned above, only the data subject can consent to a derogation from the requirements of Article 32 GDPR. Nevertheless, Article 25(1) GDPR stipulates that the "controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures". This means that, regardless of a data subject's eventual choice, a controller must have appropriate measures implemented; only then can a data subject consent to a data processing without the appropriate technical and organizational measures.
The controller must also ensure that, if a data subject consents to a data processing without sufficient technical and organizational measures, the requirements of Article 7 GDPR are fulfilled. Otherwise, as is the case with all processing activities based on consent, the data processing is not in compliance with the GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
The Hamburg Commissioner for Data Protection and Freedom of Information
Note: Dispensability of TOMs (Art. 32 GDPR)

1. Issue and basic considerations

Article 32 GDPR provides that controllers and processors must take suitable technical and organizational measures to protect the rights and freedoms of data subjects. The controller or processor ensures the security of the processing by pseudonymizing or encrypting personal data and by ensuring confidentiality, integrity, availability and resilience. Article 32 GDPR does not stipulate a specific level of protection, but obliges the controller to weigh the risks of the processing and the implementation costs as well as the nature, scope, context and purposes of the processing. Recital 83 GDPR shows the standards according to which this balancing is to be carried out:

"When assessing the risks to data security, the risks associated with the processing of personal data should be taken into account, such as - whether accidental or unlawful - destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed, in particular where this could cause physical, material or non-material damage."

Recital 83 GDPR also states the purpose of the rule: "These measures should, taking into account the state of the art and the implementation costs, guarantee a level of protection (...) that is appropriate to the risks emanating from the processing and to the nature of the personal data to be protected."

The controller or processor must therefore examine which risks arise in the scenarios mentioned. These are to be set in relation to the costs of possible protective measures. The starting point for all of this is the state of the art (Art. 32(1) GDPR). Which specific measures are required can be determined on the basis of recognized catalogues of security measures such as BSI IT-Grundschutz, ISO 27001 or the Standard Data Protection Model.[1] As a result, the controller retains a margin of (judgment) leeway in determining the protective measures.[2] This does not apply if the controller is legally required to take one very specific protective measure. This should be the exception,[3] because what matters is an overall assessment of the protective measures taken, which in their entirety must guarantee the necessary protection. However, the protection requirements of the data may require that at least one of several conceivable technical protective measures is taken if this corresponds to the state of the art.[4]

In academic writing and in practice, there is discussion as to whether data subjects can consent to a lower level of protection than is legally required. In practice, the problem typically arises with (e-mail) encryption. Under Art. 32 GDPR, end-to-end encryption may be required, for example because particularly sensitive personal data under Art. 9 GDPR are concerned. However, if either the controller or the data subject does not have the corresponding technical means to implement such encryption,[5] the question arises whether and under what conditions the data subject can consent to a lower level of protection. It is therefore a question of whether, or to what extent, the requirements of Art. 32 GDPR are mandatory requirements that are not at the disposal of the data subject.

2. Is system data protection mandatory, non-disposable law?[6]

The question whether Art. 32 GDPR constitutes mandatory, non-disposable law is partly answered in the affirmative with the argument that the GDPR aims to create a European minimum standard of system data protection. For such a system to be established uniformly across Europe, the requirements of Art. 32 GDPR must also be implemented and must not be circumvented through agreements with data subjects. Behind this argument lies the fear that system data protection would otherwise be reduced to a minimum level due to economic considerations of controllers. A platform with many users could, instead of having to adapt its systems to the state of the art at great cost, simply obtain an agreement from all users that they consent to the use of the platform despite the risks of the outdated technology. Especially with providers whose customers have no comparable alternatives or whose users have built their network on the platform ("lock-in effect"), it would be easy to obtain corresponding declarations from the users.[7] This would run counter to the aim of the GDPR of promoting data protection through technology design (data protection by design) and through protection-friendly default settings (data protection by default) (cf. Art. 25(1) and recital 78 sentence 2 GDPR). These considerations are justified.

