Review Course for Exam Preparation PDF


Summary

This document is a review course for an exam, focusing on topics like EU law, fundamental rights, data protection, cybersecurity, and cyberresilience. It also includes information about the organization of the exam and how laws are made.

Full Transcript

Review course for exam preparation

Topics relevant to the exam
- Introduction to EU law
- Fundamental Rights
- Data Protection Law (GDPR, BDSG, ePrivacy/TTDSG)
- Cybersecurity Law: NIS-2 Directive, RCE-Directive, Cybersecurity Act, BSIG
- Cyberresilience: Cyberresilience Act
- Cybersecurity in consumer protection law and civil law

Organisation of the exam
Please select the correct answer by placing a cross or similarly (clearly) marking it (unclear answers may not be scored correctly).
→ If you would like to change your answer, please make this clear (e.g. additional arrow on the selected answer, underline it, etc.).
→ Please do not use a pencil and eraser, but a clearly and well visible pen.
Unless otherwise stated, one answer is correct! If more than one answer is correct → the question must be answered in full by selecting all the correct answers.

How are laws made?
European Union
- Supranational political and economic union of 27 member states
- Executive branch: state governments represented in the European Council; European Commission
- Legislative branch: EU Parliament
- Judicial branch: Court of Justice of the European Union
Federal Republic of Germany (separation of power)
- Executive branch: government of federal ministers & chancellor
- Legislative branch: Bundestag (parliament) and Bundesrat (representatives of the federal states)
- Judicial branch: federal courts
16 Federal States, e.g. Baden-Württemberg
- Executive branch: state government
- Legislative branch: Landtag (parliament)
- Judicial branch: state courts

Hierarchy of law
Primacy of application of Union law:
- EU primary law (EU treaties)
- Secondary law: Regulation (directly applicable) / Directive (transformation into national law)
German law:
- Grundgesetz
- Bundesgesetze (authorization for Bundesverordnungen)
- Landesgesetze
Agreements under international law: transformation into national law

Legislative procedure (ordinary legislative procedure)
Proposal by EU Commission (+ public consultation) → Readings in EU Parliament & Council (Parliament position, Council position) → Opinion by EU Commission → Trilogue → Adoption by Parliament → Adoption by Council

Interpretation of legal texts
- Wording → dictionary; problem: often several meanings in everyday and technical language
- Historical interpretation → legislative materials: the legislator's conception, intent and motives
- Systematic interpretation → structure of the law, comparison to other provisions, headings, titles
- Teleological interpretation → meaning and purpose of a law; legal principle: should be a fair and appropriate regulation, avoid unjust and irrelevant results
- Conformity with constitutional law / conformity with Union law: if there are several ways of interpreting the law, the one that best complies with the constitution / Union law should be applied

Catalogues of fundamental rights in Europe
- ECHR: international convention by the Council of Europe (parties: 46 Council of Europe member states). Judgements have no direct impact, but German courts have to consider judgments in their own decisions.
- German Constitution: highest rank regarding German law → all federal / state laws have to respect the constitution.
- EU Charter: same legal status as the European Union treaties. Relevant if the case is determined by EU law.

Violation of fundamental rights?
- Scope of protection? Does a legal obligation interfere with guaranteed rights?
- Justification? Is there an important interest that justifies the interference? (Interpretation of legal text.) German Constitution: restriction of fundamental rights defined for each right (Grundrechtsschranken). EU Charter, Art. 52 (1): "Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms."
- Proportionality? Are different interests balanced out properly? Limitations must be necessary for attaining the legitimate objectives and not exceed the limits of what is appropriate and necessary in order to achieve those objectives: suitable for the objective pursued? necessary (relatively mildest means)? appropriate for attaining the objective?

3 functions of fundamental rights
- Fundamental rights function as a right of defense against state actions
- Fundamental rights include the state's duty to protect also against interference by private parties
- Basic rights to participation (state benefits, welfare state)

Fundamental Rights: right to private life / data protection / informational self-determination
German Constitution:
- Not explicitly written in the constitution: Art. 1 (1) in combination with Art. 2 (1) GG build the general right of personality
- The right to informational self-determination is an expression of the general right of personality
- The right of ensuring the confidentiality and integrity of information technology systems is an expression of the general right of personality
- Art. 10 GG: protection of telecommunication
- Art. 13 GG: protection of the private home
EU Charter:
- Art. 7 Respect for private and family life: Everyone has the right to respect for his or her private and family life, home and communications.
- Art. 8 Protection of personal data: 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.
ECHR:
- Art. 8 ECHR Right to respect for private and family life: 1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Data Protection Law (18.01.2025)
- Interpretation and thus implementation of the EU directives in the member states was very different → low level of harmonization
- "Update" by a Regulation: Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) of April 27, 2016: directly applicable law in all member states without the need of an additional implementation into the laws of the member states
- But: escape clauses give limited leeway for member states for specific regulations (e.g. BDSG) → GDPR called an "atypical hybrid"

Applicability: GDPR → important definitions: Personal Data, Processing
- Processing of personal data wholly or partly by automated means, or not-automated processing of personal data which form part of a filing system or are intended to form part of a filing system
- 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
- "identified or identifiable": all the means reasonably likely to be used by the controller or by another person
→ not necessary that that information alone allows the data subject to be identified
→ not required that all the information enabling the identification of the data subject must be in the hands of one person
→ all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments

Typical mistakes
- "This is only data about things, not persons." ! The object can be assigned to a natural person and the data allows conclusions to be drawn about this person.
- "All names in the data set have been deleted, the data is therefore anonymous." ! Identification is often possible via contextual information.
- "The data is anonymous, without the help of third parties I cannot identify the person." ! Personal reference also exists in the case of pseudonymization and if it is possible to access data from third parties by legal means, unless this would require a disproportionate amount of time and cost.
- "Anonymization removes all data protection requirements." ! In the area of electronic communication, the TTDSG also applies in part to non-personal data.

Roles & Persons
- Controller(s): natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data; the controller or the specific criteria for its nomination may be provided for by Union or Member State law. One or more controllers are responsible to fulfil the data protection obligations. Every controller requires a legal basis for processing personal data.
- Joint Controllers: determine responsibilities & duties in an agreement; inform about the essence of the arrangement.
- Processor(s): processes personal data on behalf of the controller; does not pursue its own processing purposes → no further legal basis necessary for processing; duties to assist the controller in the implementation of data protection obligations; control and instruction rights of the controller → the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures. Contract between controller and processor (minimum content specified in Art. 28 GDPR).
- Data subject = natural person; has rights.
- Independent supervisory authorities: monitoring the application of the GDPR; can give advice, impose fines.
- Data Protection Officer (Art. 37 – 39 GDPR) at controller and at processor.

Territorial Scope
- Domicile principle: establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not
- Market place principle: processing of personal data of data subjects who are in the Union, where the processing activities are related to the offering of goods or services or the monitoring of their behavior
- Legal exclave: place where Member State law applies by virtue of public international law

Principles
- Lawfulness, fairness and transparency: legal basis for processing; provide information to data subjects; right of access
- Purpose limitation: data collected for specified, explicit and legitimate purposes; not further processed in a manner that is incompatible with those purposes
- Data minimisation: personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- Accuracy: data kept accurate and, where necessary, up to date; right to rectification
- Storage limitation: right to erasure ("right to be forgotten"); right to restriction of processing
- Integrity and confidentiality: data security
- Accountability

Overview: legal basis for processing personal data
Depending on purpose and context on a case-by-case basis. Processing of personal data requires at least one legal basis!!
- Art. 6 GDPR: consent, contract, vital interest, legitimate interest, legal obligation, public duties
- Further conditions for special categories of personal data: explicit consent, employment / social security / social protection law, vital interest, manifestly made public, research purposes, ...
- Specifications by member state law / sector specific: electronic communication (ePrivacy), employment, collective agreements, research, social law, trade law, tax law, public law, ...

Examples for legal basis
- Consent: optional cookies on a website; request to receive newsletters
- Contract: contract of sale: payment data (e.g. credit card number); car insurance contract: vehicle brand, category and age, mileage per year, age / number of drivers, ...
- Vital interest of the data subject or another natural person: very limited scope → emergencies, e.g. to protect someone's life an airline communicates personal data of an injured person to the hospital
- Legitimate interest of the controller or a third party: video surveillance in a supermarket / in a building; submitting data of a customer who refuses to pay the bill to a debt collection agency and / or a lawyer in order to settle a legal dispute
- Legal obligation: processing of customer data according to § 312e BGB → send e-mail to confirm an online order; obligations to store documents according to § 257 HGB → retention of documents about business transactions by merchants for a specific period of time
- Public duties: processing personal data of doctors, dentists, etc. in order to issue a license to practice medicine, regulated by the law of the Member States

Consent
- Requirements: freely given, specific, informed, unambiguous, active, revocable
- Problems: dependencies, imbalance of power; no separate consent for different processing operations; consent made conditional for a contract
[Slide illustration: cookie banner buttons "I agree" / "I disagree" / "I agree" / "Settings" / "Personal Settings"]

Privacy by Design: risk based approach
- Time of planning and at the time of the processing
- Controller / processor shall implement appropriate technical and organisational measures appropriate to the risks, considering implementation costs, nature, scope, context & purpose of processing, state of the art, risks (likelihood & severity)
- Risks regarding the rights and freedoms of natural persons: physical, material or non-material damage, e.g. discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality, economic or social disadvantages; prevented from exercising rights & freedoms and/or control over their personal data, like unauthorised reversal of pseudonymisation, profiling, predicting personal behaviour, etc.
- If high risk: Data Protection Impact Assessment (PIA)

Technical measures
Anonymisation, Recital 26 GDPR: "The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."
Pseudonymisation, Art. 4 (5) GDPR: means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Recital 26: "Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person."

10 typical mistakes regarding anonymisation
- Pseudonymisation is the same as anonymisation
- Encryption is anonymisation
- Anonymisation is always possible
- Anonymisation is not measurable
- Anonymization can be fully automated
- Anonymized data is useless
- Anonymization procedures are universally transferable
- Nobody has an interest in de-anonymization
- Once anonymous, always anonymous
- Anonymization must prevent 100% of re-identification risks
Source: AEPD (Agencia Española de Protección de Datos) / EDPS (European Data Protection Supervisor), joint paper on 10 misunderstandings related to anonymisation: https://edps.europa.eu/system/files/2021-04/21-04-27_aepd-edps_anonymisation_en_5.pdf

Data Security: risk based approach
- Appropriate measures with respect to the actual or eventual risks must be taken (considering implementation costs, nature, scope, context & purpose of processing, state of the art, risks: likelihood & severity)
- Examples for security measures: pseudonymisation, encryption; ensure confidentiality, integrity, availability and resilience of processing systems and services; ability to restore availability and access to personal data in the event of a physical or technical incident; regular testing (e.g. pentesting)
- To assess the appropriate security level, consider risks like accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data
- To demonstrate compliance: code of conduct as referred to in Art. 40; approved certification mechanism as referred to in Art. 42
- Ensure that persons acting under the authority of the controller / processor only process data on the instructions of the controller
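Added example, not part of the slides: a small Python program on constructed sample data that shows why "I deleted the names" is not anonymisation, what Art. 4 (5) pseudonymisation with separately kept additional information does and does not protect against, and how re-identification risk can be measured (k-anonymity) and reduced. Record values, the public directory and the key are all constructed for the example.

```python
"""Pseudonymisation (Art. 4(5) GDPR) vs. merely deleting names, on constructed sample data."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed customer records (not real persons): the data set a controller might hold.
RECORDS = [
    {"name": "Anna Example", "postcode": "10115", "birth_year": 1985, "purchase": "laptop"},
    {"name": "Ben Beispiel", "postcode": "10115", "birth_year": 1985, "purchase": "phone"},
    {"name": "Cara Muster", "postcode": "20095", "birth_year": 1990, "purchase": "tablet"},
    {"name": "Dan Sample", "postcode": "20095", "birth_year": 1990, "purchase": "headset"},
    {"name": "Eve Probe", "postcode": "80331", "birth_year": 1972, "purchase": "laptop"},
]
QUASI_IDENTIFIERS = ("postcode", "birth_year")

# Constructed "contextual information" another person could obtain, e.g. a public directory.
PUBLIC_DIRECTORY = [
    {"name": "Anna Example", "postcode": "10115", "birth_year": 1985},
    {"name": "Eve Probe", "postcode": "80331", "birth_year": 1972},
]


def pseudonym(name: str, key: bytes) -> str:
    """Keyed hash of the direct identifier: stable per person, but neither reversible nor
    recomputable without the key, which is the 'additional information' of Art. 4(5)."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace the name by a pseudonym; the key must be stored separately from this output."""
    return [{"pseudonym": pseudonym(r["name"], key),
             **{k: v for k, v in r.items() if k != "name"}} for r in records]


def strip_names(records):
    """The typical mistake: delete the name column and call the result 'anonymous'."""
    return [{k: v for k, v in r.items() if k != "name"} for r in records]


def reattribute(pseudonymised, key, known_names):
    """Re-attribution works only for whoever holds the key (the separately kept mapping)."""
    table = {pseudonym(n, key): n for n in known_names}
    return {table[r["pseudonym"]]: r["purchase"]
            for r in pseudonymised if r["pseudonym"] in table}


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS) -> int:
    """Smallest number of records sharing one combination of quasi-identifier values.
    k == 1 means at least one record is unique and can be singled out with context."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values())


def link_with_context(records, context, quasi_identifiers=QUASI_IDENTIFIERS):
    """Recital 26 in code: link the data set to outside information on the quasi-identifiers.
    Returns name -> purchase for each person whose combination is unique in the data set."""
    matches = {}
    for person in context:
        wanted = tuple(person[q] for q in quasi_identifiers)
        hits = [r for r in records if tuple(r[q] for q in quasi_identifiers) == wanted]
        if len(hits) == 1:
            matches[person["name"]] = hits[0]["purchase"]
    return matches


def anonymise(records, k=2, quasi_identifiers=QUASI_IDENTIFIERS):
    """Generalise quasi-identifiers (postcode area, birth decade), then suppress any record
    whose group is still smaller than k. The risk is measured (k) and bounded, at the cost
    of some data: anonymised data is less detailed, but not useless."""
    coarse = [{**r, "postcode": r["postcode"][:2] + "xxx",
               "birth_year": r["birth_year"] // 10 * 10} for r in records]
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in coarse)
    return [r for r in coarse if groups[tuple(r[q] for q in quasi_identifiers)] >= k]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated here; in practice stored apart from the data set
    pseudo = pseudonymise(RECORDS, key)
    names = [r["name"] for r in RECORDS]
    print("k with names deleted:", k_anonymity(strip_names(RECORDS)))
    print("linked (names deleted):", link_with_context(strip_names(RECORDS), PUBLIC_DIRECTORY))
    print("linked (pseudonymised):", link_with_context(pseudo, PUBLIC_DIRECTORY))
    print("re-attributed with key:", reattribute(pseudo, key, names))
    print("re-attributed without key:", reattribute(pseudo, b"some-other-key", names))
    print("k after anonymisation:", k_anonymity(anonymise(strip_names(RECORDS))))
```

The unique record (postcode 80331, born 1972) is singled out from both the name-stripped and the pseudonymised data set, which is exactly the "identifiable via contextual information" point; only the key holder can resolve pseudonyms, and only generalisation plus suppression removes the linkage.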
Data protection by design / Security of processing / Data protection impact assessment
Data protection by design:
- Technical design limits risks and implements data protection principles, esp. data minimisation
- Open to new technologies → "appropriate" technical & organisational measures
- Adherence to an approved code of conduct or an approved certification mechanism may be used as one element to demonstrate compliance
Data protection by default:
- By default, only personal data which is necessary for each specific purpose of the processing should be processed → privacy friendly default settings
Security of processing:
- Risk based approach → required security level must be assessed individually
- GDPR gives only examples for security measures
- Positive / negative list by authorities
Data protection impact assessment:
- Applicable if data processing is likely to result in a high risk to the rights and freedoms of natural persons
- Examples in the GDPR
- Seek the advice of the data protection officer
- Instrument for describing, assessing and mitigating risks (phases shown: preparation, evaluation, execution, implementation)

Data Processing in & outside the EU
Third Country = countries outside the EU & EEA (European Economic Area)
- Operation on premise or location of the provider within EU / EEA → location of data processing: server locations within EU / EEA → ! no integration of sub-service providers from third countries
- Adequacy decision of the Commission: transfer does not require any further guarantees → e.g. Argentina, Canada, Israel, Japan, South Korea, Switzerland and some more → list at ec.europa.eu
- Unsafe third country: safeguards required, e.g. standard contractual clauses (= model contracts) or binding corporate rules, if enforceable in the third country; additional technical measures if necessary
- Derogation rules for specific cases = no regular data transfers

Checklist
GDPR applicable?
- Processing of personal data?
- Material and territorial scope
- Controller or processor?
Legitimate use of personal data?
- Purpose of processing?
- Legitimate basis? Art. 6 (1) GDPR: consent by data subject? contract with data subject? vital interest of data subject / another natural person? legitimate interest of controller / third party, not overridden by interests of data subject? task in public interest? legal obligation?
- Art. 9 (2) GDPR special categories of personal data → special requirements
- Sector specific / member state law, e.g. employment context, e.g. electronic communication
Technical and organisational measures
- Privacy by Design and by Default → identification and assessment of risks → implementation of protecting measures acc. to risk based approach
- Data Security → implementation of protecting measures acc. to risk based approach
- Privacy Impact Assessment → PIA necessary? → implementation of PIA (regularly repeated)
Compliance with data protection principles
- Lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability
- Information provided?
- Data subjects' rights: right of access; right to rectification; right to erasure; right to restriction of processing; right to data portability; right to object; rights regarding automated individual decision making

Cybersecurity law: NIS-2 Directive (Directive (EU) 2022/2555)
Goals, content & changes to the previous Directive
- A harmonised legal framework for the EU-wide development of national cybersecurity capacities
- Stronger cooperation between the member states of the European Union
→ obliges member states to adopt a national cyber security strategy
→ Single Point of Contact (SPoC) serves to ensure cross-border cooperation between the authorities of the member states
→ national Computer Security Incident Response Teams (CSIRTs) are to be appointed, which are responsible for dealing with risks and incidents
- Imposes stricter requirements on national authorities
- Minimum security requirements and reporting obligations for specific sectors
→ extension of the scope of application → "important entities" and "essential entities"
→ introduces stricter supervisory measures for national authorities, stricter enforcement requirements and standardises the sanction options in the member states

Content of NIS-2
- Specifications for Member States: national security strategies, cyber crisis frameworks, EU reports & peer reviews; organisations (SPoC, CSIRT) & cooperation (CSIRT network, Cooperation Group, EU-CyCLONe)
- Setting requirements for private and public facilities: applicable to essential and important entities; governance: duties & liability of management; appropriate cybersecurity risk management measures; reporting obligations for significant incidents
- Supervision and enforcement: different levels regarding essential entities (regular supervision) and important entities (only ex post supervision); higher fines for essential entities possible

NIS-Documents
- National Cyber Security Strategy (Member States): framework of the strategic objectives, resources required and appropriate policy and regulatory measures → capabilities of the public and private sector
- National Cyber Crisis Management Framework (Member States): establish cyber crisis management authorities for large-scale cybersecurity incidents and crises; adopt a national large-scale cybersecurity incident and crisis response plan
- Peer Reviews: voluntary, carried out by cybersecurity experts
- Report on the state of cybersecurity in the Union: biennial report adopted by ENISA; Union-level cybersecurity risk assessment, taking account of the cyber threat landscape

NIS-Organisations
Member States:
- Single Point of Contact: shall exercise a liaison function to ensure cross-border cooperation
- Computer Security Incident Response Teams (CSIRTs): responsible for incident handling in accordance with a well-defined process; monitor threats; inform; provide assistance; risk / incident analyses (also proactive scanning); act as a coordinator for coordinated vulnerability disclosure
European Union:
- CSIRTs network: exchange of information, assistance & guidelines, cross-border cooperation among CSIRTs for cross-border incidents
- Cooperation Group: strategic cooperation and exchange of information among Member States
- European cyber crisis liaison organisation network (EU-CyCLONe): increase the level of preparedness for large-scale cybersecurity incidents and crises; cross-sectoral cooperation

Applicability: Art. 2 NIS-2
- Art. 2 (1): large / medium-sized enterprises in a critical sector: sectors with high criticality (Annex I NIS-2) and other critical sectors (Annex II NIS-2)
- Art. 2 (2): special cases, regardless of size: identified as essential or important entities
- Art. 2 (3): entities identified as critical entities acc. to the RCE-Directive
- Art. 2 (4): entities providing domain name registration services
- Member States may provide for this Directive to apply to: public administration entities at local level; education institutions, in particular where they carry out critical research activities
- The Directive does not apply to public administration entities that carry out activities in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences, unless where an entity acts as a trust service provider
- Further exemptions by Member States possible

Concept of regulation: essential entities / important entities
- Both: governance and cybersecurity risk-management measures (Art. 20, 21 NIS-2); reporting obligations (Art. 23 NIS-2)
- The differences between essential and important entities in NIS-2 relate primarily to the scope of state supervision and sanction options: supervisory and enforcement measures in relation to essential entities, Art. 32 NIS-2; in relation to important entities, Art. 33 NIS-2

Governance, Art. 20 NIS-2
- Member States shall ensure that the management bodies of essential and important entities approve appropriate cybersecurity risk-management measures, oversee their implementation and can be held liable for infringements
- Training: members of the management bodies of essential and important entities shall be required to follow training; entities shall be encouraged to offer similar training to their employees

Cybersecurity risk-management measures, Art. 21 NIS-2
Member State law shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems [..] and to prevent or minimise the impact of incidents on recipients of their services and on other services
→ state of the art
→ relevant European or international standards
→ all-hazards approach
Assessing proportionality of measures: cost of implementation; the entity's size; likelihood of occurrence of incidents and their severity; degree of the entity's exposure to risks; societal and economic impact of incidents

RCE Directive (Directive (EU) 2022/2557)
Comparison NIS-2 & RCE: sectors of the RCE Directive overlap with Annex I and Annex II of NIS-2.
- "critical entities" = identified by Member States according to a risk assessment: belonging to one of the categories; the entity provides an essential service; an incident would have significant disruptive effects on one or more essential services
- Essential service = a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment
- Resilience = a critical entity's ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident
RCE-Documents: National Resilience Strategy
RCE-Organisations:
- Member States: Competent Authority; Single Point of Contact (liaison function to ensure cross-border cooperation and the exchange of information)
- European Union: Critical Entities Resilience Group (facilitate information exchange among Member States and experts across the Union, facilitate cooperation among Member States, support the Commission); Commission (support Member States, prepare a Union-level overview of cross-border and cross-sectoral risks to the provision of essential services, organise advisory missions)
Resilience of critical entities:
- Risk assessment, Art. 12: on the basis of Member State risk assessments; every four years
- Resilience measures, Art. 13: appropriate and proportionate technical, security and organisational measures to ensure their resilience
- Background checks, Art. 14: about certain persons, evaluating a potential security risk to the critical entity
- Incident notification, Art. 15: to the competent authority

Cybersecurity Act (Regulation (EU) 2019/881): main topics
EU certification scheme:
- Introduction of a uniform European certification framework for ICT products, services and processes, valid in and recognized by all EU Member States
→ improve transparency and provide evidence of compliance to a given level of trust
→ on a voluntary basis
- Certified according to various criteria and assigned the predefined security levels "basic", "substantial" and "high"
ENISA (European Union Agency for Cybersecurity):
- Permanent mandate for ENISA
- Act as a reference point for advice and expertise on cybersecurity
- Support Member States, Union institutions, bodies, offices and agencies in improving cybersecurity

Cyberresilience Act (CRA)
Objective: new EU cybersecurity rules ensure safer hardware and software
- Mandatory cybersecurity requirements for all connected products: hardware and software
- Products with different levels of associated risk shall have different security requirements
→ all products put on the EU market will need to be cyber secure
- Manufacturers of hardware and software will have to implement cybersecurity measures across the entire lifecycle of the product, from design and development to after the product is placed on the market
- Products will bear the CE marking to indicate that they comply with the Regulation's requirements
- Legal obligation for manufacturers to provide consumers with timely security updates after the purchase, during the time products are expected to be used

Applicability
- Products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network
- "Product with digital elements" means any software or hardware product and its remote data processing solutions (including software or hardware components being placed on the market separately)
- Placing on the market → any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge

Concept: levels of criticality
- Standard products with digital elements: present a cybersecurity risk → meet the essential requirements; the manufacturer's processes comply with the vulnerability handling requirements
- Important products with digital elements: core functionality belongs to a category listed in an Annex of the CRA; divided in Class I and II → increased conformity assessment procedures
- Critical products with digital elements: categories shall be specified by delegated acts by the Commission → shall be required to obtain a European cybersecurity certificate under a European cybersecurity certification scheme pursuant to the Cybersecurity Act

Conformity Assessment Modules
Module A (internal production control) comprises self-assessment, i.e. the manufacturer assesses the conformity of its product without the involvement of a notified body. In Module B (EU-type examination), the notified body assesses the conformity of the product (the so-called sample). The manufacturer then manufactures all other products according to this compliant sample (Module C (internal production control)). The manufacturer must ensure that each product conforms to the sample from Module B. Module B must always be combined with Module C in the CRA. In Module H (full quality assurance), the notified body assesses the manufacturer's quality assurance, i.e. the notified body checks whether the manufacturer's quality assurance process results in products that conform to the CRA. If this is the case, the manufacturer can manufacture all further products according to this process.

Art. 32: Obligations for manufacturers, importers and distributors
- Manufacturer: conformity assessment; information, instructions & documentation; updates during the support period; reporting obligations
- Importers: ensure that manufacturers complied with the requirements and provided the necessary documents, declarations and information; check or provide identification number, contact details
- Distributors: verify (with due care) that manufacturers and importers complied with the requirements and provided the necessary documents and information
Manufacturer's obligations: undergo a process of conformity assessment & make available technical documentation to demonstrate whether the specified requirements relating to a product have been fulfilled; self-assessment or a third-party conformity assessment depending on the level of risk → draw up the EU declaration of conformity and are able to affix the CE marking
Source: European Commission, Cyberresilience Act Factsheet, https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

Cyberresilience Act (CRA): summary
- All products sold in the EU that contain 'digital elements' must fulfill essential cybersecurity requirements
- Products with digital elements = products that can be connected to a device or a network = software and hardware = consumer products and B2B / industrial products
- Differing conformity assessment procedures (modules) according to risk profile → standard, important and critical
- A transitional period is planned so that market participants have sufficient time to prepare for the new requirements
- All products with digital elements must fulfill a minimum level of cybersecurity
- Take cybersecurity into account → during product development → carry out a risk assessment → conceptual principle of 'security by design': connected products should be designed with cybersecurity in mind and keep the attack surface as small as possible → 'secure by default' configuration principle
- Prove requirements → declaration
of conformity Disclose vulnerabilities → via new single reporting platform Secure during a defined support period → Security updates must be made available and vulnerabilities must be handled throughout the entire product life cycle (support period is generally min. 5 years) Consumer Protection & Civil Law Contract Law: B2C vs. B2B Consumer Protection Rights Contractual Rights Company Private Person Company Company NEW: ‒ Digital product ‒ Product defect (cumulative) ‒ Obligations depending on type of Directive 2019/770 contract ‒ Digital content ‒ Objective requirements Sale: NEW cumulative definition of ‒ Digital service ‒ Subjective requirements defects (obj./subj. requirements) at ‒ Goods with digital elements ‒ Obligation to update time of delivery Directive 2019/771 ‒ Tangible movable items ‒ Period of availability (if defined) Rent: continuing obligation during inseparable connected with rental period ‒ Expected period of time by consumer digital content/service (e.g. Work (Werkvertrag): success owed → tendency towards usual period of IoT-Products) use of product / good Service: performance lege artis 18/01/2025 63 Applicability of Consumer Protection Law ‒ Contract between consumer and company („trader“ / “seller”) ‒ Payment of a price (or a digital representation of value) or provision personal data ‒ Provision of personal data by consumers in order to receive a service corresponds to payment (monetary equivalent), but: legal treatment of the exchange "payment with data" very controversial ‒ Exempt where data exclusively processed for performance of contract Digital content / service Good with digital element → No direct claim Obliged person supplier of digital product (trader) seller against the manufacturer if this is not identical requirements including IT security including IT security with the seller/trader updates & for provision period or reasonably reasonably expected period or versions expected period; Latest version provision period (if permanent 
available (unless agreed provision agreed) otherwise) 64 Training & practice cases CJEU Judgments of 5 December 2023, Ref.: C-683/21 and C-807/21 Is a public body which commissions a company to develop a mobile IT application to be regarded as a controller within the meaning of that provision, even if it has not itself carried out any processing operations relating to personal data, has not given express consent to carry out the specific processing operations or to make that mobile application available to the public and has not purchased the mobile application? processed personal order placed app in app store data of users Who is the ‘controller’ in the relevant sense, especially if there is co-operation with other bodies? Does a fine require that the underlying offence can be attributed to a specific person in the company and must this person belong to the management level? Is culpability necessary? The controller is the person who alone or jointly with others decides on the purposes and means of processing personal data. It is therefore not a question of who actually carries out the processing. The controller is the person who influences the processing in their own interest and at least participates in the decision on the purposes and means. → Whoever arranges for data to be processed and how it is processed is responsible. Responsibility therefore also exists if another organisation is prompted to process data. It is sufficient that data is processed on the decision and at the instigation of the controller in their name or interest. It is irrelevant whether the controller comes into contact with the data itself. The court makes it clear that a fine can only be imposed if the person responsible is at fault. Intent is not necessary, negligence is sufficient. It is also sufficient that the breach can be reasonably attributed to the responsible person as an organisation. 
It is not relevant whether persons from the management level acted or had any knowledge of the event. It is also not necessary for it to be known who specifically committed the offence. The decisive factor is that the offence could have been prevented with the appropriate care. Case: Handwritten Notes During their door-to-door advertising, the “preachers” of Jehovah's Witnesses made notes about the people they met, for example about their religious beliefs or family circumstances. The notes serve as a memory aid for the preachers for later visits, without the people concerned being informed or giving their consent. According to Jehovah's Witnesses, however, the notes are neither forwarded to the community nor stored anywhere else in a central location. The community itself only keeps a list of those people who have asked not to receive any further visits. They argue, the notes are merely personal notes for which the community is not responsible under data protection law. → GDPR applicable? Case: Handwritten Notes Notes made by Jehovah's Witnesses about the people they meet during their home visits are subject to European data protection law. The private notebooks of “preachers” can also be data files, the CJEU ruled. Although handwritten data is not processed automatically and is not stored centrally, it can still fall under the term “file” according to the CJEU. It is sufficient if the data can be easily retrieved at a later date; a special directory or sorting into a filing system is not required for this. 18.01.2025 69 Case: dynamic IP-adress CJEU ruling of 19 October 2016 (case reference: C-582/14) Are dynamic IP-addresses personal data with the effect, that a provider of an online media service is responsible to fulfill data protection rights regarding the users of this online media service, when he/she receives the dynamic IP-address? 
In this ruling, the CJEU found that IP addresses could constitute public authority personal data if the provider of the online media service received provider of the online internet access additional information from the media service provider internet access provider. → Ruling was interpreted in a way, that the theoretical possibility to re-identify the person behind the IP address is sufficient (even if not intended), as long this requires no disproportionate effort or is de- facto impossible Case: European General Court (EGC) Judgment of 26 April 2023, Ref.: T-557/20 Names of the respondents were replaced by an alphanumeric code consisting of a 33-digit randomly generated identification number Does pseudonymised data lose its personal reference if the recipient has no way of re-identifying the person? Because then the data would be anonymised and the GDPR would no longer apply for the recipient The pseudonymisation of data can also have an anonymising effect. In the case of pseudonymisation, the personal reference is initially removed. However, it is still possible to assign the data to a person and identify them. The judges of the EGC are of the opinion that the theoretical possibility of identification alone is not sufficient. The re-identification of the person must also be practically and legally possible. In this case, the EGC found that the recipient's perspective is decisive when assessing the personal nature of data. If the data was passed on pseudonymised, it could potentially become anonymous data when it is passed on. →If the recipient does not have access to the additional information or if access is not practically feasible, then the pseudonymised data would become anonymised data from the perspective of the recipient. →The recipient has no obligation to fulfill data protection rights under GDPR (unless there are other possibilities of identification in the transmitted documents)