Data Processing Agreement Germany

06 Dec

Demonstrating appropriate technical and organizational measures to protect personal data has the effect of reducing the impact. In this context, the supervisory authorities take into account the privacy principles already discussed: privacy by design, privacy by default, certification and compliance with approved codes of conduct. For this reason, controllers can, by implementing appropriate and secure processing operations, have a significant impact on the amount of an administrative sanction.

The GDPR generally applies the principle of territoriality, which limits the scope of the GDPR to its own jurisdiction and to controllers or processors established in the European Union or the European Economic Area (EEA). Under certain conditions, the GDPR may also apply to controllers outside the EEA if the controller is also concerned: in accordance with Article 49 of the GDPR, the transfer of data to a third country may be done under one of the following conditions: in these cases, no special authorisation from the supervisory authority is required. With the agreement of the supervisory authority, the transfer of data may take place when contractual clauses have been put in place.

The GDPR lays down specific obligations for data protection by design and for carrying out data protection impact assessments. In particular, the controller implements technical and organisational measures, such as pseudonymisation, both at the time of the determination of the means for processing and at the time of the processing itself, aimed at effectively implementing data protection principles, such as data minimisation, and at integrating the necessary safeguards so that processing meets the requirements of the GDPR. In addition, the controller takes appropriate technical and organisational measures to ensure that, by default, only the personal data needed for each specific purpose of the processing are processed.

Where a type of processing, particularly one using new technologies, can pose a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purposes of the processing, the controller also conducts, before processing, an assessment of the impact of the proposed processing operations on the protection of personal data (data protection impact assessment). The supervision of the principles of data protection is entrusted to the various German states.

Thus, each state has its own data protection authority (DPA), which is responsible for data processing on its territory. Like the GDPR, the BDSG-Neu applies to the processing of personal data by wholly or partly automated means (for example, computer processing) and by non-automated means (manual processing, for example paper registration) when the data are to be part of a filing system (Article 1 of the BDSG-new). The law does not apply to data processing in a private setting. However, the GDPR does not contain a catalogue of technical and organisational measures such as that indicated in Article 9, paragraph 1, of the BDSG. In order to determine the specific security measures to be taken, the nature, scope and content of the data processed, and the purpose and circumstances of data processing, including business processes, computer systems, applications and infrastructure, must be subject to individual analysis. As a result, companies should address the issue of IT security and data protection by design using compliance audits, certifications and best practices.
