Digitalisation in administration - opportunity and challenge
The digitalisation of public administration is in full swing. The Online Access Act (OZG) obliges federal, state and local authorities to provide all administrative services digitally. This also applies to social services, which place special requirements on social data protection. In addition to the General Data Protection Regulation (GDPR), Sections 67 et seq. of the German Social Code, Book X (SGB X) contain special requirements for social security institutions.
Local authority decision-makers face the challenge of creating digital services that are both citizen-friendly and legally compliant. How can an administration ensure that its digital application systems and communication channels meet the high standards of social data protection?
Special features of social data protection compared to the GDPR
The GDPR regulates general data protection in the European Union and takes precedence over the German Federal Data Protection Act (BDSG). Social data protection under SGB X, on the other hand, is designed specifically for social data, which is particularly sensitive (e.g. health, income and benefit data). The most important differences are:

| Criterion | Social data protection (Sections 67 et seq. SGB X) | GDPR |
|---|---|---|
| Scope of application | Applies to social security institutions and social service providers | Applies to all bodies processing personal data |
| Legal basis | Processing only on an explicit legal basis or with the consent of the data subject | Processing permitted under Art. 6 GDPR, including on the basis of legitimate interest |
| Data security | Strict measures required under Sections 67a et seq. SGB X | Security measures under Art. 32 GDPR |
| Data transmission | Strictly regulated transfer and purpose limitation | More flexible rules for disclosure |
While the GDPR formulates general data protection requirements, social data protection imposes stricter requirements on purpose limitation, security and the transfer of data in certain areas. This has a direct impact on the digitalisation of administration.
Requirements for digital systems in social administration
Municipalities and social security institutions that offer digital application procedures must ensure that their technical and organisational measures meet these high data protection requirements.
a) Processing social data on behalf of others
If an external non-public body is involved that processes social data in any form, whether it may be commissioned at all is governed by Section 80 SGB X. First, commissioned processing of social data only exists where the social security institution retains the authority to issue instructions to the third party; without that authority, the third party is not a processor but an independent recipient of the data.
Commissioning a non-public body is only permitted if the controller (the social security institution) would otherwise suffer disruptions in its operations, or if the transferred work can be carried out considerably more cost-effectively. If one of these conditions is met, a data processing contract with a precise description of the services must be concluded and submitted to the competent legal or technical supervisory authority.
b) Data security
While Section 80 SGB X only regulates the "whether" of commissioned processing, Art. 28 and Art. 32 GDPR determine the "how". The processor must provide sufficient guarantees that its technical and organisational measures ensure GDPR-compliant processing, and it must be able to demonstrate what it does to protect the personal data entrusted to it.
Please note: the responsibility for processing under Section 80 SGB X ultimately remains with the commissioning body, i.e. the social security institution.
Requirements for digital communication between citizens and authorities
Where written form is prescribed for a document, it can be replaced by a qualified electronic signature (QES) or another secure electronic procedure recognised under Section 36a (2) SGB I. Because the social administration procedure is not bound to a particular form (Section 9 SGB X), written form is not required in many cases and usually applies only to the administrative decision (notice). For such decisions, either a communication channel that validly replaces the written form must be used, or the decision must be sent in writing.
All other communication between citizens and social security institutions, such as applications or enquiries, is not per se bound to a specific form. Nevertheless, the transmission must be secure and GDPR-compliant, and the technical and organisational measures required by Art. 32 GDPR must be observed; in practice this means, for example, that unencrypted e-mail is not a suitable channel for social data.