
Germany: Updated Standard Data Protection Model


1. INTRODUCTION

1.1. Issuing body

The first Standard Data Protection Model ('SDM V1') was developed in 2016 by the German Data Protection Conference ('DSK'), a coalition of all regional data protection authorities ('DPAs') and the Federal Commissioner for Data Protection and Freedom of Information ('BfDI'). Subsequently, the Schleswig-Holstein State Commissioner for Data Protection ('ULD') released, on 6 November 2019, an updated version of SDM V1 ('SDM V2') which was adopted by the DSK the same day.

The DSK adopted, on 17 April 2020, SDM V2.0b, which corresponds with SDM V2 in terms of content, but includes editorial amendments and instructions on the use of the catalogue of reference measures in Chapter E6.

Moreover, on 24 November 2022, the DSK released an updated version of the SDM (only available in German here) ('SDM V3'), which introduces both content and editorial changes to the SDM V2 and the SDM V2.0b. Specifically, the SDM V3 adds two new Sections (D2.1 and D2.5) and amends the pre-existing Section D3.

Beyond these additions, the SDM V3 remains largely unchanged compared to the SDM V2.

1.2. Foundations and purpose

The SDM V3 aims at systematising mandatory as well as optional, procedural, and cross-procedural data protection measures and facilitating their respective assessment. The SDM V3 can be used by state and federal DPAs, as well as by controllers for the planning and operation of procedures for the processing of personal data.

The SDM V1 was published before the General Data Protection Regulation (Regulation 2016/679) ('GDPR') became applicable; the SDM V3 therefore aims to ensure uniform data protection consulting and auditing practices in relation to technical and organisational measures pursuant to the GDPR.

1.3. Compliance benefits

The SDM acts as a bridge between law and technology and thus supports a continuous dialogue between stakeholders from the technical, legal, and organisational areas. In particular, the SDM V3 records the legal requirements of the GDPR, assigns them to the protection goals ('the Protection Goals') of data minimisation, availability, integrity, confidentiality, transparency, unlinkability, and intervenability, and transforms them into technical and organisational measures.

SDM V2.0b clarified that the DSK has not issued a statement making the recommendations of the catalogue of reference measures binding. It highlights, however, that the measures constitute good practice and that legal requirements may nonetheless render individual recommendations binding. Controllers and processors must therefore verify this for themselves to ensure that appropriate security measures are used to protect the personal data being processed.

1.4. Related legislation, frameworks, standards, and supplemental resources

German DPAs have not yet released supplementary resources for SDM V3.

The ULD has issued the following supplementary resources regarding SDM V2:

  • Guidance page on SDM V2 (only available in German here); and
  • Conference papers on SDM V2 (only available in German here).

The State Commissioner for Data Protection and Freedom of Information Mecklenburg-Vorpommern ('LfDI Mecklenburg-Vorpommern') has issued the following supplementary resources regarding SDM V2:

  • Catalogue of Measures (only accessible in German here) ('the Catalogue'); and
  • Modules ('the Modules') to achieve the Protection Goals established in the SDM V2:
    • Module 11 on data storage (only available in German here) ('the Storage Module');
    • Module 41 on Planning and Specification (only available in German here) ('the Planning and Specification Module');
    • Module 42 on Documentation (only available in German here) ('the Documentation Module');
    • Module 43 on Record Keeping (only available in German here) ('the Record Keeping Module');
    • Module 50 on Separation (only available in German here);
    • Module 60 on Deletion and Elimination (only available in German here);
    • Module 61 on Correction (only available in German here); and
    • Module 62 on Restriction of Processing (only available in German here).

2. SCOPE OF APPLICATION

The SDM V3 can be used in Germany as well as in an international context, by DPAs as well as by organisations and institutions in the private and public sectors, to ensure that the GDPR is effectively implemented.

SDM V3 applies to the planning, implementation, and operation of processing activities involving the processing of personal data and their assessment.

The SDM V3 is arranged into five parts:

  • Part A, which provides a description of the purpose, scope, and structure of the SDM V3;
  • Part B, which compiles the various data protection requirements of the GDPR;
  • Part C, which organises the requirements of the GDPR outlined in Part B into the Protection Goals;
  • Part D, which provides for technical and organisational measures for the practical implementation of the Protection Goals; and
  • Part E, which provides an account of the organisational framework of the SDM V3.

In particular, the SDM V3 incorporates and systematises the legal requirements of German data protection law and the GDPR into seven Protection Goals:

  • data minimisation;
  • availability;
  • integrity;
  • confidentiality;
  • unlinkability;
  • transparency; and
  • intervenability.

