HmbBfDI (Hamburg) - Vermerk: Abdingbarkeit von TOMs

From GDPRhub
HmbBfDI - Vermerk: Abdingbarkeit von TOMs (Art. 32 DSGVO)
LogoDE-HH.png
Authority: HmbBfDI (Hamburg)
Jurisdiction: Germany
Relevant Law: Article 6(1)(a) GDPR
Article 25(1) GDPR
Article 32 GDPR
Type: Advisory Opinion
Outcome: n/a
Started:
Decided:
Published:
Fine: None
Parties: n/a
National Case Number/Name: Vermerk: Abdingbarkeit von TOMs (Art. 32 DSGVO)
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: Datenschutz Hamburg (in DE)
Initial Contributor: Florian Kurz

Note published by Hamburg’s Data Protection Authority on the issue of technical and organizational measures and to what extent they must be implemented.

English Summary

Facts

The Data Protection Authority of Hamburg discussed to what extent controllers and processors must implement technical and organizational measures according to Article 32 GDPR. It then answered the question whether the data subject can consent to a data processing which does not necessarily meet the requirements of Article 32 GDPR.

Dispute

To what extent are the provisions in Article 32 GDPR obligatory and thus, not subject to the preferences of the data subject?

Holding

The authority holds that Article 32 GDPR contains a number of obligations for controllers and processors, which allows for a certain margin of discretion. However, these obligations do not extend to data subjects. It is argued that data subjects have the right to consent to any conceivable data processing (e.g. those lacking certain technical and organizational measures), even if others might consider such processing harmful. The authority’s argument is based on Article 8(2) of the Charter of Fundamental Human Rights which explicitly mentions consent as a central element of data processing. Thus, according to the supervisory authority a data subject can, for example, consent to the sending of an email without proper encryption, even though Article 32 GDPR stipulates such a technical measure for certain emails.

It is important to note that only Article 6(1)(a) GDPR allows for such a derogation from Article 32. The other legal basis in Article 6 restricts a data subject’s „disposition capability“.

As mentioned above, only the data subject can consent to a derogation from the requirements of Article 32 GDPR. Nevertheless, Article 25(1) stipulates that the „controller shall, both at the time of the determination of means for processing and at the time of the processing itself, implement appropriate technical and organizational measures“. This means that regardless of a data subject’s eventual choice, a controller must have appropriate measures implemented, only then can a data subject consent to a data processing without the appropriate technical and organizational measures.

The controller must also ensure that, if a data subject consents to a data processing without sufficient technical and organizational measures, the requirements of Article 7 GDPR are fulfilled. Otherwise, as is the case with all processing activities based on consent, the data processing is not in compliance with the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

                            The Hamburg representative for

                         Data protection and freedom of information


                      Note: omission of TOMs (Art. 32 GDPR)

1. Issue and basic considerations


Article 32 of the GDPR provides that those responsible and contract processors have suitable technical and
Take organizational measures to protect the rights and freedoms of data subjects

to protect. The security of the processing is guaranteed by the person responsible or the

contract processors through pseudonymization or encryption of personal data
as well as by ensuring confidentiality, integrity, availability and resilience

The GDPR does not stipulate any specific protection in Article 32 of the GDPR.

level, but obliges those responsible to weigh up the risks
the processing and implementation costs as well as the type, scope, circumstances

and the purpose of the processing.

Recital 83 GDPR shows the standards according to which this balancing is to be carried out.

gene has:

"When assessing the data security risks, the personal data related to the processing should

risks associated with gener data are taken into account, such as - whether unintentional or unintentional

lawful - destruction, loss, alteration or unauthorized disclosure of or unauthorized
ter access to personal data that has been transmitted, stored or otherwise

processed, especially when these are emphysical, tangible or intangible

Could cause damage. "

Recital 83 GDPR states the purpose of the regulation:

"These measures should take into account the state of the art and the implementation

guarantee a level of protection (...) that is compatible with the risks emanating from the processing

risks and is appropriate to the type of personal data to be protected. "

The person responsible or the processor must therefore check which risks arise

the scenarios mentioned. This is more possible in relation to the costs
To set protective measures. The starting point for all of this is the state of the art (Art. 32 para.

