HmbBfDI - Vermerk: Abdingbarkeit von TOMs (Art. 32 DSGVO)
|HmbBfDI - Vermerk: Abdingbarkeit von TOMs (Art. 32 DSGVO)|
|Relevant Law:||Article 6(1)(a) GDPR|
Article 25(1) GDPR
Article 32 GDPR
|National Case Number/Name:||Vermerk: Abdingbarkeit von TOMs (Art. 32 DSGVO)|
|European Case Law Identifier:||n/a|
|Original Source:||Datenschutz Hamburg (in DE)|
|Initial Contributor:||Florian Kurz|
Note published by Hamburg’s Data Protection Authority on the issue of technical and organizational measures and the to what extent they must be implemented.
The Data Protection Authority of Hamburg discussed to what extent controllers and processor must implement technical and organizational measures according to Art. 32 GDPR. It then answered the question whether the data subject can consent to a data processing which does not necessarily meet the requirements of Art. 32 GDPR.
To what extent are the provisions in Art. 32 GDPR obligatory and thus, not subject to the preferences of the data subject?
The authority holds that Art. 32 GDPR contains a number of obligations for controllers and processor, which allows for a certain margin of discretion, yet, within that margin they must be implemented. However, these obligations do not extend to data subjects. It is argued that data subjects have the right to consent to any conceivable data processing (e.g. those lacking certain technical and organizational measures), even if others might consider such processing harmful. The authority’s argument is based on Art. 8(2) of the Charter of Fundamental Human Rights which explicitly mentions consent as a central element of data processing. Thus, according to the supervisory authority a data subject can, for example, consent to the sending of an email without proper encryption, even though Art. 32 GDPR stipulates such a technical measure for certain emails.
It is important to note that only Art. 6(1)a GDPR allows for such a derogation from Art. 32 GDPR. The other legal basis in Art. 6 GDPR restrict a data subject’s „disposition capability“.
As mentioned above, only the data subject can consent to a derogation from the requirements of Art. 32 GDPR. Nevertheless, Art. 25(1) GDPR stipulates that the „controller shall, both at the time of the determination of means for processing and at the time of the processing itself, implement appropriate technical and organizational measures“. This means that regardless of a data subject’s eventual choice, a controller must have appropriate measures implemented, only then can a data subject consent to a data processing without the appropriate technical and organizational measures.
The controller must also ensure that, if a data subject consents to a data processing without sufficient technical and organizational measures, the requirements of Art. 7 GDPR are fulfilled. Otherwise, as is the case with all processing activities based on consent, the data processing is not in compliance with the GDPR.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
The Hamburg representative for Data protection and freedom of information Note: omission of TOMs (Art. 32 GDPR) 1. Issue and basic considerations Article 32 of the GDPR provides that those responsible and contract processors have suitable technical and Take organizational measures to protect the rights and freedoms of data subjects to protect. The security of the processing is guaranteed by the person responsible or the contract processors through pseudonymization or encryption of personal data as well as by ensuring confidentiality, integrity, availability and resilience The GDPR does not stipulate any specific protection in Article 32 of the GDPR. level, but obliges those responsible to weigh up the risks the processing and implementation costs as well as the type, scope, circumstances and the purpose of the processing. Recital 83 GDPR shows the standards according to which this balancing is to be carried out. gene has: "When assessing the data security risks, the personal data related to the processing should risks associated with gener data are taken into account, such as - whether unintentional or unintentional lawful - destruction, loss, alteration or unauthorized disclosure of or unauthorized ter access to personal data that has been transmitted, stored or otherwise processed, especially when these are emphysical, tangible or intangible Could cause damage. " Recital 83 GDPR states the purpose of the regulation: "These measures should take into account the state of the art and the implementation guarantee a level of protection (...) that is compatible with the risks emanating from the processing risks and is