Selected Topics in English

About Stiftung Datenschutz

The Stiftung Datenschutz (Foundation for Data Protection) was established by the German Federal Government in 2013. The non-profit incorporated foundation is based in Leipzig, Saxony. The NPO offers a neutral forum for debates around effective and efficient data policy and develops recommendations for privacy politics. Acting independently in the field of data privacy, Stiftung Datenschutz links politics and the public, academics and business. It complements existing organizations and initiatives while liaising closely with German data protection authorities on state and federal levels.

Stiftung Datenschutz acts as an independent information and discussion platform. Its aim is to develop proposals for improving data privacy, to work on them in projects with experts from the relevant circles, and to discuss them publicly. The foundation does not act as a research institution, but as an interface between science, business, society and politics. This structure and focus is also the foundation's unique selling point: Neither data protection supervisory authorities nor trade associations or other organizations offer a neutral discussion platform that deals exclusively with data protection.

Stiftung Datenschutz aims to promote solutions that combine effective protection of fundamental rights with sufficient scope for technological progress and new business models. In our view, it should not be "innovation or data protection" but "innovation and data protection". We aim to provide a lobby for data privacy. We use information measures to counter GDPR myths and want to clarify what data protection law, when interpreted and applied pragmatically, can enable and does not inhibit.

Data Protection Discourse

In our new format, Data Protection Discourse, we bring together different opinions and perspectives to make data protection easier to understand and thus promote it. Prof. Dr. Christiane Wendehorst from the Institute for Innovation and Digitalization in Law at the University of Vienna and Maximilian Schrems, CEO of NOYB – European Center for Digital Rights, kicked off the series. In conversation with Frederick Richter, they put the ongoing debate on GDPR reform into context. See the video with English subtitles.

The consensus was that the GDPR does not always work in practice. This is partly because the one-size-fits-all approach does not suit everyone. According to Wendehorst, the legislation demands too little from large data-processing corporations and too much from small associations. She therefore advocates that large software manufacturers or service providers should be held primarily liable. Schrems supports this, arguing that the aspect of order processing in particular has not been well thought out. It is simply impossible to check the processing organizations in detail.

Wendehorst would also like to define a list of data offenses that are prohibited at all times and for everyone. According to Schrems, a whitelist would be just as necessary to ensure greater security for permitted data processing operations. Our two guests also considered who the GDPR should actually apply to and to what extent. Wendehorst and Schrems do not consider the number of employees to be a plausible basis. It would be better to base it on the number of people affected. Schrems advocates such thresholds. Although this could still leave some gray areas, thresholds work very well in other areas of law. Think of driver's licenses based on car weight classes.

Traffic regulations are also a good example of law enforcement, which works much better here than with the GDPR. Data protection checks instead of speed checks, so to speak. Wendehorst sums it up: The GDPR often seems like a law that does not have to be obeyed. Schrems complains that data protection authorities have failed to convey a sense of general prevention. Unfortunately, there is often a lack of resources and expertise, but also a lack of political will to really control the big players.

Anonymisation of Personal Data

Data is at the heart of the digital transformation. The exchange of personal data between public and private entities is steadily increasing. The European Data Strategy is intended to help the EU take a leading role in the international competition for data-driven business models. 

At the end of 2022, a team led by Prof. Dr. Rolf Schwartmann from the Research Centre for Media Law at Cologne University of Applied Sciences and the Gesellschaft für Datenschutz und Datensicherheit (GDD) e.V. (Society for Data Protection and Data Security) was commissioned by the Stiftung Datenschutz (Data Protection Foundation) to draw up a set of basic rules for the anonymisation of personal data.


PROJECT CONSENT & PERSONAL INFORMATION MANAGEMENT SERVICES

In our networked world, the disclosure of personal information has long been a part of everyday life. People can't benefit from the digital services available without consenting to the use of personal details. However, the associated data protection policies are usually long and often remain unread because of their legal jargon and technical complexity and because readers lack the time. As a result, the content of such "data protection terms and conditions" is more or less agreed to blindly. The growing number of requests for data protection consent also overwhelms data owners with the need to make decisions, deadening them into a state of 'rational ignorance' and ultimately devaluing the significance of providing consent. In real life, the ideal data protection situation of 'informed consent' is a rarity.

In a project funded by the Federal Ministry of the Interior, the non-profit Federal Foundation for Data Protection compared a number of different data consent projects. We also investigated the legal and economic conditions for the implementation of consent platforms. The study looks at possible ways of using technology to facilitate the legal validity of the consent process in terms of greater self-determination and user control. Proposals are developed on how the process of consent in data protection law and practice can be made more practicable and provided with technical support.


THE RIGHT TO DATA PORTABILITY

When the General Data Protection Regulation became effective in May 2018, every person in the EU was given, for the first time, the right “to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format”. In our project, the Stiftung Datenschutz has examined possible ways of practically implementing the right to data portability.


TRUSTED CLOUD DATA PROTECTION PROFILE

Supported by the Federal Ministry of Economics, a consortium consisting of members from enterprises, data protection authorities and legal scholars developed a framework for a free and secure standard for data protection in cloud services, as required by the Federal Data Protection Act.

The TCDP standard is currently under the administration of the independent Foundation for Data Protection. Preparations are underway to adapt TCDP to the European Data Protection Regulation, which will come into effect in May 2018.

The TCDP standard was developed to create a certification standard that meets all criteria defined in the FDPA. A cloud service provider with the TCDP certificate can be considered compliant with FDPA requirements, saving their clients the obligation to control the technical and organizational measures. The certification process can be tailored to the needs of the cloud service provider.


Download Brochures

"Data Protection at Work – A Handout for Employees" is intended to provide the necessary background and present the legally required information in a practical manner.

"Data Protection in a Nutshell – What Employees Need to Know" summarizes the most important points briefly and succinctly. For all those who want compact and practical information on the requirements of company data protection.