Last review date: 17 December 2024
Yes.
- general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
- requirement to undertake third party due diligence (security assessment of third party providers)
- reasonable security controls
- encryption:
Not a strict legal requirement, but encryption is considered by the GDPR as an appropriate technical and organizational measure. In practice, the authorities expect encryption unless specific circumstances justify no encryption.
- other
By way of an example for a sector specific law, the German Telecommunications Act includes security obligations applicable to providers of telecommunications services and networks. Other specific laws, such as Sec. 393 Social Security Code V, may contain additional requirements.
Last review date: 17 December 2024
- public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks)
- network information security requirements (broader than telecommunications)
- health regulatory requirements
- financial services requirements
- telecommunication requirements
- providers of critical infrastructure
- digital or connected (IoT) products
- other
If yes, please provide brief details of the relevant law or regulation.
Various EU level requirements directly applicable also in Germany (some of which contain a grace period for the implementation). Also a variety of sector specific German laws, e.g. the Telecommunications Act and Sec. 393 Social Security Code V.
- Data privacy
- Securities or public company
- network information security
- health
- financial services
- telecommunications
- critical infrastructure
Last review date: 17 December 2024
Yes.
"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Last updated date: 17 December 2024
Data protection authorities
- in case of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
- without undue delay and, where feasible, not later than 72 hours after having become aware of it
Affected individuals
- without undue delay (Art. 34 para. 1 GDPR)
- if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, unless any of the following conditions are met:
- the controller has implemented technical and organizational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption; or
- the controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize.
Other:
There shall be public communication or similar measure whereby the data subjects are informed in an equally effective manner (instead of informing the data subjects individually) if the communication to the data subject would involve disproportionate effort.
Last review date: 17 December 2024
Controller/ owner
- in case of a personal data breach (irrespective of a risk to the rights and freedoms of the data subjects)
- without undue delay after becoming aware of it (Art. 33 para. 2 GDPR)
Last review date: 17 December 2024
Yes.
- health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)
- financial services requirements
- telecommunication requirements
- providers of critical infrastructure
- other
If so, please provide brief details of the relevant law / guidance and indicate which body/bodies must be notified of the breach.
The BSIG sets out general security breach notifications applicable to all providers of critical infrastructures.
Relevant sector-specific laws include e.g. § 11 (1c) Electricity and Gas Supply Act, § 44 b Law on the peaceful use of nuclear energy and protection against its dangers, § 329 (1) sentence 2 Social Security Code V, § 54 Payment Services Supervision Act, § 26 Securities Trading Act.
Breach notification requirements under the BSIG also apply to providers of digital services as well as companies in the special public interest.
Details regarding the identified data security breach notification requirements
- The BSIG sets out various non sector-specific breach notification requirements:
- According to the BSIG as currently in force (Sec. 8b BSIG), operators of critical infrastructures must, without undue delay, and via the contact that must be nominated to BSI by all such providers, notify the BSI of any:
1. disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that have led to a failure or to a significant impairment of the functionality of the critical infrastructures they operate,
2. significant disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that have led to a failure or to a significant impairment of the or significant impairment of the functionality of the critical infrastructures they operate.
The report must contain in particular information on the disruption, possible cross-border effects and applicable technical details, in particular the suspected or actual cause, the information technology affected, the type of facility or system affected, the critical service provided and the impact of the disruption on the service. In specified cases, BSI is entitled to require among others affected critical infrastructure operators to hand over relevant information, including personal data, where necessary for handling the breach.
Sec. 8d BSIG includes sector specific exemptions from the general breach notification requirement, for instance for providers of publicly available telecommunication services (see below for information on rules applicable to such providers as one example of overriding sector-specific breach notification requirements).
- Providers of digital services are subject to specific breach notification requirements under the BSIG (Sec. 8c BSIG). Such providers must notify any security incident that has a significant impact on the provision of a digital service they provide within the European Union to the BSI without delay, unless the provider does not have sufficient access to information needed to determine the impact of the breach on the basis of the criteria set out in Sec. 8c BSIG. The content of the notification is as for providers of critical infrastructures unless otherwise prescribed by EU level implementation acts issued by the EU Commission.
