The digitalisation of public administration is in full swing. The Online Access Act (OZG) obliges the federal, state and local authorities to provide all administrative services digitally. This also applies to social services that place special requirements on social data protection. In addition to the General Data Protection Regulation (GDPR), Sections 67 et seq. of the German Social Code (SGB X) contain special requirements for social welfare organisations.
Local authority decision-makers are faced with the challenge of creating digital services that are both citizen-friendly and legally compliant. How can an administration ensure that digital application systems and communication meet the high standards of social data protection?
The GDPR regulates general data protection in the European Union and takes precedence over the BDSG. Social data protection in accordance with SGB X, on the other hand, is specifically designed for social data that is particularly sensitive (e.g. health, income and benefit data). The most important differences are:

| Criterion | Social data protection (§§ 67 ff. SGB X) | GDPR |
| --- | --- | --- |
| Scope of application | Applies to social authorities and social organisations | Applies to all data processing bodies |
| Legal basis | Processing only with explicit legal basis or consent of the data subject | Processing possible in accordance with Art. 6 GDPR, also in the case of legitimate interest |
| Data security | Strict measures required in accordance with Sections 67a ff. of SGB X | Security measures in accordance with Art. 32 GDPR |
| Data transmission | Strongly regulated processing and purpose limitation | More flexible rules for disclosure |

While the GDPR formulates general data protection requirements, social data protection sets stricter requirements for the purpose limitation, security and transfer of data in certain areas. This has a direct impact on the digitalisation of administration.
Municipalities and social authorities that offer digital application procedures must ensure that technical and organisational measures meet the high data protection requirements.
If an external non-public body that processes data in any form is involved, the possibility of commissioning it is governed by Section 80 SGB X. First of all, this generally only constitutes processing of social data on behalf of a third party if the social security institution remains authorised to issue instructions to the third party.
Processing is only permitted if the data controller (social security organisation) may experience disruptions in its operations or if the transferred work can be carried out considerably more cost-effectively. If this is the case, a data processing contract with a precise description of services must be concluded and submitted to the legal or technical supervisory authority.
While Section 80 SGB X only regulates the "whether" of data processing, Art. 28 and 32 GDPR determine the "how". The processor must provide sufficient guarantees that the technical and organisational measures ensure GDPR-compliant processing. In this respect, the processor must demonstrate what it is doing to protect personal data.
Please note: Ultimately, the responsibility for processing in accordance with Section 80 SGB X remains with the client, i.e. the social security organisation.
If written form is required for a document, this can be replaced by a qualified electronic signature (qeS), e-mail inbox, etc. in accordance with Section 36a (2) SGB I. Due to the non-formal nature of the social administration procedure (Section 9 SGB X), written form is not required in many cases and usually only applies to the notification. In this case, an appropriate channel for communication that replaces the written form must be used or the decision must be sent in writing.
Any other communication between citizens and social security institutions, such as applications or enquiries, is not per se bound to a specific form. Nevertheless, it must be ensured that secure GDPR-compliant transmission takes place and that the necessary technical and organisational measures are observed.
Municipalities, federal states and institutions face a variety of challenges when implementing digital administrative processes. LeistungsLotse supports you with practical advice and customized solutions. If you need support with digital implementation, we are on hand with help and advice. Together we can create a modern and efficient administration!
The administration is faced with the major task of implementing digital processes that both facilitate access for citizens and fulfil the strict data protection requirements. Decision-makers in local authorities must ensure that
✅ the requirements of social data protection are met,
✅ data processors are carefully selected and
✅ communication is secure and citizen-friendly at the same time.
The digitalisation of public administration is an opportunity - but it requires well thought-out technical, organisational and legal solutions in order to reconcile compliance, efficiency and proximity to citizens.