Issues related to the protection of personal data are regulated in the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz, or BDSG) and in sectoral laws (ie, the Banking Law, the Energy Law, etc).
Issues related to the protection of personal data and privacy in electronic communications are regulated primarily in the Telecommunications Act (Telekommunikationsgesetz, or TKG) as a result of the implementation of the E-Privacy Directive. These issues will be regulated by the E-Privacy Regulation, once it comes into force.
The implementation of Directive (EU) 2016/1148 (NIS Directive) resulted in the amendment of various German laws, including the Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, or BSIG) and the Energy Industry Act (Energiewirtschaftsgesetz, or EnWG).
The EU Cybersecurity Act (Regulation (EU) 2019/881) provides a framework for EU-wide certification of information and communication technology (ICT) products, services and processes.
The German Criminal Act (Strafgesetzbuch, or StGB) lays down penalties for data espionage, phishing, acts preparatory to data espionage and phishing, data tampering, computer sabotage and computer fraud.
Infringements of the provisions set out in the German Data Protection Act and the GDPR with respect to cybersecurity are subject to administrative fines of up to EUR10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The TKG and EnWG provide for fines of up to EUR100,000, while the BSIG provides for fines of up to EUR50,000. (If operators of public telecommunications networks do not submit the mandatory security concept to the Federal Network Agency immediately after the start of network operation, they are threatened with a fine of up to EUR100,000 under the TKG. Violations of the notification obligation are punishable with fines of up to EUR50,000 under the TKG. For non-compliance and in the case of disregard of the reporting obligations, the EnWG provides for fines of up to EUR100,000 and the BSIG for fines of up to EUR50,000.)
The penalties provided for by the StGB range from a fine to a prison sentence of up to five years (for computer fraud).
Data Protection Authorities
In addition to the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, BfDI), each federal state has data protection authorities. Those supervisory authorities have powers of approval, advice, investigation and remedy. They conduct investigations into the application of the GDPR, including on the basis of information received from another supervisory authority or other public authority. They may also initiate legal proceedings.
German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI)
In 1991 Germany established the BSI. The office provides security advice for users and standards for public and private bodies. The guiding principle of the BSI is: "As the federal cybersecurity authority, the BSI shares information security in digitisation through prevention, detection and reaction for the state, economy and society."
Central Office for Information Technology in the Security Sector (Zentrale Stelle für Informationstechnik im Sicherheitsbereich, or ZITiS)
The Central Office for Information Technology in the Security Sector is an unincorporated federal agency under the authority of the Federal Ministry of the Interior, Building and Homeland Affairs. ZITiS has the task of supporting and advising federal authorities with security tasks with regard to information technology capabilities. For this purpose, the central office develops and researches methods and tools.
Computer Emergency Response Team for Federal Authorities (CERT-Bund)
The CERT-Bund is the central contact point for preventative and reactive measures in the event of security-relevant incidents in computer systems. It serves as a warning and information service for authorities and private internet users. It provides information about security leaks in software, provides a weakness indication (green/yellow/red) for commonly used software and lists present and past security holes.
The supervisory data protection authorities have powers of investigation and remedy. They conduct investigations on the application of the GDPR, including on the basis of information received from another supervisory authority or other public authority. They may also initiate legal proceedings.
They may use the following methods for their investigation purposes:
In general, data protection authorities tend to visit larger companies or those companies whose processing operations are likely to result in a high risk to the rights and freedoms of data subjects. Small and medium-sized enterprises are usually only marginally controlled by the authorities so as not to overburden them financially and in terms of personnel.
Companies that have received fines can file objections and take legal action.
Each federal state has its own data protection authorities and its own data protection laws, which do not contradict the federal or EU laws, but partly extend them. A federal state’s data protection law only applies to that state’s public bodies.
A good example of the manner in which EU laws have been implemented at the national level, is the German NIS Directive Implementation Act (Implementation Act) which came into effect on 30 June 2017; as a transposition of the EU Network and Information Systems Directive (EU 2016/1148 (Directive)). The Implementation Act amended the BSIG, the Atomic Energy Act (Atomgesetz), the EnWG, the Social Security Code V (Sozialgesetzbuch V), and the TKG. The key requirements laid out in the Directive, had, however, already been part of the German IT Security Act (ITSA) which amended the BSIG before the Implementation Act. Because of this, the ITSA assumed the role of “pace-setter” for the Directive. As a consequence of the ITSA, the changes required to be made to the German law resulting from the Directive were relatively small.