- Certain companies in the special public interest must submit a self-declaration on IT security to the Federal Office of for Information Security (Sec. 8f para. 7 BSIG) and from the time at which they are obliged to submit such self-declaration, must report the following incidents to the without undue delay to the BSI via a contact they must register with the BSI:
1. disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that have led to a failure or to a significant impairment of the provision of value creation,
2. significant disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that could lead to a failure or significant impairment of the provision of value creation.
The notification must contain information on the disruption, the technical details, in particular the suspected or actual cause, the information technology affected, and the type of facility or system affected.
- Specified companies in the special public interest must, according to Sec. 8f para. 8 BSIG report the following incidents to the BSI without undue delay:
1. disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that have led to an incident in accordance with the Hazardous Incident Ordinance as amended,
2. significant disruptions to the availability, integrity, authenticity and confidentiality of their IT systems, components or processes that could lead to an incident in accordance with the Hazardous Incident Ordinance as amended.
The notification must contain information on the incident, technical details, in particular the suspected or actual cause, the information technology affected, and the type of facility or system affected.
- According to the BSIG as currently in force (Sec. 8b BSIG), operators of critical infrastructures must, without undue delay, and via the contact that must be nominated to BSI by all such providers, notify the BSI of any:
- Telecommunications law-based incident and breach notification requirements as one example of sector-specific requirements:
- The German Telecommunications Act includes specific breach notification requirements (Sec. 168 German Telecommunications Act), which apply to anyone who provides a public telecommunications network or publicly available telecommunications services.
A security incident means any event having an adverse effect on the security of telecommunications networks or telecommunications services. This includes incidents that lead to a reduction of availability of the services provided over a network as well as incidents that lead to an unauthorized access to users' telecommunications or data processing systems. Only incidents with a significant impact need to be notified, which needs to be assessed by the provider; non-exhaustive criteria from this assessment are set out in the law and in applicable guidance. The Federal Network Agency and the Federal Office for Information Security have to be informed. The authorities must be informed without undue delay (Sec. 168 para 1 of the German Telecommunications Act, "unverzüglich"). The notification must be made using a specific form provided by the authorities, which also sets out the information to be provided and the contact data for submitting the notification. If not all information is available initially, a first notification must be filed and a subsequent notification once all relevant information is available. The notification must generally be made via email or telefax. After the incident has been remedied, a final report must be filed without undue delay, but latest three days after the incident has been remedied.
In case of a particular and significant danger of a security incident, the affected users must be informed about available protection measures and remedies, which may be taken by the users, and in certain cases also on the danger as such.
- Furthermore, providers of publicly available telecommunication services must notify personal data breaches based on the specific requirements set out in Sec. 169 of the German Telecommunications Act (in connection with Regulation (EU) No. 611/2013):
A data breach occurs when the protection of personal data is violated - that is, there is a violation of data security that leads to the loss, unlawful deletion, modification, storage, dissemination or other illegitimate use of personal data, as well as the unlawful access to these. Both the Federal Network Agency and the Federal Commissioner for Data Protection and Freedom of Information have to be informed. The authorities have to be informed by the provider of publicly available telecommunication services without undue delay. Regarding this notification under Sec. 169 of the German Telecommunications Act this means that notification must be made within 24 hours from the point in time where the data breach has been detected (i.e. the provider has sufficient knowledge of a breach which may have caused a violation of the protection of personal data). Where not all required information is available at this point in time yet, a second notification must be made without undue delay, however latest within three days from the first notification (at a minimum, all information available at this point in time must be provided). There is no materiality threshold for this notification to the relevant authorities. The notification must be made using a specific form provided by the authorities (which also sets out the information to be provided), which must be used also for a second notification.
It is mandatory to inform affected individuals, without undue delay, in cases where it is reasonable to expect that the infringement severely violates the rights or protectable interests of such individuals (subject to exceptions, e.g., where certain security measures have been taken and documented). Users must always be informed without undue delay if the breach results from users' data processing equipment.
Providers must document personal data breaches in a registry that must be provided to the authorities upon request. Breaches that reach back more than five years need not be taken into account.
- The German Telecommunications Act includes specific breach notification requirements (Sec. 168 German Telecommunications Act), which apply to anyone who provides a public telecommunications network or publicly available telecommunications services.