Author

Waidelich, Lukas

Competition

Hackathon: Data Analytics in the Cloud

by Waidelich, Lukas 6. September 2023

At the end of September, everything revolves around data analysis in the cloud

The sixth Hackathon Pforzheim takes place on 23 and 24 September. This year's focus is Data Analytics in the Cloud. Everyone who enjoys programming and wants to work in a team on new ideas and solutions is invited. The goal is to develop new concepts at the computer for using artificial intelligence in cloud-based data analysis. Again this year, expert mentors will be on hand to support the participants.

The organizers see the hackathon as a great opportunity to put new IT technologies and their added value in the spotlight. Up to 100 participants are expected. As part of "Smart City Pforzheim", the hackathon has become an event known well beyond Pforzheim and a flagship, not least when it comes to attracting more IT professionals.

Again this year, various partners are working together on the hackathon and offering programmers and IT enthusiasts an exciting challenge. But it is not only the topic that is unique this year: the hackathon takes place at a very special location, namely the hall for large expansion joints (Großkompensatorenhalle) of the company Witzenmann. Since the post-war period, very large expansion joints for heavy industry, up to 20 m in diameter, have normally been manufactured here.

Again this year, the hackathon is open not only to experienced programmers but is explicitly aimed at all interested citizens as well: even without prior knowledge, participants can take part and learn the basics of programming beforehand in a crash course run by the university.

The hackathon is organized by the Pforzheim companies campaigners Network, medialesson and Witzenmann together with the City of Pforzheim. Microsoft is once again supporting the event as technology partner. Further partners and sponsors are the Eigenbetrieb Wirtschaft und Stadtmarketing Pforzheim (WSP), Hochschule Pforzheim, the KI-Lab Nordschwarzwald and the Digital Hub Nordschwarzwald. The event is also part of the "Smart City Pforzheim" initiative. The media partners of the event are the "Pforzheimer Zeitung" and Unit 08.

Register now free of charge

All information about the event is available online at: www.hackathon-pforzheim.de

General

Section on data protection research is online!

by Waidelich, Lukas 21. August 2023

Data protection tends to be perceived by the general public as a dull, complex and innovation-inhibiting subject. In fact, data protection plays an important role in our digitalized world and is based on the right to privacy, which is enshrined as a fundamental right in the EU.

Data protection is essential for individual freedom and privacy: it secures the right to control one's personal data and protects against surveillance. It prevents misuse, from identity theft to the unauthorized dissemination of data. Data protection fosters trust between companies and consumers, drives innovation and protects against discrimination. It is a cornerstone of the rule of law and ensures that everyone acts lawfully. Data protection strengthens cybersecurity by protecting personal data from malicious use. In a globalized world, international data protection standards are indispensable for ensuring secure data exchange across national borders.

Data protection is therefore not just a "tiresome legal requirement" but rather an important societal (moral) value that enables a fairer and more secure digital future: it protects individual freedom, enables effective protection of privacy and ensures (data) security.

For this reason, we are devoting more attention to data protection research. To this end, we have set up a new research section, "Datenschutz" (data protection). There you will find the latest information on our activities. As a highlight, we present our privacy patterns (Datenschutzmuster) there, which emerged from several scientific papers. Feel free to drop by and get in touch with us if you are interested in cooperating!

Privacy Patterns, Principles

Transparency and Traceability

by Waidelich, Lukas 12. August 2023

GDPR Requirements
Personal data shall be processed in a transparent manner that is understandable to the data subject (Article 5 (1a)).

Resulting Challenge
The manner in which a service operates, and all relevant data processed in relation to an individual shall be identified and disclosed. It has to be stressed that disclosure and expulsion are a continuous requirement for the service. The core challenge is therefore to provide an interface that discloses information to the data subject, to fulfill transparency and traceability as required.

Technical Solution Approach
Three technical aspects have to be taken into account in order to meet the requirements of transparency and traceability:

  1. Overview of collected data: even before using the service, the provider must deliver a list of all data that is possibly collected by a service. For this aspect, the technical solution approach of Information Obligation (6) is recommended for implementation.
  2. Disclosure of stored data: Refer to the technical solution of the pattern Right of Access.
  3. Disclosure of data processing: this aspect is the utmost challenge. Ideally, all cloud processes relevant to the data subject should be disclosed in a transparent manner. In addition to the privacy statement, the disclosure of code (open source) can provide technically perceptive individuals with a deeper understanding of the way data is processed. At the very least, however, the provider should answer the key questions of the following checklist before collecting the d

Checklist:

  • Have the questions of the checklist Information Obligation (6) been answered?
  • Does the declaration of service contain procedures for processing of personal data?
  • Is an explanation provided that describes how collected data is handled and how a possible transfer of the data (to third parties) is handled?

Privacy Patterns, Principles

Purpose Limitation

by Waidelich, Lukas 12. August 2023

GDPR Requirements
Personal data must only be collected for specified, explicit and legitimate purposes and may not be further processed in an incompatible manner. Further processing for archival purposes of public interest, for scientific or historical research purposes or for statistical purposes (Article 89 (1)) must not be considered incompatible with the original purposes (Article 5 (1b)).

Resulting Challenge
Processing purposes must be clearly identifiable from the data protection declaration. Data may only be accessible for the processing operations that are necessary for the stated purpose.

Technical Solution Approach
Provision of a statement describing the purposes of personal data processing. In addition, two cases must be distinguished for the service implementation.

  1. Data is stored centrally: We recommend logically dividing processes according to processing purposes (business capability). The data is stored together with the declared purpose. This enables access control of the processing operations to the stored data, with the processing purpose as the access policy.
  2. Each process stores data (decentralized): This means that each service component stores data independently and redundantly. The processing of data must remain clearly assigned to purposes.

Checklist:

  • Are clear and legitimate processing purposes established?
  • Does the privacy statement describe all processing purposes?
  • Are processing operations (service components) divided into processing purposes?
  • Is stored data explicitly assigned with purpose attributes? Is data exclusively stored for a specific purpose in isolated processing components (operations)?
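
The centrally stored case described above, as an added example that is not part of the original pattern: every value is stored together with its declared purposes, and a processing component can only read what matches its own registered purpose. The class, component names and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field


class PurposeViolation(Exception):
    """Raised when a process asks for data without a registered purpose."""


@dataclass(frozen=True)
class Record:
    subject_id: str
    attribute: str
    value: str
    purposes: frozenset  # purposes declared when the data was collected


@dataclass
class PurposeBoundStore:
    """Central store that keeps every value together with its declared purposes."""
    records: list = field(default_factory=list)
    # Hypothetical registry: processing component -> the single purpose it serves.
    process_purpose: dict = field(default_factory=dict)

    def register_process(self, process, purpose):
        self.process_purpose[process] = purpose

    def put(self, subject_id, attribute, value, purposes):
        if not purposes:
            raise ValueError("data must be stored with at least one declared purpose")
        self.records.append(Record(subject_id, attribute, value, frozenset(purposes)))

    def read(self, process, subject_id):
        """Return only attributes whose declared purposes cover the caller's purpose."""
        purpose = self.process_purpose.get(process)
        if purpose is None:
            # Fail closed: an unregistered component gets nothing.
            raise PurposeViolation(f"{process!r} has no registered processing purpose")
        return {r.attribute: r.value for r in self.records
                if r.subject_id == subject_id and purpose in r.purposes}


def demo():
    """Build a store with constructed sample data (all values are made up)."""
    store = PurposeBoundStore()
    store.register_process("billing-service", "billing")
    store.register_process("newsletter-service", "marketing")
    store.put("u1", "email", "a@example.org", {"billing", "marketing"})
    store.put("u1", "iban", "DE00-CONSTRUCTED", {"billing"})
    return store


if __name__ == "__main__":
    s = demo()
    print(s.read("billing-service", "u1"))
    print(s.read("newsletter-service", "u1"))
```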

Privacy Patterns, Principles

Data Minimization

by Waidelich, Lukas 12. August 2023

GDPR Requirements: Personal data must be adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing (Article 5 (1c)).

Resulting Challenge: Reduce the amount of data processed and the number of stakeholders. Furthermore, the minimum amount of personal data necessary for processing purposes shall be identified.

Technical Solution Approach: In the design phase of a software system, the data model must be tested and adapted regarding its processing purpose. Changes in the need for certain data as well as regarding certain processing purposes may also arise during operation and evolution of a service. This requires an architecture in which the data model is adaptable.

Checklist:

  • Which data structure is minimal and still serves the service requirements for operation?
  • Has data (or attributes of data) that is not (any longer) necessary for processing purposes been deleted?

Privacy Patterns, Principles

Accuracy

by Waidelich, Lukas 12. August 2023

GDPR Requirements
Personal data must be correct and up to date. All reasonable measures must be taken to ensure that personal data, which is inaccurate in relation to the purposes for which it is processed, is deleted or rectified without delay (Article 5 (1d)).

Resulting Challenge
The system must provide an interface for the erasure or rectification of personal data. A possibility for regular user verification of personal data should be created.

Technical Solution Approach
A corresponding interface (API) in the application as well as in the backend must facilitate notification of inaccuracies and subsequent revision of personal data. In particular, the technical measures for the right to correction are very useful here.

Checklist:

  • See Right to Restriction of Processing (10) and Right to Erasure (9).

Privacy Patterns, Principles

Storage Limitation

by Waidelich, Lukas 12. August 2023

GDPR Requirements
Personal data must be stored in a form which permits identification of the data subjects only if it is necessary for the purposes for which they are processed (Article 5 (1e)).

Resulting Challenge
The storage duration of personal data must be defined. In fulfilling the purpose, personal data must be removed from the system or the link to the personal data must be removed in such a way that the identification of the data subject is no longer possible. This is particularly difficult to achieve.

Technical Solution Approach
The data model must include a data lifecycle. The lifecycle is based on time and attributes that declare a processing purpose. If the data is encrypted, an irreversible deletion of the key is sufficient to make the data non-identifiable. Other anonymization mechanisms, such as Differential Privacy (Dwork 2008) are possible, but extremely difficult to implement in practice.

Checklist:

  • Is the data associated with a limited storage period (due to a specific purpose)?
  • If anonymization is required: Is an appropriate anonymization mechanism in use to safeguard the stored data?
  • If the data is encrypted: Is it possible to delete the encryption key irreversibly?
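
A data lifecycle based on time and purpose attributes, as an added example that is not part of the original pattern: a sweep either erases a record or removes its link to the data subject once the purpose is fulfilled or the storage period has ended. The retention periods, field names and the choice of which purposes may be kept in de-identified form are assumptions; key deletion for encrypted data is not shown.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical storage periods per declared processing purpose.
RETENTION = {"order": timedelta(days=30), "support": timedelta(days=365)}
# Hypothetical set of payload fields that identify a person directly.
IDENTIFYING_FIELDS = {"name", "email", "address"}
# Hypothetical: purposes whose records may be kept without the subject link.
KEEP_DEIDENTIFIED = {"order"}


@dataclass(frozen=True)
class StoredItem:
    subject_id: Optional[str]   # link to the data subject; None once removed
    purpose: str
    collected_at: datetime
    payload: dict
    purpose_fulfilled: bool = False


def is_due(item, now):
    """A record is due when its purpose is fulfilled or its storage period ended."""
    period = RETENTION.get(item.purpose)
    if period is None:
        raise ValueError(f"no storage period declared for purpose {item.purpose!r}")
    return item.purpose_fulfilled or now >= item.collected_at + period


def deidentify(item):
    """Drop the subject link and all directly identifying fields.

    Assumption: the remaining fields do not identify the person on their own.
    """
    payload = {k: v for k, v in item.payload.items() if k not in IDENTIFYING_FIELDS}
    return replace(item, subject_id=None, payload=payload)


def lifecycle_sweep(items, now):
    """Return (remaining items, report of actions taken)."""
    remaining, report = [], []
    for item in items:
        if item.subject_id is None or not is_due(item, now):
            remaining.append(item)                 # still needed, or already de-identified
        elif item.purpose in KEEP_DEIDENTIFIED:
            remaining.append(deidentify(item))
            report.append(("deidentified", item.purpose))
        else:
            report.append(("erased", item.purpose))  # record is dropped entirely
    return remaining, report


def demo():
    """Run one sweep over constructed sample records."""
    t0 = datetime(2023, 1, 1)
    items = [
        StoredItem("u1", "order", t0, {"name": "A", "email": "a@example.org", "total": 42}),
        StoredItem("u2", "support", t0, {"email": "b@example.org", "ticket": "printer"}),
        StoredItem("u3", "support", t0, {"email": "c@example.org", "ticket": "login"},
                   purpose_fulfilled=True),
    ]
    return lifecycle_sweep(items, now=datetime(2023, 3, 1))


if __name__ == "__main__":
    print(demo())
```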

Privacy Patterns, Rights of the Data Subject

Information Obligation

by Waidelich, Lukas 11. August 2023

GDPR Requirements
At the time of the collection of personal data, all information must be communicated to the data subject (Article 13 (1), (2) + Article 14 (1), (2)).

Resulting Challenge
According to the EU-GDPR guidelines, the information must be understandable, easily accessible and communicated in clear and simple language in a written or electronic declaration to the data subject. However, awareness of the privacy statement must be a mandatory requirement for successful use of digital services. In addition, the data protection declaration must always be (even after the information has been provided) and easy to find (through max. 2 steps).

Technical Solution Approach
The data protection declaration must be shown to the affected person as text/image symbols in the application before the user registers. The subsequent registration may only be possible after the user's acknowledgment of the data protection declaration has been recorded. During use, the data protection declaration must be easy to find in the user interface at any time.

Checklist:

  • Does the notification provide the following information: Name, contact details of the person responsible for data collection, contact details of the data protection officer, purposes of data processing and their legal basis, recipient of personal data, intention to transfer to a third country, duration of storage, right of access, rectification, deletion, limitation, revocation and complaint to a regulatory authority?
  • Provision of personal data required by law or by contract?
  • Do you use profiling? If so, notification of logic and implications involved?
  • Is the data protection declaration easy to understand and easy to find at any time?

Privacy Patterns, Rights of the Data Subject

Right of Access by the Data Subject

by Waidelich, Lukas 11. August 2023

GDPR Requirements
The data subject has a right of access to the following information: Processing purposes, categories of personal data, recipients or categories of recipients (third countries, organizations), planned storage time, right of rectification and erasure, right of appeal, origin of the data if the personal data was not directly collected, automated decision making including profiling (Article 15, (1)), safeguards in the case of data transfer to a third country (Article 15 (2)), copies of the personal data (Article 15(3)).

Resulting Challenge
Data subjects can make use of a request for information. The person responsible must be able to answer this request in written or electronic form. In this case, the person responsible must use all reasonable means to verify the identity of the data subject seeking information. If there are reasonable reasons to doubt the identity, the person responsible may request additional information. If the data subject cannot be identified, the person responsible may refuse to provide the information.

Technical Solution Approach
To support this challenge technically, flexible interfaces are necessary, which make it possible to request data from the system. For example, Representational State Transfer (REST) interfaces or other interface solutions could be used to retrieve data from the system explicitly. Accordingly, standard queries must be defined that extract relevant information (see EU-GDPR specification) from the backend. The information must then be identified to the user in the front-end by means of text and, if necessary, images. If the user only wishes to obtain specific information, selection functions must be provided. Depending on the selection, only the corresponding information is provided.

Checklist:

  • Does the system provide a way to obtain information about a person and the data related to that person?
  • Does the system include mechanisms to authenticate clients (person) which request information?

Privacy Patterns, Rights of the Data Subject

Right to Rectification

by Waidelich, Lukas 11. August 2023

GDPR Requirements
The data subject has the right to obtain from the controller the rectification without delay of incomplete or inaccurate personal data concerning him or her (Article 16).

Resulting Challenge
The user must be able to request that his or her personal data be rectified or completed. In order to provide such a function, the system must have a flexible architecture. Data must be adaptable during operation. The processing, on the other hand, must be simple and quick.

Technical Solution Approach
For the processing of the data within the backend, interfaces must be provided that enable subsequent processing of the data. Microservices in combination with REST interfaces can be used for this purpose. Depending on the processing process, different interfaces can be provided to enable flexible (on-the-fly) data processing.

Checklist

  • Does the system support rectification of personal data?
  • Can data be changed specifically and separately?
  • Is changed data immediately available?

Privacy Patterns, Rights of the Data Subject

Right to Erasure

by Waidelich, Lukas 11. August 2023

GDPR Requirements
A user may request the deletion of personal data concerning him or her. The data controller is obliged to delete data if the request is justified (Article 17 (1 a-f)). This includes the revocation of consent. The request for deletion shall be forwarded to other affected data controllers as well (Article 17 (2)). Furthermore, some cases define exceptions to this rule (Article 17 (3)).

Resulting Challenge
The EU-GDPR requires a function to erase personal data. Accordingly, the user must be able to order the erasure of his data. It must be ensured that the deletion can be forwarded to other responsible parties.

Technical Solution Approach
Similar to the patterns Information Obligation / Right of Access by the Data Subject, an interface must be provided which enables the subsequent erasure of personal data. Data of individual persons must be retrievable and separately erasable. Subsequent reproduction of the data after deletion is not permitted.

Checklist

  • Does the system allow the erasure of user data and accounts?

Privacy Patterns, Rights of the Data Subject

Right to Restriction of Processing

by Waidelich, Lukas 11. August 2023

GDPR Requirements
Under certain conditions (Article 18 (1)), the data subject has the right to request limited data processing from the data processors.

Resulting Challenge
The following challenges can be derived from the three paragraphs of the article (Article 18):

  1. Each process must be isolated from the others so that the restriction has no impact on other processes.
  2. Restrictions applied to a process must not lead to the deletion of data. Hence, separation of data and processes must be applied as consistently as needed.
  3. The processing must be resuscitable.

Technical Solution Approach
A microservice architecture tailored to the specific use-case tackles all three challenges. In particular, the data service (usually a database) must be isolated from others. With the help of a fine-granular microservice architecture, processing components can be isolated from each other. This allows processing to be restricted. If it is not possible to implement a microservice architecture, it is advisable to encapsulate the processes using standardized interfaces (e.g. REST). Each processing component should have its own separate interface. Data is stored isolated in separate databases (Alpers et al. 2015). By means of user access control, restricted processing can be enacted.

Checklist

  • Is stopping of a single service free of side effects (for other services)?
  • Is each service component (process) encapsulated by an API?
  • Is the database independent of the services?
  • Can a service component (process) recover its previous state and continue processing as expected?
  • Is there a user access control to restrict processing?
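
The three challenges above, as an added example that is not part of the original pattern: each processing component carries its own restriction state, a restriction holds work back without deleting anything, and lifting it resumes the held-back work. The component names, the deferral queue and the sample data are assumptions made for illustration.

```python
class ProcessingComponent:
    """One isolated processing component with its own restriction state."""

    def __init__(self, name, handler):
        self.name = name
        self.handler = handler     # function(subject_id, record) -> result
        self.restricted = set()    # subjects whose processing is restricted here
        self.deferred = []         # (subject_id, record) held back, never deleted
        self.results = []

    def process(self, subject_id, record):
        """Process a record unless the subject is restricted for this component."""
        if subject_id in self.restricted:
            self.deferred.append((subject_id, record))
            return None
        result = self.handler(subject_id, record)
        self.results.append(result)
        return result

    def restrict(self, subject_id):
        self.restricted.add(subject_id)

    def lift_restriction(self, subject_id):
        """Resume processing: replay the work deferred for this subject, in order."""
        self.restricted.discard(subject_id)
        still_deferred, resumed = [], []
        for sid, record in self.deferred:
            if sid == subject_id:
                resumed.append(self.process(sid, record))
            else:
                still_deferred.append((sid, record))
        self.deferred = still_deferred
        return resumed


def demo():
    """Restrict one subject in one component and show the effect (constructed data)."""
    # Data service kept separate from the processing components.
    database = {"u1": {"email": "a@example.org"}, "u2": {"email": "b@example.org"}}
    mailer = ProcessingComponent("newsletter", lambda sid, rec: f"mail:{rec['email']}")
    billing = ProcessingComponent("billing", lambda sid, rec: f"invoice:{sid}")

    mailer.restrict("u1")          # applies to the newsletter component only
    for sid, rec in database.items():
        mailer.process(sid, rec)
        billing.process(sid, rec)

    during_restriction = list(mailer.results)
    resumed = mailer.lift_restriction("u1")
    return database, during_restriction, resumed, billing.results


if __name__ == "__main__":
    print(demo())
```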

The futureLAB blog is provided by Hochschule Pforzheim. All relevant legal information can be found on the website of Hochschule Pforzheim.

2022 © Pforzheim University of Applied Sciences

