Germany: DIGA digital health applications can’t use Standard Contractual Clauses

in German:
According to the external legal blog post below, DIGA does not allow for standard contractual clauses for transfer of data in countries without an EU adequacy decision. (Note: Not all health apps fall under DIGA).
– This leads to an impact to apps, if US Privacy Shield would not survive Schrems II in mid-July 2020 – in the context of US 3rd parties used (e.g. Google Firebase, etc).

https://www.reuschlaw.de/news/risiko-fuer-betreiber-von-gesundheits-apps-datenuebermittlung-in-die-usa-wegen-eugh-urteil-bald-unzul/

Five Safes Framework

http://www.fivesafes.org/

The Five Safes is a framework for helping make decisions about making effective use of data which is confidential or sensitive. – The Five Safes proposes that data management decisions be considered as solving problems in five ‘dimensions’:

  • projects (Is this use of the data appropriate?),
  • people (Can the users be trusted to use it in an appropriate manner?),
  • settings (Does the access facility limit unauthorised use?),
  • data (Is there a disclosure risk in the data itself?) and
  • outputs (Are the statistical results non-disclosive?).

The combination of the controls leads to ‘safe use’.

See also https://en.wikipedia.org/wiki/Five_safes

Germany BfDI: Position paper on Anonymization (with focus on telecoms)

https://www.bfdi.bund.de/DE/Infothek/Transparenz/Konsultationsverfahren/01_Konsulation-Anonymisierung-TK/Positionspapier-Anonymisierung-DSGVO-TKG.html?nn=5216976

My high-level reading (I’m not a lawyer..):

  • Anonymization is viewed as a processing activity and requires a legal basis. (The paper argues different approaches).
  • Transparency obligations must be met.
  • Anonymization can be used as an alternative to deletion.

Germany/Saarland: Privacy inspection questionnaires

.. in German

The DPA Saarland uses four questionnaires:
– interesting questions incl. on various concepts (data deletion, encryption, pseudonymization, risk evaluation/model, privacy management, ..)

https://fragdenstaat.de/anfrage/fragebogen-zur-prufung-des-datenschutzes-15/

Key points from the Accountability questionnaire (GDPR Art 5 (2))

  • (Translation, highlights by myself)
    Accountability Review
    according to Art. 5 Para. 2 GDPR
    Responsible:
    Posted December 04, 2018
    Case number:

    We kindly ask you to answer the following questions in full and send the requested documents based on Art. 58 GDPR by January 31, 2019 at the latest.

    Basic concept

    1. Is there a data protection guideline(/policy/directive) in the company?
      • Yes. Please send us a copy of the guideline.
      • No.
    2. Has a data protection officer been appointed and reported to the supervisory authority?
      • Yes. ____________________________________
      • No.
    3. What are the tasks of your data protection officer in this function (short description)?
    4. Does the data protection officer perform other functions in or for the company?
      • Yes. Please describe them briefly.
      • No.
    5. If there are several locations or branches of the company, are these integrated into a uniform data protection concept?
      • Yes. Please send us a copy of the data protection concept.
      • No.
    6. Do these locations or branches independently decide on the purposes and means for processing personal data?
      • Yes.
      • No.
    7. Are internal responsibilities with regard to data protection-relevant processes or procedures (e.g. training of employees, reporting of data protection violations, …)?
      • Yes. Please send us a copy of the written specifications.
      • No.
    8. Are there rules for internal controls to ensure compliance with data protection regulations?
      • Yes. Please send us a copy of these rules.
      • No.
    9. Please describe briefly how the company is dealing with inputs by the data protection officer (e.g. reports, statements or similar)

      List of processing activities (Art. 30 GDPR)

    10. Is there a complete list of processing activities?
      • Yes. Please state the number of processing activities.
      • No. Please give the reason.
    11. Please describe the method used (e.g. purpose, means, process, IT system, …) to determine the individual processing activities.
    12. Please describe the rules on how the directory of processing activities is managed (e.g. updates or with regard to change history and powers, etc.).

      Uniform risk model

    13. Is there a document that provides a company-wide understanding of data protection risk?
      • Yes. Please send us a copy of this document.
      • No.
    14. Please describe how, in your opinion, the damage to the rights and freedoms of natural persons should be understood when evaluating data protection risk.
    15. Please describe which scales are used to model the likelihood of occurrence and severity of a data protection risk in the company.
    16. Please describe how you ensure that all relevant positions understand the difference between the corporate risk (focus: corporate values) and a data protection risk (focus: rights and freedoms of natural persons).
    17. Is the risk model known to those responsible for data protection as well as the company data protection officer and the information security officer?
      • Yes.
      • No.

