On November 10, 2012, the German working group on technical and organizational data protection matters published guidelines (in German) on the technical and organizational separation requirements for automated data processing on shared IT systems (the “Guidelines”). The working group is part of the Conference of the German Data Protection Commissioners, which recently concluded its 84th Conference in Frankfurt (Oder).

German data protection law contains detailed technical and organizational security measures applicable to the processing of personal data. One such measure requires separate processing for personal data collected for different purposes. The Guidelines elaborate on the practical implications of that requirement, including a step-by-step assessment to facilitate compliance, and provide useful information for scenarios involving shared IT infrastructure such as cloud computing solutions and other software as a service (SaaS) products.