At the same time, however, it would be a significant limitation of the freedom of decision of data subjects if processing of their personal data that they expressly request could not be carried out with reference to system data protection. This can be observed with medical practices, tax consultants or lawyers who refuse to provide information or to transmit urgently needed documents by simple e-mail because they fear violating Art. 32 GDPR, even if the data subject expressly consents to the insecure type of transmission. It should not be in the interest of the data subject within the meaning of the Regulation to impose on this person, against their will and possibly to their detriment, a level of protection that they expressly reject.[8] Due to these conflicting interests, the question of the dispensability of system data protection cannot be answered across the board. The answer must differentiate between the controller or processor on the one hand and the data subject on the other.

a. Differentiation between the data subject and the controller

Art. 32 GDPR contains obligations for the controller or processor which allow some leeway for judgment but are essentially mandatory and not at the disposal of the controller or processor. Something different applies with regard to the data subject, since the GDPR, as evidenced by Art. 1(2) GDPR, declares "the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data" to be its subject matter. The primary protection is the fundamental right to data protection (Art. 8 CFR). This is at the disposal of the holder of the fundamental right, i.e. the person concerned. This is already evident at the level of fundamental rights, as Art. 8(2) sentence 1 CFR is centrally based on the consent of the data subject. The data subject is in principle free to consent to all possible forms of processing of their personal data, even if these may be perceived by outsiders as harmful for the person concerned. In this way, consent can be given to disadvantageous or sexualized recordings being published on the Internet. The data subject could also consent to the publication of the access data to their bank account or of their health data. Whether this is in their interest or in the interest of data protection does not matter as long as effective consent is given. Against this background, it is not convincing to assume that, while consent to the direct publication of personal data is possible, consent to the transmission of such data via a path that is not adequately secured is not. The worst consequence of the latter would be the spying out of the data and a no longer controllable general publication. The data subject could consent to that anyway.

The requirements of European fundamental rights, which the GDPR implements in accordance with Art. 1(2) GDPR, therefore suggest that the protective measures for the processing of one's own personal data are dispensable by the data subject. This also includes the technical means that are used (or not used) for the processing.[9] Art. 32 GDPR supports this conclusion, as two objectives can be derived from its wording: primarily the protection of the data subject and secondarily the establishment of a high, Europe-wide uniform level of data security.[10] Thus Art. 32(1) GDPR refers expressly to the "risk [...] for the rights and freedoms of natural persons". In addition, Art. 32 GDPR - like the entire GDPR - also pursues the regulatory objective of creating a uniform level of data security in the processing of personal data.[11] The secondary objective is also achieved if the data subject is allowed to waive a measure under Art. 32 GDPR, because the provision makes the requirements for creating an appropriate general standard of data security binding on the controller (see 3.). The requirements of Art. 32 GDPR are therefore at the disposal of the data subject.[12] For the controller or processor, Art. 32 GDPR contains binding rules, as it contains an obligation to implement appropriate measures and does not grant the controller or processor any decision-making power over whether to implement them.[13]

b. Do Articles 6 and 7 GDPR preclude a waiver of protective measures?