The Catalogue can be consulted for each individual processing activity as to whether the actual measures taken correspond to the legally required measures. The SDM V3 and the Catalogue also provide a basis for the planning and implementation of the data protection specific certifications according to Article 42 of the GDPR and the Data Protection Impact Assessment ('DPIA') required in certain cases (Article 35 of the GDPR).

The Modules contained in the Catalogue provide specific technical and organisational measures on a variety of topic areas which are designed to reflect the respective requirements of each Protection Goal. Although the Modules were developed to complement the SDM V1, they are due to be integrated into the SDM in the future; until then they remain a supplementary resource to the SDM V3. The Modules are still in their development phase and are published successively. They are drafted by regional data protection authorities but have not yet been adopted by the DSK.

3. KEY DEFINITIONS | BASIC CONCEPTS

In general, the definitions of the GDPR apply in the SDM V3, in particular for terms such as data minimisation, integrity, confidentiality, transparency, availability, intervenability (Section B1 of SDM V3).

4. DATA PROCESSING

Transparency and free access

The principle of transparency is laid down in Article 5(1)(a) of the GDPR and reflected in numerous provisions in the GDPR, notably with respect to data subjects' rights to be informed. A data controller must provide for the exercise of these rights, both at an organisational and, if necessary, a technical level. Transparency is addressed in Section B1.1 of the SDM V3.

Generic technical and organisational measures to achieve this Protection Goal, provided in Section D1.5 of the SDM V3, include:

  • documentation of processing activities, in particular regarding business processes, data storage and data flows as well as IT systems and processes used;
  • documentation of assessments, disclosure of data and privacy impact assessments;
  • the documentation of data breach notifications and correspondence with data subjects and data protection authorities;
  • logging of access and modifications; and
  • verification of data sources.

Purpose specification, use limitation, and suitability

Article 5(1)(b) of the GDPR provides for the purpose limitation principle, while Article 6 provides that there must be a legal basis for the processing of data. These are encapsulated by the Protection Goal of unlinkability, which seeks to ensure that there is a distinct and identifiable purpose and legal basis for each and every processing operation. Purpose limitation is addressed in Section B1.2 of the SDM V3.

Measures provided for in Part D of the SDM V3 to ensure these Protection Goals include:

  • the regulation and limitation of the rights to process, use and transfer data;
  • the establishment of role concepts with differentiated access rights;
  • the establishment of measures prohibiting backdoors and assurance of updates;
  • pseudonymisation (which is specifically mentioned in Article 40(2)(d) of the GDPR); and
  • restrictions on use, processing, and transfers of data, among other things.

Data minimisation, storage limitation, and accuracy

The Protection Goal of data minimisation transposes the corresponding principle of Article 5(1)(c) of the GDPR, which states that personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Data minimisation is addressed in Section B1.3, accuracy in B1.4, and storage limitation in B1.5 of the SDM V3.

Measures to ensure data minimisation are provided in Section D1.7 of the SDM V3 and include:

  • limitations on the types of information that may be collected on a data subject;
  • limitations on the processing options available in processing operations;
  • the establishment of default features that limit data processing to what is necessary to achieve the processing purpose;
  • the implementation of data masks that suppress data fields; and
  • rules for controlling processes to change processing activities.

The Storage Module provides further technical measures to achieve privacy compliant storage of data.

5. MANAGEMENT SYSTEM

Monitoring, measurement, analysis, and evaluation

Section D4 of the SDM V3 provides information on data protection management, detailing legal bases (D4.1), necessary preparations (D4.2), and specifications and examinations (D4.3). Moreover, Section D4.4 of the SDM V3 contains a detailed step-by-step approach on the data protection management process based on the concept of planning, implementing, checking, and improving.

Moreover, the newly introduced Section D2.1 of the SDM V3 recommends breaking a processing activity down into operations or into phases of a data life cycle, in order to examine each of them from a data protection perspective. More specifically, Section D2.1 of the SDM V3 suggests considering nine groups of processing operations, which summarise the non-exhaustive list of elementary processing operations under Article 4(2) of the GDPR. These nine groups are:

  • collecting;
  • processing;
  • preserving;
  • editing;
  • using;
  • making available;
  • merging;
  • restricting; and
  • deleting.

In principle, each of the above nine groups of processing operations can be assessed with regard to its conformity with GDPR requirements. Alternatively, Section D2.1 of the SDM V3 suggests that a more compact life cycle model consisting of four phases may also be used.