On 1 February 2021, the federal government passed the draft of a second law to increase the security of information technology systems (IT Security Act 2.0). This new Act is aimed at strengthening the position of the BSI, heightened consumer protection, stronger corporate precautionary obligations and reinforcing the state’s protective functions.
The tasks of the BSI include:
The CERT-Bund informs about security leaks in software and lists present and past security holes.
Alliance for Cybersecurity
An example in this context is the Alliance for Cybersecurity (ACS), which provides companies with up-to-date information on the threat situation in cyberspace as well as practical assistance for the design and implementation of suitable protective measures. Membership is open to all companies and institutions having their headquarters/branch office in Germany. Several thousand companies and institutions have already joined the initiative, which was launched in 2012 by the BSI and the digital association Bitkom, making the Alliance for Cybersecurity a successful model for building trust and profitable co-operation between government and industry in the field of cybersecurity.
Member companies benefit from the expertise of the BSI and their ACS partners, the exchange of knowledge and experience with other companies and institutions on granular topics of cybersecurity and partner services, which in turn increases cybersecurity proficiency within member companies. Furthermore, companies that possess pre-existing expertise in the field of cybersecurity have the opportunity of becoming partners in the ACS to contribute to the network.
The Alliance for Cybersecurity's extensive information offering includes BSI recommendations on topics such as the secure configuration of software products, securing systems for manufacturing and process automation, and monitoring and detecting network anomalies.
Cybersecurity Council Germany e.V.
In August 2012, the Cybersecurity Council Germany e.V. was founded by well-known personalities. The Berlin-based association is politically neutral and aims to advise companies, authorities and political decision-makers in the field of cybersecurity and to strengthen them in the fight against cybercrime.
The members of the association include large and medium-sized companies, operators of critical infrastructure, numerous federal states, local authorities as well as experts and political decision-makers with an interest in cybersecurity. Through its members, the association represents more than three million employees from the industry and almost two million members of other associations and societies.
The Cybersecurity Council Germany e.V. pursues the following goals:
Member companies are integrated into the council-network which includes decision-makers in the field of politics, economics, science and society. Members are also integrated into an international network of leaders and heads of cybercommunities. Private member companies are afforded representation of their corporate interests in the political field of cybersecurity.
With the introduction of the GDPR, the EU was the first polity to introduce new regulations in the area of data protection and security of personal data. Furthermore, the regulations apply supranationally throughout the entire EU and it can be assumed that other countries will use the GDPR as the foundation of their own laws on data security.
The Second EU Data Protection Adaptation and Implementation Act (2.DSAnpUG – EU), was passed in 2019 in order to amend a total of 154 pre-existing laws in an "omnibus process" to further harmonise German data protection legislation with the GDPR. The vast majority of changes under the omnibus act involved aligning the terminology in German federal legislation with the terms used in the GDPR.
Germany also introduced the BSIG before the EU addressed similar topics with the NIS Directive. However, in certain areas, Germany’s federal structure can lead to delays and a patchwork of laws and authorities.
In March 2019, the German Federal Ministry of the Interior published the draft for an IT Security Act 2.0, which contains a holistic approach to IT security. Amongst other things, a consumer-friendly IT security label for commercial products is to be included, the competences of the BSI are to be strengthened and criminal offences in cybersecurity and the associated investigation activities are to be expanded. The draft law also extends the addressees of reporting obligations and implementation measures. Overall, the law is expected to result in a considerable additional economic burden for companies and authorities.
The broad spectrum of applicable law closes many of the security gaps in cyberspace. But the growing number of cyber-attacks make it clear that security standards must be continuously adapted to the changing risks. A further issue is that the rules on cybersecurity are not condensed into one cybersecurity act, but are spread among numerous different laws. This poses profound challenges for companies to determine which legal framework applies to them.
5G networks are expected to become the backbone of transformational services that will positively change life for future generations. This holds true regardless of the area of application, be it automobile vehicles, remote surgery, intelligent care facilities or the multitude of other technological advances that will benefit from 5G. Innovators, investors and users need confidence in the network's cybersecurity to achieve the promising goals of 5G. Therefore, this will be one of the top priorities for 2020.