1 GDPR). He can determine which specific measures are required on the basis of recognized

Security measure catalogs such as the BSI basic protection, ISO 27001 or the standard
Check the data protection model. As a result, he remains with the determination of the protective measures



1
 Mantz, in: Sydow, GDPR, 2nd edition 2018, Art. 32 GDPR marginal number 36.

                                             - 1 - The Hamburg representative for

                            Data protection and freedom of information



                         Note: omission of TOMs (Art. 32 GDPR)
                                       2
at the same time a (judgment) leeway. This does not apply if the person responsible for a very

agreed protective measure is legally required. This should be the exception
     3
because it depends on an overall assessment of the protective measures taken,
which must first guarantee the necessary protection in their entirety. However, can

the protection requirements of the data require that at least one of several conceivable technical

protective measures are taken if this corresponds to the state of the art.


In science and practice, there is discussion as to whether affected persons are placed in a lower level of protection

veau can consent as is legally required. The problem shows up in practice typically

with the help of (e-mail) encryption.

according to Art. 32 GDPR that end-to-end encryption is required, as there are
For example, it concerns particularly sensitive personal data according to Art. 9 GDPR.

However, if either the responsible person or the person concerned does not

speaking technical means to implement such an encryption, the

The question of whether and under what conditions the data subject is transferred to a lower protection

level can consent. So it's about the question of whether or to what extent the specifications apply

of Art. 32 GDPR for mandatory requirements that are not at the disposal of the data subject.

ben acts.





















2Jandt, in: Kühling / Buchner, DS-GVO BDSG, 2nd edition. 2018, Art. 32 DSGVO Rn. 8; Mantz, in: Sydow, GDPR, 2nd ed.

3018, Art. 32 GDPR marginal 10.
 Likewise Piltz, in: Gola, DS-GVO, 2nd edition. 2018, Art. 32 DSGVO Rn. 3.
4Jandt, in: Kühling / Buchner, DS-GVO BDSG, 2nd edition. 2018, Art. 32 DSGVO Rn. 5; Martini, in: Paal / Pauly, DS-GVO
BDSG, 3rd edition 2021, Art. 32 GDPR marginal number 26.
5The technical feasibility can also fail due to the compatibility of the systems used: Schöttle / Lud-

wig, BRAK-Mitteilungen 2020, 312, 313.

                                                   - 2 - The Hamburg representative for
                           Data protection and freedom of information



                        Note: omission of TOMs (Art. 32 GDPR)

2. Is system data protection a mandatory, indispensable right?

                                                                                                6th
The question of whether Art. 32 GDPR constitutes a mandatory, non-disposable right becomes

partially affirmed with the argument that the GDPR is a European minimum standard of
I want to create system data protection. So that such a system can be established uniformly across Europe

can, it is necessary that the requirements of Art. 32 GDPR are also implemented and

cannot be circumvented through agreements with the data subjects. Behind-

The reason for this argument is the fear that the system data protection would otherwise
reduced to a minimum level due to economic considerations of those responsible

would. A platform with many users could, instead of having to costly adapt its

Systems to the state of the art simply an agreement with all users about it

ensure that they consent to the use of the platform despite the risks of the outdated technology.
gen. Especially with providers whose customers have no comparable alternatives or who

If the users have built their network on the platform ("lock-in effect"), it should be easy

to obtain appropriate explanations from the user. This would contravene the aim of the GDPR.

running, data protection through technology design (data protection by design) and through

Promote protection-friendly default settings (data protection by default) (cf. Art. 25 Para.
1 and recital 78 sentence 2 GDPR).


