Background

In light of the growing concern over cybersecurity and the increasing complexity of medical device supply chains, the Medical Device Coordination Group has released updated guidance on cybersecurity for medical devices (the Guidance). The Guidance is intended to supplement the essential requirements listed in Annex I of the Medical Devices Regulations (Regulations 745/2017 and

The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations on their implementation of the requirements of the GDPR since June 2018. On November 5, 2019, the Lower Saxony DPA released a report summarizing its findings (Report; available in German here).

Summary of findings in the Report

We previously reported on our blog that the Lower Saxony DPA has released the checklist it used in assessing the GDPR readiness of the audited organizations (Checklist). This Checklist is a helpful tool for determining where organizations have GDPR compliance gaps.

The Lower Saxony DPA has now summarized its findings of the audits. It has grouped the audited organizations based on a traffic light system:

  • Green (= mainly satisfactory): 9 organizations
  • Yellow (= some deficiencies): 32 organizations
  • Red (= major deficiencies): 8 organizations

The Report also highlights the GDPR compliance items that still raise the most and the least concerns:

  • Most deficiencies: IT security, data protection impact assessments (DPIA)
  • Medium deficiencies: records of processing activities (ROPA), consent, data subject rights
  • Low deficiencies: data processing agreements, data protection officers (DPO), notification of data breaches, accountability


Continue Reading German DPA releases findings of GDPR readiness audits of 50 organizations

On 3 November 2017, the German regulator for the financial sector, the Federal Financial Supervisory Authority (“BaFin”), published a new circular titled Rundschreiben 10/2017 (BA) vom 3. November 2017 – Bankaufsichtliche Anforderungen an die IT (in English: Circular 10/2017 – Regulatory Requirements for IT-Systems – “BAIT”). The BAIT is available in German language at the BaFin’s website. The final version of the BAIT incorporates a number of revisions that result from the submissions made by stakeholders in the course of a prior public consultation.

Scope of the BAIT

The BAIT’s purpose is to give guidance on the BaFin’s interpretation of the statutory requirements under Section 25a(1) s. 3 no. 4 and 5 and Section 25b of the German Banking Act (Kreditwirtschaftsgesetz – KWG). The BAIT sets out the BaFin’s understanding of how reasonable technical/organisational features of IT systems used within financial institutions should look like, taking in particular into account the requirements for IT security and a sufficient emergency concept. The BAIT also addresses the increased engagement of third party IT suppliers that carry out a wide range of processes on behalf of regulated financial institutions, Section 25b of the German Banking Act.

Continue Reading German Federal Financial Supervisory Authority (BaFin) publishes circular on regulatory requirements for financial institutions’ IT systems

On 25 July 2015 in Germany, the new IT Security Act entered into force. The law aims to improve IT security in companies and public bodies, especially in the field of critical infrastructure, thus stipulating minimum security standards and reporting obligations for operators and providers of communication systems.

The law will affect institutions listed as “critical infrastructure” such as energy, information technology, telecommunications, transport and traffic, health, water, and food supply, as well as finance and insurance firms.
The new cyber-security law obliges firms and federal agencies to certify for minimum cyber-security standards and obtain Federal Office of Information Security (BSI) clearance. Operators of critical infrastructure will have to report significant security incidents and even suspected cyber-attacks to the BSI. It gives companies two years to introduce cyber-security measures. Fines of 100,000 Euro for non-compliance will be enforced.

Continue Reading Germany passes new cyber-security law