datenrecht.ch

FDPIC: Final reports on Xplain, fed­pol and BAZG

The FDPIC published the final reports in his inve­sti­ga­ti­on into the facts of the Xplain AG, fed­pol and BAZG cases on April 25, 2024. publishedafter a very expe­di­tious cla­ri­fi­ca­ti­on of the facts by the stan­dards of the FDPIC.

Back­ground

The back­ground to this was the well-known dou­ble extor­ti­onRan­som­wa­re attack on Xplain. A fair­ly detail­ed descrip­ti­on can be found at Insi­de ITas well as a Inter­view with the CEO of Xplain from Febru­ary 2024.

The attackers, a group cal­led Playhad cap­tu­red a lar­ge amount of data in May 2023. This was cri­ti­cal becau­se Xplain had been working pri­ma­ri­ly as an IT pro­vi­der for the Fede­ral Admi­ni­stra­ti­on in the area of inter­nal secu­ri­ty sin­ce 2000, e.g. for the Fede­ral Office for Cus­toms and Bor­der Secu­ri­ty (BAZG). The affec­ted systems – refe­rence instal­la­ti­ons, deve­lo­p­ment, test, admi­ni­stra­ti­on and build envi­ron­ments – appar­ent­ly con­tai­ned around 1.5 TB of data, of which around 600 GB was exfil­tra­ted and – becau­se Xplain had refrai­ned from paying a ran­som – around 430 GB (146,623 files; but a lar­ge pro­por­ti­on were dupli­ca­tes) was published; pre­su­ma­b­ly wit­hout the attackers exami­ning the con­tent of the data more clo­se­ly. The NCSC, which led the fede­ral government’s hand­ling of the inci­dent, has com­pi­led a report on the affec­ted data and published.

Data from Xplain, fed­pol, the FOJ and other agen­ci­es assi­gned to the FDJP, as well as the DDPS, Seco and other can­to­nal and fede­ral aut­ho­ri­ties were main­ly affec­ted. The data also con­tai­ned per­so­nal data, in addi­ti­on to some data objects clas­si­fi­ed as inter­nal or con­fi­den­ti­al – but not secret. The FDPIC illu­stra­tes the inci­dent as follows:

Admi­ni­stra­ti­ve inve­sti­ga­ti­on by the Fede­ral Council

As a result of the attack, the FDPIC and the Fede­ral Coun­cil com­mis­sio­ned Ober­son Abels to con­duct an admi­ni­stra­ti­ve inve­sti­ga­ti­on from the end of August 2023. report dated March 28, 2024 was con­clu­ded (cri­mi­nal pro­ce­e­dings by the BA are still ongo­ing). The sub­ject of the inve­sti­ga­ti­on was how Xplain came into pos­ses­si­on of pro­duc­ti­ve data from the Fede­ral Admi­ni­stra­ti­on, whe­ther this was due to a lack of suf­fi­ci­ent TOMs and whe­ther the Fede­ral Admi­ni­stra­ti­on brea­ched its obli­ga­ti­ons in moni­to­ring Xplain.

The report came to the con­clu­si­on that the­re were pro­cess defi­ci­en­ci­es on the part of the fede­ral govern­ment (e.g. lack of dual con­trol prin­ci­ple when trans­fer­ring pro­duc­ti­ve data to Xplain), that Xplain had not been ade­qua­te­ly moni­to­red and that the fede­ral govern­ment had also vio­la­ted data pro­tec­tion obli­ga­ti­ons in rela­ti­on to Xplain as a pro­ces­sor. Appar­ent­ly, the­re was also a lack of cla­ri­ty regar­ding the frag­men­ted respon­si­bi­li­ties within the various fede­ral agen­ci­es invol­ved. A depen­den­cy on Xplain was also established.