      Privacy compliant data processing

    18. Is there a documented legal basis for the processing of personal data for every processing activity according to Art. 30 GDPR?
      • Yes.
      • No. Please give the reason.
    19. Is there a documented legitimate interest assessment if processing is based on a “balancing of interests” according to GDPR Art. 6 Para. 1 lit. f?
      • Yes.
      • No. Please give the reason.
    20. Are consents within the meaning of Art. 4 No. 11 GDPR designed in accordance with the requirements of Art. 7 GDPR and can they be withdrawn at any time?
      • Yes.
      • No. Please give the reason.
    21. Describe the contexts in which the data subject’s consent is obtained.
    22. Send appropriate samples of the declarations of consent you are using.
    23. Has a threshold value analysis (i.e. risk assessment) been carried out for each processing documented in the directory according to Art. 30 GDPR to prepare the question of whether a data protection impact assessment has to be carried out?
      • Yes.
      • No. Please give the reason.
    24. Please name the processing activities for which you have determined the need to carry out a data protection impact assessment in accordance with Art. 35 GDPR and provide us with the documented results of the data protection impact assessments.
    25. Is there a deletion concept (e.g. according to DIN 66398) that also regulates the handling of archives and backups?
      • Yes. Please send us a copy of this concept.
      • No. Please give the reason.
    26. Are adequate measures in place to ensure confidentiality, integrity and availability according to GDPR Art 32?
      • Yes. Please send us the security concept.
      • No. Please give the reason.
    27. Is there a process (Plan-Do-Check-Act) to ensure the effectiveness of the measures under Art. 32 GDPR?
      • Yes. Please send us a description of this process.
      • No. Please give the reason.
    28. Please describe how Privacy by Design is conceptually implemented in accordance with Art. 25 Para. 1 GDPR, taking particular account of the principles of data minimization and compliance with the purpose limitation in the processing activities in the company.
    29. Does a uniform audit methodology apply to audits by the data protection officer?
      • Yes. Please send us copies of the last two audit reports.
      • No. Please give the reason.
    30. Please describe how it is ensured that processors are selected in accordance with Art. 28 GDPR on the basis of a suitable risk model and effective technical and organizational measures based on them (in accordance with Art. 25 Para. 1 GDPR).
    31. Please describe how it is ensured that (for sub-processing) the legal basis of the so-called second level for data transfers to third countries is correctly designed.
    32. Is there a uniform encryption concept?
      • Yes. Please send us a copy of the written specifications.
      • No. Please give the reason.
    33. Does a uniform pseudonymization concept exist?
      • Yes. Please send us a copy of the written specifications.
      • No. Please give the reason.
    34. Are there processing activities in the company for which there is a joint controllership pursuant to Article 26 GDPR?
      • If yes, please describe this processing in key words and submit the corresponding agreements on joint responsibility for two of these processing processes.
      • No.

      Dealing with data subject rights

    35. Has a process been implemented to deal with information claims under Art. 15 GDPR?
      • Yes. Please describe this process.
      • No. Please give the reason.
    36. Please describe how it is ensured that the personal data of those affected can be quickly and completely available from all existing systems and, if applicable, branches.
    37. Are data subjects transparently informed about all processing activities documented in the directory according to Art. 30 GDPR in accordance with Art. 12 ff. And, if applicable, Art. 21 GDPR?
      • Yes.
      • No. Please give the reason.
    38. Has the website (s) been revised since May 25, 2018 in such a way that they are sufficiently informed about the data processing (the website) in accordance with Art. 13 GDPR?
      • Yes.
      • No. Please give the reason.

      Please send us a complete list of all domain names for your company.

    39. Has a procedure been implemented to ensure compliance with the deadlines regarding the rights of the data subjects pursuant to Art. 14-22 GDPR?
      • Yes. Please describe this procedure.
      • No. Please give the reason.
    40. Has a procedure been implemented to respond to requests from data protection supervisory authorities regarding data protection complaints received there?
      • Yes. Please describe this procedure.
      • No. Please give the reason.
    41. Are training documents available with which the persons who are involved in the processes to ensure the rights of those affected are properly informed?
      • Yes. Please send us a copy of these documents.
      • No. Please give the reason.
    42. Have you considered how to respond to a data subject’s application for data portability in accordance with Art. 20 GDPR? If necessary, please describe your considerations.
    43. Have you already made such an application?
      • Yes.
      • No.