appropriate to the type of personal data to be protected. " The person responsible or the processor must therefore check which risks arise the scenarios mentioned. This is more possible in relation to the costs To set protective measures. The starting point for all of this is the state of the art (Art. 32 para. 1 GDPR). He can determine which specific measures are required on the basis of recognized Security measure catalogs such as the BSI basic protection, ISO 27001 or the standard Check the data protection model. As a result, he remains with the determination of the protective measures 1 Mantz, in: Sydow, GDPR, 2nd edition 2018, Art. 32 GDPR marginal number 36. - 1 - The Hamburg representative for Data protection and freedom of information Note: omission of TOMs (Art. 32 GDPR) 2 at the same time a (judgment) leeway. This does not apply if the person responsible for a very agreed protective measure is legally required. This should be the exception 3 because it depends on an overall assessment of the protective measures taken, which must first guarantee the necessary protection in their entirety. However, can the protection requirements of the data require that at least one of several conceivable technical protective measures are taken if this corresponds to the state of the art. In science and practice, there is discussion as to whether affected persons are placed in a lower level of protection veau can consent as is legally required. The problem shows up in practice typically with the help of (e-mail) encryption. according to Art. 32 GDPR that end-to-end encryption is required, as there are For example, it concerns particularly sensitive personal data according to Art. 9 GDPR. However, if either the responsible person or the person concerned does not speaking technical means to implement such an encryption, the The question of whether and under what conditions the data subject is transferred to a lower protection level can consent. So it's about the question of whether or to what extent the specifications apply of Art. 32 GDPR for mandatory requirements that are not at the disposal of the data subject. ben acts. 2Jandt, in: Kühling / Buchner, DS-GVO BDSG, 2nd edition. 2018, Art. 32 DSGVO Rn. 8; Mantz, in: Sydow, GDPR, 2nd ed. 3018, Art. 32 GDPR marginal 10. Likewise Piltz, in: Gola, DS-GVO, 2nd edition. 2018, Art. 32 DSGVO Rn. 3. 4Jandt, in: Kühling / Buchner, DS-GVO BDSG, 2nd edition. 2018, Art. 32 DSGVO Rn. 5; Martini, in: Paal / Pauly, DS-GVO BDSG, 3rd edition 2021, Art. 32 GDPR marginal number 26. 5The technical feasibility can also fail due to the compatibility of the systems used: Schöttle / Lud- wig, BRAK-Mitteilungen 2020, 312, 313. - 2 - The Hamburg representative for Data protection and freedom of information Note: omission of TOMs (Art. 32 GDPR) 2. Is system data protection a mandatory, indispensable right? 6th The question of whether Art. 32 GDPR constitutes a mandatory, non-disposable right becomes partially affirmed with the argument that the GDPR is a European minimum standard of I want to create system data protection. So that such a system can be established uniformly across Europe can, it is necessary that the requirements of Art. 32 GDPR are also implemented and cannot be circumvented through agreements with the data subjects. Behind- The reason for this argument is the fear that the system data protection would otherwise reduced to a minimum level due to economic considerations of those responsible would. A platform with many users could, instead of having to costly adapt its Systems to the state of the art simply an agreement with all users about it ensure that they consent to the use of the platform despite the risks of the outdated technology. gen. Especially with providers whose customers have no comparable alternatives or who If the users have built their network on the platform ("lock-in effect"), it should be easy to obtain appropriate explanations from the user. This would contravene the aim of the GDPR. running, data protection through technology design (data protection by design) and through Promote protection-friendly default settings (data protection by default) (cf. Art. 25 Para. 1 and recital 78 sentence 2 GDPR). These considerations are justified. However, at the same time it would be a significant limitation the freedom of decision of the data subjects when processing their personal data that you expressly request, with reference to the system data protection cannot be carried out. This is with medical practices, tax consultants or lawyers to observe, the information or the transmission of urgently needed documents by simple cher