Data security under German data protection law

Technical & Organisational measures (toMs) – the 8 commandments

For guaranteeing solid data protection, there needs to be comprehensive data security in the company. According to § 9 (1) BDSG, the internal organisation of the responsible authority must be adapted to the requirements of data protection using proper organisational and technical measures. The BDSG itself concretely mentions the eight principles of data security:

  • Access control

    The physical entry to data processing facilities must be denied to unauthorised parties.
    (Closed doors and windows, monitoring systems like alarm systems and cameras, access logging with visitor pass etc.).

  • Equipment access control

    Access to data processing systems, or the actual use by unauthorised parties must be prevented.
    (Individual identification or ID, secure passwords, documented awarding of authorized access, encryption technology etc.).

  • Data access control

    Access to a specific data processing system should only be enabled by authorized personnel. Data may not be able to be read, copied, modified or removed unauthorized.
    (Authorization concepts, monitoring, regulation at storage locations and storage of data carriers, encryption technology).

  • Forwarding control

    While forwarding through transmission, transport or for saving, data may not be read, copied, modified or removed without authorization. Each point of transmission must be verifiable & determinable.
    (Regulation for permissible transmission and dispatch channels, use of authentications and encryptions, logging of accesses, retrievals and transmissions, secure and organised storage of data carriers)

  • Input control

    The input, change or removal of data within data processing systems should be verifiable retrospectively. That especially includes the identity of the inputting individual as well as the time of the input.
    (Regulation for data acquisition, logging measures, four-eye-principle & server logbook).

  • Process control

    The contractual data processing should only be carried out according to the contracting party’s instructions. (Contractual regulations, contractual penalties, guiding & monitoring the executing person, verifiable processes, distinguishing between instructions and responsibilities).

  • Availability control

    Data must be protected from accidental destruction and loss due to technical defects or deliberate interference. In case of loss of data
    (Hardware monitoring, data backup and recovery tests, air conditioning, protection form hazards like dust, water, fire risks and viruses).

  • Separation rule

    Data collected for different purposes must be processed separately. The objective is to implement that purpose binding principle (see under: legal principles).

The protective purposes listed above must be implemented by all companies handling personal data to ensure data security. In order to fulfill the control categories, corresponding infrastructures and processes must be introduced in the company for long term safety.

The IT Security Act

Since 25th July 2015, the so-called IT Security Act (link to the Act) has been applicable in Germany, which primarily deals with the critical infrastructure within a company.

You will find the statutory text of the IT Security Act or the Act for increasing the security of information technology systems below:

The objective of this Act is to retain the integrity and confidentiality of information technology systems and to protect the company from cyber attacks.  The guarantee of confidentiality and integrity of information technology systems (in addition to availability) was ordered by the Federal Constitutional Court (BVerfG) as a basic right. The principles can be found below:

The digitisation of individual life areas and the market economy has considerable influence on internal security. Data security systems must therefore be expanded as per the requirements and continuous development processes of the IT industry to be able to counteract cybercrime effectively.

The IT security Act expands the existing benchmarks for processing and use of personal data (see above/ annexe to § 9 (1) BDSG) for IT systems.

For this purpose, it modifies numerous, existing statutory regulations or upgrades them accordingly. Changes or modifications can be found within the various internet related laws (telecommunications act and tele-media act), in the Atomic Energy Act and Energy industry law, in the Civil Service Remuneration Act as well as in the law related to the structural reform of the German law on fees. Especially, even the federal agency for security in information technology and the federal criminal police office have reinforced their competencies.

The law affects companies with a critical infrastructure. It remains doubtful what exactly defines critical infrastructure, or rather, which companies are actually affected by the law.

The IT Security Act names, as regards this question, specific sectors, by an amendment resolution of the act through the federal office for security in information technology (BSIG): the now enclosed § 2 (10) IT Security Act shows specific industries, whose facilities and systems are considered as critical infrastructures. They include:

  • The energy sector
  • The information technology and telecommunication sector
  • The transport and traffic sector
  • The health sector
  • The water sector
  • The nutrition sector
  • The finance and insurance sector

Furthermore, all the facilities are included which are of high importance to the community. This is always the case when there are supply shortages or hazards to public security by corresponding manipulations.

For the implementation of the data security required by the IT Security Act, a so-called IT security management system (ISMS) must be introduced. The law itself does not name any corresponding sample procedures or specific benchmarks. Rather, it requires the concerned sectors to determine themselves the security standards and to get permission from the German Federal Office for Information Security.

If the procedures and measures submitted are approved, then the company is subject to a two-yearly inspection. IT-security-incidents, which occur during this time, must be reported to the German Federal Office for Information Security.

Group of companies must appoint a competent information security officer to implement a IT Security Management System (ISMS). Besides implementing an ISMS the information security officer is responsible of supervising the IT-infrastructures.

The DIN-Norm ISO 27001 published by the International Electrotechnical Commission (IEC) and International Organisation for Standardisation (ISO) is an internationally recognised standard for IT security. The ISO 27001 certification, which is also recommended and approved of by the German Federal Office for Information Security, contains two significant certification steps (entry level and upgrade level), which are only issued by certified auditors of the German Federal Office for Information Security.

For further information, click the link below:

An overview, or a guideline for the most important IT security measures can be found by clicking on the link of the German Federal Office for Information Security below:;jsessionid=68BEF69F688E5435AD198FD227EBF495.2_cid341 (in English)