This year had a data protection fail. Personally, raise your hands. Any data protection fails in the audience? I can see, as an interpreter, I can see 10 hands. Maybe, to be honest, who knows someone who has had a personal data fail? Yeah, many more hands raised. And for whom of you were close relatives affected? I know your pain. I'm completely happy that I can introduce Alvar Freude and Stefan Brink to you with the GDPR fail show about GDPR, but also about freedom of information, and hopefully a very entertaining 90-minute show. An applause for these two, please. Hi. We can't see much from here. Yeah, a very nice evening to you. We'll simply start with something to loosen up, and we'll see if our technology works at the same time. GDPR, privacy by design, data protection impact assessment, technical and organizational measures. I hate paper, red tape. Data, oh dear. Data, I hate data so much, and ordering. I hate that even more, filing and all that. It's about personal data: name, email, account number, perhaps where they live, but also age, size, and weight, and the tax number are under protection obligations. Data, yeah, data. We have to protect the data. Data is not a little thing. First, take the effort, then reap the rewards. Protecting data from all these hackers and spies and all that nonsense that happens if you use the same password for several services and leave your laptop open and lying around, or lose that paper with all the passwords on it. Data, oh yeah, data. We must protect the data, all the data. We have to maintain them, and order them, file them, file them, file them. Data, yeah, data. I love data so much. We have to maintain them. Look after them, then they are much more useful. All right, now to the foundations, the fundamentals of the GDPR and the German Data Protection Act. You have to know what you have and why and prove that they are safe.
That's why the EU had seven principles that they came up with, according to which you record and transmit and establish your protection measures, and these are fairness, purpose, minimization, correctness, limitation of storage, integrity, and accountability. And that's what you need for your privacy statement. Data, oh yeah, data. You have to protect the data. Yeah, the data. We have to maintain it and file it. We have to file it, file it, file it. Data, oh yeah, data. I love data so much. We have to maintain it and look after it, then they are much more useful. In case we don't understand something, have a hard time interpreting the law, Data Protection Commissioners will help us. It's free of costs. Data, oh yeah, data. We have to protect the data. So what does that mean for you in life? I promise that I'll take as much care as I can. And then I can finally go back to my work. Data, oh yeah, data. I love data so much. We have to maintain it and look after it, then they are much more useful. And finally, remember your processing manual and your privacy statement. And then we can start. OK, OK. Right, and then we start. So we'll start. How do we start, Alvar? Well, GDPR or FAILs, we'll just get some victims from the audience, which will help us get the most difficult rules in the GDPR, and get to grips with them somehow, right? OK, good idea. We have four chairs. OK, I see lots of volunteers. I'm looking for four of them. Right, wow. I still don't see a lot. One person showing up, someone shouted out. In the back there, that's the second one. Get onto the stage. We need two more. OK, the third one there. Right, the last one, last candidate. Hello. OK, that looks good. OK, you choose a color, there's Andreas. Sit down, please, welcome. Stefan, hi. Jonas, hi. Olli, great. So do sit down. Of course, I didn't remember all the names. Andreas, Jonas, Katrin, and Olli. Olli. OK, I don't know if I'll be able to remember this. 
Well, but these are all personal data, and these people have all invented pseudonyms, obviously. And each of you will get a sheet. Yes. You know all the big prizes, don't you? Or do you know the big prize? No one knows the big prize. That's a good proposition, a very good proposition. That's very good. Or I haven't made it yet, to cut in rubber and wendeline. Yes, something like that. And the tentacle is also missing. Yes, there's something like that. OK. We have a lot of exciting questions for you. We've come up with some very interesting questions for all of you, and you all have the same chance to win. You'll be taken through two rounds, and the best two will then get into the final. And that was it, basically. The rest will explain itself. So shall we start? We still need four other candidates. Four more volunteers, please. But you stay on stage. But you should be able to do some limited amount of maths because we need people that can calculate from the first row. Because these people need to tally up the points because I didn't manage to get this kind of elaborate task program, which is tallying up the points. We'll just get some people from the first row. They can all calculate and come in quite sure of that. They look that way. So who would like to count points for Andreas? Yeah, you two belong together. But you are not biased. You're not related to Andreas or anything. OK, so you'll count his points. That's not an easy feat. Because there will be many points, but you will manage. And sometimes candidates will fall back to zero, but they can catch up again. To be a Jonas, another pseudonym, who will count Jonas's points? You can call me Musli as well. Do we have someone? OK, please speak into the microphone. Second volunteer for counting Jonas's points. You just have to count. Come on. Great. So you'll count Musli. And you can whatever. Well, please do not travel the points. Triple the points. But who will count for Katrin? 
Fairly, cleanly, and observantly, and doubly. No, someone over there, perhaps, they're all looking away now, and we'll just point to someone, that would be mean, though. But as an advantage, these people will have to stay until the end. So we'll have four people in the audience at least. OK, you two belong together. I'm going to tell you what you have to count up and you remember the points. And who will do this for Olli? And that way we'll get the 90 minutes failed as well. No one over there. You two belong together. You'll count for Olli. Don't cheat. And you'll all start with zero. You can all remember that. And then we will start with round one. We'll start with the very easy tasks. There's always going to be four options, four choices. And you have papers, sheets that you will hold up with the letters A to D. But the others should not see which letter you will choose, just be secretive. OK, we'll start easy, Alvar. Who, what does data protection protect? What do you think? A, data? Is it data that's protected? Or B, security of data? Against. C, what is protected? C, A data? B, security of data? C, the offenders? Or D, self-determination about personal information? Could you repeat the question, please? Ah, what we forgot to say, each of these four has an audience joker. Well, no, I didn't forget that. That's only in round two. So if I understood correctly, if you ask about protecting against, is it protecting of what? So what does data protection protect? Data, security of data, offenders, or self-determination about personal information? Toot. Beep. Very nice. Beautiful. These sheets are maximally transparent. And the correct answer, of course, is D, which means 23 points for Andreas. Müsli will go without. Katrin, 23, and Olli, 23. You'll all remember that. So three times 23. OK. Second question, since when do we have data protection laws? Maybe since May 2018, maybe since 1995, maybe since May 1949, or maybe since 1970.
So A, May 2018, B, 1995, C, May 1949, and D, 1970. Since when do we have data protection laws? Decide now. This is less spread. Great. I don't have to count it down at all. It's very simple. We'll start simply. We'll solve some of that. May 2018, yes, there was a data protection law, the GDPR. But of course, that was not the first one by far. In 1995, there was the data protection directive at the EU level. Quite old, but not old enough. May 1949 was the Basic Law, the German constitution. 1970, that was in fact when the first data protection law was passed in the German federal state of Hesse. So zero for Müsli. Didn't he have, you know, he had to see. Oh. Katrin, 23 to you. I don't know if it's 23 plus 23. If you can calculate that, but try. And over there, no points. Next round, Alvar, come on. Next round. Who is the father of the GDPR? That's going to be very difficult. Who is the father of the GDPR? First, is that Jan Philip Albrecht? B, oh, we have a problem now. Is it Jan Philipp Albrecht? Slightly different spelling there. C, is it Jan-Philipp Albrecht? Or D, is it Horst Seehofer, the current interior minister in Germany? OK, they're all looking at the spelling varieties of Jan Philipp Albrecht's name. You're completely correct to take a look there. You can all decipher this, can you? So you see the difference, don't you? Between A and B, there's another P coming. Between B and C, there's a hyphen added. Or D, Horst Seehofer. If you choose D, it's going to be very simple for you. Right, now, try your luck. C, Olli, come on. Oh, wonderful, you've finished, Andreas. Zero points for Andreas. A, wrong, zero points. Katrin, wrong, zero points. And Olli got it right. B is correct. Jan Philipp Albrecht does not have a hyphen in his name, but two P's at the end of Philipp. Olli, how long have you been training secretly? Not long at all. Next question, great. Where does the number 23 come from? Where does the number 23 come from? Good question.
Who can explain the number 23, question to the audience? Who got that idea and where from? Before we just embarrass ourselves completely and try to tell the story ourselves, who wants to tell the story? Oh, that's right. I think he would like to... He didn't want to tell, so why should they tell the tale? I have no idea at all. Come on, please tell. We'll just insert Google Tron and 23. Before we say something that's wrong. Okay, next question. Which important principle has Alvar learned when he started working at the data protection office from the lawyers? A, the principle: lawyers, legal people are always right. B, it depends. C, well, surely it's in the law. Just look it up. Or D, we are God. Okay, the question, which important principle has Alvar learned from the legal people? A, the legal people are always right. B, it depends. C, well, it's there in the law. Or D, we are God. And from now on, I will follow a strategy. Ah, a tactic. So we have one B. Andreas, 23 points to you. Maybe you should fold it up so that it cannot be seen through the sheets. Müsli, well, it doesn't have. Müsli, the zero points. Katrin, 23 points. Right, it's correct. And Olli, again, correct again. What is the correct solution? Can you see? B, very good. Alvar, next round. Okay, Alvar, next round. Ah, now it's good. Which of the following cipher suites should you select? Should you choose? Where's that coming from on that screen? There seemed the last question, the previous question. Which of the following cipher suites should you select? TLS_ECDH_ECDSA_WITH_RC4_128_SHA. That's A. Or B, TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA. Or C, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256. Or D, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384. So, maybe you should take a quick look. Exactly, here's the monitor. A lot of luck with that. Without the monitor, it would be easier. Without the monitor, it would be easier. Okay. Have you made your choice? Let's see your letters. Cool. Olli, I can't see. Show it to me, please.
You've got C. That's correct. 23 points for Katrin. No points for Müsli and Andreas. Please resolve. Why? Okay, you just guessed. Why? The rest is just bollocks. The rest just makes sense. Exactly. I could just remember the last digits and that would be nice. These are all existing cipher suites. Not in my world. Alvar claims that they're all real. No, it's been broken, RC4. B, we don't want as well. C and D don't look that bad. D you could use in an emergency if you can't use perfect forward secrecy. If you log the data and years later you get the key, it's going to be broken. C's encryption is a tiny bit weaker, but it has perfect forward secrecy. So that's better. Nobody objects. Wrong direction. Again, wrong direction. This is the correct direction. Who is juristically responsible? Legally responsible. A, the manufacturer. B, the organization. C, the administrator. D, the data protection official. We have a story. We can tell it. This software is known for... An office wants to use a software which has data leaks to somewhere. Some call it telemetry. And somebody says... That's not allowed. And who is responsible? The responsible oversight agency says that is not allowed. Now, where does the agency turn to? Whom does the agency turn to? Who is responsible? Have you all chosen something? I'm breaking out of my strategy to choose only A. That seems to be a good strategy. I'm stopping my strategy to select only A. And there is... Answer B is correct. Whoever decides what to use is responsible. The organization, for example a company. If you have to use a software which does strange things, doesn't have proper data, if you have to use it as admin, you have to make sure that it's correct. If you as a data controller use software, you are responsible. The first round is done. This round is up. Let's see what the points are. 92 points for Andreas. Worth an applause. Müsli, that can't be much less. Müsli, not much less. 23 points for Müsli.
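The cipher-suite question above boils down to three checks that can be automated: is the symmetric cipher broken (RC4), is the suite export grade, and does the key exchange give perfect forward secrecy (ephemeral DH or ECDH). The following Python script is an added example and not part of the show; it parses the four IANA suite names from the quiz and ranks them by those checks. The rating rules are a simplified policy written for this example, not any standard's, and the parser only understands the classic `TLS_<kx>_WITH_<cipher>_<mac>` naming, not TLS 1.3 suite names.

```python
"""Rank TLS cipher-suite names by the criteria discussed in the show:
broken cipher (RC4), export-grade key length, and forward secrecy.
Added example; the four suites are the ones read out on stage, the
policy below is a simplified one written for this demonstration."""
import re

# The four suites from the quiz question (IANA names), A to D.
QUIZ_SUITES = [
    "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",        # A
    "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",   # B
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",    # C
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",   # D
]

# Classic (pre-TLS-1.3) naming: TLS_<key exchange>_WITH_<cipher>_<mac>.
_NAME = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>[A-Z0-9_]+)_(?P<mac>SHA\d*|MD5)$"
)


def parse_suite(name: str) -> dict:
    """Split an IANA cipher-suite name into key exchange, cipher and MAC."""
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher-suite name: {name}")
    kx_parts = m.group("kx").split("_")
    return {
        "name": name,
        "kx": kx_parts[0],                # DH, DHE, ECDH, ECDHE, RSA, ...
        "export": "EXPORT" in kx_parts,   # export-grade (40/56-bit) keys
        "cipher": m.group("cipher"),      # e.g. AES_128_CBC, RC4_128, DES40_CBC
        "mac": m.group("mac"),            # SHA, SHA256, SHA384, MD5
    }


def assess_suite(name: str) -> dict:
    """Apply the show's criteria to one suite and return a verdict."""
    s = parse_suite(name)
    problems = []
    if s["cipher"].startswith("RC4"):
        problems.append("RC4 is broken")
    if s["export"]:
        problems.append("export-grade key length")
    if s["cipher"].startswith("DES"):
        problems.append("single DES is too weak")
    if s["mac"] == "MD5":
        problems.append("MD5 MAC")
    # Only ephemeral Diffie-Hellman gives perfect forward secrecy; with a
    # static key exchange a logged session can be decrypted years later if
    # the server's long-term key is ever obtained.
    forward_secrecy = s["kx"] in ("DHE", "ECDHE")
    if problems:
        verdict = "reject"
    elif forward_secrecy:
        verdict = "preferred"
    else:
        verdict = "fallback only (no forward secrecy)"
    return {
        "name": name,
        "verdict": verdict,
        "forward_secrecy": forward_secrecy,
        "problems": problems,
    }


_ORDER = {"preferred": 0, "fallback only (no forward secrecy)": 1, "reject": 2}


def rank_suites(names) -> list:
    """Assessments sorted best-first; the first entry is the one to pick."""
    return sorted((assess_suite(n) for n in names), key=lambda a: _ORDER[a["verdict"]])


if __name__ == "__main__":
    for a in rank_suites(QUIZ_SUITES):
        print(f"{a['verdict']:38} {a['name']}  {'; '.join(a['problems'])}")
```

Run as a script it lists C first (forward secrecy, no weaknesses), D second (usable only as a fallback), and rejects A and B, which matches the resolution given on stage.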
Who counted for Katrin? 125 points for Katrin. Müsli, how much? Yes, of course. All you get the 50 Euro later. The insecurities in communication. How many points? Well... The audience member said 125, but that's not a multiple of 23, so it was corrected to 115, and the 50 Euro fee will be handed over later. Okay, so now there's going to be a jeopardy-style panel to select question form, data fails, fake news, hacker information, freedom of information and question mark other categories, and there are different values, of course, to choose from. And if you lose your category, then you'll be... You're having a hard time. There are certain risk fields hidden here where you have to gamble a certain amount of points. And there are a few jokers in there and a few surprises that we will just not mention at this point. Katrin. And there is risk hidden, and that means that the number that's shown here does not apply, you select which... how many of your points you want to gamble. Now, those that get it wrong will be taken down, but due to the great counting method of your calculator you're in front, so you choose. So is the audience joker now active? Yes, one time you can ask the audience if you don't know. And those who've turned it can also pass on the turn to whoever shows up first. Okay, I see. So you can always pass without losing points, but if you show up and get the wrong answer when the question is passed, then you will lose points. And what do we do if no one is showing up? Okay, we'll see. Katrin, you go. Data failed 64. Okay, let's see if your construction works. Yes. This is a question that you will read out. Okay. Hashing and personal relation. Let's imagine an enterprise is building some telephony app and records email addresses and phone numbers and says, these are not personal data because we've hashed them with SHA 256. 
Now the question: are these data anonymous or personal, and why? Those hashed data, for whom: for the authority that is sending the data, or the organization that receives them, for the processor of those data. So the company that has calculated the hash, all that's left is the hash. I don't know if this is going to be a hint. First you'll have to say, do you accept the question or are you going to pass? I'm going to accept the question. Jonas, is this an exclusive or an inclusive or? That can be important. Well, you always have to remember he plays against you. Yeah, yeah. So now would be the moment for you to answer the question. Well, we just talked about the SHA-256 hashes and said that it's actually a one-way road, there's no way back. So in that regard, you can't get back to the phone numbers from the hash. That's what you said when we had this other question. Did I say that hashes cannot be reversed? So you say it's anonymous? No, that's why I'm asking for whom, and for whom is it anonymous? Because the company that calculates the hashes may still have the key for that lying around and could reverse it. Are there keys with hashes? There are no keys. I was thinking of cryptography. They're not salted and not peppered either. I have been debating with many people whether a hash is still personal or anonymous. And my belief is that it's anonymous, but there are always two different opinions. So you decide. It depends. The answer is it depends and we will exclude the interior minister. So the question is, is this data anonymous or personal, and why? And that irritates me, this "and why?" Because I would say anonymous, but the "and why" would only make sense if personal would be the right answer. No. Is it a trap? Well, personally I believe that hashes of this quality are anonymous data. How quickly will you calculate 10 million hashes back into a phone number? One hour was the case with SHA-256. How many phone numbers do we have in Germany?
It's not so many. 100 million, a billion maybe. So a few seconds you will need. So sadly, no, that's wrong. Just simply by brute force you can try out the hash for all the phone numbers and once you hit it, you have the right number. It's a bit more difficult with passwords, but a simple example, and that has been subject to a court decision. Maybe you've heard about Facebook Custom Audiences, where you can transfer hashes of email addresses to Facebook, and the colleagues in the area prohibited local companies to supply Facebook audiences with email lists and transmit that to Facebook. What is it used for? It's used by Facebook to then match which people are registered with the same email address. So in effect, the company will give the information to Facebook that this person is our customer. Whether it's by hash or by direct email address doesn't really matter at all, because Facebook can always use the email addresses of the customers they know about and calculate the same hash, and that's why these companies were prohibited, and the Bavarian Administrative Court, the highest administrative court in Bavaria in Munich, did confirm this decision. So hashes of email addresses and phone numbers are personal data. Okay, let's go a bit slower. So 64 points down, that's the difference between plus and minus. Do you know about it? From the 125, right? Well, let's move on, the next round. What is left? I think it's Andreas now, you choose. Okay, I'll use information 23, anonymous application. So we're in the area of freedom of information, so it's going to be the reverse game. It's not about what the state knows about us, registers of our data, but what we want to know from the state. So we ask about data and ask the authorities to hand out data. The question is, can I submit such an application anonymously? Can I submit it in a way that the authority does not know who is applying, and do they still have to process the application? Andreas, what do you think?
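The argument just made, that a bare SHA-256 hash of a phone number is still personal data because the whole number space can be hashed and matched, can be made measurable. The Python below is an added example and not from the show: it builds a constructed toy numbering plan, hashes a few customer numbers the way the company in the question did, and reports how many of them a receiver holding only the hashes can re-identify. The keyed-hash (HMAC) variant shows the "pepper" mentioned on stage: it blocks re-identification by anyone who lacks the key, but for the company that holds the key the data remain personal, which is exactly the "for whom" point the question raises. `PREFIX`, `SECRET_KEY` and `CUSTOMERS` are constructed values, not real ones.

```python
"""Does SHA-256 hashing anonymise phone numbers? Added example, not from
the show. Measures re-identification over a constructed toy number space."""
import hashlib
import hmac

# Constructed toy numbering plan: a fixed prefix plus 5 subscriber digits,
# i.e. 100,000 candidate numbers. Real plans are larger but still finite,
# which is the whole point of the argument.
PREFIX = "+4912"          # constructed, not a real prefix
SUBSCRIBER_DIGITS = 5

# Constructed customer numbers and a constructed secret key ("pepper").
CUSTOMERS = ["+491200042", "+491273199", "+491299999"]
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def plain_hash(number: str) -> str:
    """What the company in the question did: bare SHA-256 of the number."""
    return hashlib.sha256(number.encode()).hexdigest()


def keyed_hash(number: str, key: bytes = SECRET_KEY) -> str:
    """HMAC-SHA-256 with a secret key held only by the sender."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def enumerate_numbers():
    """Every number the toy plan can contain."""
    for n in range(10 ** SUBSCRIBER_DIGITS):
        yield f"{PREFIX}{n:0{SUBSCRIBER_DIGITS}d}"


def reidentify(hashes, hash_fn) -> dict:
    """Match the given hashes against the hash of every candidate number.

    This is all a receiver of "anonymised" hashes needs to do when the
    hash function has no secret input. Returns {hash: number} for every
    hash that was found."""
    wanted = set(hashes)
    found = {}
    for number in enumerate_numbers():
        h = hash_fn(number)
        if h in wanted:
            found[h] = number
            if len(found) == len(wanted):
                break
    return found


def reidentification_rate(hashes, hash_fn) -> float:
    """Fraction of the hashes that hash_fn lets the holder recover."""
    return len(reidentify(hashes, hash_fn)) / len(hashes)


if __name__ == "__main__":
    plain = [plain_hash(c) for c in CUSTOMERS]
    keyed = [keyed_hash(c) for c in CUSTOMERS]
    # Receiver of bare SHA-256 hashes: recovers every number.
    print("SHA-256, receiver:", reidentification_rate(plain, plain_hash))
    # Receiver of keyed hashes without the key: recovers nothing.
    print("HMAC, receiver without key:", reidentification_rate(keyed, plain_hash))
    # The sender still holds the key, so for the sender the data stay personal.
    print("HMAC, sender with key:", reidentification_rate(keyed, keyed_hash))
```

The rate is 1.0 for bare SHA-256 on the receiving side, 0.0 for keyed hashes without the key, and 1.0 again for the key holder. A per-record salt that travels with the hash would not change the first result, since the receiver can include it in the same enumeration; only a secret the receiver does not have makes the hash unlinkable for them.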
Is that a question for you or will you pass? Well, I'll just consider how I will do this, how I would get the reply, because with FragDenStaat that might be a nice idea. If I could still then as an applicant be identifiable, I would just guess, and I think that it's a good question because the legal system in Germany does always feature an applicant. I'll just pass the question on. Ah, he passes it on, who wants to answer it? 50-50 chance. Olli, do you say something? Oh, 23. Okay, I'll take it, and what's your answer? I'll answer that the question is no, the application cannot be processed further if the applicant is anonymous. I don't know, do I need to give a reason? No. No, you don't have to, because it's actually wrong, so 23 points deducted, negative. You can submit freedom of information requests anonymously, many authorities do not know this. Many authorities will then ask back, who are you, and you can respond, no, you cannot ask that, anonymous applications work. But the state laws are "improved", in quotes, because anonymous applications are being forbidden in certain German federal states, that is quite mean, but that's the exception to the rule. The rule is that applications can be handed in, and honestly, if you use FragDenStaat, the website, they are offering that service of handing in your request anonymously. Stefan, you can now choose. Okay, I'll choose the 128. Hmm, yeah. Common data leaks. We often hear about data leaks, and we often, very often, hear about disks which were lost or CC/BCC errors in emails or hacker attacks, but the most common thing is missing here, what's the most common thing?
This is clear CCBCC is clear because the the recipients see all the other recipients and hacker attacks are hard to explain but these are the most common except for the really most common one that's still missing so everyone thinks about where is the most common data leak I guess the first thing would be not encrypted emails I shouldn't ask questions how they're reported or how they actually happen so by the GDPR data leaks have to be registered reported and also the things that the company did so that it won't happen in the future and a couple of other things for example if we say that doesn't suffice so which is the most common way for data leaks to happen I would guess loss of personal data but that's a data leak how did this happen? what activity led to this? I guess hacker attack is also undefined I don't know the right solution isn't on the board I guess it's companies that accidentally leak email or password data to github account or networks I still have a question you say data leaks but could it also happen in other medium well then I guess it's just exchanging a business card it's just business cards that are exchanged and it happens there so the real answer is it doesn't work but I'm looking for it but everyone knows it right it's the wrong the sending of personal data to the wrong recipients might be wrongly addressed mail or email or fax all of these happen very often hundreds of thousands of times we wanted to send the prescription to the pharmacy but we sent it to the wrong person it wasn't in there so I guess we won't deduct points from anyone so maybe as background that's just the most simple thing that can happen for example doctors that send the reports to the wrong recipient it doesn't really matter I mean how many possible recipients are there that doesn't really happen they say it isn't really high risk so you still have to inform the actual victims of the data leak but most people don't do that can I tell you an anecdote I have contacts with 
some of the people who are involved with this and then I talked about exactly this example and then what happens if the doctor what happens if you send the wrong report and two of the people who were there just happened to them so when in conclusion this really happens way too often Andreas asked what happens with these data leaks so people have to report the data leaks to us so that's article 34 or 35 of the GDPR if it happens to bigger groups it depends on how the report is delivered to the affected people sometimes you have to think about if the data leak was really severe that reminds me it's 34 and 33 and not 35 in the GDPR but email encryption that's something I really like because that's a data leak that probably happens a lot but it's never reported ok 1024 I actually wanted the data face but we never had the question mark so what's behind that ah right risk so I'll just fix this do I have to look at this whole stuff now no that won't help you at all sorry I don't know the question myself I hadn't memorized it what about this template I have to expand it what is it again ok now I can reload I thought that was the question oh dear right can you just tell a story or something so we had question mark 1024 oh yeah that's a little movie that you are about that you should show now show us a movie by Mr. K. 
from B risk instructions in which areas can the federal data protection commissioner instruct the federal states data protection commissioners in the German federal states in which areas ok a question maybe one or other will recognize this guy no not bad I'll just have to search that video that wasn't the plan to show it now and what is risk yeah what does it mean risk means that you have to choose how many points of your 1024 you want to gamble all of them you could gamble 1024 points if you had do negative points exist will ask Müsli still 23 do you want to gamble all of them so negative he'll end at zero and that will be it so for 23 points we'll just listen closely that's the German data protection commissioner I am the German data protection commissioner I turn it down to much let's restart right I cover I'm the German data protection commissioner for data protection and freedom of information now my question about GDPR and the data protection act in which areas can the German data protection commissioner instruct the federal states data protection commissioners not that I heard this but it was in the slide earlier maybe we should add that these 1024 point questions were all rather difficult now the question of course is you have 10 seconds okay I can't blow that long the question from Mr. 
Kelber was: in which areas can the federal data protection commissioner instruct the German federal state data protection commissioners? What areas actually exist, in which legal areas, legal issues you could say, in which issues can the instruction be made? Maybe we can, maybe we can give a hint about the number of areas, of the binary numbers, there are many options there. So no, no, forget that hint. No, now you should reach your answer. Audience joker, great. Do you still have this? How should we do it? Does anyone know? Let's look through the audience. The angel with the microphone will now look for someone who knows, and otherwise we'll just vote. Who wants to step into the breach for Müsli? He will have to, of course, decide whether he will accept the answer. Someone is showing up in the very back. Okay, where was that raised hand? Let's hope that we found someone who knows. It's a clearly answerable question. Well, since I haven't got so many points to lose, I'll say zero. Yes, correct answer. So 1024 points for Müsli. No, no, no, 23, 23, he only had 23 points to gamble. It was the risk question, you had to gamble with a certain number of points, because that question was far too simple for 1024. It was, because someone knew the answer. So now let's explain. The Federal Data Protection Commissioner has no relation to the Federal State Data Protection Commissioners, there are different areas. The Federal Data Protection Commissioner has many tasks with federal authorities and the data protection there, and the Federal State Data Protection Commissioners are involved with data protection at the federal state organizations, authorities, and also have supervision over private enterprises, so they deal with everything that takes place in terms of private data processing. The Federal Data Protection Commissioner has a small area where he will deal with telecommunication law, but mainly the areas of supervision are completely separate, so he has nothing to tell us and we have nothing to tell him. So the answer is
completely right, and there is no area in which instructions can be made. Ok, great, you can now choose the next question, we will have to speed things up a bit. Ok, hacker, which number? How much? Ok, I will choose 1024. You are really on a roll here. Ok, risk again, how much do you want to bet? All 64 points? I really, I didn't come up with a hacker question that I was sure I didn't know, what could answer. Ok, I'm gonna bet all of them. Ok, I have to tell you something, this is a risk question, how many points do you want to bet? 64. Ok, I first have to tell the story. An HR member of the company has a suitcase in a car, it was a locked case in a locked car, the suitcase was lost or rather stolen, including the laptop. 10 days later the company receives blackmail: please send us X number of bitcoins, in the hundreds of thousands, at the address below, and the blackmail was sending personal data that was on that laptop, so HR payroll information, and 24 hours later the company reports a data breach or a data leak. Can the government organization, the supervising authority, impose a penalty? So the question is, what's the reasoning, who do they have to inform? Do you want to solve it? Can the supervising body impose a penalty? Do I have to solve all of them?
Okay, I'm passing. I'll take it, but then you only get 64 points because he bet 64. Why am I getting his points? I want to go back to 0. Okay, 64. Okay, I only got some 50 something. So can the supervisory authority impose a penalty? Yes, because usually after 24 hours the breach has to be reported, and either there was bad cryptography on it, even if they got the laptop, obviously they could read it. The company has to at a minimum inform the body, because there is HR or rather personally identifiable information on it, for example health related information. So I would assume that the relevant people had the data on their laptop, so all of them have to be informed. Yeah, I'm glad I didn't take that question. Yeah, I really think we can award all 64 points to her. Okay, next question, next round. What did we learn from this? Yes, encrypt your notebooks, otherwise this could be very expensive. It happens all the time, it's not just laptops, also stationary desktop computers. It's really not that hard anymore to encrypt it. Yeah, please also encrypt all of the USB sticks, and if you find a USB stick in the parking lot, please don't just put it into the slot. You can choose. Informationsfreiheit, freedom of information, 64. Infofreiheit Länder, freedom of information on a state level. So I have to improvise a little bit to find the right video here. Hello, my name is Isabel Gruß, I'm a reference in the data protection agency in Hessen. Data protection is important but not a given. How many states have not passed a law regarding data and data security? How many states in Germany do not have a freedom of information act yet? I want to pass. Okay, so there are 16 states, which one of those doesn't have a freedom of information act yet, for 64 points? Yes, 64 points. What about my points now? So you passed, nothing happens for you. Who wants to solve it? Okay, special offer: who can at least name one state that doesn't have a freedom of information act yet? Come on, someone, who is the first one to name one? Bavaria is right. Bavaria is right. Okay,
What else is there? Bavaria, Lower Saxony working on a draft, Saxonia, and obviously Saxony doesn't have one either. That sounds fair, that's 64 points for Katrin. Next round. Let's take fake news 42. Fake news 42, the kindergarten. The kindergarten, we are looking for the kindergarten. This looks good. Hello, my name is Wolfram Baller, I'm mayor and I get the following question very often: my child was photographed in the kindergarten and now it's on the internet. So Katrin, do you want to solve? No, they're not allowed to do that. It's ok if you do photograph in the kindergarten, it's fine, but if you upload it somewhere on the internet, on social media somewhere... I've totally lost. So that's not allowed. That's 42 points for you. So still your turn. Can you still keep count? Let's take question mark 42, that looks interesting. 42 points. Oh, you just get 64 points. 42, 42 points, Katrin, go on. I pressed it somewhere, somewhere. That's so nice. Information freedom 1024. Now you want to, now you want to. That's a really difficult question. Which country, which country has passed the first law for freedom of information in the world? Audience joker. And in which year was it passed? So audience joker, who knows it, who can tell Katrin? All the way back there. Now I'm very interested how this will work. So the first freedom of information act worldwide, worldwide. Correct, 1766, 1766. I probably know who that was. 1024 points for Katrin. What was the country? Sweden. Germany. Many thanks, whoever it was, I didn't see, thank you, I'll donate some money. Now let's take something I surely don't know, a hacker 42. Changing passwords. After, after which period of time should admins make users change their passwords? How often should passwords be changed? I'll solve. Actually, until the standard term was three months, it's just regarding any issues, any incidents, so maybe there is no time period at all, because short time periods will lead to people writing passwords down and putting them on the screen. Correct. And if your admin in
your company somewhere tells you to change your passwords every 30 or 90 days or something, then point them to our password guidelines, which you can get from our website, where it says: no, you shouldn't enforce password changes, only if there is a reason, an occasion. So that was as many as... how many was that? 42 points, right? Yes, 42 points. You'll keep the tally, you can do sums above a thousand, surely. Just continue. Maybe someone else, you can pass on the question. OK, information 128, in freedom of information and human rights, or basic rights. Is there a basic right to freedom of information in Germany? We've all learned that the right to informational self-determination is a basic right, as determined by the German constitutional court, but the right to get information from authorities, Katrin, it's good that you are a legal expert, is that a basic right? I pass. That's a clever decision. Andreas? Question, and I'll say no, because it's not in the basic law, in the constitution, but it's in the freedom of information law, which is a federal law but not a basic law. Nice try, but sadly wrong. Freedom of information is a basic right, it's in article 5 of the constitution, where it says that people can inform themselves from public sources. What you said about the interplay between state laws, which are the FOI laws, and German basic rights: at the time a state passes a freedom of information law, the data becomes a public source and you then have a constitutional right to access that source. So sadly we'll have to deduct points from you, 128. Does it still have any? No, none. So zero points. We have two people at zero. You are out. And Olli, how is he doing? 92. So everything is still open, in the running there. Because you gave such a nice answer you can choose the next question. What do you want to have? What do you choose?
Then I'll take hacker 64. So hacker 64, and you have a hacker attack: an attacker took the email address of a customer of an online shop and copied it. Tell us three important measures that the shop owner has to take now. You want to solve, Andreas? So the first two I would probably come up with, but the third... I'll just pass. So who wants to solve now? OK, I'll take it. They have to inform the customers, they have to inform the authorities, and they have to invalidate the login credentials. Well, I was actually waiting for a different one, but yeah, that's OK, that's alright, give them the points. The first one would have been, yeah, well, obviously mitigate the problem, i.e. solve the leak or the breach vector. So how many points was that? It was 64, right? Yeah, 64. So you can also choose the next category now. Well, we still have to do fake news, can we look at... I'll take the 128. OK, it's a joker, nice. Did you leave Olli behind? Next round. OK, I'll try, where could he be? A joker. Data leaks 23, the first boost, so the first fine imposed on a company in Germany. So since the latest change in the law the fines were raised massively, so there was a first fine imposed by the state commissioner for data protection in Baden-Württemberg. So what was that about, what was the first fine done for? It was on Heise, obviously. No one wants to have it. It was the platform called Knuddels. What they did was they had unencrypted passwords on a database, and it was 80,000 euros. 20. It was 20,000 euros as a fine for having clear text passwords saved in their database that were copied. Is it possible for me to know that website with my age? Well, it depends, it could be difficult, it depends. Can we ask you for your age? Of course Seehofer knows about it. 23 points for Katrin. OK, you're calculating, right?
Datenpannen 42, data fails 42. The class book, the class book. Translator doesn't know the translation; it's a book where the behavior of pupils is registered by the teacher at school. At the data protection agency: the class book, the class book has been lost, do I have to report that fail? It's a very good question, and the colleague questions... I have to ask the colleagues, can somebody help me? Katrin, do you want to solve? The basic... in the elementary school, the class book registers who is there and who was missing. I'd say it's very difficult. Normally I'd say OK, there's no automated data processing, it's just in a book, but it's systematic, it's ordered. Class books are the epitome of systematic order. That's right, and that's full marks for Katrin. GDPR does not just protect automatically registered data, but all kinds of data that are systematically collected, and completely rightly you said that the systematic order of information in a class register is something you can imagine. So that is a breach that has to be reported, and if that would be a repeated problem at the primary and secondary school of Hintertupfingen, we would have to look into that and see if maybe we need to do something more. Let's take the question marks again, 128. Now that is: an urn has been washed ashore. Do you like to tell the story? At a beach an urn washes ashore, and the number of the cremation can be found, read on the urn. Is that personal data? The cremation number may be registered in some kind of list somewhere, and that might lead to the name of the deceased. Now Katrin, would you like to solve this?
You're conferring. I just wanted to see if I should pass on the question to someone who wants to earn a few points with it. But in some cemetery register... that is not very unique, but the person in this urn is dead. Mostly that is the case. We protect living people. Full marks, 128 points to Katrin. That is the fact: the GDPR does not apply to deceased people, that is the lesson to learn from this question. Next question. Let's finish off freedom of information, freedom of information 42. It's a guesstimation question for everybody, so everybody has to do a guesstimate, and the question is: how many countries in the world have a freedom of information act? There is free information: I'm going to give you 193 countries in the world. So the question is how many of those have passed a freedom of information act. The one who is closest gets the full marks. I'm going to choose 58. I'm going to say 3. OK, 42. What happens if I also say 42? What happens if I also say 42? Well, then we do a tie breaker, so for tactical reasons maybe choose 41 or 43. So you choose this, 43. Clear victory for Andreas, 130. It is 130, roundabout. So with your 58 you were actually pretty bad, but you're still closest, so 4 points for Andreas, and you may choose the next category. I'm pokering and using data fails 1024, maximum fine. The question is: how high exactly is the maximum fine for a non-reported data fail? Do you want to solve?
I have an idea, but I'm still going to use my audience joker. I'm pretty sure that some people, that several people know the exact number. So who can help Andreas? Someone is piping up to Andreas. You choose: 4% of revenue, yearly revenue, or 20 million, whatever. Sorry, I didn't get the number. It's both wrong. It's both wrong, it's 2% of yearly revenue. He's laughing. Andreas, the rules are as they are, you just lost 1024 points, your own fault. The maximum fine is the so-called small fine: real bad errors cost 4%, formal errors cost 2% of revenue, yearly revenue. 10 million is the 2% of global revenue lower limit. Very good, but lost all points. You may choose. OK, I'll go high and take 1024 again, GDPR. So that is my favorite question. I'm not going to spoil it, just ask the question: when did the GDPR come into force? We would like the exact date, please. 23rd of May 2018. That's... it's quite a good answer. I would have said 25th of May, May 2018, sounds very good, but unfortunately it's wrong. 24th of May 2016. Is May correct? Well, decide anyway. It's about 2016. We are not happy with just a year, we want the exact date. One will give us the month, the date, and the person the year. 21st of May. Would anyone else like to lose all their points? Katrin, would you like to solve this? Chat. It will be in force as it is published in the European register, and that was in 2016. That was when the GDPR was finalized, the negotiations, and it was then published in the register of laws, and that's when it came into force. It wasn't 25th of May 2018, that was the moment when it became effective. It was in force, it was out there, but it became effective on the 25th of May 2018. And that in fact was the... yes. Now, wasn't it something strange like the 45th day after publication? So that's article 99. Now you only need to know what the 45th day after publication was. The 1024 questions are extremely hard, so I would suggest that you would not want to answer questions about which day in May it was. It was the 24th, on the 20th day after publication
in the register. It was published on the 4th of May. 16th or 17th of May it was passed. Didn't I say 24th of May 2016? Yes, you did, but you then decided not to answer the question. Oh, you are evil. We are the supervisor of your authority. But at least you'll get to choose the next question. OK, I'm gonna choose hacker 128. Hacker 128 is not a joker. Oh wow. OK, are you still keeping track? OK, this is getting close. OK, let's choose question marks 64. So this is about scoring and your residential address: is it allowed to use the information that the person lives in a high-rise building when calculating the score value, and if it's detrimental to the score that the person gets? So these kinds of scoring systems, they try to determine if you're solvent, if you can pay for your bills. So there are companies like Schufa, that's the most important one, that create a score, and the question now is, if they calculate the score, are they allowed to take into account the fact that they're living in a high-rise building? So for example, if someone lives in a detached house or in a semi-detached house, that's probably a better value. So Kasschen, do you want to answer? I'm passing, so please choose someone who actually has a score already. I probably already have a pretty bad score, but I'd say in principle yes. It's probably disallowed to choose the residential address, but in this particular case it's not about the address itself but rather about some property of that, so in this case I'd say yes. And yeah, this is something we can count. It is allowed to count that information. There is another problem, to calculate the score with just this information. If someone thinks this is unfair, please write to the Schufa. So I just want to say that I've asked the Schufa before how they calculate the score, and I'm still waiting for the answer. There is actually a very interesting, very interesting ruling by the constitutional court, and they say this is a great secret of the Schufa and they don't have to tell you. We actually
have the OpenSchufa project, and they should actually have to, they could force them to come up with this secret. And yeah, this is another one of those things where we use FragDenStaat, and we want to encourage you to participate in this, to give them some more questions that I can ask to the state: a method for creating the score by the Schufa. So Andreas, your turn. Well, there is not much left. I'm choosing fake news 64. True or false, and why. Here comes the question: since the date of the constitution, do landlords have to screw off the doorbell signs? Since the GDPR has gone into effect, do landlords have to remove doorbell signs? There are companies, for example house and property companies in Baden-Württemberg... The question is, is this correct or not, or does the date of the constitution not... Andreas. Andreas says no, they don't have to be removed. 64 points for Andreas, correct, very nice. His doorbell sign is still there. If it sounds silly, it's not data protection. It's your turn. OK, I'll just take the three question marks 23. Actually there's an exclamation mark in there: two question marks, one exclamation mark. 23, photos. OK, we're dealing with photos again. Is the audience allowed to take photos from us, of us, on the stage here? Well, according to camp regulations... Come on, come on, Andreas, would you like to answer the question? I would answer yes, because we are part of a public event, with respective consent. Is that your final answer? Well, it's only 23 points, yes, I'll stick with it. I will accept that. Yeah, I just wanted to raise the tension a bit. Yes would have been enough, even if the introduction meeting said that you'd have to ask before taking photos. Yes, but that is house law or house rules: the organizers can say that you can only take a photo after you've called out the German interior minister. They are allowed to do that, but what is legally permissible is another question, and legally, yes, of course it is allowed to take photos of anyone you want. The problem only arises when you want to
distribute those photos, and that's where data protection comes in, but beforehand, taking photos is fully allowed. Difficult question, because anyone, out of fear or ignorance, starts to prohibit taking photos, in schools for example. So school directors say you are not allowed to take photos anymore. Completely superfluous, that's nothing to do with data protection at all. You can take photos of your own children and other people's children as long as you don't publish them online. What is prohibited is publishing those photos without consent by the parents, for example. If you take photos, it's always allowed, very little restriction. If you somewhere photograph your neighbor in secret through their bedroom window, that is probably a breach of personality rights, but in terms of data protection you can take photos as much as you want, keep them to yourselves, you can look at them as often as you want, but as soon as you want to publish them online you have to obtain consent, or have to have a contractual basis or something like that. So we have a public event here. So public, for an entrance fee of 295 euros? I think that is a rumor. Well, public doesn't mean it has to be free of charge, it just has to be that people can participate on a general basis. Even in a public bath where there's an entrance fee, this is a public place. We're talking about the data protection law, though; we're talking about an image or something, because I'm just gaining here on credulous. That is the difference between data protection law and personality law. Yes, we'll get to almost the end, we have two questions left. Andreas, your turn to choose. OK, no matter how much I get right now you're still ahead of me, so I'll choose hacker 23. Hacker 23. Oh, we already had that, we already had that one. We obviously already had that one. OK, how is that possible? A bug, there must be a bug. So I guess I'll choose fake news 23. Fake news 23. We already saved some time. OK, so we save time now, to still get the point. OK, true or false, and why: processing
of data is only valid with the consent of the person affected. So is this statement correct? If I am using the data from some third party, do I need the consent? Do you want to solve, Andreas? So I wish it was, but obviously it's not right, because Schufa wouldn't exist otherwise. So yes, answer correct, 23 points. What is the score? OK, so consent is an important basis but not the only one. There's always a legitimate reason, for example if you waive your rights in a contractual form. So consent is one, but it's not the central or even the most important one. So that was the second round, and this is the moment where we have to say goodbye to two people. So let's look at the scoreboard. So Andreas has how many points now? 164. Please applaud. 74. So how many does Müsli have? 110. 110, that's less, but still worthy of an applause. So how many does Katrin have? Over 9000. 1632. It looks like you can stay here. And how many does Olli have? 92. I'm sorry, that's not enough, so that's why we have to say goodbye to Olli, with a warm applause. You're getting a consolation prize. Stay there, and you're going to come back on stage later. Now to the final of the two first contestants, top contestants of the first, of the second row, of the second round. The points that you're going to get in the last round are going to be multiplicators. You have no points, and he has won, he gets his result. So the first points, to win the first points isn't very interesting, and then it's going to be interesting. External turn of both. Too complicated, much too complicated. You're both going to be asked about what kind of video surveillance there are most complaints about, which of these draws the most complaints: of a pool, of employees, in private houses, on cemeteries. Andreas, what's your choice? You choose b, employees. Katrin chooses c, in private houses. C is correct, Katrin has one point. It's really like that: most complaints about video surveillance that we get is that I survey my neighbor and either they survey back or they go to the police, complain. Very
difficult for us as well. Second question, that again is a video question. Mr. Meyer, when I was in a patrol car... I can only tell you, the bends, great. And now, do you know what I do now? Now I'll ask, I'm now going to ask about number plates, and this, this woman, I'm not going to let this great woman pass me by. One or two time only chance, so I'm now going to query that number plate in my database. OK, now this fake police person here, this fake policeman. What is the exact question? We are dealing with a policeman who has seen a fantastic woman on his patrol, and she was in a car with a number plate, and he memorized the number plate, and now he has access to the police database, and he goes ahead and looks up the number plate to find out the name of that lady, residence, maybe contact details such as mobile phone number, and goes ahead. And the question in that context is: is that police person, policeman, allowed? What happens to him if he goes ahead and does it? Now it's Katrin's turn to start first. Is he allowed? No, no, no. Well, he's a policeman, police databases are made for policemen. Yes, they're made for police people if they have a case to process and if they are authorized to look at that data. I'm sure that he's not investigating this woman, and the interest does not count. Well, maybe she went around the bend in illegal ways, but he didn't say that. True. What would happen to him? Well, trouble with the authorities, protection commissioner and the federal state data protection commissioner, and a fine. Andreas, what do you think, is he allowed and what would happen? Of course not, that was in the press recently, and he will receive a fine. Nice, good, you're both correct, a point to both of you. Applause. By the way, according to the GDPR regulation there was actually a point of contest, that if anyone in public service, for example police people, if it's allowed to give them a fine or not. A lot of people were of the opinion that this is impossible, but some others also said yeah, it is, and in this case the
police person received a fine of 1500 euros, because he had interest in the person that was not within the course of the duty. And as a police person they're always allowed to use their respective databases, but as a private person they're not. So two points, one for each of you. It was a question in the audience: ah yeah, who actually supervises this? So yeah, partly us. The question is how do we get a notice of this, or how would we suspect this. In this particular case, for example, if the woman notices that the police guy is here: how is he able to call me on a private number? They shouldn't be able to know it. And by now we can talk about this quite openly. So by now the police databases are now watched with sort of a honeypot: every access is logged and we do superficial checks. All of the requests that are being done, maybe every 100 requests is looked at. They're supervised by an internal data protection officer at the police, and they try to determine if it was an official case that they were working on or if they had private reasons to do so. And this actually works quite well. In those areas there are no accesses on these databases anymore that are not logged, which is great, because in this particular context this is very important and very sensible to do. So, two to one for Katrin. So this is a bug, we already had that one today. We're already over time anyway, so we're gonna just pass on to the next question. That's the wrong question, we had that. That's the right one. Mr. Kelber, I'm the federal commissioner for data protection and information protection. My question: what is the maximum fine that a federal agency can be fined? Does anyone remember Mr. Sparbia? Mr.
Sparbia was in a previous game show. Again, what's the maximum fine that a federal agency has to pay? Zero. Katrin answers none, Andreas says the same. I have some ideas. It would make more sense to act against the personally responsible person. Two correct answers, three to two for Katrin. Bit of background for the last question: offices, just as agencies, just as corporations, can be fined, but several states have decreed that agencies cannot be fined. In other nations in Europe it's different, agencies can be fined. In Germany, no way to fine a federal agency. OK, and now we're back with our actor. OK, yeah, of course I know I cannot, but the... Mr. Mayor, you have this website, there's a legal problem. Second problem: the Mayor wants to evaluate the website statistics, how many men access our website, how many women, you can do all kinds of analytics, I don't quite know. So can I use an analysis tool on my website, asks the Mayor. I think there's a large search engine there, US based. Do we need consent for this, or can we just run this? Please ask your husband, who knows all the technical details, what is the legal status. I just don't know, maybe your husband knows something. That would be nice if you could ask him right now. You are the husband of the colleague of this guy. Could someone translate? That was Southwest German dialect, and yes, that was hard for the interpreter to understand too. I have it in better audio quality, but I didn't manage to get it worked into the video and edited. It's about whether Google Analytics can be used, and in this case: can Google Analytics be used by an authority, the one that this guy works for? That is the first question. Shall we go through all three? Yes. The second question is: is an enterprise allowed to use Google Analytics? And thirdly, if it is allowed, what would these organizations have to adhere to? So Andreas, you first. First question: is an authority allowed to use Google Analytics? I'll say no. Really? And also to the second question, are enterprises allowed to use
Google Analytics? No again. And third question, what they have to adhere to, what they have to look out for, what they would do to use this: they would have to remove the IP address, the last two bytes of it at least, that's what I know from Piwik, but with Google Analytics it's clear that Google will not do this, that's why I'm saying no. So two no's, and a response from Katrin. Authorities: I completely agree, no, it's just not on. And enterprises: yes, they can use Google Analytics, but they should take care to use this anonymizing variant where the last two bytes are made anonymous or pseudonymous, and of course they have to include this in their privacy statement and they have to state a legal foundation on which they do this. But in my opinion this does not require consent; it will be legitimate interest, that would be enough. Good, Alvar, how would we score this? Zero points, both cases. I'll be quick. So what is correct? Authorities are not allowed. You can explain that better than I can. Authorities would need a legal foundation. What would be possible would be consent by the visitors of an authority website, all those that are affected by the measurement of website reach, but consent is excluded, because according to the legal foundation... and consent will not give me any further legitimate interest. 6111 is not a grounds for processing, so that's the end of that. So that's what you two said, that's correct so far. Are enterprises allowed? Yes. Well, it's always possible to obtain consent, but that would have to be informed consent, would have to be voluntary, that's not often the case. The third question is: not first allowed, yes, and thirdly, what has to be taken care of. And we have a great FAQ on our website regarding this, which you will find if you use this large search engine to look for tracking in websites. Only six items, just a few pages, and that tells you what companies have to take care of if they use Google Analytics. And the simplest answer is just don't bother, use anything where you don't need all this stuff,
such as Matomo. Or Matomo is the successor software of Piwik, right? Yes, exactly. So host the data yourselves, the statistical data you want to collect, and don't pass it on to a third party. If you use Google Analytics in the Google Analytics standard settings, you need informed, voluntary, active, previous and retractable consent by the users. It's not... it will not suffice what you see on many websites: if you continue using this website you will consent to the use of cookies. I have never seen a cookie banner that keeps those five conditions. First, informed: you have to be told, do you agree that everything you do on this website is going to be transferred to Google or whoever operates this service? I've never seen a statement like that. Active: no tracking is allowed before you've said yes. Voluntary: it must be possible to answer yes and no. Retractable: you have to be able to rescind your consent, to take back your consent. Previous, voluntary, active... what did I forget? One thing I forgot. So these are the obstacles. It's all in the FAQ on our website, and that is the position of the supervisory authorities. So none of you answered all three questions correctly. It's still a three to two score, and that gives us a winner for tonight, and that's Katrin. Yes, do stand up. We'll now go to the awarding ceremony. I'd like to ask the two colleagues Müsli and Olli back to the stage, because there'll be, actually there will be prizes. Katrin, first of all there's this fantastic certificate. Number two, you can enter your own names there. Olli, would you pass it on? And number four. And then Katrin, you will win the original south, southwest German, Swabian Maultaschen soup, whatever Maultaschen are. An original ventilator to you, Andreas, and lots of materials from the data protection commissioner, and then that same speciality in chocolate form, and a gift from the Porsche company, which you can exchange. And I would say, yes, thanks a lot to all people that participated. We overran drastically, but now it's over. Short
remark from me I would like to make: we have this wonderful protection principle of transparency in the GDPR, and it will not have escaped you, I know some stuff, much about crypto. I do data protection professionally as a lawyer. Sorry, it's not excluded, but I have tried to be very responsible and pass a few questions on, and I didn't answer everything correctly, so even lawyers can be wrong. So lawyers are always right, or legal people are always right, that wasn't true anyway, it was the wrong answer. But the questions were extremely good, and I would really like to thank you, this was great. Katrin, now you'll have to live with that victory. Thanks to all of you, to all that took part. Alvar and I will thank everyone that you have stayed with us for so long. And have fun in the next few years with all these beautiful failures, GDPR-wise, and we'll keep reporting about them. Have a great time, bye bye.