Summarize data protection and privacy laws and regulations in Germany.
- [Instructor] Now we'll cover the Federal Republic of Germany, where serious breaches are punished by imprisonment for a maximum period of two years. There are actually three types of breaches in Germany. While minor breaches have no administrative or financial penalty, moderate breaches have an administrative financial penalty of up to 50,000 euro, and serious breaches can have a penalty of up to 300,000 euro. The Data Protection Act is applicable to all federal public authorities, state public authorities, and all non-public entities that are processing personally identifiable information. The act does not show any significant limitation to the scope of PII. This means that practically all data that provides information about personal or factual relationships of an identified or at least identifiable natural person is covered by the Data Protection Act. In fact, according to the data protection authority, even email and IP addresses are classified as personally identifiable information in Germany. Notice must be provided to every individual whose personal data is being processed. The information notice must at a minimum contain the type of data, the identification of the data controller, and the purpose for processing. As a general rule, appropriate steps must be taken to ensure that the data is correct and accurate for the purpose for which it is obtained and processed. The data controller must implement appropriate technical and organizational measures to protect PII against loss or any form of unlawful processing. These measures must guarantee an appropriate level of security, taking into account the state of the art and the cost of implementation. Transfers of data outside of the European Economic Area are only allowed to countries or territories that are considered by the European Commission to provide an adequate level of data protection. Relevant exemptions for this are European Union-approved data transfer agreements and any binding corporate rules.
With respect to data transfers to the United States, the US Safe Harbor agreement has now been replaced by the EU-US Privacy Shield agreement. Cloud computing services are services for commissioned data processing on behalf of the respective data controller. Hence, the data controller has to meet all requirements for assigning data processors. Also, the data protection authority has issued a guidance paper on the use of cloud computing services.