What is the SDM

The officer for data protection and freedom of information

A method for data protection advice and auditing based on uniform protection goals

Version 2.0b of the Standard Data Protection Model (SDM) was adopted by the 99th Conference of the Independent Data Protection Authorities of the Federation and the Länder (DSK) on April 17, 2020.

The legal requirements of the General Data Protection Regulation (GDPR) are now fully covered by the Standard Data Protection Model (SDM) and systematized with the help of the protection goals. The catalogue of generic measures provides a low-threshold entry into the practical application of the SDM. The data protection management process described in the SDM guides controllers through all phases of the processing of personal data and thus makes it possible to maintain lawful processing on a continuous basis.

The European General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) came into force on May 25, 2016 and, after a two-year transition period, has applied throughout the European Union since May 25, 2018. The GDPR lays down rules for the protection of natural persons with regard to the processing of personal data. It protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

Articles 5, 12, 24, 25 and 32 GDPR contain the basic requirements for the processing of personal data. The GDPR requires suitable technical and organizational measures that appropriately reduce the risks to the rights and freedoms of natural persons. This applies both to measures that guarantee the rights of data subjects (Chapter III GDPR) and to measures that implement the data protection principles (Art. 25(1) GDPR), including data minimisation (Art. 25(2) GDPR) and the security of processing (Art. 32(1) GDPR). The principle of data protection by design and by default (Art. 25 GDPR) requires the controller to address data protection requirements at a very early stage when planning a processing operation. The GDPR also requires a process for regularly reviewing, assessing and evaluating the effectiveness of the technical and organizational measures (Art. 24(1) sentence 2 and Art. 32(1)(d) GDPR).

Article 5 GDPR formulates the essential principles for the processing of personal data: processing must be lawful, fair and transparent (traceable), bound to a specific purpose, limited to what is necessary, based on accurate data, and carried out in a manner that ensures integrity and confidentiality. In addition, personal data may in general only be kept in a form that permits identification of the data subjects for as long as is necessary. Compliance with these principles must be demonstrable ("accountability").

The Standard Data Protection Model (SDM) offers suitable mechanisms for translating these legal requirements of the GDPR into technical and organizational measures. To this end, the SDM first records the legal requirements of the GDPR and then assigns them to the protection goals of data minimisation, availability, integrity, confidentiality, transparency, unlinkability and intervenability.

The SDM thus carries the legal requirements of the GDPR, via the protection goals, over into the technical and organizational measures the regulation demands, which are described in the SDM's catalogue of reference measures. In this way it supports the transformation of abstract legal requirements into concrete technical and organizational measures.