At its mee­ting on May 1, 2024, the Fede­ral Coun­cil the­r­e­fo­re deci­dedto take mea­su­res. He expects the situa­ti­on to impro­ve as ear­ly as Janu­ary 1, 2024 as a result of the ISGbut it has deci­ded on fur­ther mea­su­res to be imple­men­ted by the end of 2024:

  • addi­tio­nal secu­ri­ty requi­re­ments for coope­ra­ti­on with sup­pliers (crea­ted by the end of 2024) to streng­then con­trol and audit capabilities;
  • Func­tion-rela­ted trai­ning con­cept for trai­ning and sen­si­tiz­ing employees with regard to safe­ty requirements;
  • Over­view of the fede­ral aut­ho­ri­ties’ exi­sting means of communication;

The DDPS is also tas­ked with revie­w­ing the Confederation’s basic ICT pro­tec­tion by the end of 2024 and pro­po­sing any neces­sa­ry adjust­ments. The BACS will also “demon­stra­te” how coor­di­na­ti­on bet­ween the Con­fe­de­ra­ti­on, can­tons and sup­pliers will take place when deal­ing with cyber­at­tacks and what cri­te­ria will be used to assess the ext­ent of cyberattacks.

Final report on Xplain

Tran­si­tio­nal law

In the final report on Xplain, the FDPIC comes to the con­clu­si­on that various recom­men­da­ti­ons should be made. Howe­ver, as with all fac­tu­al inve­sti­ga­ti­ons initia­ted under the old law, the pro­blem ari­ses that they were or are to be con­clu­ded for­mal­ly and sub­stan­tively under the old FADP in accordance with tran­si­tio­nal law (Art. 70 FADP). As a result, the FDPIC’s fin­dings and, whe­re appli­ca­ble, recom­men­da­ti­ons are essen­ti­al­ly of a legal-histo­ri­cal natu­re, becau­se unli­ke the FDPIC when con­duc­ting the fact-fin­ding, the addres­sees of the fact-fin­ding have been sub­ject to the new FADP sin­ce Sep­tem­ber 1, 2023. The que­sti­on the­r­e­fo­re ari­ses as to whe­ther the FDPIC’s recom­men­da­ti­ons would also be rele­vant under the new law. The FDPIC the­r­e­fo­re repea­ted­ly refers to the new law in the final report in order to give the con­side­ra­ti­ons a litt­le more weight; howe­ver, the­re is no actu­al exami­na­ti­on of the ext­ent to which the new law actual­ly cor­re­sponds to the old FADP.

Added to this is the fact that Art. 70 FADP only pro­vi­des for the old law to con­ti­n­ue to app­ly to the actu­al cla­ri­fi­ca­ti­on of the facts. Sin­ce any action brought befo­re the Fede­ral Admi­ni­stra­ti­ve Court by the FDPIC or the addres­see of the cla­ri­fi­ca­ti­on would open a new, sepa­ra­te pro­ce­du­re – it is not an appeal pro­ce­du­re – a sepa­ra­te tran­si­tio­nal pro­vi­si­on would be requi­red for this. In the absence of such a pro­vi­si­on, neither the FDPIC nor the addres­see of the final report can bring an action befo­re the Fede­ral Admi­ni­stra­ti­ve Court (the addres­sees had a right of action under Art. 35 lit. b VGG, which was dele­ted by the new FADP).

If a recom­men­da­ti­on is rejec­ted or not imple­men­ted, the FDPIC would the­r­e­fo­re only have an inve­sti­ga­ti­on under the new DPA. Sin­ce the VwVG was only applied ana­log­ous­ly to the cla­ri­fi­ca­ti­on of the facts, the FDPIC would have to reas­sess the facts accor­ding to the rules of the VwVG and eva­lua­te them accor­ding to the new law. In other words, the tran­si­tio­nal pro­vi­si­on of Art. 70 FADP is ina­de­qua­te in its approach, but is beco­ming less and less important (many fac­tu­al cla­ri­fi­ca­ti­ons are no lon­ger pending).