The content of Section D2.1 of the SDM V3 is closely related to the new Section D2.5 of the same, which looks at SDM modelling techniques. Specifically, Section D2.5 of the SDM V3 shows the systematic relationship among:

  • Section D2.1 of the SDM V3, which introduces nine groups of elementary operations and four phases of a data life cycle, against which a processing activity can be examined;
  • Section D2.2 of the SDM V3, which recommends examining a processing activity at three levels; and
  • Section D2.4 of the SDM V3, which introduces three components against which a processing activity can be modelled. On Section D2.4 of the SDM V3, see section 7 'Accountability and Recordkeeping' below.

Further, the SDM V3 highlights that it is usually necessary to analyse personal data processing operations according to the above three aspects, in order to gain a meaningful overall picture of the risks of processing activities. To this end, the SDM introduces the so-called 'SDM Cube', which provides support for a systematic and complete examination of a processing activity.

Risk management

Section D3 of the SDM V3 includes measures on risks and protection, stating that a risk according to the GDPR is the possibility of an event that causes or is suitable to cause damage to the rights and freedoms of a natural person or a group of natural persons.

Section D3 of the SDM V3 goes on to state that there are two dimensions to take into account when establishing measures dealing with risks: the significance of the damage for the rights and freedoms of the person concerned, and the likelihood that the event and the damage will occur.

Furthermore, Section D3 of the SDM V3 states that the determination of the level of risk is a prerequisite for determining technical and organisational measures and the degree of their effectiveness to eliminate or reduce the risk.

Moreover, Section D3 of the SDM V3 states that, as a rule, the higher the risk, the more prudent and effective the measures must be, and that regular assessments of the risk and, where necessary, improvements must be implemented.

In order to determine if a processing activity poses a high risk to the data subject, an analysis process must take place, as described in detail in Section D3.2 of the SDM V2.

Section D3.4 of the SDM V2 further details technical and organisational measures in case of a high risk.

The SDM V3 introduces within Section D3.1 a distinction between four types of risks, and corresponding protective measures:

  • risk type A: the interference with the fundamental rights of natural persons by the processing is not sufficiently low;
  • risk type B: the measures adopted to reduce the intensity of the interference with a processing operation are not complete, not sufficiently effective, or are not continuously monitored, tested, and evaluated to a sufficient extent;
  • risk type C: the information security measures are not complete, not sufficiently effective, or are not continuously monitored, tested, and evaluated to a sufficient extent; and
  • risk type D: the information security measures are not sufficiently operated in accordance with data protection, in the sense of risk types A and B.

However, please note that the examination of the proportionality of the interference with fundamental rights of a processing operation is not covered by the SDM. Said legal examination as well as the examination of the applicable legal basis according to Article 6 and, if applicable, Article 9 of the GDPR must take place before the SDM is applied. Thus, the treatment of the aforementioned risk type A is not directly subject to the application of the SDM.

Operating concepts

Section E2 of the SDM V3, which is part of the organisational framework conditions, includes an operating concept which helps to clarify roles and responsibilities, and ensures the applicability of the SDM V3.

Planning and documentation

The Planning and Specification Module provides information on how to describe the structure and functioning of the entity dealing with data, using a transparent approach. The Documentation Module and the Record Keeping Module provide further technical measures to achieve privacy compliant documentation and recording of processes and material data.

6. DATA SECURITY

With regard to data security and prevention, the SDM V3 suggests measures based on the principles of confidentiality, integrity, and availability.

Confidentiality

The Protection Goal of confidentiality derives primarily from Article 5(1)(f) of the GDPR and seeks to protect against unauthorised and unlawful processing of data. Generally, a violation of confidentiality constitutes a violation of the GDPR.

Measures provided in Part D of the SDM V3 to achieve the Protection Goal of confidentiality include:

  • the implementation of a secure authentication process;
  • the creation of a rights and role concept based on the principle of necessity and identity management;
  • the definition and control of organisational processes, internal regulations and contractual obligations;
  • the encryption of stored or transferred data; and
  • the limitation of authorised personnel to those who are legally responsible, appropriately qualified, reliable (if necessary, with security clearance) and formally approved, and with whom no conflict of interests may arise in the exercise of their duties.

Integrity

The Protection Goal of integrity reflects Article 5(1)(f) of the GDPR. This Protection Goal aims to ensure protection against unauthorised modifications and deletions.

Measures provided in the SDM V3 to achieve this Protection Goal include:

  • the restriction of writing and modification permissions;
  • the use of checksums, electronic seals and signatures in data processing in accordance with a cryptographic concept;
  • the documentation of assignment of rights and roles;
  • deletion or correction of wrong data;
  • the implementation of processes ensuring data is up to date; and
  • protection against external influences (e.g. malware).

