German data protection: Standardized test for messengers in preparation
Data protection authorities want to check the visible parts of messengers. New criteria should help with this. How good are these guidelines?
Data protection aspects of the visible parts of messenger services should be monitored using standardized test methods, says the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, BfDI). To this end, the office has drawn up a catalog of test criteria for messenger front-ends, which has been open for public consultation since Thursday for a period of three months. Anyone can comment on the details.
It contains mandatory, recommended and optional requirements for GDPR-compliant messenger front-ends (and, where applicable, their compliance with the European Electronic Communications Code (Europäischer Kodex für die elektronische Kommunikation, EKEK)). The catalog is primarily intended to support data protection authorities in their work, but it may well also help companies to review and improve their offerings.
260 pages full of details
The document is detailed and over 260 pages long. Its structure largely follows that of the GDPR (General Data Protection Regulation). In some cases, requirements for the backend are also included, especially as the backend cannot always be meaningfully separated from the front-end. However, the focus is explicitly on checking messenger front-ends.
The terms MUST, SHOULD and CAN in the catalog are based on the definitions from RFC 2119. MUST is essential for compliance with the GDPR. This also applies to SHOULD, although exceptions are conceivable in justified cases. CAN criteria are advisable for good data protection design, but their absence does not undermine the minimum requirements of the GDPR.
The catalog was mainly developed by Professor Mathieu Cunche from the French Institute of Applied Sciences in Lyon (INSA Lyon) and the BfDI department. The Federal Data Protection Commissioner will only accept comments as part of the consultation in the form of a PDF form sent by email by 15 November 2024 at the latest. Both specialist users and "civil society" are expressly invited to comment on the test catalog.
(ds)