Can a certification body become an IPS officer

How can websites be checked for data protection and data security?

Checking websites for data protection and data security from the user's point of view is the profile of our internet privacy standards. Internet portals - whether online shops, citizen portals, customer accounts or company presentations - can be checked with ips. ips is a nationwide valid standard that was developed with Peter Schaar, the former Federal Commissioner for Data Protection. The seal of approval is recommended by the Federal Ministry of Justice, consumer protection associations and numerous specialist journals. It is recognized as a test standard for data protection and IT security by numerous state data protection authorities. The ips criteria catalog is continuously adapted to the current legal situation and contains the essential requirements for online services from data protection, multimedia and consumer protection law. The quality criteria thus correspond to the highest audit approach of data protection supervisory authorities or auditors. The ips certificate is officially recognized by compliance with the D21 quality criteria for the award of trustworthy online shops (see www.internet-guetesiegel.de).

How is the website checked?

As an ips auditor, I check a website comprehensively, both legally and technically, and work together with the customer to achieve a positive audit result. As an option, I also check our customers' web servers for security gaps, so that our customers' services are optimally protected against data loss. As an auditor, I have to be an independent specialist: I am not allowed to advise companies whose web portals I audit, and I have no legal or personal connection with customers. The ips seal of approval is generally valid for 2 years.

During the corona pandemic, the ips seal of approval has proven itself particularly with providers of video conference portals, especially with the customer target group in the medical sector (doctors, hospitals, nursing homes, therapists, etc.).

This is primarily due to the special requirements placed on the technical procedures for video consultation hours [1]. We have identified these requirements as special criteria in the ips video consultation hour module.

In contrast to an on-site GDPR audit at the customer, during the ips audit I do not inspect documents or the customer's server rooms on site. Instead, I check all relevant criteria of the ips criteria catalog in exchange with the customer, using the URL to be audited and the customer information and documents received (e.g. ISO 27001 certificates for servers), and evaluate the results using a point scheme within the individual modules. In addition, I check technical aspects with numerous tools, such as the presence of sufficient website encryption or the use of cookies, tracking tools and other mechanisms in the background of a website. A technical expert checks the IT security requirements separately (e.g. whether data transmissions via chat functions or video transmissions are peer-to-peer encrypted (mostly: end-to-end encrypted)).
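The technical checks mentioned above (website encryption, cookies, tracking tools) can be scripted. The following Python is an added example and not part of the ips procedure or the author's tooling; it runs a few such checks over a constructed HTTP response (headers and HTML) instead of a live site: HSTS presence and max-age, the Secure/HttpOnly/SameSite attributes on Set-Cookie headers, and the hosts of embedded resources matched against a small constructed tracker list. The hostnames, cookie values, the tracker list and the one-year HSTS threshold are assumptions.

```python
"""Header, cookie and third-party-resource checks of the kind an auditor runs
against a web portal, over a constructed HTTP response (added example, not
ips tooling)."""
import re
from urllib.parse import urlparse

# Constructed sample: response headers and HTML body a portal might return.
OWN_HOST = "portal.example.de"
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "_ga=GA1.2.123456.789; Path=/; Max-Age=63072000"),
    ("Content-Security-Policy", "default-src 'self'"),
]
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=TAG-PLACEHOLDER"></script>
<script src="/static/app.js"></script>
<img src="https://portal.example.de/logo.png">
</head><body></body></html>"""

# Hostnames of commonly embedded third-party trackers (constructed shortlist).
TRACKER_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "connect.facebook.net",
}
MIN_HSTS_MAX_AGE = 31536000  # one year; assumed audit threshold


def parse_set_cookie(value):
    """Split a Set-Cookie header into (name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs


def check_cookie(name, attrs):
    """Flag cookies that can leak over plaintext, to scripts, or cross-site."""
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure (sent over http://)")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly (readable by scripts)")
    if "samesite" not in attrs:
        findings.append(f"cookie {name}: missing SameSite (sent cross-site)")
    return findings


def check_hsts(headers):
    """Require an HSTS header whose max-age meets the threshold."""
    for key, value in headers:
        if key.lower() == "strict-transport-security":
            match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
            if match and int(match.group(1)) >= MIN_HSTS_MAX_AGE:
                return []
            return [f"HSTS max-age below {MIN_HSTS_MAX_AGE}: {value}"]
    return ["no Strict-Transport-Security header"]


def check_embedded_resources(html, own_host):
    """Classify every src= URL as first-party, known tracker or other third party."""
    findings = []
    for url in re.findall(r'src="([^"]+)"', html):
        host = urlparse(url).hostname
        if host is None or host == own_host:
            continue  # relative URL or own host: first-party resource
        if host in TRACKER_HOSTS:
            findings.append(f"known tracker loaded from {host}")
        else:
            findings.append(f"third-party resource from {host} (review)")
    return findings


def audit_response(headers, html, own_host):
    """Run all checks and return the combined list of findings."""
    findings = check_hsts(headers)
    for key, value in headers:
        if key.lower() == "set-cookie":
            findings.extend(check_cookie(*parse_set_cookie(value)))
    findings.extend(check_embedded_resources(html, own_host))
    return findings


if __name__ == "__main__":
    for line in audit_response(SAMPLE_HEADERS, SAMPLE_HTML, OWN_HOST):
        print(line)
```

Run as a script, it prints the findings for the sample response; against a real portal the auditor would feed in the actual headers and HTML and extend the tracker list. The findings are indicative only: a missing HttpOnly on an analytics cookie is not a defect in itself, so each line still needs the auditor's judgement.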

What modules are there?

The following ips modules in the current version of the criteria catalog, which can be called up free of charge, are used for auditing:

  • Info retrieval (module M1)
  • Individual service (module M2)
  • Consumer protection (module M3)
  • Data protection management (module M4)
  • Requirements for the technical procedures for video consultation (module M5)

The criteria, the procedure and the modules can be found here.

The online offer must take various legal provisions into account. The provisions of the EU General Data Protection Regulation (GDPR) must be considered at the forefront. In particular, the regulations on the admissibility of data collection and processing according to Art. 6 and Art. 9 GDPR apply, as well as the data protection principles of Art. 5 GDPR. Furthermore, technical and organizational measures to protect the data must be assessed, as they result from Art. 32 GDPR. The respective offer must meet transparency and data minimization as well as the principles of privacy by design and privacy by default. Every customer provides a telemedia offer with a web portal so that the Telemedia Act (TMG) applies. The test criteria include, for example, the imprint obligation of § 5 TMG. If processes for distance selling or e-commerce (e.g. in the form of a shop) are involved, in addition to the data protection regulations, the regulations for distance selling, electronic business transactions, general terms and conditions in accordance with the German Civil Code (BGB) must be checked. The services "behind" the web portal (e.g. CRM systems, software, apps for smartphones / tablets) are not audited. ips is a "website seal".

Our customers have the option of commissioning a penetration test directly from us in order to implement the best possible security standards or to efficiently close security gaps. Our IT experts recognized by the BSI carry out the penetration test as a gray box test [2].

According to the judgment of the European Court of Justice (ECJ) of July 16, 2020 in case C-311/18 ("Schrems II"), the requirements for US sub-service providers, or those whose parent company is headquartered in the USA, acting as processors have grown enormously. The processing of data during a video consultation, including processing on behalf of a controller, may only be carried out in Germany, in a member state of the European Union, in a state treated as equivalent under Section 35 (7) of the First Book of the Social Code, or in a third country for which an adequacy decision under Article 45 of Regulation (EU) 2016/679 exists. The adequacy decision for data transfers to the USA (the so-called Privacy Shield) has been declared invalid, and standard contractual clauses must offer a level of protection equivalent to that in the EU. Under US law, in particular the US CLOUD Act (in force since the end of March 2018), US authorities may demand the release of data that US IT service providers or internet companies store abroad. Contrary to what its title suggests, the law is not specifically about cloud services: CLOUD stands for "Clarifying Lawful Overseas Use of Data Act". The law makes it irrelevant whether data is stored "in the cloud" or in a particular data center, at home or abroad. The CLOUD Act obliges US companies to disclose data even if the local law at the storage location prohibits this. That is the crux of the problem. The disclosure does not require an international mutual legal assistance agreement regulating such cases.

The ECJ has made it clear that, without additional guarantees or protective measures preventing data from being released or passed on to US authorities, a US service provider cannot offer an adequate level of protection. This has become a real problem for many providers of web portals, since in the past they readily used well-functioning IT services from Google, Amazon, Microsoft and other providers. For web portals that process health data, which belongs to the special categories of personal data under Art. 9 GDPR, and whose providers are also bound by patient confidentiality under criminal law, service providers from the USA are becoming an insurmountable hurdle to protecting data subjects.

Attempts by large companies to adapt their standard contractual clauses so that, when approached by US authorities, they refer the authority to the data subject and inform the data subject of the request are well-intentioned. However, they fail where the law prohibits companies from doing so.

The technical examination of video consultations shows me in practice that so-called "TURN servers" [3] are all too often located in the USA. A TURN server should therefore not store any data, but only forward it.

For this reason, the provider must ensure, and prove in the audit, that no personal (health) data can be stored, tapped or forwarded through the use of a TURN server.

In the end, as an independent auditor, I decide on the weighting of the ips modules individually, depending on the sensitivity of the collected and processed data and the total number of modules. If all criteria are met, the seal of approval can be awarded. If the criteria are not met, or only partially, I summarize this in a so-called "review protocol" and agree a deadline for rectification with my customers. If this deadline passes unused, the process ends with a negative audit report and no seal of approval. In the event of a positive outcome, there is a separation of personnel between the audit and the award of the seal: I submit my audit report to our registration office for a conclusiveness check. If the certification body agrees with my result, the seal of approval is awarded and my customers receive our report as a detailed test certificate, a certificate and our digital ips logo, which is to be placed on the tested websites. The logo then links to a brief report (on our website) about the results of my examination. I am also happy to provide the ips logo for marketing purposes at no additional cost when the seal of approval is issued.

[1] Section 291g paragraph 4 or 5 SGB V (Annex 31b to the federal shell contract for doctors or Annex 16 to the federal shell contract for dentists) between the National Association of Statutory Health Insurance Funds and the National Association of Statutory Health Insurance Physicians (KBV) or the National Association of Statutory Health Insurance Dentists (KZBV)

[2] A gray box test starts with the client providing login data, but without further information about the network structure or the hardware and software used. In addition to the vulnerability scan, conceptual weaknesses and logical errors in the processes of the software used are tested.

[3] TURN servers are almost always needed when encrypted traffic is exchanged between two peers that are not in the same local network (as in a video consultation between doctor and patient). So-called "symmetric NAT routers" (NAT: Network Address Translation), which protect the local network, mean that at least one client cannot be reached from outside for audio/video communication, because a direct socket connection between the clients is not possible. A "TURN server" is then required. The name stands for Traversal Using Relays around NAT, a protocol for relaying network traffic. It enables two clients to exchange data without a direct connection ("relay server"): it forwards the traffic between the peers despite the symmetric NAT router, effectively bypassing it.
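As an added example (not ips tooling or the author's code), the following Python parses the ICE candidates a browser lists in its WebRTC session description and flags relay (TURN) candidates whose address lies outside the relay networks the provider has declared. This is one way to check, for the requirement in the text that a video consultation is relayed only through approved TURN servers, whether any undeclared relay was offered to the session. The SDP fragment, the addresses and the declared network are constructed; the a=candidate syntax follows RFC 8839.

```python
"""Parse ICE candidates from a WebRTC session description and flag relay
(TURN) candidates outside the relay networks the provider has declared.
Added example, not ips tooling; addresses and networks are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed SDP fragment as a browser would offer it in a video consultation.
SAMPLE_SDP = """v=0
m=audio 9 UDP/TLS/RTP/SAVPF 111
a=candidate:1 1 udp 2122260223 192.168.1.10 51000 typ host generation 0
a=candidate:2 1 udp 1686052607 203.0.113.5 51000 typ srflx raddr 192.168.1.10 rport 51000
a=candidate:3 1 udp 41885439 198.51.100.20 3478 typ relay raddr 203.0.113.5 rport 51000
a=candidate:4 1 udp 41885183 192.0.2.77 3478 typ relay raddr 203.0.113.5 rport 51000
"""

# Relay networks the provider declares (and proves in the audit) to be
# operated in the EU; constructed for this example.
DECLARED_RELAY_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Candidate:
    foundation: str
    component: int
    transport: str
    priority: int
    address: str
    port: int
    cand_type: str  # host, srflx, prflx or relay


def parse_candidates(sdp):
    """Extract a=candidate lines (RFC 8839 syntax) into Candidate objects."""
    result = []
    for line in sdp.splitlines():
        if not line.startswith("a=candidate:"):
            continue
        fields = line[len("a=candidate:"):].split()
        # fields: foundation component transport priority address port "typ" type ...
        typ_index = fields.index("typ")
        result.append(Candidate(
            foundation=fields[0],
            component=int(fields[1]),
            transport=fields[2].lower(),
            priority=int(fields[3]),
            address=fields[4],
            port=int(fields[5]),
            cand_type=fields[typ_index + 1],
        ))
    return result


def relay_findings(candidates, declared_networks):
    """One finding per relay candidate whose address is not in a declared network."""
    findings = []
    for cand in candidates:
        if cand.cand_type != "relay":
            continue
        addr = ipaddress.ip_address(cand.address)
        if not any(addr in net for net in declared_networks):
            findings.append(
                f"relay candidate {cand.address}:{cand.port} outside declared relay networks"
            )
    return findings


def media_path_summary(candidates):
    """Count candidates by type, showing whether a direct path was offered at all."""
    summary = {}
    for cand in candidates:
        summary[cand.cand_type] = summary.get(cand.cand_type, 0) + 1
    return summary


if __name__ == "__main__":
    cands = parse_candidates(SAMPLE_SDP)
    print(media_path_summary(cands))
    for line in relay_findings(cands, DECLARED_RELAY_NETWORKS):
        print(line)
```

Candidates show which relays were offered, not which candidate pair the session actually selected; the selected pair comes from the connection's statistics (for example the browser's WebRTC internals page). The network allowlist also only verifies what the provider has declared, so it complements, rather than replaces, the documentary proof the audit requires for the relay's location and its no-storage configuration.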

Ilka Schaarschmidt || General | Seal of approval, internet privacy standards, ips