The E-Privacy Regulation is designed to protect personal data in electronic communications and supplements the GDPR in this respect. It replaces the E-Privacy Directive, which the German legislature implemented largely in the Telemedia Act (Telemediengesetz, or TMG) and the TKG. Many entrepreneurs are already warning that the E-Privacy Directive will seriously damage digital business.
Impact of the SolarWind Hack in Germany
In December 2020, a US-based tech company was the victim of a sophisticated large-scale cyberattack. The attack had far-reaching implications on international users of the company’s software. This included multiple German ministries and federal offices that used or had used the software. The hack clearly revealed the prevalence of security gaps and insufficient attention to IT security.
Due to the complexity of modern IT systems and the comparatively low cost of carrying out attacks of this nature, the threat of vector attacks on software supply chains is expected to gain importance in the coming years. Furthermore, traditional security mechanisms will need to be supplemented with more refined policies for detection of malicious changes in code.
The key cybersecurity laws, as opposed to the cybersecurity-related provisions of general criminal law, are:
German Criminal Act (StGB)
Any unlawful alteration, deletion, suppression or rendering unusable of external data fulfils the facts of the case according to Section 303a of the StGB (data alteration). In particularly serious cases, this is also punishable under Section 303b I No 1 of the StGB ("computer sabotage") and is punishable by imprisonment of up to five years or a fine. Since 2007, distributed denial-of-service (DDOS) attacks have also constituted computer sabotage; the same applies to any action that causes damage to an information system that is essential to another.
Spying on data (Section 202a, StGB) – ie, gaining access to external data that is specially protected against this – is punishable with a prison sentence of up to three years or a fine. Intercepting foreign data in networks or from electromagnetic radiation has also been a punishable offence since 2007. In contrast to Section 202a of the StGB, no special access protection is required here. Procuring, creating, distributing, making publicly accessible, etc, so-called hacker tools has also been a punishable offence since 2007, if a criminal offence is prepared with them (Section 202c, StGB).
According to Section 202a paragraph 2 in conjunction with paragraph 1 of the StGB, data is only protected from being spied on if it is "specially secured" in order to prevent the offence from escalating. This means that only in case users protect their data by technical means do they enjoy protection under criminal law. The earlier debate as to whether "hacking" without retrieving data is punishable under criminal law is no longer relevant since the wording of the Section 202a paragraph 1 of the StGB was changed in 2007 in such a way that criminal liability begins as soon as access to data is gained. It is also disputed whether encryption is part of special security. Although it is very effective, it is argued that the data is not secured, but is only available in an "incomprehensible" or simply "different" form.
Computer fraud is punishable under Section 263a of the StGB with a fine or imprisonment for up to five years if data processing operations are manipulated to obtain financial gain. Even the creation, procurement, offering, safekeeping or transfer of suitable computer programs is punishable.
Please see 1.2 Regulators.
The European Network and Information Security Agency (ENISA) was created in 2004. The objective of ENISA is to serve as a contact point and centre of expertise for the member states and the institutions of the European Union on issues related to network and information security. Its activity consists of:
ENISA also publishes reports and studies on cybersecurity; for example, on privacy, cloud security or the detection of cyber-attacks.
ENISA's main target groups are public sector organisations, in particular:
The Agency also provides support to:
The European ENISA Regulation 2019/881 (Cybersecurity Act), adopted on 17 April 2019, grants a permanent mandate to ENISA and broadens its powers. ENISA has been made responsible for drafting the European Certification Schemes for Cybersecurity. These are to serve as a basis for the certification of products, processes and services that support the provision of the digital single market.
The BSI acts in an advisory capacity to the business community and supports companies of all sizes and from all industries in questions of IT and information security. The objective of the BSI is the preventative promotion of information and cybersecurity in order to enable and promote the secure use of information and communication technology in the state, economy and society.
At federal level, the BSI is also responsible for the protection of critical information infrastructures (KRITIS).
In addition to its advisory function, the BSI co-operates with the business community in a variety of ways. For example, co-operation in the area of certification has long been established. Through the independent testing of IT products and services, the BSI offers manufacturers an opportunity to ensure transparency and more trust in the IT security features of their products and services.
