[Epic] Guarantee compliance with GDPR and BDSG
Problem:
- According to the requirements catalogue, compliance with data protection requirements is particularly important during the development of the MVP.
- The provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) must be strictly observed, particularly with regard to data protection through technical design and data-protection-friendly default settings.
- Therefore, continuous auditing of the proposed solutions is essential in the context of this FITKO Neo project to avoid designing a system that infringes any relevant GDPR rules.
Goal:
Guarantee that the system being designed in the context of the FITKO Neo project complies with all relevant GDPR rules.
ACs:
- Name GDPR specialists.
- Update them on the scope, goals and solution designs of the project.
- Keep them updated on any solution diagrams that have already been created.
- Organise auditing routines.
- Document the results of audits in Nextcloud.
- If necessary, create new task tickets.
Notes/resources:
- Requirements uIDs: OZG_26, LB_51, LB_65
- The translated GDPR requirements are given below; the original text is in the “Leistungsbeschreibung”, page 56.
Lawfulness of processing:
The technical and organizational design of the system must ensure that all forms of data processing are carried out exclusively in accordance with the applicable data protection regulations.
The processing of personal data is always based on one of the legal bases of Art. 6 GDPR.
A clear legal basis (e.g., consent, legitimate interest, a statutory legal basis) is documented and traceable for each data processing operation.
Information obligation:
Private individuals whose data is processed in the system must be informed comprehensively and transparently in accordance with Art. 13 GDPR in an easily understandable privacy policy about the type, scope, purpose, and legal basis of the data processing.
This policy must be made available both during registration and on an ongoing basis.
The information obligations include, in particular, information on the storage period of the data, the rights of the data subjects (e.g., right to information, right to erasure) and the contact details of the data protection officer.
The creation of a privacy policy is not part of the services commissioned.
However, upon request, all relevant information about the developed system must be made available.
Right to information:
Private individuals whose data is processed in the system have the right under Art. 15 GDPR to obtain a copy of the personal data that is the subject of the processing.
Implementation of technical measures for the automated provision of a copy of this data.
Right to erasure:
Private individuals whose data is processed in the system have the right to have their personal data erased in accordance with Art. 17 GDPR.
Implementation of technical measures for the automated erasure of this data.
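The two requirements above (Art. 15 copy of data, Art. 17 erasure) each ask for automated technical measures without describing them. The following Python module is an added example, not code from the FITKO Neo project or from the Leistungsbeschreibung; it shows one way a data-subject service can export every record held about a person together with the documented purpose and legal basis of each processing operation, erase that person's data on request, and produce a receipt that the request was fulfilled. The store names, field names, the `PROCESSING_REGISTER` entries, and the assumption that the audit log is subject to a retention obligation (so it is pseudonymised rather than deleted) are all constructed for the example.

```python
"""Added example: automated handling of data-subject requests under Art. 15
(copy of data) and Art. 17 (erasure) GDPR.

Not part of the FITKO Neo project code. All stores, field names and the
PROCESSING_REGISTER entries are constructed for this example.
"""
from __future__ import annotations

import copy
import json
from datetime import datetime, timezone

# Documented legal basis per processing operation (Art. 6 GDPR), so that an
# export can tell the data subject why each record exists. Constructed values.
PROCESSING_REGISTER = {
    "accounts": {"purpose": "user account", "legal_basis": "Art. 6(1)(b) contract"},
    "applications": {"purpose": "online application", "legal_basis": "Art. 6(1)(e) public task"},
    "audit_log": {"purpose": "security audit trail", "legal_basis": "Art. 6(1)(c) legal obligation",
                  "retention": "kept, pseudonymised on erasure"},
}

# Constructed sample data standing in for database tables.
ACCOUNTS = {
    "u-1001": {"name": "Erika Mustermann", "email": "erika@example.org"},
    "u-1002": {"name": "Max Mustermann", "email": "max@example.org"},
}
APPLICATIONS = [
    {"id": "a-1", "user_id": "u-1001", "service": "Wohngeld", "status": "submitted"},
    {"id": "a-2", "user_id": "u-1002", "service": "Kita", "status": "draft"},
]
AUDIT_LOG = [
    {"ts": "2024-05-01T10:00:00Z", "user_id": "u-1001", "event": "login"},
    {"ts": "2024-05-01T10:05:00Z", "user_id": "u-1001", "event": "submit"},
]
ERASURE_RECEIPTS: list[dict] = []  # evidence that a request was fulfilled


class DataSubjectService:
    """Art. 15 export and Art. 17 erasure over the stores above."""

    def __init__(self, accounts, applications, audit_log, receipts):
        self.accounts = accounts
        self.applications = applications
        self.audit_log = audit_log
        self.receipts = receipts

    def export_copy(self, user_id: str) -> dict:
        """Return every record about the subject, each section labelled with its
        purpose and legal basis from the processing register (Art. 15(1))."""
        def section(name, records):
            return {**PROCESSING_REGISTER[name], "records": copy.deepcopy(records)}

        account = self.accounts.get(user_id)
        return {
            "subject": user_id,
            "generated_at": datetime.now(timezone.utc).isoformat(),
            "accounts": section("accounts", [account] if account else []),
            "applications": section("applications",
                                    [a for a in self.applications if a["user_id"] == user_id]),
            "audit_log": section("audit_log",
                                 [e for e in self.audit_log if e["user_id"] == user_id]),
        }

    def erase(self, user_id: str) -> dict:
        """Delete the subject's personal data (Art. 17(1)). Records the system
        must retain under a legal obligation (Art. 17(3)(b)) are pseudonymised
        in place instead of deleted, so the audit trail stays intact but no
        longer identifies the person. Assumption: the audit log is such a record."""
        removed_account = self.accounts.pop(user_id, None) is not None
        before = len(self.applications)
        self.applications[:] = [a for a in self.applications if a["user_id"] != user_id]
        pseudonymised = 0
        for entry in self.audit_log:
            if entry["user_id"] == user_id:
                entry["user_id"] = "erased-subject"
                pseudonymised += 1
        receipt = {
            "subject": user_id,
            "erased_at": datetime.now(timezone.utc).isoformat(),
            "account_removed": removed_account,
            "applications_removed": before - len(self.applications),
            "audit_entries_pseudonymised": pseudonymised,
        }
        self.receipts.append(receipt)
        return receipt

    def remaining_identifiable_records(self, user_id: str) -> int:
        """Post-erasure check: count records still tied to the subject."""
        export = self.export_copy(user_id)
        return sum(len(export[s]["records"]) for s in ("accounts", "applications", "audit_log"))


if __name__ == "__main__":
    svc = DataSubjectService(ACCOUNTS, APPLICATIONS, AUDIT_LOG, ERASURE_RECEIPTS)
    print(json.dumps(svc.export_copy("u-1001"), indent=2))
    print(svc.erase("u-1001"))
    print("identifiable records left:", svc.remaining_identifiable_records("u-1001"))
```

The `remaining_identifiable_records` check is the part an auditor will ask for: after an erasure the same export path that serves Art. 15 requests must come back empty for that subject, which also catches a store that was added later and forgotten in `erase`. In a real system the receipt would be persisted without personal data beyond the subject identifier and signed or written to an append-only log.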
Peripheral systems:
Peripheral systems that only indirectly process personal data (e.g., log data on web servers) must also meet the relevant data protection requirements.
This includes the principle of data minimization, according to which only data necessary for the respective purpose may be processed, as well as the implementation of technical and organizational measures for data security in accordance with Art. 32 GDPR.
Commissioned data processing (Art. 28 GDPR):
Data processing agreements in accordance with Art. 28 GDPR must be concluded if third parties (e.g., hosting providers) are commissioned to process personal data (e.g., in test or demo systems).
The systems must be designed in such a way that the rights of data subjects, such as the right to data portability and the right to erasure, can be exercised at any time.
Data protection impact assessment:
Regular data protection impact assessments (DPIAs) must be carried out in accordance with Art. 35 GDPR.
Risks must be identified at an early stage and appropriate measures taken to minimize them.