The systematic argument that Art. 6(1)(a) and Art. 7 GDPR, which regulate consent, concern only the "whether" and not the "how" of the processing and therefore exclude consent of the data subject to the "how",[14] does not hold. Art. 6(1)(a) and Art. 7 GDPR create the legal basis for the controller to be able to carry out processing at all and thus implement Art. 8(2) CFR. Art. 6 and 7 GDPR therefore expand the legal sphere of the controller, who without a legal basis is not allowed to process any personal data of the data subject. The consent of the data subject is one legal basis among many and is an expression of the fundamental freedom of disposition of the data subject over their data. The remaining legal bases of Art. 6(1) GDPR (lit. b-f), by contrast, restrict the data subject's ability to dispose. From the (fundamentally mandatory) standardization of these legal bases, which encroach on the fundamental right under Art. 8 CFR, it cannot be concluded that the data subject is free to dispose only as far as this is regulated in Art. 6 and 7 GDPR. Rather, the freedom of disposition of the data subject is fundamentally unrestricted and is only restricted by Art. 6 GDPR. Articles 6 and 7 GDPR do not enlarge the legal sphere of the data subject, but only that of the controller. The rights of the data subject already result from Art. 8 CFR and not only from the GDPR. From Art. 6(1)(a) and Art. 7 GDPR it can only be concluded that the data subject's freedom of disposition can be restricted only as provided for by these provisions. The opposite conclusion, that Art. 6 and 7 GDPR extend the scope of the data subject's freedom of disposition, cannot be derived from the legal system. The legal system therefore - contrary to the literature view presented at the beginning - speaks precisely in favour of the possibility for the data subject to consent to a lowering of the security of the processing, as the freedom of disposition of the data subject is restricted by Art. 6 and 7 GDPR only in relation to the "whether" and not in relation to the "how". Since a provision restricting the freedom of disposition over the "how" is missing, that freedom remains unlimited in relation to the "how".

At this point, too, the consequence of the opposing view should finally be shown once more: if one only allowed consent to the "whether" of the processing, it would be possible to consent to one's own personal data, including health data such as a medical certificate, being published on the Internet by a third party. It would not be possible, however, to agree that the third party sends the same data to the data subject via unencrypted e-mail, because then it cannot be guaranteed that the transmission of the data is not accessed and the data may become public knowledge. This result is neither appropriate nor can it be derived from Art. 6(1)(a) and Art. 7 GDPR.

c. Intermediate result

Compliance with the security of processing in a specific processing operation is in principle at the disposition of the data subject.

3. Obligation of the controller or processor to create the standard of data security required under Art. 32 GDPR

Art. 25(1) GDPR obliges the controller to implement, "both at the time of the determination of the means for processing and at the time of the processing itself, appropriate technical and organisational measures" to protect data subjects. This means that the controller, irrespective of a specific processing operation, has to take protective measures that are based on a typified consideration of the processing it carries out.[15] The latter is also reflected in the fact that Art. 32 GDPR does not speak of the rights and freedoms of the individual data subject, but of data subjects in the plural. The weighing by the controller therefore takes place on the basis of a typified consideration, not related to the specific individual. This shows that Art. 32 GDPR standardizes an obligation for the controller or processor which must be implemented by them. Since it is not the data of the controller but those of the data subject that are concerned, only the data subject can waive compliance with the requirements of Art. 32 GDPR. However, the data subject can only make a free decision about a waiver of compliance with Art. 32 GDPR if the TOMs required under Art. 32 GDPR are at least kept available by the controller. The controller or processor already has to implement the appropriate technical and organizational measures at the point in time at which it determines the means for the later specific processing, for example when it decides on the way in which the data are transmitted. Therefore, a controller that carries out processing requiring the transmission of sensitive data cannot retreat to the position that it cannot in principle guarantee secure transmission and that the data subject has given permanent consent to this. Rather, it already has to keep a secure form of transmission available at the time of selecting the means for the processing. This does not preclude the data subject from consenting to a specific processing operation concerning them being carried out without the level of protection required under Art. 32 GDPR, provided that the controller can guarantee this level in principle.[16]

Finally, it should be emphasized that the special case of consent to unencrypted e-mail communication with lawyers has in the meantime been legitimized under professional law by the introduction of § 2(2) sentence 5 BORA. However, the admissibility of this form of communication under data protection law remains unaffected by § 2(2) sentence 5 BORA, as the GDPR is higher-ranking European law in relation to the BORA and no opening clause applies.[17] The BORA can therefore only regulate professional law, as this does not fall within the scope of the GDPR, but not data protection law, which in this respect is conclusively regulated by the GDPR. Therefore, the statements made here also apply in this case.[18]

As a result, Art. 32 GDPR is mandatory law for the controller and the processor. They have to keep available the technical means necessary to guarantee an appropriate level of protection, even if the data subject insists on dispensing with the corresponding TOMs in an individual case.

