2.11 General Data Protection Regulation

Compliance of an organization with the European Union's General Data Protection Regulation (GDPR) can only be ensured by the implementation of both appropriate technical and organizational measures.

For an organization participating in an IDS based ecosystem, the necessary technical measures for compliance with GDPR are provided by the software by which the IDS-RAM is implemented. However, responsibility and accountability with respect to GDPR compliance remains on the side of the organization itself. This means that the organization has to implement adequate organizational measures for the protection of personal data. This set of measures may be set up on the basis of a risk assessment regarding personal data (processing) and -- if the risk level exceeds a certain threshold -- a data protection impact assessment.

Consequently, the organizations participating and their data processing within an IDS-based ecosystem have to be considered for GDPR compliance. Therefore, it cannot be said in general that IDS-RAM compliance leads to GDPR compliance. Instead, the role of IDS with regard to GDPR compliance is to support the participating organization in the implementation of technical measures and offer advice regarding the implementation of organizational measures. As a result, the IDS participant is enabled to implement appropriate measures for GDPR-compliant processing and transfer of personal data within the scope of the IDS technology and related features (see also: GDPR-related Requirements and Recommendations for the IDS Reference Architecture Model.

Last updated

© 2016 – 2024 | All Rights Reserved | International Data Spaces Association