Sovereignty Needs Calculator

Data volume and usage

Data volume:

a few hundred files, data sets or digital objects
more than 10,000 files, records or digital objects
more than 100,000 files, records or digital objectse

Number of affected natural persons:

Fewer than 100 natural persons are affected
More than 100 natural persons are affected by the data processing.

Do you assume that it is possible to link the processed data with other datasets in order to filter for information?

Is the data end-to-end encrypted before it leaves your device and enters the IT infrastructure?

Personal data & data type

Normal protection requirements

Name
Gender
Address
Profession
Year of birth
Titel
Contact details
Phone directory data
Nationality
Individual’s phone number
Individual’s email address

High protection requirement

Contract partner’s name and address
Date of birth
Marital status
Family relationships and circle of acquaintances
Income
Social benefits
Taxes
Administrative offenses
Data on business and contractual relationships
Context regarding a contracting party (e.g., subject of an agreed service)
Personal data that can serve as a lifelong anchor for profiling

High protection needs (continued)

Data on racial and ethnic origin
Data on political opinions
Religious or philosophical beliefs
Trade union membership
Data on the sexual life or sexual orientation of an individual
Processing of uniquely identifying, highly linkable data
Data that may affect the reputation of the individual concerned
Data concerning the protected private life of the individual (e.g., diaries)
Health data within the meaning of Art. 4(15) GDPR
Degree of disability
Processing of data with inherent lack of transparency for the data subject
Data on rental agreements

Patient administration data (excluding particularly sensitive data)
Working time data
Membership directories
Population register
Certificates and examination results
Insurance data
Assessments and professional career
Traffic violations
Access credentials for a service
Contents of a person’s communications (e.g. emails, letters, phone calls)
Precise location data of a person
Personal financial data (e.g. account balance, credit card number, individual transactions)
Credit reports
Telecommunications traffic data

Access & Confidentiality

Professional confidentiality or very high protection requirements

Data covered by professional, telecommunications, or client confidentiality
Data whose disclosure could cause significant concrete harm to the affected individuals
Debts
Particularly sensitive social data
Personnel management data, e.g. performance evaluations, career history
Data on criminal records and criminal proceedings
Special categories of health data according to Art. 4(15) GDPR
Personality profiles with significant insight into an individual’s personality
Garnishments
Data that could lead to social stigmatization

Confidential business information

Corporate strategy documents
Marketing strategy documents
Quotes, orders, invoices
Product development documents
Patent application documents
Business plan documents
Internal financial analyses
Similar items

Authorization: Has the data subject given voluntary and fully informed consent?

Consent for AUDITOR – Data Protection Class 0
Consent for AUDITOR – Data Protection Class 1
Consent for AUDITOR – Data Protection Class 2
Consent for AUDITOR – Data Protection Class 3
No consent has been given

Significance of the affected processes ...

How does it impact your business?

IT/OT outage or short-term service disruptions (e.g., due to sabotage or political blockade)?

No significant impact
Although it causes financial damage, we can mitigate or avoid it
Causes complete shutdown with significant financial damage
We are critical infrastructure, and a shutdown would affect parts of the population

Change/cancellation of used services (SaaS, PaaS, IaaS), e.g., due to massive price increases?

Then we will look for alternatives
Significant financial damage, urgent search for alternatives
We cannot afford such cuts and will have to pay higher prices
We already have redundant systems and would not be significantly affected

Data leak (exfiltration of your business data or that of your customers) or data manipulation, e.g., by cybercriminals, competitors, or geopolitical adversaries?

Routine for the data protection department. No significant impact on business
Severe reputational damage, resulting in significant financial loss
We are critical infrastructure. Security risk for parts of the population

Loss of data, e.g., data is no longer provided by the service provider, or backup decryption keys are unavailable?

We can do without lost data
We also have hard copies. The event would not have a fatal impact
Our business relies in part on confidential data that cannot be lost

Legal system	Protection class	Description
Non-EU legal system	N/A	Partial data acquisition as part of the provider’s business model / Partial contracts for pseudo-compliance
EU legal system	I	Compliance by fulfilling legal requirements
	II	Control through transparency, audits, certificates, and attestations
	III	Control through in-house technology or remote attestation
	III+S	Sovereignty through portability and sovereignty anchors

Sovereignty Needs Calculator

Ergebnis