Legal con­side­ra­ti­ons

From a legal per­spec­ti­ve, the final report has two main topics: the role of Xplain and com­pli­ance with data secu­ri­ty. Here, the FDPIC reli­es on his fin­dings of fact, which Xplain had clas­si­fi­ed as incorrect.

From the FDPIC’s per­spec­ti­ve, Xplain was acti­ve in two roles:

  • As the per­son respon­si­ble for their own processing:

    Xplain acts as the con­trol­ler inso­far as per­so­nal data about cus­to­mers, employees, etc. are pro­ce­s­sed. In doing so, Xplain must com­ply with the basic prin­ci­ples of the Data Pro­tec­tion Act […].

  • As order pro­ces­sor, as far as Xplain Soft­ware developed:

    Xplain’s core busi­ness is the deve­lo­p­ment of stan­dard soft­ware for home­land secu­ri­ty […]. As part of this acti­vi­ty, per­so­nal data of the cli­ent is also trans­fer­red to Xplain, in par­ti­cu­lar in the con­text of pro­ject data and bug fixes […]. It is irrele­vant that the trans­fer of this data is only a side effect of Xplain’s actu­al task. It is also irrele­vant that this data pro­ce­s­sing is minor com­pared to Xplain’s core acti­vi­ties. […] As the con­trac­tu­al agree­ments show, the pro­ce­s­sing of per­so­nal data is inclu­ded in par­ti­cu­lar in the ser­vices agreed with Xplain […]. In this con­stel­la­ti­on, Xplain is to be qua­li­fi­ed as a pro­ces­sor within the mea­ning of Art. 10a aDSG.

The FDPIC does not spend time here ana­ly­zing the roles in more detail. Accor­ding to the in par­ti­cu­lar from the BayL­DAbut also repre­sen­ted by the EDSA and also recei­ved in Switz­er­landCen­ter of gra­vi­ty theo­ry”, the decisi­ve fac­tor would be whe­ther the pro­ce­s­sing of per­so­nal data is the actu­al object of the ser­vice pro­vi­si­on (order pro­ce­s­sing, e.g. in the case of hosting or SaaS ser­vices) or mere­ly a side effect of a dif­fe­rent ser­vice (acti­vi­ty as a con­trol­ler, e.g. ser­vices of the libe­ral professions).

This is pro­ba­b­ly in the inte­rests of the fede­ral agen­ci­es – if Xplain were a con­trol­ler, the que­sti­on would ari­se as to whe­ther Xplain may be pro­vi­ded with per­so­nal data at all, which is much easier in the case of a pro­ces­sor. It should be noted that a con­trol­ler can also be an auxi­lia­ry per­son in the sen­se of (offi­ci­al) sec­re­cy law and may be con­sul­ted accor­din­gly if he or she lege artis is appoin­ted and included.

But Xplain also has ano­ther role to play: that of the respon­si­ble becau­se the rele­vant spe­ci­fi­ca­ti­ons are not com­plied with during order pro­ce­s­sing:

In its func­tion as pro­ces­sor, Xplain must pro­cess per­so­nal data in accordance with the ins­truc­tions of the con­trol­ler, in par­ti­cu­lar in accordance with the con­trac­tu­al requi­re­ments and within the scope of what the cli­ent is per­mit­ted to do its­elf (Art. 10a para. 1 lit. aDPA).

If Xplain does not com­ply with the­se requi­re­ments, it will its­elf beco­me the data con­trol­ler under data pro­tec­tion law.

The pre­sent case shows that Xplain did not dele­te the per­so­nal data trans­mit­ted to it in accordance with the con­tract […]. Xplain is respon­si­ble for the sto­rage of this per­so­nal data – which was later published on the darknet.

