Privacy Principles

The EU General Data Protection Regulation requires CSSA to provide members and third parties with transparent information about the processing of their data. The processing of personal data is essential for the performance of statutory tasks and objectives of CSSA e.V. (cf. section 3 of the statutes). The following data protection regulations were therefore agreed by the CSSA General Assembly:

1 Membership data

CSSA processes all data necessary for the establishment, maintenance and billing of membership in the association. This includes

Such data is a prerequisite for membership in CSSA and the basis of the association’s work. The information is stored in the computer system of the CSSA Office and processed by administrative office staff, the Management Board and, if necessary, by additional officeholders. Personal data is protected from third-party access by suitable technical and organizational means.

CSSA only processes other member data and information if it is useful to promote the purpose of the association and if there is no indication that the data subject has a legitimate interest which outweighs the association’s interest in the data processing.

Personal data may be passed on to a data processor if it is necessary for public relations work, the provisioning of association-internal web pages, the organization of events, and for the association’s bookkeeping. In such a case, CSSA ensures, through appropriate data processing contracts, that the data is adequately protected and not used for other purposes.

2 Public relations work

To fulfil the statutory tasks and objectives of the association, the Management Board and the CSSA Office inform the interested public about the association’s tasks, activities, members and organizational structure on a public website (https://www.cssa.de). Following notification, sound and image recordings can be made of participants and speakers during events for the purposes of press and public relations work.

Separate consent from the members is not required either for the collection or the transmission or the disclosure of such data, unless a data subject objects and the interests or basic rights and fundamental freedoms of the data subject that require the protection of personal data outweigh this.

When a user uses the website, no personal data of the user is logged and no IP addresses are stored.

3 Passing on data

CSSA encourages collaboration among its members as well as their networking with other institutions and contacts from the field of IT security as part of numerous events, working groups and activities.

3.1. Association activities

The Management Board and CSSA Office therefore inform the members about events and results of the association's activities, in particular about the state of collaboration and the contributions of individual members.
For this purpose, personal data of members can be processed and disclosed within the association without their separate consent, unless a data subject objects and the interests or basic rights and fundamental freedoms of the data subject that require the protection of personal data outweigh this.

3.2. Member directories

Where association-internal directories of members are created, they will only contain data which the data subjects themselves provided for this purpose. Members of the Management and other members are provided with member directories only if knowledge of the respective specific member data is necessary to fulfil statutory purposes. The Management Board and the CSSA Office hand over such data of other members only if they are assured that the addresses will not be used for other purposes.

3.3. Internal collaboration platforms

The exchange of IT security-relevant information and data (e.g. descriptions of incidents and threats, indicators of compromise) is one of the essential statutory activities of CSSA. This is done within the association both face-to-face and via an electronic sharing platform. In addition, CSSA provides its members with additional information exchange platforms such as a documentation wiki, a secure data room and an electronic chat feature. In this context, personal data is protected from third-party access with suitable technical and organisational means. The structure and the security concept of the platforms are documented in the CSSA Office.

3.4. External collaborations

To promote networking and cooperation with relevant institutions and experts from the field of IT security, the Management Board and the CSSA Office can, if necessary, pass on contacts (name, function, other contact details) of members to external partners, unless the data subject objects and the interests or basic rights and fundamental freedoms of the data subject that require the protection of personal data outweigh this. Members will be informed when their contact details are passed on.

4 Processing data of third parties

In accordance with Art. 6 para. 1 lit. f) GDPR, the association also processes data of persons other than association members to fulfil its statutory objectives. This is necessary to protect the legitimate interests of the association and is done without separate consent, unless the interests or basic rights and fundamental freedoms of the data subject outweigh those of the association.

5 Archiving, blocking and deletion

In the event of a member’s resignation, expulsion or death, the member’s personal data is archived. In accordance with tax regulations, personal data of the resigning member relating to fund administration is retained for up to ten years from the date of the written confirmation of the resignation by the Management Board.

6 The legal basis of the data processing

At CSSA, the data is processed based on the statutory provisions laid out in Art. 6 para. 1 Lit. b) and f) GDPR to fulfil its statutory objectives and only in exceptional cases solely on the basis of the voluntary consent of the data subject.

7 The rights of data subjects

All persons affected by the data processing of CSSA have the right to obtain information about the relevant personal data. They can also request the correction of incorrect data. In certain circumstances, they also have the right to have the data deleted, the right to the restriction of the data processing and the right to data portability.

However, the processing of the data at CSSA is also carried out on the basis of the legal regulations of Art. 6 para. 1 Lit. b) and f) GDPR. The processing requires the voluntary consent within the meaning of Art. 6 para. 1 Lit. a) only in exceptional cases. The data subjects have the right to revoke consent for future processing only in these cases.

All persons affected by the data processing of CSSA also have the right to lodge a complaint with the supervisory authority for data protection if they are of the opinion that the processing of their personal data is unlawful. The address of the competent supervisory authority is: State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia, PO box 20 04 44, 40102 Düsseldorf.

8 The duties of the management board

The Management Board is authorized to take the precautions necessary for data protection in the association, in particular to draw up procedure logs for the association, appoint data protection officers, introduce forms for declarations of commitment and consent, or approve authorisation concepts.
If the Management Board has not appointed a data protection officer, questions can be addressed to the CSSA Office, and the rights of data subjects vis-à-vis CSSA are to be exercised by giving notice to the CSSA Office, CSSA e.V., Pariser Platz 6, 10117 Berlin.