10.4  GDPR and Governikus DATA Boreum

Introduction

The General Data Protection Regulation (GDPR) of the European Union regulates the protection of individual-related data and the rights of citizens with respect to their individual-related data. With Governikus DATA Boreum, Governikus KG provides software that processes individual-related data. The following description makes the corresponding statements for the functions of Governikus DATA Boreum.

Download and installation

While Governikus DATA Boreum is being downloaded, communication between the user's computer and the download server of Governikus KG is SSL encrypted. The IP address of the user's computer is saved in anonymised form in the download server's log by nullifying the last two of the four IP address blocks. Thus, tracing it back to the user is no longer possible.

No individual-related data is contained within the installation and program packages of Governikus DATA Boreum, neither in the online version (when called, program data is checked for being up to date and, if required, reloaded) nor in the offline version (when called, program data is loaded without checking whether it is up to date).

Certificates with individual-related data

Certificates can be used for signing files, for validating certificates and for validating signatures. These certificates may contain individual-related data. Certificates may contain the name of the certificate owner (Common Name = CN). Further individual-related data can be contained within certificates if the issuer or the certificate owner provided it. This also applies to pseudonyms in certificates, which therefore also count as individual-related data.

Using certificates that are issued for individuals is necessary for creating qualified electronic signatures. Without this data the signing function cannot be executed, hence the agreement of the individual involved to the processing of the individual-related data is implicitly presumed. The certificate issuer, which is the certificate authority, is responsible for privacy-compliant issuing and publishing of certificates.

Configuration of Governikus DATA Boreum

Configuration of Governikus DATA Boreum is saved in an XML file. By default, it is saved in the user's profile directory. The directory can be changed by the user:

·     Windows: The user's profile directory is here: C:\Users\<username>

·     Linux: The user's profile directory is here: /home/<username>

The configuration file is named boreum.xml. Apart from two exceptions, the configuration file does not contain individual-related data.

·     Validation: For validation requests, a connection to the Validation Service must be configured. The Validation Service signs its responses, which contain the validation result. For these signatures to be validated by Governikus DATA Boreum, the signature certificate of the Validation Service must be present in Governikus DATA Boreum's configuration. Usually, the signature certificate originates from an internal PKI. However, a signature certificate that may contain individual-related data can also be used.

Log files

Log files of Governikus DATA Boreum do not contain individual-related data. Certificates are stored in the log file neither while signing nor while validating.

Inspection sheet

The inspection sheet describes the result of a certificate validation or a signature validation. It contains individual-related data from the respective certificates. Without this data an inspection cannot be processed. The inspection sheet is saved to the same directory that contains the file whose certificate or signature has been inspected. Automated deletion is not initiated. The user of Governikus DATA Boreum is responsible for saving inspection sheets in a protected environment and for deleting them if keeping them is no longer necessary.

Data minimisation

Data minimisation is considered throughout the software design. As a basic principle, only data that is needed for the functionality of Governikus DATA Boreum is processed. No data is collected.

Protection of data against unauthorised third-party access

The user is responsible for saving certificates, inspection sheets and signed files. If the user follows the "recommendations for operating Governikus DATA Boreum" as explained in chapter 10.1, appropriate protection is achieved. Implementing these recommendations is the responsibility of the user and is thus outside the scope of Governikus KG.