Doing business in Germany? Here’s a useful comparative guide so you can see how your current controls would be interpreted and accepted (or not) under German law:
German law distinguishes between ‘cybersecurity’, ‘data protection’ and ‘cybercrime’.
‘Cybersecurity’ can generally be equated with the statutory term ‘security of information technology’. According to Section 2(2) of the Act on the Federal Office for Information Security (BSI Act), ‘security of information technology’ means compliance with certain security standards concerning the availability, integrity or confidentiality of information, by means of security precautions both:
- in IT systems, components and processes; and
- for the use of IT systems, components and processes.
The main objective of cybersecurity is therefore to prevent the destruction, loss, alteration or unauthorised disclosure of data, and to keep it available, through hardware and software measures and rules governing how those systems are used.
‘Data protection’ concerns the protection of information relating to an identified or identifiable natural person. While ‘cybersecurity’ can refer to any information, ‘data protection’ addresses only information that relates to an individual, which is why data protection is treated as part of the fundamental general right of personality. The two nonetheless overlap: the processing of personal data requires a high level of cybersecurity. Accordingly, Article 32 of the General Data Protection Regulation (GDPR) requires controllers and processors to implement, taking into account the state of the art and the risks of the processing, appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
‘Cybercrime’ refers to crimes committed through, or directed against, the Internet, data networks and IT systems. Currently, the most common cybercrimes involve infecting and manipulating computer systems with malware, for example to access and misuse personal data (eg, identity theft) or to encrypt users’ data in order to extort a ransom from them (ransomware).