Guidelines/Information on the use of external messenger services

… by organizational units of the TU Braunschweig (October 2020)

1 Preliminary remark

Commercial messenger services enjoy great popularity. They are cost-effective solutions, especially for calls abroad. However, their use is not without risks for information and IT security and from a data protection perspective.

2 Guideline

The TU Braunschweig expressly points out that the use of external messenger services may constitute a legal violation!

If possible, please use the TU Messenger (https://messenger.tu-braunschweig.de/).

If you communicate with external partners, make sure that no personal data is transmitted. The TU Braunschweig recommends

Although some messenger services now use end-to-end encryption, which means that message content cannot be read by anyone other than the sender and the recipient of the message, the storage and sharing of metadata and, in particular, access to the users’ contact lists are very problematic and raise data protection concerns.

With other messenger services, not only is there the problem of data collection, but chats are not encrypted by default and video calls in general are not encrypted, so that anyone with the right means can access message content. Especially when exchanging personal data, this represents a massive security gap and a breach of privacy. Furthermore, these messenger services do not explain in their privacy policies how this data is stored on servers (whether encrypted or not) and where the corresponding servers are located.

Other messenger services also place little value on data protection. End-to-end encryption is only available to a limited extent and the encryption must first be activated by the user.

If you are invited to a conversation on other messenger services by a third party, you must decide for yourself whether these products are sufficiently secure for the information and data you are sharing.

These data protection problems essentially arise when using messenger services:

  • The transmission of contacts from the user’s address book to messenger services.
  • The transfer of personal data to the USA.
  • The use of personal data by messenger services.
  • The transfer of the user’s data to other companies in the Group.

Therefore, the use of external messenger services on computers is prohibited if:

  1. They must meet specific safety requirements, for example because
     • the computers control technical systems,
     • the computers' software does not comply with the general security standards due to technical necessities, in accordance with the exceptions of the IT security guidelines of the TU Braunschweig (e.g. no current operating system updates, missing anti-virus software, continuous operation, deviations from password guidelines).
  2. Confidential data are processed on them, such as
     • personal data which are subject to the data protection laws, e.g. e-mail addresses,
     • examination documents,
     • confidential financial data,
     • sensitive research results.

3 Non-exhaustive list of messenger and communication services not to be used

  • AIM
  • Apple FaceTime
  • Apple iMessage
  • Facebook Messenger
  • Google Hangouts
  • Google Meet
  • QQ
  • Telegram
  • TikTok
  • Skype (the free version)
  • Snapchat
  • Viber
  • WeChat
  • WhatsApp
  • Yahoo Messenger
  • Discord
  • and many more!

4 Glossary

End-to-end encryption: If a chat is encrypted end-to-end, only the participants of that chat can access the content. If encryption has been reliably implemented, app operators cannot read and release the data. End-to-end encryption is also known as Peer-to-Peer (P2P) encryption.

5 Possible legal consequences of non-compliance

If a violation of the law occurs through the use of external messenger services, this can have serious consequences both for the TU Braunschweig and for the employee concerned:

5.1 Data protection law

The inherent risk of violating the GDPR (General Data Protection Regulation) rules when using external messenger services can become criminally relevant. In addition to the risk of reputational damage and liability for damages on the part of the TU Braunschweig under Art. 82 GDPR, high fines (50,000 € according to § 59 NDSG) are possible.

5.2 Criminal law

Violations of personal privacy and confidentiality (§§ 201 ff. StGB) and offenses in office are punishable under the StGB. With regard to the latter, there is in particular a criminal liability due to a (possibly negligently committed) betrayal of secrets within the meaning of § 353b StGB (fine or imprisonment of up to one year possible).

5.3 Patent law, copyright

In addition to possible criminal prosecution, infringements of patent rights may result in legal warnings, preliminary injunctions, actions for injunction and claims for damages (cf. §§ 139 ff. PatG). The same applies to copyright infringements (cf. § 97 UrhG, for example by disclosing the results of research by others).

5.4 Personnel law

If a ban on the use of certain messenger services has been imposed and is breached, the employees concerned may face warnings, claims for damages and, in the worst case, even dismissal.

5.5 Law on the protection of business secrets (GeschGehG)

In addition to claims for removal and injunctive relief, liability for damages to third parties is conceivable if the TU Braunschweig or its employees commit an infringement of the law in individual cases within the meaning of §§ 4, 10 GeschGehG.

However, the TU Braunschweig may not benefit from the protection of the new GeschGehG if the use of external messenger services is not prohibited in principle. According to § 2 No. 1 b) GeschGehG, a trade secret is information which is subject to appropriate secrecy measures by its rightful owner under the circumstances. If the use of external messenger services at the TU Braunschweig is possible without sanctions, it is questionable whether appropriate secrecy measures are in place.

If you have any further questions, please contact the data protection management (dsmgmt@tu-braunschweig.de).