The tasks of the BSI also include:
Please see 1.2 Regulators.
Aspects of cybersecurity are handled by the authorities listed under 1.2 Regulators. Additionally, the Federal Institute for Financial Institutions and Insurances (Bundesanstalt für Finanz- und Versicherungsaufsicht, or BaFin) publishes the MA-Risk, which contains procedural and security requirements to be taken into account by banks, payment service providers and insurers.
The Federal Association for IT Security (TeleTrusT) is a competence network comprising of domestic and foreign members from industry, administration, consulting and science as well as thematically related partner organisations. Due to the broadly diversified membership and the partner organisations, TeleTrusT embodies the largest competence network for IT security in Germany and Europe. TeleTrusT offers forums for experts, organises events or participations in events and gives its opinion on current issues of IT security.
For additional information, please see 1.2 Regulators.
In Germany, the operators of critical infrastructures are obliged by the IT Security Act to comply with certain security standards and reporting requirements. This law will have to be changed due to the NIS Directive.
However, many companies have chosen to voluntarily comply with the ISO 27001 standard as this is a good way to improve cybersecurity. The Federal Network Agency (Bundesnetzagentur, or BNetzA) even explicitly ordered ISO 27001 certification for electricity and gas network operators in its IT security catalogue by 2018. Furthermore, BaFin also refers to common IT standards such as ISO 27001 or the BSI basic protection catalogues in its minimum requirements for risk management.
Nevertheless, it is usually helpful to develop a framework specifically tailored to the company. For this purpose, sources such as COBIT, NIST and SANS20 should be consulted. These current frameworks for cybersecurity can therefore serve other companies as "idea generators" for the design of internal processes. As an "ISMS-light approach", small and medium-sized companies can be recommended to use, for example, the "VdS 3473", which usually represents a preliminary stage for a possible ISO/IEC 27001 and BSI IT-basic-protection certification.
Please see 3.1 De Jure or De Facto Standards.
The Control and Transparency Act
Pursuant to the Control and Transparency Act (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich, KonTraG), which came into force on 27 April 1998, the management of a company is obliged to implement a system for the early identification of developments and risks threatening the continued existence of the company.
The Stock Corporation Act
The German Stock Corporation Act (Gesetz betreffend die Gesellschaften mit beschränkter Haftung, GmbHG) stipulates that the management board shall be personally liable if it fails to monitor developments that could pose a risk to the company in the future by means of risk management and take appropriate measures to prevent them (Section 91 (2) and Section 93 (2) of the German Stock Corporation Act). Virtually the same requirements apply in the following cases.
Data Protection Officers
The GDPR establishes the concept of the data protection officer (DPO) at European level. The obligation to appoint a data protection officer affects companies according to their core activities; ie, activities that are essential for achieving the company's objectives. If these include the processing of sensitive personal data on a large scale or a form of data processing that has particularly far-reaching consequences for the rights of the data subjects, a DPO must be appointed.
There are two ways for groups and companies to fulfil their obligation to appoint a DPO. Either they appoint an employee as internal DPO or an external DPO is appointed.
The tasks of the data protection officer include:
Nevertheless, the company itself remains responsible for compliance with data protection regulations. Failure to appoint a company DPO constitutes an administrative offence subject to a fine.
As stated above, the management of a company is obliged to implement a system for the early identification of developments and risks threatening the continued existence of the company; this includes measures such as internal risk assessments, vulnerability scanning and penetration tests.
Privacy Impact Assessments
Furthermore, Article 35 of the GDPR introduced the instrument of a privacy impact assessment (PIA) or data protection impact assessment (DPIA). A PIA or DPIA must always be conducted when the processing could result in a high risk to the rights and freedoms of natural persons. The Article 29 Working Party published a list of ten criteria that indicate that the processing bears a high risk to the rights and freedoms of a natural person.
In the course of a PIA or DPIA the effects of data processing on data subjects must be evaluated and effective IT security measures established. Operators of critical infrastructures even have to implement preventative protection measures according to the "state of the art" in order to protect the critical infrastructure from a cyber-attack.
ENISA provides practical advice and solutions to the public and private sector institutions of member states and to EU institutions. Please see 2.3 Over-Arching Cybersecurity Agency for additional information.
