Legal and technical expert opinion
The IT product’s compliance with data protection requirements
- PTN 2.0 -
by
nugg.ad AG
Rotherstr. 16
10245 Berlin
Germany
prepared by:
Andreas Bethke
Dipl. Inf. (FH)
at the independent data protection centre for the state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein), accredited technical expert for IT products
Papenbergallee 34
25548 Kellinghusen
Germany
tel +49 (0)4822 – 37 89 05
fax +49 (0)4822 – 37 89 04
mob +49 (0)179 – 321 97 88
email ab@datenschutzkontor.de
Stephan Hansen-Oest
Lawyer
at the independent data protection centre for the state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein), accredited legal expert for IT products
Neustadt 56
24939 Flensburg
Germany
tel +49 (0)461 – 90 91 356
fax +49 (0)461 – 90 91 357
mob +49 (0)171 – 20 44 98 1
email sh@datenschutzkontor.de
Version: 16/09/2009
A. Introduction
On 25/09/2007 the product manufacturer received certification for its software “Predictive Targeting Network (PTN)”, version 2.0. The certification was issued for a limited period of time and will therefore expire soon, namely on 16/09/2009. In the meantime, the product manufacturer has made some improvements to the service, which were implemented in the course of the successful EuroPriSe certification. However, the product still bears the version number 2.0, as no other changes have been made to the method that could be relevant for an assessment with regard to data protection. By commissioning this expert opinion, the product manufacturer intends to have the IT method PTN 2.0 recertified for the privacy seal for IT products by the independent data protection centre for the state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein - ULD).
The expert opinion is based on version 1.2 of the requirements specification.
B. Time of testing
The product was tested on 10/09/2009 and 16/09/2009.
C. Changes to the product and innovation
In the course of the certification procedure for EuroPriSe, the product PTN 2.0 underwent changes leading to improvements in the product, which can be rated as meeting the data protection requirements.
The updated version of the product underwent the following changes:
- The lifetime of cookies has been reduced from 12 months to a maximum of 26 weeks. Also, the retention period of the non-personal data in the nugg.ad database which is processed and used to calculate statistical models has been reduced further (i.e. to 26 weeks as well).
- The Privacy Policy on the nugg.ad website (http://www.nugg.ad) has been amended so as to take into account the interpretation of the term “personal” under European law and the related implications as to whether “cookies” can be linked to an identifiable natural person. The Privacy Policy of nugg.ad can be accessed at http://www.nugg.ad/de/produkte/datenschutz.html.
- The list of criteria used for the delivery of advertising material has been revised. Thus, the categories “reproduction” (sex life + health), “pregnancy fashion”, “doctors”, “opticians” and “man seeks / woman seeks” have been deleted to avoid any supposed reference to sensitive data within the meaning of section 3 subsection 9 of the Federal Data Protection Act (BDSG) in the first place.
- The model contract used by nugg.ad for the processing of data by contractors has been improved and reworded.
No additional functions were added that would be relevant for the assessment of the product in terms of data protection.
D. Assessment regarding the requirements under data protection laws
In the meantime, there have been changes in the Federal Data Protection Act (BDSG) which took effect as of 01/09/2009. The amendments to sections 28, 29 BDSG are irrelevant for IT method PTN 2.0, as their content does not lead to any new assessment of the legal situation.
However, the amendments made to section 11 BDSG are in fact relevant, as they impose more stringent requirements on written instructions to be given to contractor data processors. According to section 11 subsection 2 BDSG as amended the written instructions given to such processor must contain the following:
1. the subject and duration of the work to be carried out,
2. the extent, type and purpose of the intended collection, processing or use of data, the type of data and category of data subjects,
3. the technical and organisational measures to be taken under section 9,
4. the rectification, erasure and blocking of data,
5. the processor’s obligations under subsection 4, in particular monitoring,
6. any right to issue subcontracts,
7. the controller’s rights to monitor and the processor’s corresponding obligations to accept and cooperate,
8. violations by the processor or its employees of provisions to protect personal data or of the terms specified by the controller which are subject to the obligation to notify,
9. the extent of the controller’s authority to issue instructions to the processor,
10. the return of data storage media and the erasure of data recorded by the processor after the work has been completed.
nugg.ad offers its clients a model processing agreement, annexed to the main contract, to be entered into alongside it. This agreement already contained the provisions now set forth in section 11 BDSG as amended.
Regarding the term, the agreement refers to the main contract which is a permissible procedure. The extent, type and purpose of the processing are set forth in section 2 of the agreement. The controller’s rights to monitor are set forth in section 6 of the agreement. In addition, the agreement provides for the return of data/data storage media and includes the processor’s notification duties in the event of a breach.
In total, the model agreement meets the requirements of section 11 BDSG amended as of 01/09/2009.
Further, section 11 BDSG as amended now contains a concrete duty of the controller to verify compliance with the technical and organisational measures taken by the processor before data processing begins and regularly thereafter, and to document the result. This new requirement can be met by the nugg.ad method as well.
The Telemedia Act (TMG) too has been amended with effect as of 01/09/2009. However, the amendments made therein have been of a mere editorial nature with the exception of section 15a TMG. For the assessment of the method in terms of data protection laws, the new section 15a TMG is irrelevant in the present case.
The changes to the method do not result in a different assessment of the method in terms of data protection laws. Rather, it can be noted that the improvements made to the product have further strengthened it from a data protection point of view.
E. Summary
The product “PTN 2.0” of nugg.ad AG can still be rated as exemplary overall. There are no concerns with regard to recertification.
I hereby confirm that the above-named IT product complies with the legal requirements pertaining to data protection and data security.
Andreas Bethke / Dipl. Inf. (FH)
at the independent data protection centre for the state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein), accredited technical expert for IT products
Stephan Hansen-Oest / Lawyer
at the independent data protection centre for the state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein), accredited legal expert for IT products
Christian Hillemeyer
Communications Manager
+49 (0)30 29 38 19 99 -18
Christian Pfeiffer
Data Protection Officer
+49 (0)30 29 38 19 99 -0