Elementary Threat · BSI IT-Grundschutz

G 0.38 — Misuse of Personal Data

Reading time: 5 min · Reviewed by: Cenedril Editorial

In the IT department of a company, employee login and logout records are collected exclusively for access control — that’s what the privacy notice states. One day, HR uses precisely these records to check the attendance of an employee who is allegedly arriving late. This secondary use violates data protection law — a textbook case of misuse of personal data.

The misuse of personal data (G 0.38) sits at the intersection of information security and privacy. Personal data belongs to the particularly sensitive categories of information, and its misuse can significantly impair the social standing and economic circumstances of the individuals affected.

What’s behind it?

Personal data — information about the personal or material circumstances of an identified or identifiable natural person — may only be processed for the purpose for which it was collected. Misuse occurs when this purpose limitation principle is violated, when data is processed without a legal basis, or when it is transferred to third parties without authorisation.

Forms of misuse

  • Secondary use — Data collected for a specific purpose (e.g. access control) is used for a different purpose (e.g. performance monitoring).
  • Excessive collection — An organisation gathers more personal data than required for the processing purpose (violation of data minimisation).
  • Unauthorised disclosure — Personal data is passed on without consent or legal basis — internally to unauthorised departments or externally to business partners, advertising firms or authorities.
  • Delayed deletion — Data is stored beyond the statutory or contractually agreed retention periods.
  • Profiling — A comprehensive personal profile is built from diverse data sources, going far beyond the original processing purpose.
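The first three forms above (secondary use, excessive collection, delayed deletion) can be enforced technically rather than only by policy, which is also the mitigation for the retention failure described under "Practical examples". The following is an added, self-contained Python example, not code from the page or from Cenedril: every record carries the purpose declared at collection and its retention period, every read must declare a purpose, reads for an incompatible purpose are refused and audited, a purpose never sees more fields than it needs, and a sweep reports records past their retention period. The purpose-compatibility table, field lists, record contents and dates are constructed for illustration.

```python
"""Purpose-bound access to personal data (constructed example, not a real system)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Purposes compatible with the purpose declared at collection (assumed policy table).
# Anything not listed here is secondary use and is refused.
COMPATIBLE_PURPOSES = {
    "access_control": {"access_control", "it_security_incident"},
    "order_fulfilment": {"order_fulfilment", "tax_retention"},
}

# Fields each purpose may see: data minimisation means a purpose never gets more.
FIELDS_FOR_PURPOSE = {
    "access_control": {"user_id", "badge_id", "timestamp", "door"},
    "it_security_incident": {"user_id", "timestamp", "door"},
    "order_fulfilment": {"customer_id", "address", "order_history"},
    "tax_retention": {"customer_id", "order_history"},
}


@dataclass
class Record:
    data: dict
    purpose: str          # purpose stated in the privacy notice at collection
    collected: date
    retention: timedelta  # statutory or contractually agreed retention period


@dataclass
class PersonalDataStore:
    records: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # every access attempt, allowed or denied

    def add(self, record):
        """Refuse excessive collection: fields the declared purpose does not need."""
        unknown = set(record.data) - FIELDS_FOR_PURPOSE[record.purpose]
        if unknown:
            raise ValueError(f"fields not needed for {record.purpose}: {sorted(unknown)}")
        self.records.append(record)
        return len(self.records) - 1

    def read(self, idx, purpose, requester):
        """Return only the fields the declared purpose may see; refuse secondary use."""
        rec = self.records[idx]
        if purpose not in COMPATIBLE_PURPOSES.get(rec.purpose, set()):
            self.audit.append(("DENY", requester, purpose, rec.purpose))
            raise PermissionError(
                f"'{purpose}' is secondary use of data collected for '{rec.purpose}'")
        view = {k: v for k, v in rec.data.items() if k in FIELDS_FOR_PURPOSE[purpose]}
        self.audit.append(("ALLOW", requester, purpose, sorted(view)))
        return view

    def overdue_for_deletion(self, today_iso):
        """Indices of records held beyond their retention period on the given day."""
        today = date.fromisoformat(today_iso)
        return [i for i, r in enumerate(self.records) if today > r.collected + r.retention]


def build_sample_store():
    """Constructed sample data: one access-control event, one old customer record."""
    store = PersonalDataStore()
    store.add(Record({"user_id": "u1001", "badge_id": "B-77",
                      "timestamp": "2024-03-04T08:12", "door": "main"},
                     "access_control", date(2024, 3, 4), timedelta(days=90)))
    store.add(Record({"customer_id": "c2002", "address": "Example St 1",
                      "order_history": ["o-1"]},
                     "order_fulfilment", date(2013, 1, 15), timedelta(days=365 * 10)))
    return store


def try_read(store, idx, purpose, requester):
    """Read helper: the view on success, None when the purpose check refuses it."""
    try:
        return store.read(idx, purpose, requester)
    except PermissionError:
        return None


def collection_is_refused(store, data, purpose):
    """True if the store rejects the record as excessive collection."""
    try:
        store.add(Record(data, purpose, date.today(), timedelta(days=1)))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    s = build_sample_store()
    print(try_read(s, 0, "performance_monitoring", "hr"))   # None: secondary use
    print(try_read(s, 0, "it_security_incident", "soc"))    # view without badge_id
    print(s.overdue_for_deletion("2024-06-01"))             # [1]: customer data past retention
    print(s.audit)
```

The audit list is what makes the control checkable: a DENY entry for a purpose like performance monitoring against access-control data is exactly the event the works council scenario below would surface, and the retention sweep turns the "not deleted in more than ten years" finding into a routine report instead of a supervisory discovery.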

Impact

The consequences affect both the data subjects and the responsible organisation. Affected individuals can suffer financial damage (identity theft, damaged credit ratings), experience social disadvantages (discrimination, reputational harm) or undergo psychological stress. For the organisation, GDPR fines (up to 20 million euros or 4% of annual turnover), claims for damages, loss of reputation and loss of customer and partner trust are at stake.

Practical examples

Hotel employee sells guest data. A front-desk employee at a hotel has access to the registration data of all guests — name, address, ID details, payment information. He regularly sells records to an advertising firm. In the weeks after their stay, the guests receive targeted advertising from companies with which they never had any contact.

Access logs used for behaviour monitoring. An HR department uses the login and logout records of the time-tracking system to analyse the working behaviour of individual employees — although, under the works agreement, the logs may only be collected for IT security purposes. The works council learns about this and escalates the incident.

Customer data after the end of the contract. An online retailer stores complete customer data (order history, payment information, addresses) beyond the statutory retention periods even after the business relationship has ended. A supervisory inspection finds that data from over 50,000 former customers has not been deleted in more than ten years.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 23 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.38 with the following modules:

  • ORP.2 (Personnel) — requirements for confidentiality commitments and privacy training.
  • ORP.3 (Awareness and training) — awareness training on data protection and purpose limitation.
  • OPS.1.1.5 (Logging) — requirements for privacy-compliant logging.
  • SYS.3.2.3 (iOS/iPadOS) — example of device-specific privacy requirements for mobile endpoints.
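The privacy-compliant logging that OPS.1.1.5 requires, and the access-log scenario under "Practical examples", come down to one design choice: the log IT security works with should not by itself identify people. The following is an added Python example, not code from the page, from BSI or from Cenedril: raw access-log lines (constructed, in a hypothetical format) are rewritten with a keyed HMAC pseudonym in place of the user name, so events can still be correlated per account for security analysis, while re-identification needs the key, which is held by a separate role and used only for a justified purpose. The line format, key and directory are assumptions for the example.

```python
"""Pseudonymised access logging (constructed example; hypothetical log format)."""
import hashlib
import hmac
import re

# Hypothetical raw line format of a time-tracking / door-access system:
# 2024-03-04T08:12:31 LOGIN user=jdoe door=main result=ok
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) (?P<rest>.*)$")

RAW_LINES = [  # constructed sample input
    "2024-03-04T08:12:31 LOGIN user=jdoe door=main result=ok",
    "2024-03-04T08:13:02 LOGIN user=asmith door=main result=ok",
    "2024-03-04T17:45:10 LOGOUT user=jdoe door=main result=ok",
    "2024-03-05T03:10:44 LOGIN user=jdoe door=server_room result=denied",
]

# Demo key only. In practice the key lives with the data protection officer or a
# comparable role, not with the team that reads the logs.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(user, key):
    """Keyed hash: same user gives the same token, but without the key the token
    cannot be reversed by hashing a list of known user names."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(lines, key):
    """Rewrite raw lines so the user name never reaches the security log."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        out.append(f"{m['ts']} {m['event']} subject={pseudonym(m['user'], key)} {m['rest']}")
    return out


def denied_per_subject(pseudo_lines):
    """A security use case that needs no identity: denied events per pseudonym."""
    counts = {}
    for line in pseudo_lines:
        if line.endswith("result=denied"):
            subj = re.search(r"subject=(\S+)", line).group(1)
            counts[subj] = counts.get(subj, 0) + 1
    return counts


def resolve(pseudo, key, directory):
    """Re-identification step, available only to the key holder: recompute the
    pseudonym for each known account and return the matching one, or None."""
    for user in directory:
        if pseudonym(user, key) == pseudo:
            return user
    return None


if __name__ == "__main__":
    log = pseudonymise(RAW_LINES, DEMO_KEY)
    for line in log:
        print(line)
    print(denied_per_subject(log))
```

Attendance checks of the kind HR attempted in the scenario above would require the key holder to resolve pseudonyms, so the re-identification itself becomes a logged, purpose-bound request rather than something anyone with read access to the log can do on their own.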

Sources

ISO 27001 Controls Covering This Threat

  • A.5.15 Access control
  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.34 Privacy and protection of PII
  • A.6.1 Screening
  • A.6.2 Terms and conditions of employment
  • A.6.3 Information security awareness, education and training
  • A.7.14 Secure disposal or re-use of equipment
  • A.8.1 User endpoint devices
  • A.8.3 Information access restriction
  • A.8.5 Secure authentication
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.15 Logging
  • A.8.19 Installation of software on operational systems
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.26 Application security requirements
  • A.8.27 Secure system architecture and engineering principles
  • A.8.28 Secure coding
  • A.8.29 Security testing in development and acceptance
  • A.8.31 Separation of development, test and production environments
  • A.8.33 Test information

Frequently asked questions

What counts as misuse of personal data?

Misuse occurs when personal data is collected without legal basis, processed for a purpose other than the original one, shared without consent, deleted too late or collected in excessive quantity. Using log data for behavioural monitoring of employees, when it was collected only for access control, is also misuse.

Who can misuse personal data?

Anyone with access: employees, administrators, external service providers and attackers who have gained unauthorised access. Insider misuse is particularly insidious because it occurs with legitimate credentials and is technically difficult to distinguish from normal work behaviour.

How do GDPR and ISO 27001 relate to data protection?

The GDPR defines the legal requirements for protecting personal data. ISO 27001 provides the framework for the technical and organisational measures that implement those requirements. Control A.5.34 of ISO 27002 addresses privacy explicitly and requires compliance with applicable data protection laws as part of the ISMS.