e-mail because they fear to violate Art. 32 GDPR, even if the person concerned expressly consents to the insecure type of transmission. It shouldn't 6 Against the indispensability: Jandt, in Kühling / Buchner, DS-GVO, 3rd edition 2020, Art. 32 DSGVO marginal 40, which only applies to the Choice of means considers an option to be admissible; To the old legal situation also HmbBfDI, activity Richt Datenschutz 2018, p. 122 and HmbBfDI, letter of 8.1.18, p. 2, available at https: //www.dr-daten- Schutz.de/wp-content/uploads/2018/02/schreiben-der-aufsichtsbehoerde.pdf; For a waiver: Römermann / Praß, in: BeckOK BORA, 30th Edition 2020, § 2 BORA marginal number 43-44; Wagner, BRAK-Mitteilungen 4/2019, 167, 171 cited from VG Mainz judgment. December 17, 2020 - 1 K 778 / 19.MZ, BeckRS 2020, 41220, para. 42, which leaves the question open; VG Berlin ruling v. May 24, 2011 - Az. 1 K 133/10, BeckRS 2011, 52814; Bay. State Office for Data Protection Supervision, Activity Report 2015/16, p. 99; Summary of the dispute at Mar- tini, in: Paal / Pauly, DS-GVO BDSG, 3rd edition 2021, Art. 32 DSGVO Rn. 4a-4d. 7 Hornung, ZD 2011, 51, 52. - 3 - The Hamburg representative for Data protection and freedom of information Note: omission of TOMs (Art. 32 GDPR) still be the person concerned in the sense of the ordinance, this person against their will and possibly to their detriment to impose a level of protection that they expressly 8th rejects. Due to these conflicting interests, the question of the dispensability of the system data protection is therefore not to be answered across the board. The answer must be between the Differentiate between the controller or processor and the data subject. a. Differentiation between the data subject and the person responsible Art. 32 GDPR contains obligations for the person responsible or the processor, which Allow some leeway for judgment, but are essentially mandatory and not available for disposition of the controller or processor. Something different applies with regard to the Affected person, as the GDPR as evidenced by Article 1 (2) GDPR "the fundamental rights and Freedoms of natural persons and in particular their right to personal protection Data ”declared to their subject matter. The primary protection is the basic right to Data protection (Article 8GRCh) .This is at the disposal of the fundamental right holder, as or a person. This is already evident at the level of fundamental law, as Article 8 (2) sentence 1 of the CFR centrally based on the consent of the data subject. The person concerned is fundamentally additionally at liberty in all possible forms of processing of your personal Consent to data, even if this may be provided by outsiders than for the concerned parties Person are perceived as harmful. In this way, consent can be given that disadvantageous Adhesive or sexualized recordings are published on the Internet. The loading could also consent to the fact that the access data to their bank account or their health data are published. Whether this is in your interests or in the interests of data protection, does not play a role as long as an effective consent is given. It appears before this it is not convincing to assume that, although consent to direct publication It is possible to store personal data, but not to transmit such data to a path that is not adequately secured. The worst consequence would be spying on and a no longer controllable general publication. The affected person could but consent anyway. 8th On § 9 BDSG old version: VG Berlin, ruling v. May 24, 2011 - 1 K 133.10, marginal number 24. - 4 - The Hamburg representative for Data protection and freedom of information Note: omission of TOMs (Art. 32 GDPR) The requirements of the European fundamental rights, which the GDPR in accordance with Art. 1 Para. 2 GDPR therefore suggest that the protective measures when processing your own personal n-related data are indispensable by the data subject. This also includes the technical means that are used for processing (or are not used). 