That is neither enti­re­ly true nor enti­re­ly fal­se. For­mu­la­ted in such abso­lu­te terms, the­re would be no pro­ces­sor in breach of con­tract, only the desi­gna­ted con­trol­ler. Howe­ver, the con­cept of con­trol­ler is not that broad – as is well known, it requi­res suf­fi­ci­ent influence on the pur­po­ses and means of pro­ce­s­sing. If a pro­ces­sor vio­la­tes a secu­ri­ty requi­re­ment, this does not make them a con­trol­ler. Such a chan­ge of role only ari­ses if the con­trol­ler car­ri­es out its own pro­ce­s­sing for its own moti­ves – pur­po­se – or sets essen­ti­al means of pro­ce­s­sing. Howe­ver, this hap­pens when data is stored bey­ond what is con­trac­tual­ly sti­pu­la­ted; in this case, the pro­ces­sor actual­ly beco­mes a con­trol­ler. It is the­r­e­fo­re in the inte­rest of the pro­ces­sor, for exam­p­le, to express­ly regu­la­te fur­ther sto­rage in back­ups etc. – if this is not done and data is not dele­ted after the end of the actu­al pro­ce­s­sing of the order, the pro­ces­sor is a con­trol­ler who is most likely in breach of his obli­ga­ti­ons (e.g. to inform the data subjects).

The FDPIC con­ti­nues to hold:

  • The com­mis­sio­ning fede­ral agen­ci­es were allo­wed to gene­ral­ly assu­me that Xplain has taken appro­pria­te TOMs“sin­ce Xplain, as the con­trol­ler, is sub­ject to the aDSG and must com­ply with atzt 7 aDSG”. This is a some­what stran­ge justi­fi­ca­ti­on, but it is cor­rect that a pro­ces­sor is also sub­ject to the pro­ce­s­sing prin­ci­ples, inclu­ding data secu­ri­ty, and the­r­e­fo­re has its own obli­ga­ti­ons, and that the con­trol­ler may have a cer­tain degree of con­fi­dence in com­pli­ance with the cor­re­spon­ding obli­ga­ti­ons. It is the­r­e­fo­re not gene­ral­ly man­da­to­ry to include a list of TOMs in a DPA, even if this is com­mon (often, howe­ver, with meanin­g­less descrip­ti­ons of very gene­ric TOMs).
  • Inso­far as the per­son respon­si­ble Spe­ci­fic safe­ty requi­re­ments Howe­ver, he must con­trac­tual­ly bind them. (In addi­ti­on, the Basic ICT pro­tec­tion of the fede­ral admi­ni­stra­ti­on sti­pu­la­tes that the ICT secu­ri­ty requi­re­ments of the Con­fe­de­ra­ti­on are to be regu­la­ted by bin­ding contract).
  • The per­son respon­si­ble must check the imple­men­ta­ti­on of and com­pli­ance with the secu­ri­ty mea­su­res – not wrong, but not gene­ra­lizable to all order processing:

    The The pro­ces­sor its­elf must car­ry out audits and unusu­al secu­ri­ty inci­dents to the con­trol­ler. This alre­a­dy results from the basic pro­tec­ti­ve mea­su­res of Art. 7 aDSG and from the prin­ci­ple of good faith. The con­trol­ler may requi­re an audit right and also obtain audit reports from the processor.

  • The sto­rage of per­so­nal data bey­ond what is neces­sa­ry vio­la­tes the prin­ci­ple of data pro­tec­tion. Pro­por­tio­na­li­ty.
  • Xplain had neglec­ted its duty to noti­fy the secu­ri­ty breach (alt­hough such a duty only exi­sted under the aDSG on a con­trac­tu­al basis or in cer­tain con­stel­la­ti­ons as a con­se­quence of the secu­ri­ty principle):

    Imme­dia­te­ly after the ran­som­wa­re inci­dent, Xplain took various mea­su­res to mini­mi­ze the dama­ge […]. It is striking that Xplain was obvious­ly not awa­re of the serious­ness of the inci­dent and did not take the Fede­ral Admi­ni­stra­ti­on only infor­med ten days after the inci­dentalt­hough a peri­od of 24 hours was agreed for such incidents.

