GDPR - Relevant Articles
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The GDPR has been directly applicable law in all Member States since 25 May 2018.
The articles reproduced below are particularly relevant to the use and maintenance of open-source components: the principles of processing (especially integrity, confidentiality and accountability), the requirements for data protection by design, the technical and organisational measures according to the "state of the art", the notification obligations in the event of data breaches and the rules for calculating administrative fines. The text is the official English version of the Regulation.
Definitions (Art. 4)
Art. 4 No. 1 - personal data
'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Art. 4 No. 7 - controller
'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Art. 4 No. 8 - processor
'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Art. 4 No. 12 - personal data breach
'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Principles relating to processing (Art. 5)
Art. 5 sets out the principles against which every processing of personal data is measured. Of particular relevance for open-source governance are point (f) (integrity and confidentiality) and paragraph 2 (accountability): the controller must be able to demonstrate compliance with all principles - without proof, no defence.
Art. 5(1)(f) - integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
Art. 5(2) - accountability
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').
Data protection by design (Art. 25)
Art. 25 requires that data protection principles are taken into account already when selecting and designing the technical means - specifically "taking into account the state of the art". An outdated or unmaintained open-source component falls below the state of the art by definition.
Art. 25(1)
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
Processor (Art. 28)
Any entity that processes personal data on behalf of a controller - MSPs, SaaS providers, agencies, system integrators - may only do so if it provides "sufficient guarantees" of appropriate technical and organisational measures. This obligation applies directly in the relationship with customers: if the guarantees are missing, the engagement itself is unlawful.
Art. 28(1)
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Security of processing (Art. 32)
Art. 32 is the central provision for technical and organisational measures (TOMs). It expressly requires that confidentiality, integrity, availability and resilience of processing systems and services are ensured on an "ongoing" basis - and that the effectiveness of the measures taken is regularly tested. Orphaned or unmaintained open-source components break both requirements: ongoing resilience is no longer assured, and a one-time component selection does not satisfy the obligation for regular testing.
Art. 32(1)
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Art. 32(2)
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Notification of personal data breaches (Art. 33)
Art. 33 sets the notorious 72-hour deadline: the controller must notify a data breach to the supervisory authority within 72 hours of becoming aware of it. The notification must include the categories and approximate number of affected data records, the likely consequences and the remedial measures taken - information that cannot be delivered within the deadline without full knowledge of one's own software components (SBOM).
Art. 33(1)
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Art. 33(3)
The notification referred to in paragraph 1 shall at least: (a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; (c) describe the likely consequences of the personal data breach; (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Art. 33(5) - documentation obligation
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
Communication to data subjects (Art. 34)
Art. 34(1)
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Administrative fines (Art. 83)
Art. 83 governs the imposition of administrative fines. Of key relevance for OTTRIA are paragraph 2 point (d) (technical and organisational measures under Art. 25 and 32 are expressly taken into account as mitigating factors) as well as paragraph 4 (up to EUR 10 million or 2% of worldwide annual turnover for infringements of Art. 25 to 39) and paragraph 5 (up to EUR 20 million or 4% for infringements of the principles under Art. 5).
Art. 83(2)
Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following: (a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; (b) the intentional or negligent character of the infringement; (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; (e) any relevant previous infringements by the controller or processor; (f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
Art. 83(4) - fines up to EUR 10 million / 2 %
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43; (b) the obligations of the certification body pursuant to Articles 42 and 43; (c) the obligations of the monitoring body pursuant to Article 41(4).
Art. 83(5) - fines up to EUR 20 million / 4 %
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; (b) the data subjects' rights pursuant to Articles 12 to 22; (c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49; (d) any obligations pursuant to Member State law adopted under Chapter IX; (e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
Source
Official English text: Regulation (EU) 2016/679.