Data protection in IT companies
October 7, 2009 | 100,00 EUR | answered by Andreas Scholz
One of our customers demands that we confirm in writing that all data managed in our application (we are an IT company and develop software) is treated or managed according to the guidelines applicable in Germany.
In this regard, my question is: Which guidelines are relevant to us according to data protection law when developing the software? Which legal regulations do I need to consider?
Kind regards,
B. Casier
Dear inquirer,
Depending on the type of software service you are dealing with, the importance of data protection may be more or less relevant.
The subject of data protection is the protection of individuals against the misuse of their personal data, § 1 BDSG. According to § 1 para. 2 no. 3 BDSG, this law applies to the collection, processing, and use of personal data by
The provisions of the BDSG apply to you as a non-public company if you
1. process, use or collect data using data processing systems, or
2. process, use or collect data in or from non-automated files,
unless the collection, processing or use of the data is exclusively for personal or family activities (which would probably not apply in your case).
If the processing of data falls within the scope of your activities as described above, then the provisions of the BDSG are indeed relevant for you.
Sections 28 et seq. of the BDSG would be relevant for you. This means that you have an extensive obligation to inform and obtain consent from the data subject if you want to use their data. You would also have a comprehensive obligation to anonymize the data in question.
Since you are talking about software development, I assume that data protection aspects are unlikely to play a significant role for you. I assume that you are not involved in empirically collecting data about target groups to incorporate the insights gained into software development. If this is not the case or if you believe that there are indeed aspects of your activities that are related to data protection, please let me know in a follow-up question.
If you are only involved in developing software according to a customer's wishes, you are still obligated to handle data that has been entrusted to you for the execution of your assignment confidentially. This is often also agreed upon in the contract. However, this aspect does not involve a specific data protection issue, but rather concerns the appropriate handling of information disclosed by the contracting party. This information should not be disclosed to third parties in a way that would be detrimental to the disclosing party.
In general, if you do not collect data from third parties for processing or storage, you do not need to worry about violating data protection regulations. Please let me know if you believe that your activities may have data protection implications. Also, please inform me about the nature of these activities so that I can provide a final opinion.
I hope I have provided you with an initial legal orientation. If you have any follow-up questions or uncertainties about the facts, please use the follow-up question.
Sincerely,
Andreas Scholz, Attorney