These considerations are justified. However, at the same time it would be a significant limitation

the freedom of decision of the data subjects when processing their
personal data that you expressly request, with reference to the system data

protection cannot be carried out. This is with medical practices, tax consultants or lawyers

to observe, the information or the transmission of urgently needed documents by simple

cher e-mail because they fear to violate Art. 32 GDPR, even if
the person concerned expressly consents to the insecure type of transmission. It shouldn't




6 Against the indispensability: Jandt, in Kühling / Buchner, DS-GVO, 3rd edition 2020, Art. 32 DSGVO marginal 40, which only applies to the
Choice of means considers an option to be admissible; To the old legal situation also HmbBfDI, activity
Richt Datenschutz 2018, p. 122 and HmbBfDI, letter of 8.1.18, p. 2, available at https: //www.dr-daten-
Schutz.de/wp-content/uploads/2018/02/schreiben-der-aufsichtsbehoerde.pdf;
For a waiver: Römermann / Praß, in: BeckOK BORA, 30th Edition 2020, § 2 BORA marginal number 43-44; Wagner,

BRAK-Mitteilungen 4/2019, 167, 171 cited from VG Mainz judgment. December 17, 2020 - 1 K 778 / 19.MZ, BeckRS 2020,
41220, para. 42, which leaves the question open; VG Berlin ruling v. May 24, 2011 - Az. 1 K 133/10, BeckRS 2011, 52814; Bay.
State Office for Data Protection Supervision, Activity Report 2015/16, p. 99; Summary of the dispute at Mar-
tini, in: Paal / Pauly, DS-GVO BDSG, 3rd edition 2021, Art. 32 DSGVO Rn. 4a-4d.
7 Hornung, ZD 2011, 51, 52.


                                                 - 3 - The Hamburg representative for

                         Data protection and freedom of information


                      Note: omission of TOMs (Art. 32 GDPR)

still be the person concerned in the sense of the ordinance, this person against their will

and possibly to their detriment to impose a level of protection that they expressly
      8th
rejects.

Due to these conflicting interests, the question of the dispensability of the system data

protection is therefore not to be answered across the board. The answer must be between the
Differentiate between the controller or processor and the data subject.


a. Differentiation between the data subject and the person responsible

Art. 32 GDPR contains obligations for the person responsible or the processor, which

Allow some leeway for judgment, but are essentially mandatory and not available for disposition
of the controller or processor. Something different applies with regard to the

Affected person, as the GDPR as evidenced by Article 1 (2) GDPR "the fundamental rights and

Freedoms of natural persons and in particular their right to personal protection
Data ”declared to their subject matter. The primary protection is the basic right to

Data protection (Article 8GRCh) .This is at the disposal of the fundamental right holder, as or

a person. This is already evident at the level of fundamental law, as Article 8 (2) sentence 1 of the CFR
centrally based on the consent of the data subject. The person concerned is fundamentally

additionally at liberty in all possible forms of processing of your personal

Consent to data, even if this may be provided by outsiders than for the concerned parties
Person are perceived as harmful. In this way, consent can be given that disadvantageous

Adhesive or sexualized recordings are published on the Internet. The loading could also

consent to the fact that the access data to their bank account or their health
data are published. Whether this is in your interests or in the interests of data protection,

does not play a role as long as an effective consent is given. It appears before this

it is not convincing to assume that, although consent to direct publication
It is possible to store personal data, but not to transmit such data to

a path that is not adequately secured. The worst consequence would be spying on and
a no longer controllable general publication. The affected person could

but consent anyway.





8th
 On § 9 BDSG old version: VG Berlin, ruling v. May 24, 2011 - 1 K 133.10, marginal number 24.

                                              - 4 - The Hamburg representative for

                            Data protection and freedom of information



                         Note: omission of TOMs (Art. 32 GDPR)

The requirements of the European fundamental rights, which the GDPR in accordance with Art. 1 Para. 2 GDPR

therefore suggest that the protective measures when processing your own personal

n-related data are indispensable by the data subject. This also includes the technical
means that are used for processing (or are not used). 9


Art. 32 GDPR supports this conclusion, as two objectives can be derived from its wording

let: Primarily the protection of the person concerned and secondarily the establishment of a high,

Europe-wide uniform level of data security. So Art. 32 Para. 1 GDPR refers to ex-

implicitly on the "risk [...] for the rights and freedoms of natural persons". Art. 32 GDPR
                                             11
In addition - like the entire GDPR - there is also the regulatory objective, a uniform level of

Create data security when processing personal data. The secondary goal

is also achieved if the person concerned waives any action after
Art. 32 GDPR is admitted by making the regulation binding on the person responsible.

requirements for creating an appropriate standard of data security in general

mine (see 3.).