The­re is ano­ther inte­re­st­ing point: the FDPIC exami­nes the Com­pli­ance with the mini­mum requi­re­ments for data secu­ri­ty by Xplain and iden­ti­fi­es vio­la­ti­ons – but wit­hout naming or estab­li­shing an abstract rule for deter­mi­ning the mini­mum stan­dard of pro­tec­tion. The FDPIC right­ly sta­tes that the fact of a secu­ri­ty inci­dent should not lead to the con­clu­si­on that the TOMs are ina­de­qua­te (a noti­on that is not sup­port­ed in Art. 4 para. 2 PrHG is expres­sed par­ti­cu­lar­ly clearly):

The mere fact that per­so­nal data from Xplain’s file ser­ver was published on the dark­net does not mean that the mea­su­res were ina­de­qua­te. A resi­du­al risk of a data breach remains with every data pro­ce­s­sing ope­ra­ti­on. The decisi­ve fac­tor is whe­ther mea­su­res appro­pria­te to the risk of data pro­ce­s­sing were taken.

This should also be bor­ne in mind when trans­fer­ring per­so­nal data abroad. Howe­ver, the FDPIC pro­ce­eds by naming secu­ri­ty mea­su­res that had not been taken – e.g. the ope­ra­ti­on of a SOC or the map­ping of con­trac­tu­al requi­re­ments in its own pro­ce­s­ses – and comes to the con­clu­si­on that the FDPIC has not taken any secu­ri­ty mea­su­res. direct­ly to the con­clu­si­on that data secu­ri­ty requi­re­ments were vio­la­ted as a result. Even if this makes sen­se as a result and the FDPIC limits hims­elf to rather gene­ric recom­men­da­ti­ons, the pro­ce­du­re is actual­ly legal­ly incom­ple­te. The FDPIC should have exami­ned the fac­tors accor­ding to Art. 1 GDPR – or rather: accor­ding to Art. 8 ff. and 20 ff. aDPA, i.e. he should have

  • have to explain how the risks for tho­se affec­ted ex ante the scope of dis­creti­on of the controller,
  • have to assess the sta­te of the art, and
  • the cost of imple­men­ting fur­ther pos­si­ble mea­su­res, taking into account the effec­ti­ve­ness of the pos­si­ble measures.

This is also demon­stra­ted by the pre­sent proceedings:

  • Secu­ri­ty mea­su­res are very often neglec­ted in a cli­ma­te of trust and are only cri­ti­cal­ly exami­ned once a breach has occur­red. This demon­stra­tes the importance of exter­nal audits (e.g. pen­tests or other secu­ri­ty reviews), espe­ci­al­ly in the case of clo­se and long-term collaboration.
  • It is not imper­mis­si­ble to lea­ve obli­ga­ti­ons in the area of data secu­ri­ty to the pro­ces­sor, in fact it is the rule. It is dif­fi­cult to say how far the controller’s respon­si­bi­li­ty extends and how far the processor’s respon­si­bi­li­ty extends – but a key TOM for both par­ties is to regu­la­te pre­cis­e­ly this interface.
  • Safe­ty is also a pro­cess issue. Pro­ce­s­ses must exist and be prac­ti­ced. They will not work in an emer­gen­cy if they do not func­tion in stan­dard operation.
  • Com­pa­nies often have a fal­se sen­se of secu­ri­ty when it comes to their own pro­ce­s­ses, pro­ba­b­ly for two rea­sons: First­ly, inter­nal pro­ce­s­sing is felt to take place in a pro­tec­ted space – inter­nal pro­cess defi­ci­en­ci­es are unat­trac­ti­ve from this per­spec­ti­ve, but harm­less. Second­ly, it is known in the abstract how fre­quent cyber attacks have beco­me, but this does not lead to a fee­ling of thre­at, very wron­gly though.
  • Con­ta­mi­na­ti­on of systems with per­so­nal or other sen­si­ti­ve data can have reper­cus­sions. This applies not only to the sto­rage of cus­to­mer data by IT ser­vice pro­vi­ders, but also to the fail­ure to dele­te or anony­mi­ze data on your own systems that may be affec­ted by a breach, which can lead to a need to pro­vi­de expl­ana­ti­ons to tho­se affected.

