Can a DAO be required to implement certain data security measures?

A DAO is required to implement certain data security measures, if it is subject to at least one
relevant obligation. Such an obligation may, on the one hand, arise directly from law, in particular from specific data protection and cybersecurity laws. This depends on the single case, in particular on the activities of the given DAO.

Regarding personal data, currently the GDPR is most likely to be relevant for the German market. e.g. Art. 32 GDPR requires that the controller and the processor implement appropriate technical and organizational measures to ensure a level of security regarding the affected personal data. Even if no personal data is affected, the DAO may be subject to certain data security obligations. Such obligations may arise in particular from the Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik – BSIG). Consequently, the DAO is only obliged to observe these obligations, if it falls within the scope of the regulation, from which the given obligation arises. The applicability of the GDPR requires that the DAO is established in the territory of the EU and processes personal data in a wholly or partly automated manner. The most likely relevant obligations set out in the BSIG (see § 8c) apply if the given DAO offers digital services as defined in § 2 (12).

On the other hand, such obligations may be based on contract, in particular, on explicit
contractual clauses. Relevant obligations may under certain circumstances arise from the
general diligence obligations between the contractual parties.