The requirements of Art. 32 GDPR are therefore at the disposal of the person concerned. For the 12th

Controllers or processors contain binding rules, as Article 32

GDPR contains an obligation to implement appropriate measures and the responsible

verbal or processor does not grant any decision-making power over whether
he implements them. 13th


















9
10gl. on § 9 BDSG and Art. 2 Paragraph 1 in conjunction with 1 Paragraph 1 GG: Lotz / Wendler, CR 2016, 31, 34.
  Martini, in: Paal / Pauly, DS-GVO BDSG, 3rd edition 2021, Art. 32 DSGVO Rn. 4b.
11 Cf. Rec. 10 p. 1 and 2 GDPR.
12 Likewise Bay. State Office for Data Protection Supervision, Activity Report 2015/16, p. 99.
13Martini, in: Paal / Pauly, DS-GVO BDSG, 3rd ed. 2021, Art. 32 DSGVO Rn. 4c, which is based on the fact that a consent

Only the structure of the relationship between the person concerned and the person responsible and not any third party.

                                                   - 5 - The Hamburg representative for

                          Data protection and freedom of information



                       Note: omission of TOMs (Art. 32 GDPR)

b. If Articles 6 and 7 GDPR prevent the need to take protective measures

   gene?


The systematic argument, Art. 6 Para. 1 lit. a and 7 GDPR, which regulate consent, concerns
only the "whether" and not the "how" of the processing and therefore conclude consent

of the person concerned, does not get caught.


Art. 6 para. 1 lit. a and 7 GDPR create the legal basis for the person responsible
can carry out processing at all and thus implement Art. 8 Para. 2 CFR. Art. 6

and 7 GDPR therefore expand the legal circle of the person responsible who has no legal basis

is not allowed to process any personal data of the data subject.

The consent of the person concerned is one legal basis among many and is an

printing of the basic freedom of disposition of the data subject over their data. The remaining

The legal basis of Art. 6 Para. 1 GDPR (lit. b-f) restrict the ability to dispose of

affected person against. From the (fundamentally mandatory) standardization
of these legal bases, which are only just beginning to encroach on the fundamental right under Art. 8 CFR

ben, it cannot be concluded that the data subject is only free of disposition

as far as it is regulated in Art. 6 and 7 GDPR. The freedom of disposition of those affected

Rather, the person is basically unrestricted and is only restricted by Art. 6 GDPR.

Articles 6 and 7 of the GDPR do not increase the legal circle of the person concerned, but rather alone

that of the person responsible. The rights of the data subject already result from Art. 8
GRCh and not just from the GDPR. From Art. 6 Para. 1 lit. a, 7 GDPR, only the

It can be concluded that the data subject's freedom of disposition is only

can be restricted as provided by these standards. The opposite conclusion






14Jandt, in Kühling / Buchner, GDPR BDSG, 3rd edition 2020, Art. 32 GDPR marginal 40; Notification of the Austrian
DSB, Az. D213.692 / 0001-DSB / 2018 from November 16, 2018, 3.2., Available at https://www.ris.bka.gv.at/Doku-

ment.wxe? ResultFunctionToken = 74ce9b96-f183-4bba-94e8-d17273ebf78b & Position = 1 & Sort = 2% 7cDesc & Ab-
question = Dsk & decision type = undefined & organ = undefined & search for legal clause = true & search-
NachText = True & GZ = & FromDate = 01.01.1990 & ToDate = 18.04.2019 & Norm = & ImRisSeitVonDatum = & ImRisSeit-
BisDatum = & ImRisSeit = Undefined & ResultPageSize = 100 & Search words = & Document number
mer = DSBT_20181116_DSB_D213_692_0001_DSB_2018_00.
Regarding the legal situation according to § 9 sentence 2 BDSG (old version): Bergt, NJW 2011, 3752, 3755, who does not however agree with the opinion.
closes.


                                               - 6 - The Hamburg representative for

                         Data protection and freedom of information


                      Note: omission of TOMs (Art. 32 GDPR)

that Art. 6 and 7 GDPR extend the scope of the freedom of disposition of the data subject
cannot be determined from the legal system.


