Allowing unsecure protocols/Storing unencrypted data
Allowing unsecure protocols and/or allowing the storage of unencrypted data negatively affects the security of data processing:
- Allowing unsecure protocols:
  If this option is selected and an insecure protocol (e.g. HTTP) is used, the transmission is not encrypted. Anyone with access to the transmission can read the data, unless the data is additionally encrypted (see point 2).
- Allowing the storage of unencrypted data:
  If this option is selected and a storage location profile without its own file encryption is used, the files are saved in plain text. Anyone with access to the files can read their contents.
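The following is an added example, not Audicon or SmartExporter code: a small configuration audit that applies the two rules above. A weak setting only counts as a finding when the option is enabled and the configured target actually uses a plaintext scheme or an unencrypted storage profile; file-level encryption in the storage profile lowers the transport finding (the "see point 2" cross-reference), and personal data raises its severity. The configuration keys (allow_unsecure_protocols, transfer_url, allow_unencrypted_storage, storage_profile.encrypts_files, contains_personal_data) are assumed names chosen for illustration, not the product's real settings.

```python
"""Audit an export configuration for the two weak settings described above.

Added example; this is not Audicon/SmartExporter code. The configuration
keys used here are assumed names chosen for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: which transport schemes are treated as encrypted vs. plaintext.
ENCRYPTED_SCHEMES = {"https", "sftp", "ftps"}
PLAINTEXT_SCHEMES = {"http", "ftp"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    code: str
    message: str


def _severity(personal_data: bool, mitigated: bool) -> str:
    """Personal data raises the stakes; file-level encryption lowers them."""
    if mitigated:
        return "low"
    return "high" if personal_data else "medium"


def assess_export_config(config: dict) -> list[Finding]:
    """Return one finding per weak setting that is both enabled and in use."""
    findings: list[Finding] = []
    personal = bool(config.get("contains_personal_data", False))
    profile = config.get("storage_profile", {})
    files_encrypted = bool(profile.get("encrypts_files", False))

    # Option 1: unencrypted transport. Only a problem when the option is on
    # AND the configured transfer target really uses a plaintext scheme.
    scheme = urlparse(config.get("transfer_url", "")).scheme.lower()
    if config.get("allow_unsecure_protocols") and scheme in PLAINTEXT_SCHEMES:
        note = (" (files are encrypted by the storage profile, which limits exposure)"
                if files_encrypted else "")
        findings.append(Finding(
            _severity(personal, mitigated=files_encrypted),
            "TRANSPORT_PLAINTEXT",
            f"transfer via {scheme} is unencrypted; anyone with access to the "
            "transmission can read the data" + note,
        ))
    elif scheme and scheme not in ENCRYPTED_SCHEMES | PLAINTEXT_SCHEMES:
        findings.append(Finding("medium", "TRANSPORT_UNKNOWN",
                                f"scheme '{scheme}' is not a known encrypted scheme; review it"))

    # Option 2: unencrypted storage. File encryption is the storage profile's
    # job; if it has none and the option permits it, files land in plain text.
    if config.get("allow_unencrypted_storage") and not files_encrypted:
        findings.append(Finding(
            _severity(personal, mitigated=False),
            "STORAGE_PLAINTEXT",
            "storage profile has no file encryption; anyone with access to the "
            "files can read their contents",
        ))
    return findings


def hardened(config: dict) -> dict:
    """Return a copy of the configuration with both permissive options off."""
    fixed = dict(config)
    fixed["allow_unsecure_protocols"] = False
    fixed["allow_unencrypted_storage"] = False
    return fixed


# Constructed sample: both permissive options on, plaintext HTTP target,
# storage profile without file encryption, export contains personal data.
WEAK_CONFIG = {
    "allow_unsecure_protocols": True,
    "transfer_url": "http://export.example.internal/upload",
    "allow_unencrypted_storage": True,
    "storage_profile": {"name": "local-share", "encrypts_files": False},
    "contains_personal_data": True,
}

if __name__ == "__main__":
    for f in assess_export_config(WEAK_CONFIG):
        print(f"[{f.severity}] {f.code}: {f.message}")
    print("after hardening:", assess_export_config(hardened(WEAK_CONFIG)))
```

Run against the constructed sample, the audit reports both settings as high severity because personal data is involved; switching the two options off clears both findings, and enabling file encryption in the storage profile downgrades the transport finding to low while removing the storage finding entirely.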
Impairing data security by choosing one or both of these options may therefore violate data protection regulations (such as the GDPR and other comparable and applicable country-specific data protection regulations, hereinafter "country-specific regulations"), especially where personal data (i.e. data relating to an identified or identifiable natural person) is affected.
Additionally, if one or both options are selected, confidential handling of the provided data is not guaranteed, and commercially relevant data could be read or processed by unauthorized persons.
According to the GDPR and, where applicable, other country-specific regulations, personal data must be processed in a way that ensures adequate security of that data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures (the so-called "integrity and confidentiality" principle).
According to the GDPR and, where applicable, other country-specific regulations, the person responsible and the processor must take appropriate technical and structural measures to ensure a level of protection appropriate to the level of risk. These measures include pseudonymization and encryption of personal data and the ability to ensure, on an ongoing basis, the confidentiality, integrity and resilience of the systems and services used for processing the data. The same may apply to commercially relevant data because of the confidentiality that must be maintained under applicable laws, regulations and agreements.
The SmartExporter user and especially the SAP® administrator, who defines the authorizations and settings in the SAP® system for the use of SmartExporter, are the responsible persons or at least the processors within the meaning of the GDPR and possibly other country-specific data protection regulations. As the provider of SmartExporter, Audicon is not covered by the GDPR’s scope of application, but hereby explicitly points out the data protection obligations of the user/processor under GDPR and potential other country-specific regulations.
Using unsecure protocols or storing unencrypted data does not comply with the security requirements of the GDPR when personal data is processed, unless measures are taken that restrict access to authorized persons only. Violations of data protection regulations such as the GDPR can lead not only to claims for damages but also to considerable fines. Furthermore, non-confidential handling of data can lead to claims for damages under the relevant laws and regulations, as well as under agreements concluded with third parties, where those provide for or require confidential handling of data (not only personal data but also commercially relevant data).
Copyright © 2022 Audicon GmbH. All rights reserved.