Article 32 of the GDPR provides security requirements for the processing of personal data. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In this process they shall take into account various aspects, such as the state of the art; the costs of implementation; the nature, scope, context and purposes of processing; as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The technical and organisational measures may include pseudonymisation and encryption or regular testing, assessments and evaluations of the effectiveness of the technical and organisational measures. What constitutes an appropriate level of protection arises, inter alia, from the risks represented by the processing, in particular by destruction, loss or alteration, whether accidental or unlawful, or unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
For additional information, please see 3.3 Legal Requirements.
Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements.
Pursuant to Section 8 of the BSIG, operators of critical infrastructures must implement IT security in accordance with the "state of the art" and regularly demonstrate compliance with it to the BSI. They are obliged to take appropriate organisational and technical precautions to avoid disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that are essential for the functionality of the critical infrastructures they operate.
If security deficiencies are discovered, the BSI may order their elimination in agreement with the supervisory authorities. In addition, according to Section 8b of the BSIG, the BSI becomes the central reporting office for IT security of critical infrastructures. Operators must report significant faults in their IT to the BSI if such faults could have an impact on the availability of critical services. If reportable faults occur at a critical information infrastructure (KRITIS) operator, the BSI may, if necessary, also require the manufacturers of the corresponding IT products and systems to co-operate. Furthermore, according to Section 7a of the BSIG, the BSI is granted the authority to examine IT products for their security in order to perform its tasks.
For additional information, please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements.
Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements.
Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements.
In relation to the manner in which data and IT security is regulated within an IoT platform, there is no IoT platform-specific regulatory framework that has been enacted in Germany. However, the prevalent data privacy and IT security regulations cover aspects of the IoT industry and supply chain landscape. There are also certain technical regulations that that govern the same.
With regard to the collection and use of personal data, which is often done by consumer IoT devices (eg, location data), the GDPR applies, along with federal data protection rules. Depending upon the industry sector, there may be additional sector-specific rules to be adhered to (eg, telecommunications sector). Article 32(1) of the GDPR lists certain technical and organisational measures (TOMs) to be taken by the controller to protect personal data. Furthermore, and technologically upstream of the TOMs, Article 25(1) of the GDPR stipulates the principle of data protection by design. According to this principle, the data controller is obliged to take into account the protection of personal data during the development of a product. However, it must be noted that the requirements posed by the GDPR are technologically neutral and Article 32(1) only lists a few possible measures as examples. Nevertheless, the required security level is high and could result in a significant improvement in IT security to the IoT if properly implemented.
Since the introduction of the GDPR, however, there has been no noticeable improvement in IT security in the area of the IoT in practice. The enforcement of the GDPR is even more complicated with regards to the supply chain of IoT devices, since measures under the GDPR may only be directed against the controller. This means that data protection authorities cannot take action against manufacturers, suppliers, importers or sellers, even if the controller evades access by the authorities.
The German IT Security Act 2015 focuses on telecommunications and media companies, as well as service providers operating in "critical infrastructure". Such infrastructure relates to telecommunications, technology, health and water. Any such market player is obliged to take effective measures in order to prevent IT security issues.
Art. 1(1) of the EU Cybersecurity Act (Act) defines a framework for the establishment of a European cybersecurity certification for ICT products, ICT services and ICT processes. The Act could be applicable to IoT devices if they represent ICT products. However, it must be noted that the Act does not impose any binding requirements on the IT security of IoT devices in general. Instead, Articles 46 et seq of the Act provides only a voluntary certification framework, which does not create any obligations for the manufacturers to carry out certification or even third-party scrutiny procedures.
Since 1994, the BSI, has published an annual catalogue detailing over 1,600 best practices and recommendations on how to secure IT infrastructure (the Grundschutz Catalogue). Upon demonstrating compliance with the Grundschutz Catalogue, organisations may obtain certification under BSI Standards 200-1 to 200-3. One of the chapters relates explicitly to IoT devices. Even though they are not legally binding, the Grundschutz Catalogue recommendations have gained considerable relevance since a number of statutory provisions refer to the Catalogue's content and thresholds.