The legal system speaks therefore - contrary to the literature view presented at the beginning
- especially for the possibility of the person concerned in the lowering of the security of the

consent to work, as the freedom of disposition of the person concerned is guaranteed by Art. 6 and

7 GDPR is restricted only in relation to the "whether" and not in relation to the "how"
Regulation on a restriction of the freedom of disposition over the "how" is missing, it remains in

train to the "how" unlimited.

At this point, too, the consequence of the opposing view should finally be taken up again.

be shown: If one only allowed consent to the "whether" of the processing, it would be possible
to consent to their own personal data, including health data, such as

e.g. a medical certificate can be published on the internet by a third party. Not possible
it would, however, be agreed that the third party would send the same data via unencrypted e-mail

the person concerned sends because then it cannot be guaranteed that the transmission

the data is not being accessed and it may become public knowledge. This
The result is neither appropriate nor can it be derived from the. Art. 6 para. 1 lit. a and 7

Derive GDPR.

c. Intermediate result:


Compliance with the security of processing during specific processing is fundamental
additionally at the disposition of the person concerned.




















                                              - 7 - The Hamburg representative for

                         Data protection and freedom of information


                      Note: omission of TOMs (Art. 32 GDPR)

3. Obligation to create the standards of data required according to Art. 32 GDPR

   security by the controller or processor


Art. 25 para. 1 GDPR obliges the person responsible to "both at the time of the determination
supply of the means for the processing as well as at the time of the actual processing

Appropriate technical and organizational measures "to protect the persons concerned
to meet. This means that the person responsible, regardless of a specific processing

based on a typical consideration of the processing carried out by it.
                                                15th
has to take measured protective measures.

The latter is also reflected in the fact that Article 32 GDPR does not depend on rights and freedoms.

t of the individual data subject speaks, but rather of the data subjects in the plural.
The weighing up by the person responsible has therefore taken place on the basis of a typical weighing-up.

not related to the specific individual. This shows that Article 32 of the GDPR is an obligation
standardized for the controller or processor, which must be implemented by them.

zen is. Since it is not about the data of the person responsible, but about those of the data subjects

Person acts, only the person concerned can confirm compliance with the requirements of Art.
32 GDPR.


A free decision about a waiver of compliance with the provisions of Article 32 of the GDPR can be made
However, only meet the data subject if the required under Art. 32 GDPR

TOMs are at least held up by the responsible person. The responsible person or the

The processor has already at the point in time at which he has the funds for the later
specifies specific processing, for example when he decides on which

Way the data is transmitted, the appropriate technical and organizational measures
took to implement. Therefore, a person responsible for processing by-

leads, which requires the transmission of sensitive data, do not withdraw from the fact that he already has

cannot guarantee secure transmission in principle and the person concerned has a permanent
to get stale consent to do so. Rather, it already has a secure form of transmission to the

To reserve the time of the selection of the means for the processing. This does not preclude that

the data subject can consent to specific processing concerning him or her,




15th
  Martini, in: Paal / Pauly, DS-GVO BDSG, 3rd edition 2021, Art. 32 DSGVO Rn. 4c.

                                              - 8 - The Hamburg representative for

                           Data protection and freedom of information


                        Note: omission of TOMs (Art. 32 GDPR)

that the specific measure was carried out without the level of protection required under Article 32 GDPR.

leads, provided that the person responsible can guarantee this in principle. 16


Finally, it should be emphasized that the special case of consent in the unencrypted

E-mail communication with attorneys by introducing §2 (2) 5BORA in between
has been legitimized under professional law. The data protection law admissibility of this communication

However, onsform remains unaffected by Section 2 (2) sentence 5 BORA, as it concerns the GDPR

in relation to BORA, acts of higher-ranking European law and no opening clause is relevant
   17th
is. BORA can therefore only make regulations for professional law, as this is not included in the

The scope of the GDPR falls, but not for data protection law, which in this respect
is finally regulated by the GDPR. Therefore, the statements made here also apply

in this case. 18


As a result, Article 32 GDPR is mandatory for the controller and the processor

Law. These have the necessary technical requirements to guarantee a
to maintain an appropriate level of protection, even if the person concerned is able to do so

insists on dispensing with the corresponding TOMs in individual cases.


