Germany, SDM: Discussion of three levels in processing activities (from D2.1)

From https://www.datenschutz-mv.de/static/DS/Dateien/Datenschutzmodell/SDM-Methode_V20b_EN.pdf. Emphasis, incl. reformatting for emphasis, by me.

D2.1 Levels of a Processing or Processing Activity

In order to fully cover personal data processing, it has proved useful to distinguish at least three different levels of representation of material parameters or elements when designing or auditing processing activities. It is essential to understand that a ‘processing activity’, for example, is not congruent with the use of a certain technology or a certain technical program.

Level 1 is the processing of personal data in the sense of data protection law.

  • This processing takes place, for example, within the framework of a company operating under private or an authority subject to public law, for whose activities the controller is responsible. This level corresponds to what is often understood as a ‘specialised procedure’ and ‘business process’ with a certain functional sequence of the processing activity. At this level of the understanding of a processing operation, the personal data necessary for a processing operation as well as the legal requirements are determined. The controller defines corresponding roles and authorisations for the personal data and determines the IT systems and processes to be used. The determination of the purpose or purposes of the processing activity is essential for the adequate functioning of this level in terms of data protection.

The practical implementation of the processing and the purpose is located at level 2.

  • On the one hand, this usually includes the role of the clerking as well as the IT application(s), which can also be described more precisely as the ‘specialised application of a specialist procedure’. The processing and the specialist application must completely fulfil the functional and (data protection) legal requirements to which the processing is subject. The specialised application must ensure the purpose limitation. The application must exclude the processing of additional data or additional forms of processing, even if they may be functionally particularly convenient. The aim is to minimise the risk of undermining the purpose limitation or overstretching the purpose.

Level 3 houses the IT infrastructure that provides functions that are used by a level 2 application.

  • This level of ‘technical services’ includes operating systems, virtual systems, databases, authentication and authorisation systems, routers and firewalls, storage systems such as SAN or NAS, CPU clusters, and the communications infrastructure of an organization such as the telephone, LAN, or Internet access. These systems must be designed and used within a processing activity in such a way that the purpose limitation is retained. Typically, technical and organisational measures must be taken to ensure that the purpose limitation or segregation of purposes can be enforced at this level.


and from D2.3:

“The concrete functional design takes place at level 1, at which the need for protection is to be determined or specified by the controller on the basis of the data. This need for protection is inherited by all data, systems and processes used in concrete processing at the various levels. The catalogue of reference measures can be used to check whether technical and organisational measures taken or planned are appropriate to the need for protection.”