In May 2019, the German Institute of Standardisation published a new standard called Information Technology – IoT capable devices – Minimum Requirements for Information Security (ie, the DIN SPEC 27072). It provides for the requirements to change the standard password after initial use, authentication requirements, establishment of dedicated update mechanisms, etc. However, the scope of DIN SPEC 27072 is limited to IT security in relation to consumer IoT devices.
The GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The BSIG uses the word “malfunction” or “disruption” rather than data breach or incident. Relevant is a malfunction to the availability, integrity, authenticity and confidentiality of information technology systems, components or processes that (can) lead to a malfunction or significant impairment of the functionality of the critical infrastructures.
Any data that is personal data according to Article 4 No 1 of the GDPR is covered.
All systems that are used to process personal data are covered.
Pursuant to EU Regulation 2017/745, medical devices are subject to cybersecurity requirements when they include software components. However, in the wake of the COVID-19 pandemic, the entry into force of the regulation has been postponed to 26 May 2021.
There are no special or additional legal requirements concerning industrial control systems. However, whenever there is processing of personal data, the GDPR is applicable.
There are no special or additional legal requirements concerning the internet of things. However, whenever there is processing of personal data, the GDPR is applicable.
ENISA has published a list of good practices with respect to security of the internet of things in the context of smart manufacturing and developed an interactive web-based online tool aimed at guiding IoT operators and smart infrastructure firms when conducting risk assessments.
Article 33 of the GDPR provides that in the event of a breach of the protection of personal data, the controller must notify the competent supervisory authority without delay and, if possible, within 72 hours. To facilitate notification, the supervisory authorities have set up extensive input masks that can be processed online.
Notification may only be dispensed with if the violation "is not likely to pose a risk to the rights and freedoms of natural persons". However, when processing data on behalf of a contractor, the contractor must immediately inform the responsible party ("controller") about the data breach and support the responsible party in reporting the data breach by providing the responsible party with the information available to them (Article 28 paragraph 3 litera f, GDPR).
Where the breach of the protection of personal data is likely to present a high risk to the personal rights and freedoms of natural persons, the controller shall notify the data subject of the breach without delay (Article 34 paragraph 1, GDPR).
Pursuant to Section 8b of the BSIG, operators of critical infrastructures must immediately report to the BSI any disruption to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that (can) lead to a failure or significant impairment of the functionality.
The body of the independent federal and state data protection authorities (Datenschutzkonferenz, or DSK) has published a short paper that serves as a first orientation (especially for the private sector) to the manner in which to conduct a risk assessment. According to this, the risk assessment should be done in the following phases.
In order to identify data protection risks, the following questions can be used as a starting point.
Estimation of the Probability of Occurrence and Severity of Possible Damage
The probability of occurrence and severity are estimated for each potential loss. In general, they cannot be mathematically summarised or calculated. One way of measuring a risk is to show a gradation of the severity and probability of occurrence of a possible loss on a scale, with four values: slight/low, manageable, substantial and big/high.
Allocation to Risk Grades
Once the probability of occurrence and the severity of possible losses have been determined, they must be assigned to the risk categories "low risk", "risk" and "high risk". If the potential damage is large and the probability of occurrence is high, there is a high risk. If, on the other hand, the possible damage is small and the probability of occurrence low, there is a low risk.
Sector-Specific Risk Management
Pursuant to Section 8b of the BSIG, operators of critical infrastructures must immediately report to the Federal Office for Information Security any disruption to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes. However, a notification is not required if the disturbance does not and/or cannot lead to a significant impairment of the operability of the operated critical system.
According to the minimum requirements for risk management in banks and financial service providers (MaRisk) issued by BaFin, the following risks are to be classified as material:
The institution must set up appropriate risk management and risk controlling processes that ensure the identification, assessment, management, monitoring and communication of the main risks and associated risk concentrations.
Furthermore, GDPR Recitals 75 and 76 require that when assessing risk, consideration should be given to both, the likelihood and severity of the risk to the rights and freedoms of data subjects. It further states that risk should be evaluated on the basis of objective assessment. Article 29 of the Working Party Guidelines recommend that controllers consider the following specific criteria when assessing the risk of harm:
Lastly, ENISA has produced recommendations for assessing the severity of a potential breach.
The BSI recommends the following basic measures for cybersecurity:
Any conflict or issue with cybersecurity will most likely involve personal data. In that case, the GDPR and the BDSG will be applicable.
