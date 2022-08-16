Private company data has been easily accessible on “handelsregister.de” since the beginning of August. The German Association for Data sees an urgent need for action.

The German Association for Data Protection (DVD), which claims to represent the interests of “data” citizens, calls for the intervention of politicians and regulatory and supervisory authorities in the case of the “handelsregister.de” platform. DVD chairman Frank Spaeing demanded on Monday “Until the register information has been implemented in compliance with data protection, the online platform must be switched off or at least access restricted again.”

The stumbling block: Since August 1, 2022, all entries in the , cooperative, partnership and association registers can be accessed free of charge via the without further restrictions. The documents, which have since been easily accessible to the general public, often contain sensitive personal data such as addresses, dates of birth, bank details and even signatures, for example from club directors or company employees, to which c’t recently drew attention.

According to the DVD, this current practice invites data abuse. The civil rights are therefore calling for sensitive data to be deleted from the registers involved or to be blacked out. In addition, the legal basis would have to be corrected.

right of objection required

“Especially with the register of associations, many people are endangered by the online publication,” warns Spaeing. It would be fatal if those affected “were deterred from their special voluntary commitment” by the careless release of data.

DVD board member Thilo Weichert also shares the blame with the old federal government, since it “implemented the General Data Protection Regulation (GDPR) “in many respects in disregard of European legal requirements”. The former Schleswig-Holstein data protection officer emphasizes: In order to prevent the misuse of online data in the short term, those affected should at least be granted the right to object to the publication of particularly sensitive individual information in the register.

Background: With the law to implement the EU digitization directive, which was passed more than a year ago under the black-red coalition, the register information was standardized, the access restrictions were eliminated. With the 2019 rules, the EU wants to simplify the formation of companies and the availability of register information.

Counteracting identity theft prevention

“The online accessibility of registers pursues the welcome goal of more transparency in business life,” explains the DVD. However, Article 161 of the directive makes it unmistakably clear that the GDPR must be observed during implementation. This means that even when realizing public interests, interests worthy of protection and the rights of those affected to information and objection must be observed. However, the legislature explicitly excluded the latter in this country.

Instead of implementing this correctly, the German administration made it easy for itself and put the previously decentralized registers, which were only accessible with effort, one-to-one on the Internet, the association criticizes. This thwarts an explicit goal of the Digitization Directive – the prevention of identity theft: the sometimes sensitive data could be used to identify yourself as another person online and misused for criminal activities.

The IT security expert Lilith Wittmann had previously announced that she would build an open source tool for the platform in order to “free” the commercial register data. That should make it even easier to retrieve content from the portal. But it was “more complicated than expected”, which is why she initially only provided a 100 gigabyte “research data set”.