4. Requirements for an effective consent


From the explanations it follows that consent to the lowering of the level of protection
is possible, but only under two conditions: On the one hand, the person responsible must

in principle, be able to comply with the protective rights required after weighing up Art. 32 GDPR

level.On the other hand, the consent must meet the requirements of Art.

7 GDPR are sufficient. These prerequisites result from the different re-

the effects of Art. 32 GDPR vis-à-vis the person responsible or the contract

workers and the person concerned. While Art. 32 GDPR the person responsible
regardless of the individual case, obliged to maintain an appropriate level of security during processing

work that he carries out (including under 3.), is the regulation of the freedom of




16Martini, in: Paal / Pauly, DS-GVO BDSG, 3rd edition 2021, Art. 32 DSGVO Rn. 4c.
17Gasteyer, AnwBlOnline 2019, 557, 558; The BMJV also shares this view: ZD-Aktuell 2020, 07039.
18 On the admissibility of email communication by lawyers under data protection law: VG Mainz Urt. December 17, 2020
- 1 K 778 / 19.MZ, BeckRS 2020, 41220 Rn. 27-40 and on the dispensability in this context: Römermann / Praß, in:

19ckOK BORA, 30th Edition 2020, § 2 BORA marginal numbers 43-44.
  I.E. also Römermann / Praß, in: BeckOK BORA, Römermann 30. Edition, 2020, § 2 BORA marginal numbers 43-44; For voluntary
of consent according to § 9 BDSG old version: Lotz / Wendler, CR 2016, 31, 35.


                                                 - 9 - The Hamburg representative for

                          Data protection and freedom of information



                       Note: omission of TOMs (Art. 32 GDPR)

data subject to decide how their data will be handled, does not preclude
gen (on this already under 2.) The GDPR contains with Art. 7 GDPR basic standards for the

judgment on how the consent of the data subject is to be structured

directly only on the "whether" of the processing, but also on the "how"
           20th
turn to. The consent to the technical implementation ("how") of processing is meaningful
fully to be judged by the same standards as the question of whether the processing after

Art. 6 GDPR is permissible ("whether"). The evaluations of Art. 7 GDPR and the related

Requirements for consent should not only be based on a partial question of the admissibility of the processing
processing, since processing is a uniform process - if only for reasons of

Practicality - must be considered. If you were to consent to the "whether" and that

"How" to apply different standards, this calls for considerable delimitation difficulties

and rendered neither the data subject nor the person responsible any service.

Voluntary consent is therefore a prerequisite for any waiver; in particular, the

Affected people are free from (also factual) coercion and have a real opportunity to make a decision.
ben. He cannot be forced to consent to unsafe data processing if he

consults an online service or a doctor or lawyer of his choice. Rather, must

a reasonable safe alternative exist for him, free from unreasonable disadvantages

can choose. For example, if as an alternative to sending unencrypted e-mails
the written submission of documents is offered, no compulsion due to an unreasonable

measured extension of the processing time or through additional costs. A

Unreasonableness can also result from the fact that those affected are permanently

the more complex, time-consuming and cost-intensive due to printing and shipping costs
To choose a more secure way of written communication because there is no secure digital processing

is made possible. The person responsible must therefore ensure from the outset that

a concretely defined and foreseeable time also creates possibilities of secure digital processing
that are free from these drawbacks.










20Römermann / Praß, in: BeckOK BORA, 30th Edition 2020, § 2 BORA marginal number 44.
21 On § 9 and 4a BDSG old version Bergt, NJW 2011, 3752, 3755.


                                               - 10 - The Hamburg representative for

                         Data protection and freedom of information


                      Note: omission of TOMs (Art. 32 GDPR)

5. Conclusion


The person responsible and the processor have the requirements according to Art. 32 GDPR
It is imperative to implement and maintain measures. Affected persons can go into the

setting of the level of protection provided for in Art. 32 GDPR, however, based on their own
Consent to data in individual cases, if the consent is voluntary within the meaning of Art. 7 GDPR

However, this assumes that the person responsible is required to do so in accordance with Article 32 of the GDPR

Always keep protective measures in place and make them available to the person concerned upon request.
without creating any disadvantages for the person concerned.


J3, February 18, 21







































                                            - 11 -