4. Requirements for effective consent

From the above it follows that consent to the lowering of the level of protection is possible, but only under two conditions: on the one hand, the controller must in principle be able to comply with the level of protection required after the weighing under Art. 32 GDPR. On the other hand, the consent must satisfy the requirements of Art. 7 GDPR.[19] These prerequisites result from the different effects of Art. 32 GDPR vis-à-vis the controller or processor on the one hand and the data subject on the other. While Art. 32 GDPR obliges the controller, regardless of the individual case, to maintain an appropriate level of security in the processing operations it carries out (see under 3.), the provision does not preclude the freedom of the data subject to decide how their data are handled (see already under 2.). With Art. 7 GDPR, the GDPR contains basic standards for assessing how the consent of the data subject is to be structured; these apply directly only to the "whether" of the processing, but are also to be applied to the "how".[20] Consent to the technical implementation ("how") of processing is sensibly to be judged by the same standards as the question of whether the processing is permissible under Art. 6 GDPR ("whether"). The evaluations of Art. 7 GDPR and the related requirements for consent should not relate only to a partial question of the admissibility of the processing, since processing - if only for reasons of practicality - must be considered as a uniform process. If different standards were applied to consent to the "whether" and to the "how", this would cause considerable difficulties of delimitation and would serve neither the data subject nor the controller.

A prerequisite for any waiver is therefore voluntary consent; in particular, the data subject must be free from (also factual) coercion and have a real opportunity to make a decision. The data subject cannot be forced to consent to insecure data processing when they consult an online service or a doctor or lawyer of their choice. Rather, a reasonable secure alternative must exist which they can choose free from unreasonable disadvantages.[21] For example, if the submission of documents in writing is offered as an alternative to sending unencrypted e-mails, no compulsion may arise from an unreasonable extension of the processing time or from additional costs. Unreasonableness can also result from the fact that data subjects permanently have to choose the more complex, time-consuming and (due to printing and shipping costs) cost-intensive secure way of written communication because no secure digital processing is made possible. The controller must therefore ensure from the outset that, within a concretely defined and foreseeable time, possibilities of secure digital processing are also created that are free from these disadvantages.

5. Conclusion

The controller and the processor must implement and maintain the measures required under Art. 32 GDPR. Data subjects can, however, consent in an individual case to a lowering of the level of protection provided for in Art. 32 GDPR with regard to their own data, if the consent is voluntary within the meaning of Art. 7 GDPR. This presupposes, however, that the controller always keeps the protective measures required under Art. 32 GDPR in place and makes them available to the data subject on request, without creating any disadvantages for the data subject.

