Personal data is continued. In the context of digitization, this is more and more automated processing. Data protection obligations from the General Data Protection Regulation (GDPR) often refer to so-called “Automated Processing”. But what exactly is automated processing? And what are the requirements for you?
What is exactly a processing is defined in Art. 4 No. 2 GDPR and in Art. 46 No. 2 BDSG-Neu. From this, it can be seen that processing is a carried out process that is carried out with and without the help of automatic procedures. Here, personal data is processed, i.e. recorded, stored, changed, transmitted, transmitted, or read out.
Automation in the context of data protection is the processing of personal data using e.g. computers, tablets, smartphones, and servers. Non-automated processing, i.e. written records, will become automated processing if these are stored in a file system. Section 46 No. 4 BDSG-Neu formulates a legal definition for “profiling”.
Accordingly, profiling is every automated processing that processes personal data for the purpose of behavioral analysis and for the prediction of behavior. § 35 NDSG especially determines requirements for automated data processing for the state of Lower Saxony.
If personal data is automatically processed and, in the course of this, comprehensively and systematically evaluated and thereby serve as the basis for a decision, data protection consequences must be carried out in accordance with Art. 35 Para. 3 lit. a).
Read Also: Data Protection In The Employment Contract
General principles for the data processing of personal data
When processing data, the general principles of data protection must be observed. There are special principles for the processing of personal data that are regulated in Art. 5 Para. 1 lit. a) GDPR. The data may only be processed for an appropriate purpose, Art. 5 Para. 1 lit. b), c) GDPR.
In addition, the data must be objectively correct and up-to-date in accordance with Art. 5 Para. 1 lit. d) GDPR. The duration of the processing must also be determined in accordance with Art. 5 Para. 1 Lit. e) GDPR. In addition, according to Art. 5 Para. 1 Lit. f) GDPR, there must be an appropriate level of safety and accountability obligation from Art. 5 Para. 2 GDPR must always be observed.
Requirements for the safety of data processing for automated processing
64 BDSG-Neu defines requirements for the safety of data processing. In accordance with Section 64 (3) BDSG new, a risk assessment must be made. Here, impending risks must be identified, the probability of occurrence determined and the severity of the potential damage must be weighed up. Once this assessment is carried out, measures must then be taken that ensure an appropriate level of safety.
Read Also: Appoint A Data Protection Officer
Measures for the safe processing of data
To ensure the processing of data, some precautions have to be taken. The creation of a directory of processing activities (VVT) and the determination of technical organizational means (TOM) contribute to the safety of processing.
If it is critical processing of data or if special types of personal data are processed, it is necessary to carry out data protection consequences. In addition, the rights of concern should always be observed and the information obligations are observed.