Recom­men­da­ti­ons

The FDPIC recom­mends the fol­lo­wing mea­su­res to Xplain:

With regard to data secu­ri­ty:

  • Xplain shall take appro­pria­te TOMs in accordance with the law and the con­trac­tu­al requi­re­ments of the Fede­ral Admi­ni­stra­ti­on with regard to 
    • the pro­ce­s­sing of par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data in the con­text of sup­port and main­ten­an­ce processes,
    • the pro­ce­s­sing of per­so­nal data under qua­li­fi­ed con­fi­den­tia­li­ty protection
    • the deve­lo­p­ment of soft­ware in the sen­si­ti­ve area of home­land security.
  • Xplain regu­lar­ly veri­fi­es the­se TOMs of the Fede­ral Admi­ni­stra­ti­on by 
    • estab­lishes an ISMS (wher­eby this is to be cer­ti­fi­ed accor­ding to an inter­na­tio­nal­ly reco­gnized stan­dard as long as Xplain coope­ra­tes with the Fede­ral Admi­ni­stra­ti­on in the area of inter­nal security);
    • estab­lished a risk manage­ment system and
    • mea­su­res are eva­lua­ted on an ongo­ing basis;
  • Xplain “sen­si­ti­zes” its employees
  • Xplain con­ducts peri­odic inter­nal and exter­nal audits.

With refe­rence to fur­ther prin­ci­ples:

  • Xplain inte­gra­tes the con­trac­tu­al obli­ga­ti­ons into its own pro­ce­s­ses, and
  • imple­ments a dele­ti­on con­cept in accordance with legal and con­trac­tu­al requirements.

Publi­ca­ti­on of the final report

It was dis­pu­ted whe­ther and how the final report should be published. Xplain had unsuc­cessful­ly reque­sted that the report not be published, appar­ent­ly essen­ti­al­ly becau­se the facts of the case had not been pro­per­ly estab­lished. Xplain had also deman­ded exten­si­ve redac­tions, appar­ent­ly going as far as anony­mi­zing the final report. The FDPIC made cer­tain redac­tions as usu­al, but not to such an ext­ent, part­ly becau­se anony­mizati­on would not have been pos­si­ble in this case.

Howe­ver, the que­sti­on ari­ses as to how far the FDPIC’s publi­ca­ti­on prac­ti­ce may go. Under both the old and the new FADP, the FDPIC can inform the public about fin­dings and rulings, i.e. today also about inve­sti­ga­ti­ons and rulings, but only “in cases of gene­ral inte­rest” (Art. 57 para. 2 FADP; Art. 30 para. 2 aDSG). This wor­ding is mis­lea­ding: the FDPIC can­not pro­vi­de gene­ral infor­ma­ti­on in such cases, but only if the­re is a spe­ci­fic public inte­rest in the infor­ma­ti­on. A num­ber of fac­tors must be taken into account:

  • Not every inte­rest of the public is a public inte­rest – this applies to the media as well as to the FDPIC. Not ever­ything that the media want to wri­te about is in the public inte­rest. Media publi­ci­ty the­r­e­fo­re does not justi­fy every publi­ca­ti­on. On the con­tra­ry, it can even be a rea­son to refrain from publication.
  • The public’s inte­rest in the acti­vi­ties of the FDPIC in gene­ral is not to be satis­fied by the publi­ca­ti­on of a final report, but through acti­vi­ty reports or media releases.
  • The FDPIC’s inte­rest in pro­ving its own effec­ti­ve­ness is not a public interest.
  • The public inte­rest in infor­ma­ti­on does not requi­re detail­ed infor­ma­ti­on. The public’s atten­ti­on span is short.
  • The inte­rest in the fur­ther deve­lo­p­ment of the law and know­ledge of the FDPIC’s prac­ti­ce is a public inte­rest. It could and should be satis­fied by gui­de­lines and the like, not by final reports, which are often very super­fi­ci­al­ly justi­fi­ed from a legal point of view.

