Data incidents in practice: The DSGVO and data carriers

Björn Holeschak, Leiter Datenschutz EIKONA Systems GmbH
Woman works on her laptop and changes her email distribution list to be DSGVO compliant to protect herself from cyber attacks

Im Zusammenhang mit Datenpannen, werden häufig offene E-Mail-Verteiler und Cyberangriffe genannt. Doch das sind nicht die einzigen Datenschutzverletzungen der DSGVO. Unbeachtet sind häufig Datenträger, die trotz einer digitalen Arbeitswelt, auch heute noch zu einer Vielzahl an Datenpannen führen.

What are data carriers within the meaning of the DSGVO?

The DSGVO defines a data carrier as any medium on which personal data can be depicted, written or stored. Thus, data carriers include business cards, photos, paper documents, CDs, USB sticks, external hard drives, laptops or hard drive storage in the server.

Increased risk of data protection mishaps due to home office

Many think that the loss or theft of data media often happens in the mobile field service, which may carry unencrypted customer data on a storage medium. However, the growing trend towards home offices is underestimated, as more and more employees take data carriers home for work. It is difficult for a company to assess how secure the data carriers in the home office really are. Therefore, a data protection policy for home offices with data carriers is essential.

The risk of a housebreaking is often underestimated because there are hardly any valuables at home. If an incident does occur, even the business laptop can be stolen. For this reason, personal data should always be stored in such a way that burglars cannot use it. The prerequisite for this is consistent data carrier encryption, i.e. making the data "unreadable" without the right key, and the secure deletion of sensitive data on unencrypted storage media.

The loss or theft of devices, data carriers or documents occupies third place with 10.19% of reported data protection incidents. (according to statistics of the data protection supervisory authority of Hesse)

Flea market find: Data carriers are often not disposed of in a DSGVO-compliant manner

It is not only in the event of a loss or theft of data media that data can end up in the wrong hands. For example, when old or defective storage media end up in the trash or are sold without prior security measures. Although DIN 66399, which regulates the nationwide destruction of files, has been in force since 1 October 2012, many companies are still not aware of the correct disposal and those responsible have not yet adapted the corresponding concepts and inventory contracts. In some cases, hard drives were found at flea markets on which sensitive data was stored unencrypted and insufficiently deleted bank records.

Disposal has to be documented

To avoid a data protection breach, USB sticks and hard drives, as well as paper documents containing personal data, must not be disposed of in the normal trash. Rather, there must be collection containers for defective hard drives within a protected data centre, for example. These are deposited there for disposal and destroyed by an appropriate company with the specified security level. The most important thing here: complete documentation when commissioning disposal, because here too there is a risk of data protection deficiencies. The documentation can be regularly checked by supervisory authorities.

Store data carriers correctly

Sensitive data in particular, such as patient files, which are subject to a very long retention period (in some cases 30 years), must be stored correctly and thus protected from damage. The Hessian Commissioner for Data Protection and Freedom of Information recommends that when storing data in the basement, the humidity and temperature should be regulated so that they always remain the same.


Check the obligation to notify in the event of data carrier mishaps

Companies affected by data protection mishaps such as theft, loss, undocumented destruction or incorrect disposal should definitely check the obligation to notify data protection breaches according to Art. 33 DSGVO. This is because data mishaps in connection with data carriers can directly jeopardise the protection goals of the DSGVO. In online data breach notification forms, the supervisory authorities also list incidents involving data carriers. Definitions of loss and theft under the DSGVO:

  • Loss of the data carrier = loss of availability.
  • Theft of the data carrier = loss of availability

AND confidentiality, if applicable. Even though virtualisation is becoming more and more widespread, data carriers are still an important medium for companies. It is important here that the data carriers are sufficiently encrypted.

Björn Holeschak
Björn Holeschak
Team Lead, Data Protection

Drawing on his profound data protection expertise, he tackles data protection challenges with renewed vigor every single day. He understands the dangers and stumbling blocks in intimate detail and gives customers practical advice.

Add a comment

Please add 4 and 7.