This underlines the strong connection between cybersecurity, privacy and data protection.
Under Article 33 of the GDPR, in the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory data protection authority.
This includes information about:
Pursuant to Section 8b of the BSIG, operators of critical infrastructures must immediately report to the BIS any disruption to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that (can) lead to a failure or significant impairment of the functionality.
The notification shall contain information on the failure, on possible cross-border effects and on the technical conditions, in particular the presumed or actual cause, the information technology affected, the type of facility or installation affected, the critical service provided and the impact of the failure on that service.
The BSI founded the Alliance for Cybersecurity in order to strengthen Germany's resistance to cyber-attacks.
Participants in the Alliance for Cybersecurity will have access to an extended range of services, in particular information on the cybersecurity situation, alerts and further background information. Due to the partially confidential nature of this information, the sharing of this content must be restricted and is subject to restrictions under the Traffic Light Protocol (TLP).
Currently, 4,178 companies and institutions are members of the initiative – and more are joining every day.
IT service and consulting companies and IT manufacturers are equally represented in the network as user companies of all sizes and from all sectors. This diversity is an important guarantee for a rich exchange of IT expertise and application experience, from which all participants benefit.
The web-based online service Knuddels, which essentially offers a chat service for people aged 14 and over, was fined EUR20,000 because the user passwords were stored without encryption. The website was hacked, which is why the infringement was discovered. Knuddels therefore co-operated with the supervisory authority, which is an important factor in the fine remaining modest.
The highest fine imposed by German data protection authorities is EUR14.6 million. The real estate company Deutsche Wohnen SE stored personal data of its tenants without checking whether this was lawful and necessary. Despite a previous request in 2017 to remedy the deficiencies in data protection, no improvement was achieved. Deutsche Wohnen SE has announced that it will take action against the fine.
The Berlin-based company Delivery Hero was fined almost EUR200,000 for not deleting customer data records and for sending illegal advertising emails.
These fines are all based upon violations of the GDPR. As yet, the BSI has not exercised the right to impose a fine for violations of the BSIG.
Please see 8.1 Regulatory Enforcement or Litigation.
The applicable legal standards are provided by the GDPR, the BDSG, the TKG, the BSIG, the EnWG and the EU Cybersecurity Act.
There are no known major private enforcement cases yet.
In Germany, class actions are generally not permitted, as German law does not allow for group actions. In general, each plaintiff must present and prove their individual affectedness, individual damage and the causal link between the two.
The Model Declaratory Action
However, in 2018, the model declaratory action was introduced. This enables claims of a large number of consumers who have suffered similar damage to be efficiently enforced. Registered consumer protection associations have the option to establish factual and legal prerequisites for the existence or non-existence of claims or legal relationships determined in favour of at least ten affected consumers. The model declaratory action is conducted exclusively between the plaintiff, the consumer protection association and the defendant. The affected consumers can register their claims in a register of actions and thus achieve the suspension of the limitation period of their possible claims. The ruling on the model declaratory action has a binding impact on the subsequent actions of the consumers. It is to be expected that this instrument will be used for damage claims according to Article 82 of the GDPR. So far this has not been the case, though.
A few model declaratory actions have been brought in Germany since 2018. It seems that German courts are carefully considering whether or not those bringing the claims fulfil the requirements of a "qualified institution". Where the courts are not satisfied that the claimant associations pursue the rights of consumers, but instead forward their own financial interests, the action is terminated.
The Volkswagen model declaratory action revealed that it took the courts almost one year to hold the first oral hearing. This was because claimants actively encouraged individuals to de-register and pursue their claims individually. The reason behind this is that consumers are often under the impression that stand-alone claims will arrive at a quicker solution. In cases of less complexity, judgments can be expected fairly quickly.
The GDPR provides for draconian penalties for violations. For this reason and because of the reputational and business risks involved, cybersecurity has become a crucial component of due diligence in the mergers and acquisitions sector. The due diligence process shall at least encompass an analysis of the applicable legal requirements regarding cybersecurity, an analysis of cybersecurity practices and, where appropriate, questions to the management department. Share purchase agreements may include guarantees or safeguards of cybersecurity policies and practices, where appropriate.
There is no regulation requiring disclosure for cybersecurity risk profile or experience.
All significant issues have already been addressed.