      Dealing with data protection violations

    44. How many data protection violations according to Art. 33 GDPR have you become aware of since May 25, 2018 and how many of them have been reported to the supervisory authority or only documented within the meaning of Art. 33 Para. 5 GDPR?
    45. Please describe how data protection violations are recognized in the company according to Art. 33/34 GDPR.
    46. ​​Please describe how you can identify, document and process data protection violations that occur with service providers (also in third countries).
    47. Does the risk model for classifying data protection risk also apply to data protection violations according to Article 33/34 GDPR?
      • Yes.
      • No. Please give the reason.
    48. Describe the process in the event that a high risk for data subjects is identified in the event of data protection violations.
    49. Describe to what extent it is guaranteed that data protection violations will be reported to the responsible supervisory authority within 72 hours (including on weekends / public holidays).
    50. Has it been clarified and documented at which positions in the company the registration period of 72 hours starts?
      • Yes. Please tell us these places: _______________________
      • No. Please give the reason.
  • updated_publishable_be_2019-05_rightoferasure_summarypublic.pdf

    Summary Final Decision Art 60
    Complaint

    Compliance order to controller

    Background information
    Date of final decision: 17 May 2019
    LSA: BE
    CSAs: NL, SE
    Legal Reference: Right to erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of data subjects (Article 12)
    Decision: Compliance order to controller
    Key words: Right to erasure, Exercise of the rights of the data subjects

    Summary of the Decision
    Origin of the case
    The complaint concerned the failure of the controller to comply with the request of a data subject concerning the exercise of his right of erasure. After two submissions of the webform in order to have his data removed, the complainant also sent e-mails with the same request on 28/06/2018.
    The complainant still did not receive any reply and asserted that the controller did not respond within a month following the request.

    Findings
    The controller has failed to comply with the request of the data subject, thus violating its obligations under Article 12.3 GDPR. The LSA considers that the deadline to answer the request “has been exceeded at all levels”.

    Decision
    The LSA decided to order the controller to comply with the data subject’s request concerning the exercise of the right of erasure.


    This text has been converted automatically from the PDF available via
    https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
    using Apache Tika to allow for a better search. This might result in some characters being mangled.
    Please see the original file for the official wording at
    https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/updated_publishable_be_2019-05_rightoferasure_summarypublic.pdf

    Please see also EDPB Copyright page

    publishable_uk_2020-01_personal_data_breach_summarypublic.pdf

    Summary Final Decision Art 60
    Personal data breach notification

    No infringement of the GDPR

    Background information
    Date of final decision 10 January 2020

    LSA: UK

    CSAs: AT, BE, CY, CZ, DE, DK, EE, EL, ES, FI, FR, IE, IT, HU, LT, LU, LV, MT, NL, PL, PT, SE, SI, SK

    Legal Reference: Personal Data Breach (Articles 33 and 34)

    Decision: No infringement of the GDPR

    Key words: Data breach notification

    Summary of the Decision

    Origin of the case
    The controller reported a data breach notification involving 643 of their customers in the EU. The former ex-employee accessed the customers data and exported them with the intention of extracting money from the controller.

    Findings
    In the course of its investigation, the LSA found that the controller had a relevant contract in place with the service provider, as a processor. The contract provided sufficient guarantees for their processing activities. There has been no damage or distress to any of the data subjects involved in this incident and the controller did not receive any complaints as a result of the infringement.

    The controller implemented two remedial measures, by taking down the portals for which vulnerabilities were found, and by informing the data subjects about the data breach and possible phishing attempts.

    Decision
    Although no infringement to the GDPR was found, the LSA issued two recommendations to the controller.
    First, to implement more regular reviews of any third parties to ensure that they are meeting their contractual agreements in relation to compliance with data protection legislation including having appropriate technical and organisational measures, confidentiality and the processing of data only on the documented instructions of the controller to ensure the protection of data subjects rights.
    Second, to improve password management with their service providers.


    This text has been converted automatically from the PDF available via
    https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
    using Apache Tika to allow for a better search. This might result in some characters being mangled.
    Please see the original file for the official wording at
    https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2020-01_personal_data_breach_summarypublic.pdf

    Please see also EDPB Copyright page