20 April 2017
The German Federal and State Commissioners (‘the Commissioners’) released, on 14 April 2017, a Standard Data Protection Model (‘SDP Model’), which analyses the interrelation between the legal requirements regarding data processing and the selection and implementation of technical and organisational data protection measures, under existing German law and the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
Dr. Carlo Piltz, Lawyer at Reusch Rechtsanwälte, told DataGuidance, “In principle, the SDP Model must be welcomed. It is a first [attempt] by the German data protection authorities (‘DPAs’) to find a common and practical approach for data controllers to fulfill their obligations under current and future data protection laws. The solution chosen by the SDP Model, to provide mechanisms to transfer the regulatory requirements of the GDPR (especially of its Article 5) into technical and organisational measures, might help data controllers in practice to comply with the GDPR requirements.”
The SDP Model states that its purpose is to assist DPAs to conduct more transparent reviews of technical and organisational data protection measures on the one hand, and to assist data controllers and processors in the planning, implementation and supervision of data protection measures and functions on the other. To this end, the SDP Model structures the legal requirements in terms of data protection goals such as data minimisation, availability, integrity, confidentiality, transparency, unlinkability, and intervenability. It also provides advice on solutions for transposing them into practical measures.
Piltz commented, “One might criticise the SDP Model for attempting to systemise the legal principles for the processing of personal data pursuant to Article 5 of the GDPR and the rules on the security of processing under Article 32 of the GDPR, when it is rather questionable whether all these principles and all the rules on the security of processing can really be systemised on the basis of protection goals. Furthermore, the SDP Model is only directed at controllers and aimed at supervisory authorities, [whereas] the GDPR also obliges processors to implement technical and organisational measures to ensure a level of security appropriate to the risk of the processing.”
According to the SDP Model, the data minimisation goal must be addressed proactively as an element of a data protection friendly design, and this should begin with the design of the information technology by its manufacturer and continue through its configuration and adaptation to operating conditions.
“This aim of obliging manufacturers and involving them in the SDP Model is understandable, but the obligations of the GDPR, and those with regard to Privacy by Design and Privacy by Default, do not encompass the manufacturers of products,” noted Piltz. “At least, as long as they don’t act as data controllers. So if the SDP Model wants to involve manufacturers (who might never act as a data controller since they only build the product but don’t process personal data), then this goes beyond the scope of the GDPR.”
The SDP Model was unanimously acknowledged, with Bavaria abstaining, by the 92nd Conference of the Independent Data Protection Authorities of the Bund and the Länder. Additionally, it was announced that a further international version of the SDP Model will be prepared, which will focus ‘even more closely on aspects of the operationalisation of fundamental rights by an appropriate selection and implementation of organisational measures and technical functionalities.’
“The SDP Model might become part of a minimum standard, if it could, in the future, be considered ‘state of the art’ (see Article 32 of the GDPR),” concluded Piltz. “But to become state of the art, the SDP Model would need to be accepted not only in one country in the EU and not only by one country’s DPA. Furthermore, the SDP Model does not specify the technical and organisational measures which should actually be implemented. It is one possible way to address the necessary security goals. So I would think that, in the future, companies can still rely on their ‘own’ security audit/assessment as long as they implement appropriate technical and organisational measures. And the specific measures will in practice always differ depending on each individual processing situation and the circumstances.”
Finally, the Commissioners noted that the SDP Model will be revised after May 2018.
Cristina Ulessi | Privacy Analyst