Abdicability of TOMs - Note by HamBfDI of 18 February 2021


Data subjects can effectively consent to the downgrading of technical organisational measures affecting the processing of their personal data if this is done voluntarily (see HamBfDI note of 18 February 2021). However, the voluntary nature of consent is only given if the controller generally maintains the protective measures required under Art. 32 GDPR and makes them available to the data subject upon request without causing him or her any disadvantages.

The question of whether data subjects can effectively waive requirements for the security of processing required under data protection law by means of consent was already a matter of dispute under the old Section 9 of the BDSG and was often discussed using the example of the possibility of consenting to e-mail communication that was only encrypted in transit (in the case of transmission of particularly sensitive data or data subject to professional secrecy) or even unencrypted. The core issue is whether the data protection requirements are at the disposal of the data subject.

In the final analysis, the HamBfDI affirms this, even if it considers the considerations of those who argue against the disponibility of a minimum standard to be justified.

Abdicability of system data protection?

As an argument against the possibility of consenting to the reduction of security standards, it is argued that in order to establish a European minimum standard, which the GDPR wants to create, it is necessary not to undermine the requirements of Art. 32 GDPR through agreements with the data subjects. It is feared that system data protection will be reduced to a minimum level due to economic considerations if the users of offers with lock-in effects (e.g. social networks) are forced to give their consent - this would also contradict the requirements of privacy by default and privacy by design.    

Nevertheless, the Federal Office for Information Security believes that it is not acceptable to impose a level of protection on the data subject against his or her will and possibly to his or her disadvantage, which he or she expressly rejects. At the same time, the answer to the question of whether system data protection can be waived must be differentiated.

Distinction between data subject and responsible person necessary

For the controller or processor, Art. 32 GDPR is mandatory law and contains binding rules, as Art. 32 GDPR contains an obligation to implement appropriate measures and does not grant the controller or processor the power to decide whether to implement them.

The situation is different in relation to the data subject. The primary object of protection of the GDPR is the fundamental right to data protection (Article 8 of the GDPR). This is at the disposal of its bearer, i.e. the data subject. In an illustrative manner, the Federal Office for the Protection of Individuals with regard to Data Protection (HamBfDI) shows in a first right conclusion that the right of the data subject to consent to the publication of unflattering or sexualised recordings on the internet necessarily includes the right to choose an unsafe transmission channel for the transmission of such recordings. Whether such consent was in the interest of the individual or in the interest of data protection was irrelevant as long as the consent was voluntary. Thus, the protection measures for the processing of the data subject's own personal data could be waived.

Art. 32 GDPR primarily pursues the protection of the data subject, and secondarily the regulatory objective of creating a uniform level of data security in the processing of personal data. This secondary objective is also achieved if a waiver of certain measures by the data subject is allowed by the regulation imposing binding requirements on the controller to create an adequate standard of data security in general.

The HamBfDI also explains that nothing different results from Articles 6 and 7 of the GDPR. This is because these standards only restrict the data subject's fundamental unrestricted freedom of disposition with regard to the "whether" (by allowing the controller to process the data subject's personal data) and not with regard to the "how". In the absence of a provision on a limitation of the freedom of disposition on the "how", it remains unrestricted with regard to the "how".

Obligation to create Art. 32 GDPR-compliant data security standards

Article 25 of the GDPR imposes an obligation on the controller to take appropriate protective measures, irrespective of the specific processing, based on a standardised view of the processing carried out by the controller.

The central statement of the HamBfDI is that the data subject can only make a free decision about waiving compliance with the requirements of Art. 32 of the GDPR if the TOMs required under Art. 32 of the GDPR are at least provided by the controller:

"Therefore, a controller who carries out a processing operation that requires the transfer of sensitive data may not rely on the fact that he cannot in principle guarantee a secure transfer and obtain a blanket consent from the data subject. Rather, the data controller must already provide a secure form of transmission at the time of selecting the means of processing. This does not preclude the data subject from consenting, in relation to a specific processing operation concerning him or her, to the specific measure being carried out without the level of protection required under Article 32 GDPR, provided that the controller can in principle ensure it."

Requirements for consent

The consent would have to meet the requirements of Art. 7 analogous to the GDPR - HamBfDI arrives at an analogous application of the law, since the same standards would have to apply to the consent to the "how" of data processing as to the consent to the "whether" of consent (Art. 7 GDPR applies directly to the latter).

Existence of a safe alternative which must not be associated with unreasonable disadvantages

In particular, consent must be given voluntarily - this presupposes that the data subject has a reasonably safe alternative data processing option that is not associated with unreasonable disadvantages. Unreasonable could be, for example, an unreasonable extension of the processing time or the incurrence of processing costs.

However, unreasonableness can also result from the fact that data subjects are permanently forced to choose the more time-consuming and cost-intensive way of written communication due to printing and mailing costs, because no secure digital processing is possible. The responsible party must therefore ensure from the outset that, for a specifically defined and foreseeable period of time, options for secure digital processing are also opened up that are free of these disadvantages.

Our comment

The rejection of the paternalistic view that the data subject cannot effectively consent to the lowering of minimum data protection standards is convincing. The rejection of the paternalistic view that the data subject cannot effectively consent to the lowering of minimum data protection standards is convincing. Data protection law does not create a right to protect the data subject from himself or herself.

However, it is correct that the effectiveness of consent should leave the data subject with a genuine choice (e.g. secure transmission by post instead of transmission by unencrypted e-mail) and that he or she does not have to give de facto consent in order to use the service offered to him or her by the controller (no "eat or die" situation).

As a matter of principle, data controllers should take appropriate technical and organisational measures to avoid having to rely on their customers' consent to unencrypted communication in the first place, for example, with regard to communication by e-mail. Instead, secure ways should be created to make documents available to the customer (e.g. by setting up access-protected web portals).

Dr Christian Rabe

Dr Christian Rabe
Senior Associate
+49 40 18067 14946