
The updated Standard Data Protection Model (SDM) – Version 2.0



In November 2019, the federal and state data protection authorities agreed on a revised version of the Standard Data Protection Model (SDM).

The purpose of the SDM

The 68-page document describes a test method that data protection officers, companies and authorities alike can use to assess whether their applications process personal data in a data protection-compliant manner.

The working group goes on to detail: “The Standard Data Protection Model (SDM) provides a tool to support the selection and evaluation of technical and organizational measures that ensure and provide evidence that personal data is processed in accordance with the requirements of the GDPR.”

To this end, the SDM first captures the legal requirements of the GDPR and then maps them to the assurance objectives of

  • Data minimization
  • Availability
  • Integrity
  • Confidentiality
  • Transparency
  • Non-interconnectivity and
  • Intervenability


What is new in the updated version now?

  • The requirements of the GDPR with regard to the above-mentioned objectives are formulated and described more comprehensively.
  • More attention is paid to the management of consent, as well as to the implementation of supervisory orders.

As before, the establishment of a data protection management system in compliance with a Plan-Do-Check-Act cycle (PDCA) is described and recommended:

Source: Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder (Datenschutzkonferenz)

In activeMind’s view, what is really interesting for data protection practice are “the generic measures for the assurance objectives already laid out in the methodology, which are named in Part D. This is because what is named here is likely to be regarded as standard by the supervisory authorities. A critical examination of the measures listed here is therefore necessary in any case, even if one decides against implementation as a result.”

The more detailed catalogs of generic measures, on the other hand, are not yet available across the states (Länder). Currently, there are only building blocks from individual states for individual objectives (e.g., from Mecklenburg-Vorpommern).

It is not (yet) known when these announced catalogs will appear. What is certain, however, is that these catalogs will be very helpful to companies in complying with the minimum standards.

Image: Conference of the Independent Data Protection Authorities of the Federal Government and the Länder (Data Protection Conference)

Note: This is a machine translation. It is neither 100% complete nor 100% correct. We therefore cannot guarantee the result.