Availability

The Protection Goal of availability is explicitly included in Article 32(1) of the GDPR, in the context of security of data processing. It is also anchored in Article 5(1)(e) of the GDPR. The principle also applies to the obligations to provide information and access to the data subject (Articles 13 and 15 of the GDPR). This Protection Goal is also a basic prerequisite for the right to data portability (Article 20 GDPR).

Measures provided in Part D of the SDM V3 to achieve this Protection Goal include:

  • preparation of data backups and processes for data recovery;
  • protection against external influences (e.g. malware);
  • the establishment of an emergency concept to recreate processing activities; and
  • implementation of repair strategies and alternative processes.

Resilience

Section B1.19 of the SDM V3 highlights that, in order to comply with the principle of resilience, measures must be taken to ensure that the systems and services used for data processing maintain the characteristics that ensure privacy-compliant data processing.

7. ACCOUNTABILITY AND RECORDKEEPING

Section D2.4 of the SDM V3 details that for each processing activity and its components, especially for processes spanning different systems, responsibilities should be clearly set out and documented in the record of processing activities in accordance with Article 30 of the GDPR. Section D2.4 of the SDM V3 highlights that the tasks resulting from a responsibility can be delegated in the form of individual responsibilities. These responsibilities are typically defined as 'roles' in a comprehensive authorisation and role concept and subsequently assigned accordingly. Furthermore, Section D2.4 of the SDM V3 states that the responsibility of a process owner can relate to individual processing steps (so-called sub-processes) or extend to the entire processing activity across all process levels in the sense of an overall responsibility. Moreover, the responsibilities may be distributed across different roles with partial responsibilities.

Section B1.19 of the SDM V3 provides that the confidentiality of personal data must be ensured even if the underlying systems and services are unexpectedly subject to high workloads. If confidentiality is breached, it must be ensured that measures to remedy and mitigate the breach of personal data are taken.

Sections D1.5 and B1.8 of the SDM V3 provide that contracts with internal staff as well as with external service providers and other third parties that process data or to whom data is transferred, and the assignment of responsibilities in this regard, must be documented.

8. DATA SUBJECT RIGHTS

Section B1.10 of the SDM V3 provides that responsible persons must facilitate the exercise of data subject rights. This includes the acceptance and examination of requests by data subjects.

Section B1.11 of the SDM V3 details that responsible persons must correct the data without delay when requested.

Section B1.12 of the SDM V3 deals with the deletion of data, stating that the responsible person must delete data in such a way that the data in question can no longer be processed. Data must be deleted without delay. If this is not possible, the responsible person must have an appropriate procedure in place. Section B1.13 of the SDM V3 provides information on the restriction of data processing. It details that a technical measure must be implemented to mark data whose processing is to be restricted, so that it is only partially processed.

Moreover, B1.14 of the SDM V3 provides information on data portability, stating that data must be machine readable and in a common format to ensure interoperability.

Section B1.15 of the SDM V3 details the possibilities of intervening in automated decision-making processes. In particular, it states that responsible persons must take appropriate measures to ensure that the rights, freedoms, and legitimate interests of the data subject are respected and that the right to obtain intervention by the responsible person is granted. This right includes the data subject's ability to contest a decision. It also requires that the responsible person is able to intervene and, where necessary, correct a decision.

Section B1.16 of the SDM V3 further details measures with regard to profiling activities, stating that technical and organisational measures must be established which ensure that factors leading to incorrect personal data, or to decisions that discriminate against the persons concerned, can be corrected, and which reduce the risk of errors to a minimum. In general, data processing shall be free of errors and discrimination.

Intervenability

The Protection Goal of intervenability is derived from the GDPR provisions on rectification, restriction, erasure, and the right to object (see Articles 16, 17, 18, 19, and 21 of the GDPR). Pursuant to Article 5(1)(d) of the GDPR, the controller must provide for such rights, both at an organisational and, where required, a technical level.

Measures provided in Part D of the SDM V3 to achieve this Protection Goal include:

  • provision of differentiated options for consent, withdrawal and objection;
  • creation of necessary data fields (e.g. for notifications, consents and objections, documenting handling of malfunctions and problem-solving methods);
  • implementation of standardised query and dialogue interfaces for affected data subjects;
  • provision of options to deactivate individual functionalities without detriment to the overall functioning of the relevant system;
  • identification and authentication of data subjects that want to make use of their rights; and
  • the establishment of a point of contact for affected data subjects.

