When selecting an external service provider, care should be taken to ensure that the provider can demonstrate the required standards and certifications and adheres to the BSI guidelines on the procedure for IT forensic investigations. In these guidelines, the BSI also provides a definition of what exactly is meant by IT forensics: “IT forensics is the strictly methodical analysis of data on data storage devices and in computer networks to clarify incidents, taking into account the possibilities of strategic preparation, particularly from the perspective of the operator of an IT system within a company.”
Legal basis for the use of IT forensics within a company
The legal basis depends on the purpose of the IT forensic investigation. If the investigation involves an employee incident (e.g., theft of customer data, misuse of cash register or ERP systems to divert funds, etc.), the BDSG (German Federal Data Protection Act) is likely applicable. The GDPR also applies. Possible legal bases are presented below. However, since IT forensic investigations can vary greatly in terms of the data involved and their purpose, this must always be assessed on a case-by-case basis.
Detection of a crime
Section 26 (1) sentence 2 of the Federal Data Protection Act (BDSG) can be used to support the collection of employee data that is necessary to detect criminal offenses committed in the employment relationship.
For the purpose of detecting criminal offenses, personal data of employees may only be processed if documented factual evidence substantiates the suspicion that the data subject has committed a criminal offense in the employment relationship and the processing is necessary for detection. Furthermore, the employee’s legitimate interest in excluding the processing must not outweigh the employer’s legitimate interest; in particular, the nature and extent of the processing must not be disproportionate to the reason for it. A sufficient initial suspicion must be based on sufficiently concrete facts that go beyond “vague” indications, so that an IT forensic investigation “in the blue” (i.e., without concrete grounds) is inadmissible (cf. Gola, 2019, p. 389, para. 1746). A proportionality test must be conducted.
Breach of duty by an employee
If necessary, an IT forensic measure can be based on Section 26 (1) Sentence 1 of the Federal Data Protection Act (BDSG). Personal data of employees may be processed for the purposes of the employment relationship if this is necessary for its implementation. Therefore, if a measure is necessary because, for example, a breach of duty by an employee is suspected, Section 26 (1) Sentence 1 of the Federal Data Protection Act (BDSG) applies. It must be examined whether the measure is actually necessary or whether less restrictive means are available.
Processing of health data in the context of IT forensics
Health data may be processed pursuant to Section or defend civil law claims. Proportionality must also be observed here. The other legal bases of Article 9 (2) GDPR are unlikely to apply beyond this, or only in individual cases.
Forensic measures to ensure IT security
However, if personal data is processed purely for the purpose of ensuring IT security, the data processing should not take place in the employee context. Even if third-party data is involved, this does not constitute the processing of employee data. The relevant legal basis for the processing is the legitimate interest pursuant to Art. 6 (1) (f) GDPR. In individual cases, processing may take place pursuant to Art. 6 (1) (c) GDPR, provided there is a corresponding order or legal basis.
Transfer of data to police or other third parties
However, no other less restrictive means may be available. Interests worthy of protection must be weighed. However, if a criminal offense has been committed, the company’s interest is likely to prevail.