9 Art. 32 GDPR supports this conclusion, as two objectives can be derived from its wording let: Primarily the protection of the person concerned and secondarily the establishment of a high, Europe-wide uniform level of data security. So Art. 32 Para. 1 GDPR refers to ex- implicitly on the "risk [...] for the rights and freedoms of natural persons". Art. 32 GDPR 11 In addition - like the entire GDPR - there is also the regulatory objective, a uniform level of Create data security when processing personal data. The secondary goal is also achieved if the person concerned waives any action after Art. 32 GDPR is admitted by making the regulation binding on the person responsible. requirements for creating an appropriate standard of data security in general mine (see 3.). The requirements of Art. 32 GDPR are therefore at the disposal of the person concerned. For the 12th Controllers or processors contain binding rules, as Article 32 GDPR contains an obligation to implement appropriate measures and the responsible verbal or processor does not grant any decision-making power over whether he implements them. 13th 9 10gl. on § 9 BDSG and Art. 2 Paragraph 1 in conjunction with 1 Paragraph 1 GG: Lotz / Wendler, CR 2016, 31, 34. Martini, in: Paal / Pauly, DS-GVO BDSG, 3rd edition 2021, Art. 32 DSGVO Rn. 4b. 11 Cf. Rec. 10 p. 1 and 2 GDPR. 12 Likewise Bay. State Office for Data Protection Supervision, Activity Report 2015/16, p. 99. 13Martini, in: Paal / Pauly, DS-GVO BDSG, 3rd ed. 2021, Art. 32 DSGVO Rn. 4c, which is based on the fact that a consent Only the structure of the relationship between the person concerned and the person responsible and not any third party. - 5 - The Hamburg representative for Data protection and freedom of information Note: omission of TOMs (Art. 32 GDPR) b. If Articles 6 and 7 GDPR prevent the need to take protective measures gene? The systematic argument, Art. 6 Para. 1 lit. a and 7 GDPR, which regulate consent, concerns only the "whether" and not the "how" of the processing and therefore conclude consent of the person concerned, does not get caught. Art. 6 para. 1 lit. a and 7 GDPR create the legal basis for the person responsible can carry out processing at all and thus implement Art. 8 Para. 2 CFR. Art. 6 and 7 GDPR therefore expand the legal circle of the person responsible who has no legal basis is not allowed to process any personal data of the data subject. The consent of the person concerned is one legal basis among many and is an printing of the basic freedom of disposition of the data subject over their data. The remaining The legal basis of Art. 6 Para. 1 GDPR (lit. b-f) restrict the ability to dispose of affected person against. From the (fundamentally mandatory) standardization of these legal bases, which are only just beginning to encroach on the fundamental right under Art. 8 CFR ben, it cannot be concluded that the data subject is only free of disposition as far as it is regulated in Art. 6 and 7 GDPR. The freedom of disposition of those affected Rather, the person is basically unrestricted and is only restricted by Art. 6 GDPR. Articles 6 and 7 of the GDPR do not increase the legal circle of the person concerned, but rather alone that of the person responsible. The rights of the data subject already result from Art. 8 GRCh and not just from the GDPR. From Art. 6 Para. 1 lit. a, 7 GDPR, only the It can be concluded that the data subject's freedom of disposition is only can be restricted as provided by these standards. The opposite conclusion 14Jandt, in Kühling / Buchner, GDPR BDSG, 3rd edition 2020, Art. 32 GDPR marginal 40; Notification of the Austrian DSB, Az. D213.692 / 0001-DSB / 2018 from November 16, 2018, 3.2., Available at https://www.ris.bka.gv.at/Doku- ment.wxe? ResultFunctionToken = 74ce9b96-f183-4bba-94e8-d17273ebf78b & Position = 1 & Sort = 2% 7cDesc & Ab- question = Dsk & decision type = undefined & organ = undefined & search for legal clause = true & search- NachText = True & GZ = & FromDate = 01.01.1990 & ToDate = 18.04.2019 & Norm = & ImRisSeitVonDatum = & ImRisSeit- BisDatum = & ImRisSeit = Undefined & ResultPageSize = 100 & Search words = & Document number mer = DSBT_20181116_DSB_D213_692_0001_DSB_2018_00. Regarding the legal situation according to § 9 sentence 2 BDSG (old version): Bergt, NJW 2011, 3752, 3755, who does not however agree with the opinion. closes. - 6 - The Hamburg representative for Data protection and freedom of information Note: omission of TOMs (Art. 32 GDPR) that Art. 6 and 7 GDPR extend the scope of the freedom of disposition of the data subject cannot be determined from the legal system. The legal system speaks therefore - contrary to the literature view presented at the beginning - especially for the possibility of the person concerned in the lowering of the security of the consent to work, as the freedom of disposition of the person concerned is guaranteed by Art. 6 and 7 GDPR is restricted only in relation to the "whether" and not in relation to the "how" Regulation on a restriction of the freedom of disposition over the "how" is missing, it remains in train to the "how" unlimited. At this point, too, the consequence of the opposing view should finally be taken up again. be shown: If one