Basic Rules on Data Protection
Contact of the data protection officer: dsb@hzdr.de
Contracts with service providers / commissioned data processing
The use of service providers and of third-party services (e.g. in the context of software) is often associated with the transfer of personal data. Depending on the specific arrangement, data protection agreements must also be concluded. This is often (but not always) so-called "commissioned data processing" (order processing) within the meaning of Art. 28 GDPR.
Data protection should already be kept in mind when selecting service providers, and the HZDR data protection officer should be involved at an early stage. If this is only done after the contract has been concluded, the HZDR is in a poor negotiating position, meaning that mandatory requirements can no longer be met, or can only be met at great expense.
Register of processing activities/preliminary checks
Insofar as personal data is processed regularly, these processes must be documented accordingly (in the so-called register of processing activities). These records must be created by the responsible departments at the HZDR and made available to the data protection officer.
In the case of processing operations involving particular risks for the data subjects (e.g. video surveillance, personality profiles, behavior and performance monitoring), a so-called data protection impact assessment is required by law. Our data protection officer will be happy to assist you with its preparation.
Data security/technical and organizational measures
Technical and organizational measures must be implemented at the HZDR for the effective implementation of data protection. These include in particular:
1. physical access control
Unauthorized persons must not be granted physical access to data processing systems that are used to process personal data. Possible measures include:
- definition of secure areas,
- definition of authorized persons (employees, external authorities, external companies, maintenance services, application support),
- definition of visitor regulations,
- securing of buildings and rooms, and
- attendance records.
2. system access control
Only authorized persons may have access to data processing systems (DP systems). For this purpose, data processing systems must always be protected by authentication procedures. The following instructions must be observed:
- User IDs, i.e. user name and password, are bound to the respective user and must not be passed on. Violating this requirement is more than a mere breach of duty: it will result in measures under labor law and, in the event of damage, possibly a criminal complaint.
- Passwords should be at least 8 characters long and contain special characters and numbers. They must not be easy to guess.
- If the password becomes known, it must be changed immediately.
3. data access control
This measure is closely linked to system access control. Authorized persons who have properly identified themselves on the IT system with their user ID have differentiated, i.e. graded, authorizations in the respective software systems according to their user rights. When assigning authorizations, those responsible must consider the requirements of substitutes and take them into account when granting access. Passing on your own access credentials is generally not permitted, even for operational/official reasons. By doing so, you also take on a personal risk, as you can be held responsible for actions carried out in your name (with your user data).
Attempting to obtain additional, unassigned user rights may be a criminal offense under Section 202a of the German Criminal Code (spying on data) and may result in consequences under employment and criminal law.
4. transfer control
Personal data and confidential company/office information may only be transmitted via secure communication channels. Transmission by e-mail is only permitted in encrypted form. If the recipient is to be able to verify the accuracy and originality of the document, the use of a digital signature is recommended.
External data carriers such as USB sticks, external hard disks, SD memory cards, etc. must be handled with great care. Personal and confidential content should be encrypted. The transfer or electronic transmission of personal and confidential data and data carriers must be traceable.
5. input control
The user administration tools and the associated rights management must make it possible to trace who has initiated new entries, changes or the deletion of personal and confidential information. For this reason, the high risk of passing on user IDs is pointed out once again at this point.
6. contract control
In the case of personal data processing by order (e.g. external maintenance of IT systems on which personal information is processed, or disposal of paper with confidential or personal content by external companies), appropriate contractual provisions must be in place to keep the activities of these external contractors transparent (see Contracts with service providers / commissioned data processing).
7. availability control
Personal and other confidential information must be stored in such a way that loss is not possible or that, in the event of loss, the data can be reconstructed with reasonable technical and organizational effort. For this reason, local data storage is generally not permitted. Only central resources can be adequately secured and restored in the event of a loss. IT is responsible for the technical and organizational protection of central resources (if necessary in consultation with the company data protection officer). In addition to data backups and access control regulations, this also includes, for example, fire protection measures, UPS, virus protection/firewall, etc. The IT-Grundschutz (IT baseline protection) catalogues of the BSI (Federal Office for Information Security) should be used as the standard.
8. principle of separation
Personal data may only be used for the purpose for which it was originally collected. Data collected for different purposes must also be processed separately. In principle, there should be a so-called client (tenant) separation, i.e. a separate file is created for each person, e.g. as part of the personnel file. Any use of data in combined files (use of an original database for other purposes) must be defined and established internally.

