Thanks to the Privacy and Information Security Blog I became aware of a very interesting development within Germany with regard to amendments to German Data Protection legislation. On July 3rd the German Federal Parliament passed a number of changes to the German Federal Data Protection Act, which will come into force on the 1st of September 2009.
Some of the key items concern data breaches and the requirements now facing German companies. These requirements apply to any such company suffering a security breach relating to the following:
- Sensitive data as defined in the German Federal Data Protection Act
- Personal data that is subjected to professional or official confidentiality requirements
- Financial information such as credit card or bank details
- Information relating to criminal offenses
- Data held on customers by telecommunications companies
Should a breach of any of the above be deemed “likely to have a serious impact” on the affected individuals, and provided that notification of the breach will not affect any criminal proceedings and that the appropriate measures have been taken to secure the data, the affected organisation will be obliged to notify the affected people. This notification should be made to both the Data Protection Authority and the affected individuals. Should the breach affect a large number of people, the notification should be made by placing a half-page advertisement in daily national newspapers or other media that would provide similar coverage.
More information on the changes can be found here (PDF file). Hopefully Ireland will soon follow suit.