only allowed consent to the "whether" of the processing, it would be possible to consent to their own personal data, including health data, such as e.g. a medical certificate can be published on the internet by a third party. Not possible it would, however, be agreed that the third party would send the same data via unencrypted e-mail the person concerned sends because then it cannot be guaranteed that the transmission the data is not being accessed and it may become public knowledge. This The result is neither appropriate nor can it be derived from the. Art. 6 para. 1 lit. a and 7 Derive GDPR. c. Intermediate result: Compliance with the security of processing during specific processing is fundamental additionally at the disposition of the person concerned. - 7 - The Hamburg representative for Data protection and freedom of information Note: omission of TOMs (Art. 32 GDPR) 3. Obligation to create the standards of data required according to Art. 32 GDPR security by the controller or processor Art. 25 para. 1 GDPR obliges the person responsible to "both at the time of the determination supply of the means for the processing as well as at the time of the actual processing Appropriate technical and organizational measures "to protect the persons concerned to meet. This means that the person responsible, regardless of a specific processing based on a typical consideration of the processing carried out by it. 15th has to take measured protective measures. The latter is also reflected in the fact that Article 32 GDPR does not depend on rights and freedoms. t of the individual data subject speaks, but rather of the data subjects in the plural. The weighing up by the person responsible has therefore taken place on the basis of a typical weighing-up. not related to the specific individual. This shows that Article 32 of the GDPR is an obligation standardized for the controller or processor, which must be implemented by them. zen is. Since it is not about the data of the person responsible, but about those of the data subjects Person acts, only the person concerned can confirm compliance with the requirements of Art. 32 GDPR. A free decision about a waiver of compliance with the provisions of Article 32 of the GDPR can be made However, only meet the data subject if the required under Art. 32 GDPR TOMs are at least held up by the responsible person. The responsible person or the The processor has already at the point in time at which he has the funds for the later specifies specific processing, for example when he decides on which Way the data is transmitted, the appropriate technical and organizational measures took to implement. Therefore, a person responsible for processing by- leads, which requires the transmission of sensitive data, do not withdraw from the fact that he already has cannot guarantee secure transmission in principle and the person concerned has a permanent to get stale consent to do so. Rather, it already has a secure form of transmission to the To reserve the time of the selection of the means for the processing. This does not preclude that the data subject can consent to specific processing concerning him or her, 15th Martini, in: Paal / Pauly, DS-GVO BDSG, 3rd edition 2021, Art. 32 DSGVO Rn. 4c. - 8 - The Hamburg representative for Data protection and freedom of information Note: omission of TOMs (Art. 32 GDPR) that the specific measure was carried out without the level of protection required under Article 32 GDPR. leads, provided that the person responsible can guarantee this in principle. 16 Finally, it should be emphasized that the special case of consent in the unencrypted E-mail communication with attorneys by introducing §2 (2) 5BORA in between has been legitimized under professional law. The data protection law admissibility of this communication However, onsform remains unaffected by Section 2 (2) sentence 5 BORA, as it concerns the GDPR in relation to BORA, acts of higher-ranking European law and no opening clause is relevant 17th is. BORA can therefore only make regulations for professional law, as this is not included in the The scope of the GDPR falls, but not for data protection law, which in this respect is finally regulated by the GDPR. Therefore, the statements made here also apply in this case. 18 As a result, Article 32 GDPR is mandatory for the controller and the processor Law. These have the necessary technical requirements to guarantee a to maintain an appropriate level of protection, even if the person concerned is able to do so insists on dispensing with the corresponding TOMs in individual cases. 