Final reports in terms of fed­pol and BAZG

In con­trast to Xplain, the cla­ri­fi­ca­ti­on of the facts in the case of fed­pol and BAZG was not direc­ted at Xplain’s inter­nal pro­ce­s­ses, but at the actions of the aut­ho­ri­ties them­sel­ves. Howe­ver, the con­tents of the final reports overlap.

Howe­ver, the FDPIC once again cle­ar­ly con­firms that the con­trol­ler may have a cer­tain basic trust in the processor:

The per­son respon­si­ble must pro­vi­de the con­trac­tor with clear spe­ci­fi­ca­ti­ons for safe­ty mea­su­res and moni­tor their imple­men­ta­ti­on and com­pli­ance. If the con­trac­tor its­elf is sub­ject to the aDSG, the con­trol­ler can assu­me that the tech­ni­cal and orga­nizatio­nal data secu­ri­ty mea­su­res (Art. 7 aDSG) are appro­pria­te­ly fulfilled.

Howe­ver, the con­trol­ler may still have to moni­tor the processor:

The con­trol­ler is the­r­e­fo­re obli­ged to careful­ly sel­ect, ins­truct and train the pro­ces­sor. moni­tor as far as neces­sa­ry.

On the merits, the FDPIC sees short­co­mings in par­ti­cu­lar in the con­trac­tu­al invol­vement of Xplain, in the reli­ance on a pre­su­med audit by the FOCA, which was alre­a­dy using an appli­ca­ti­on used by fed­pol, and in the lack of moni­to­ring measures.

The FDPIC recom­mends the fol­lo­wing to both fed­pol and the FOCA:

  • The pro­ce­s­sing of order data was not cle­ar­ly regu­la­ted. The pro­ce­s­sing of com­mis­sio­ned data should the­r­e­fo­re be spe­ci­fi­ed in such a way that the par­ties “make them­sel­ves awa­re” of whe­ther and under what con­di­ti­ons per­so­nal data may lea­ve the fede­ral government’s systems. He recom­mends the following: 
    • To check when it is neces­sa­ry for per­so­nal data to lea­ve the Confederation’s systems and be stored in Xplain systems as part of sup­port processes;
    • to deter­mi­ne the neces­sa­ry TOMs in each case, and in par­ti­cu­lar to ensu­re the prin­ci­ples of data mini­mizati­on and data secu­ri­ty if sto­rage at Xplain is necessary;
    • to record the cor­re­spon­ding data trans­fers in clear agreements.
  • If fed­pol con­ti­nues to work with Xplain (which is appar­ent­ly the case – the depen­den­cy iden­ti­fi­ed by the inve­sti­ga­ti­on report will con­ti­n­ue), “data pro­tec­tion cri­te­ria must be taken into account”. The data pro­tec­tion pro­ce­s­ses and com­pli­ance with them must be regu­lar­ly monitored. 
    • The next time fed­pol deci­des on fur­ther coope­ra­ti­on, it must check whe­ther a cer­ti­fi­ed ISMS is in place.
    • The data pro­tec­tion pro­ce­s­ses and com­pli­ance with them must be regu­lar­ly moni­to­red by means of inter­nal or exter­nal checks or other evidence.
  • In addi­ti­on, employees must be con­ti­nuous­ly “sen­si­ti­zed” to data pro­tec­tion risks.
  • Con­tracts in the area of data secu­ri­ty must be spe­ci­fi­ed and, if neces­sa­ry, standardized.

The FDPIC also recom­mends that fed­pol, in the case of appli­ca­ti­ons used by ano­ther fede­ral office, should at least have its own SCHUBAN to be car­ri­ed out.

Aut­ho­ri­ty

Area

Topics

Rela­ted articles

Sub­scri­be

Sub­scri­be to news →