Data protection concept
In a data protection concept (abbr. DSK ), the information necessary for an assessment under data protection law on the collection, processing and use of personal data is described. It documents the type and scope of the collected, processed or used personal data. The description of the data or data fields is usually called a data field catalog . The legal basis and purpose limitation for the collection, processing and use of personal data result from the definition of data protection requirements. A description of the interfaces as an interface catalog and all intended evaluations of data ( evaluation catalog ) give an overview of the use and transmission of personal data. Furthermore, the implemented technical and organizational measures for data protection according to § 9 of the Federal Data Protection Act (BDSG) and annex are documented. From this representation, the appropriateness of the technical and organizational measures taken for data protection can be viewed.
As a comprehensive document, the data protection concept provides information on the legality of data processing when collecting, processing and using personal data. In addition to the technical concept , operating concept and security concept , the data protection concept is part of the documentation of an IV process (process, project, IV application or IV system ).
In a security concept or IT security concept (abbreviation SiKo), in contrast to the data protection concept, only the security measures are described. An IT security concept is usually based on a security assessment with risk analysis based on a threat analysis. In addition to the term IT security concept, the term security concept or data security concept is also often used.
In older IT security concepts, the old legal term data backup is also used for the topic of "IT security". In this context, however, these are not security copies of data in the sense of a so-called backup .
Personal data
Personal data are individual details about personal or factual circumstances of a specific or identifiable natural person (data subject).
Special types of personal data
Special types of personal data are information about "racial" and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life.
Categories of personal data
- Customer data
- Personal data of data subjects with whom there is a contractual relationship or a contract-like relationship as a contractor.
- Supplier data
- Personal data of data subjects with whom there is a contractual or contractual relationship as a client. If these are natural persons.
- Employee data
- Personal data of the employees of a company.
- Shareholder data
- Personal data of the company's shareholders ( public limited company ).
- Member data
- Personal data of the members of an association ( association law ) or association ( association (law) ).
- Personal data for business purposes
- Personal data that is used within the meaning of Section 29 BDSG. This also includes the term address trading .
Responsible body
The responsible body is any person or body who collects, processes or uses personal data for themselves or has this carried out by others on behalf of ( data processing on behalf of ) ( Section 3 (7) BDSG).
Structure and structure of a data protection concept
The following points must be included in a data protection concept:
- Description of personal data and specification of the respective purpose (purpose of use)
- Details of the responsible body
- Description of the guarantee of data subject rights
- Description of the technical and organizational measures for data protection
Possible types of representation of the individual contents are:
- Data flow diagram (data fields, tables or data types are shown with the interfaces in the individual processing steps)
- Data field catalog
| Data field number | Data type | Data field name | description | Usage | Location | Deletion period |
|---|---|---|---|---|---|---|
| current number | Type and category (see above under 1 personal data) | technical data field name | Explanatory data field name or composition for calculated fields | Use of the date with earmarking | logical and physical location | When will it be deleted? (Date, date or statutory retention period ) |