4. Requirements for an effective consent From the explanations it follows that consent to the lowering of the level of protection is possible, but only under two conditions: On the one hand, the person responsible must in principle, be able to comply with the protective rights required after weighing up Art. 32 GDPR level.On the other hand, the consent must meet the requirements of Art. 7 GDPR are sufficient. These prerequisites result from the different re- the effects of Art. 32 GDPR vis-à-vis the person responsible or the contract workers and the person concerned. While Art. 32 GDPR the person responsible regardless of the individual case, obliged to maintain an appropriate level of security during processing work that he carries out (including under 3.), is the regulation of the freedom of 16Martini, in: Paal / Pauly, DS-GVO BDSG, 3rd edition 2021, Art. 32 DSGVO Rn. 4c. 17Gasteyer, AnwBlOnline 2019, 557, 558; The BMJV also shares this view: ZD-Aktuell 2020, 07039. 18 On the admissibility of email communication by lawyers under data protection law: VG Mainz Urt. December 17, 2020 - 1 K 778 / 19.MZ, BeckRS 2020, 41220 Rn. 27-40 and on the dispensability in this context: Römermann / Praß, in: 19ckOK BORA, 30th Edition 2020, § 2 BORA marginal numbers 43-44. I.E. also Römermann / Praß, in: BeckOK BORA, Römermann 30. Edition, 2020, § 2 BORA marginal numbers 43-44; For voluntary of consent according to § 9 BDSG old version: Lotz / Wendler, CR 2016, 31, 35. - 9 - The Hamburg representative for Data protection and freedom of information Note: omission of TOMs (Art. 32 GDPR) data subject to decide how their data will be handled, does not preclude gen (on this already under 2.) The GDPR contains with Art. 7 GDPR basic standards for the judgment on how the consent of the data subject is to be structured directly only on the "whether" of the processing, but also on the "how" 20th turn to. The consent to the technical implementation ("how") of processing is meaningful fully to be judged by the same standards as the question of whether the processing after Art. 6 GDPR is permissible ("whether"). The evaluations of Art. 7 GDPR and the related Requirements for consent should not only be based on a partial question of the admissibility of the processing processing, since processing is a uniform process - if only for reasons of Practicality - must be considered. If you were to consent to the "whether" and that "How" to apply different standards, this calls for considerable delimitation difficulties and rendered neither the data subject nor the person responsible any service. Voluntary consent is therefore a prerequisite for any waiver; in particular, the Affected people are free from (also factual) coercion and have a real opportunity to make a decision. ben. He cannot be forced to consent to unsafe data processing if he consults an online service or a doctor or lawyer of his choice. Rather, must a reasonable safe alternative exist for him, free from unreasonable disadvantages can choose. For example, if as an alternative to sending unencrypted e-mails the written submission of documents is offered, no compulsion due to an unreasonable measured extension of the processing time or through additional costs. A Unreasonableness can also result from the fact that those affected are permanently the more complex, time-consuming and cost-intensive due to printing and shipping costs To choose a more secure way of written communication because there is no secure digital processing is made possible. The person responsible must therefore ensure from the outset that a concretely defined and foreseeable time also creates possibilities of secure digital processing that are free from these drawbacks. 20Römermann / Praß, in: BeckOK BORA, 30th Edition 2020, § 2 BORA marginal number 44. 21 On § 9 and 4a BDSG old version Bergt, NJW 2011, 3752, 3755. - 10 - The Hamburg representative for Data protection and freedom of information Note: omission of TOMs (Art. 32 GDPR) 5. Conclusion The person responsible and the processor have the requirements according to Art. 32 GDPR It is imperative to implement and maintain measures. Affected persons can go into the setting of the level of protection provided for in Art. 32 GDPR, however, based on their own Consent to data in individual cases, if the consent is voluntary within the meaning of Art. 7 GDPR However, this assumes that the person responsible is required to do so in accordance with Article 32 of the GDPR Always keep protective measures in place and make them available to the person concerned upon request. without creating any disadvantages for the person concerned. J3, February 18, 21 - 11 -