(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Critical infrastructure: Provisions that address cybersecurity in relation to critical infrastructure are set out in the Act on the BSI and the Regulation for Critical Infrastructure. For instance, under Section 8a of the Act on the BSI, operators of critical infrastructure are obliged to take appropriate technical and organisational measures in order to avoid disruptions to the availability, integrity and confidentiality of their IT systems. Furthermore, operators of critical infrastructure must regularly audit their measures and prove to the BSI that they have taken appropriate measures to comply with these requirements. As a rule of thumb, an operator of critical infrastructure will need to serve 500,000 people to fall under the obligations of the Act on the BSI, but the specifics depend on the sector and the services provided.
Telecommunications services: Providers of telecommunication services (internet access, email accounts, telephone networks) are subject to special data protection regulations which are stipulated in Sections 91 to 107 of the German Telecommunications Act. These provisions aim to safeguard users’ personal data, and in particular their traffic and inventory data. In the course of the introduction of the IT Security Act in 2015, several provisions concerning IT security were added to the Telecommunications Act. According to Sections 109(1) and (2) of the Telecommunications Act, for instance, service providers must deploy and maintain state-of-the-art IT security measures, not only to protect personal data, but also to prevent unauthorised interference with IT infrastructure.
Banking: Although the provisions of the Act on the BSI also apply to the banking sector, an additional obligation to establish and maintain IT security is stipulated in Section 25a(1) of the German Banking Act. Credit institutions (eg, companies that conduct banking business commercially or on a scale that requires a commercially oriented business operation) must ensure that they have in place an effective risk management system, which must include an appropriate emergency plan for IT systems. In addition, such companies must have appropriate technical and organisational measures in place.
Insurance: As they play an essential role in the provision of pensions and healthcare, insurance companies are classified as critical infrastructure within the meaning of the Act on the BSI. As a result, they are subject to the general IT security provisions of the Act on the BSI. Additionally, the German Law on the Supervision of Insurance Companies obliges such companies to comply with certain IT security standards, including the requirement to implement a general risk management system (Section 26).
(b) Certain types of information (personal data, health information, financial information, classified information)?
Personal data: The processing of personal data – including the lawfulness of processing, the duties of controllers and processors, and the rights of data subjects – is predominantly regulated by the GDPR. Key provisions of the GDPR include:
- Article 6 (lawfulness of processing);
- Article 12 (data subject access rights); and
- Article 32 (security of data processing).
Protection of special categories of personal data: The GDPR sets out specific regulations for special categories of personal data. Pursuant to Article 9(1), this is data that reveals the data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data. The processing of special categories of personal data is generally forbidden. Exceptions to this rule are set out in Article 9(2) of the GDPR.
Cybercrime: The provisions on cybercrime and personal data are supplemented by Section 42 of the Federal Data Protection Act. According to Section 42, for instance, the unlawful provision to third parties of access to personal data concerning a large number of data subjects is punishable by imprisonment for up to three years or by a fine, if this is conducted in an organised and professional way.