9. CROSS-BORDER DATA TRANSFERS AND LOCALISATION

Section B3 of the SDM V3 details that Article 58(2) of the GDPR allows data protection authorities to order the suspension of data transfers to third parties. In order to be able to implement such orders, the recipients of personal data must be identifiable and locatable, and data transfers must be carried out in accordance with the criteria applicable to the country receiving the data.

Section D1.3 of the SDM V3 states that typical measures to protect the principle of confidentiality include the encryption of transferred data and processes to manage and protect cryptographic information.

Section D2 of the SDM V3 highlights that, under Article 30 of the GDPR, international transfers to third countries form part of the processing activities and must therefore be recorded.

10. VENDOR MANAGEMENT

Vendor risk management

Section A4 of the SDM V3 states that deviations from Protection Goals that must be avoided always include unauthorised processing activities by third parties.

Section B of the SDM V3 details that in order to reduce risk, including in relation to unauthorised access by third parties, the responsible person is obliged to select, implement and check the effectiveness of the appropriate technical and organisational measures (see Articles 28(3)(d) and 32 of the GDPR).

Technical service providers

Section C1.4 of the SDM V3 provides a definition of unauthorised persons in the context of the principle of confidentiality and access to personal data. In particular, it states that unauthorised persons are not only third parties outside the responsible body, but also employees of technical service providers who are responsible for providing a certain service but do not require access to personal data, as well as persons in organisational units that have no connection whatsoever with a processing activity or with the respective data subject, according to the respective organisational plans and the allocation of responsibilities.

Section D2.3 of the SDM V3 provides that, if the processing activity includes contract processing in accordance with Article 28 of the GDPR, it must be ensured that the processor carries out its tasks in accordance with the instructions of the responsible person and in conformity with data protection law. Responsibility for the data processing always remains with the responsible person (the controller) within the meaning of Article 4(7) of the GDPR.

Contracts with external service providers

Section D1.5 of the SDM V3 details that measures to ensure the principle of transparency include the documentation of contracts with external service providers and third parties from whom data is collected or to whom data is transmitted.

Record of third-party disclosures and documentation

Sections B1.7 and C1.4 of the SDM V3 deal with the Protection Goal of confidentiality, meaning that no unauthorised person can gain knowledge of or access to data. Unauthorised persons are not only third parties outside the responsible body, but also employees of technical service providers who are responsible for providing the service but do not require access to personal data, as well as persons in organisational units that have no connection whatsoever with a processing activity or with the respective data subject.

Sections D1.5 and B1.8 of the SDM V3 provide that contracts with internal staff as well as with external service providers and other third parties that process data or to whom data is transferred, and the assignment of responsibilities in this regard, must be documented.

Section D4.3 of the SDM V3 highlights that, when assessing third party access, organisations must consider:

  • who should be denied access to which data; and
  • which processes, systems and services are potentially vulnerable to unauthorised access.

Moreover, Section D4.3 of the SDM V3 details that the extent of the authorised access is initially independent from the technology and to be derived from the respective business processes.

11. INCIDENT AND BREACH

Data breach records

Section B1.1 of the SDM V3 states that the obligation to notify in case of a data breach is part of the principle of transparency. Section D1.4 of the SDM V3 highlights that a typical measure to comply with transparency is to record the management of data breaches.

Data breach notification to authorities

Section B1.8 of the SDM V3, dealing with accountability, details the obligation to provide the responsible supervisory authority with all necessary information according to Article 58(1)(a) and (e) of the GDPR. In particular, it states that the responsible person must notify data breaches to the supervisory authorities according to Article 33 of the GDPR.

Incident response

According to Section B1.22 of the SDM V3, the responsible person must, pursuant to Articles 33 and 34 of the GDPR in combination with Articles 24 and 32 of the GDPR, implement technical and organisational measures to resolve data breaches and to mitigate their consequences for data subjects.

12. PRIVACY BY DESIGN

Section B1.17 of the SDM V3 provides information on Data Protection by Design.

Section D1.8 of the SDM V3 provides that the principle of Privacy by Design ('PbD') must be taken into account at all levels, and that technical and organisational measures must be determined, and their implementation begun, in the planning stage. PbD further requires that applications be configured in a privacy-compliant way and incorporate the principle of data minimisation: only data that is necessary for the specific purpose may be collected, processed, and stored, and data must not be linked to other data unless this is necessary for the designated purpose. It also requires that data subject rights be implemented in all applications and that change-management processes be in place; these processes are also important where a relevant data protection law is amended. Finally, data subjects and other persons concerned must be able to examine the processing activities.

13. ADDITIONAL REQUIREMENTS

No further information.


Authored by OneTrust DataGuidance. DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities, and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.