J3, 18 February 2021

Footnotes

[1] Mantz, in: Sydow, DS-GVO, 2nd ed. 2018, Art. 32 marginal no. 36.
[2] Jandt, in: Kühling/Buchner, DS-GVO BDSG, 2nd ed. 2018, Art. 32 marginal no. 8; Mantz, in: Sydow, DS-GVO, 2nd ed. 2018, Art. 32 marginal no. 10.
[3] Likewise Piltz, in: Gola, DS-GVO, 2nd ed. 2018, Art. 32 marginal no. 3.
[4] Jandt, in: Kühling/Buchner, DS-GVO BDSG, 2nd ed. 2018, Art. 32 marginal no. 5; Martini, in: Paal/Pauly, DS-GVO BDSG, 3rd ed. 2021, Art. 32 marginal no. 26.
[5] Technical feasibility can also fail due to the incompatibility of the systems used: Schöttle/Ludwig, BRAK-Mitteilungen 2020, 312, 313.
[6] Against dispensability: Jandt, in: Kühling/Buchner, DS-GVO BDSG, 3rd ed. 2020, Art. 32 marginal no. 40, who considers an option admissible only for the choice of means; on the old legal situation also HmbBfDI, Tätigkeitsbericht Datenschutz 2018, p. 122, and HmbBfDI, letter of 8 January 2018, p. 2, available at https://www.dr-datenschutz.de/wp-content/uploads/2018/02/schreiben-der-aufsichtsbehoerde.pdf; in favour of a waiver: Römermann/Praß, in: BeckOK BORA, 30th ed. 2020, § 2 BORA marginal nos. 43-44; Wagner, BRAK-Mitteilungen 4/2019, 167, 171, cited by VG Mainz, judgment of 17 December 2020 - 1 K 778/19.MZ, BeckRS 2020, 41220, para. 42, which leaves the question open; VG Berlin, judgment of 24 May 2011 - 1 K 133/10, BeckRS 2011, 52814; Bayerisches Landesamt für Datenschutzaufsicht, Activity Report 2015/16, p. 99; summary of the dispute in Martini, in: Paal/Pauly, DS-GVO BDSG, 3rd ed. 2021, Art. 32 marginal nos. 4a-4d.
[7] Hornung, ZD 2011, 51, 52.
[8] On § 9 BDSG (old version): VG Berlin, judgment of 24 May 2011 - 1 K 133.10, marginal no. 24.
[9] Cf. on § 9 BDSG and Art. 2(1) in conjunction with Art. 1(1) GG: Lotz/Wendler, CR 2016, 31, 34.
[10] Martini, in: Paal/Pauly, DS-GVO BDSG, 3rd ed. 2021, Art. 32 marginal no. 4b.
[11] Cf. recital 10 sentences 1 and 2 GDPR.
[12] Likewise Bayerisches Landesamt für Datenschutzaufsicht, Activity Report 2015/16, p. 99.
[13] Martini, in: Paal/Pauly, DS-GVO BDSG, 3rd ed. 2021, Art. 32 marginal no. 4c, who bases this on the fact that consent only structures the relationship between the data subject and the controller and not that with any third party.
[14] Jandt, in: Kühling/Buchner, DS-GVO BDSG, 3rd ed. 2020, Art. 32 marginal no. 40; decision of the Austrian DSB, Az. D213.692/0001-DSB/2018 of 16 November 2018, 3.2., available at https://www.ris.bka.gv.at (document number DSBT_20181116_DSB_D213_692_0001_DSB_2018_00). On the legal situation under § 9 sentence 2 BDSG (old version): Bergt, NJW 2011, 3752, 3755, who however does not agree with this opinion.
[15] Martini, in: Paal/Pauly, DS-GVO BDSG, 3rd ed. 2021, Art. 32 marginal no. 4c.
[16] Martini, in: Paal/Pauly, DS-GVO BDSG, 3rd ed. 2021, Art. 32 marginal no. 4c.
[17] Gasteyer, AnwBl Online 2019, 557, 558; the BMJV also shares this view: ZD-Aktuell 2020, 07039.
[18] On the admissibility of e-mail communication by lawyers under data protection law: VG Mainz, judgment of 17 December 2020 - 1 K 778/19.MZ, BeckRS 2020, 41220, paras. 27-40; on dispensability in this context: Römermann/Praß, in: BeckOK BORA, 30th ed. 2020, § 2 BORA marginal nos. 43-44.
[19] See also Römermann/Praß, in: BeckOK BORA, 30th ed. 2020, § 2 BORA marginal nos. 43-44; on the voluntariness of consent under § 9 BDSG (old version): Lotz/Wendler, CR 2016, 31, 35.
[20] Römermann/Praß, in: BeckOK BORA, 30th ed. 2020, § 2 BORA marginal no. 44.
[21] On §§ 9 and 4a BDSG (old version): Bergt, NJW 2011, 3752, 3755.