A guide to data protection in Germany.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.
The main legal source of data protection in Germany is the Federal Data Protection Act (Bundesdatenschutzgesetz) (BDSG), which implements Directive 95/46/EC on data protection. Additionally, each German state has a data protection law of its own.
Examples of sectoral laws include:
Telemedia Act (Telemediengesetz), which applies to providers of telemedia services (such as websites).
Telecommunication Act (Telekommunikationsgesetz), which applies to providers of telecommunication services.
Criminal Code (Strafgesetzbuch).
Social Security Code I, II, IV, V and X, which regulate the processing of health and other personal data in connection with the provision of medical and social security services.
In principle, the states' data protection acts aim to protect personal data from processing and use by public authorities of the states. The BDSG aims to protect personal data from processing and use by federal public authorities and private bodies.
Personal data is regulated and includes any information concerning the personal circumstances of an identified or identifiable individual.
The collection, processing and use of personal data are regulated. Processing means the storage, modification, transfer, blocking and deletion of personal data.
German data protection law applies to:
German data controllers and processors (private and public bodies).
Data controllers not located in the European Economic Area (EEA), which collect, process and use personal data in Germany.
A German branch of a data controller located within the EEA, which collects, processes or uses personal data in Germany.
German data protection law does not apply if a controller located in another country of the EEA collects, processes or uses personal data within Germany.
In theory, the BDSG requires notification. However, in practice, this requirement is waived if the data controller has appointed a data protection officer because these appointments are mandatory for all companies of a certain size.
The obligation to appoint a data protection officer applies if either:
More than nine persons are regularly involved in the automated data processing.
Sensitive personal data is processed.
When notification is made, the following information must be provided:
Name and company of the controller.
Owners, management boards, managing directors or other managers appointed in accordance with the law or company regulations, and the persons in charge of data processing.
The controller's address.
The purposes of the data collection, processing or use.
A description of the category or categories of data subject and of the data or categories of data relating to them.
The recipients or categories of recipient to whom the data might be disclosed.
Standard data retention periods.
Plans to transfer data to third countries.
A general description allowing a preliminary assessment to be made of the appropriateness of the measures taken pursuant to section 9 of the BDSG, to ensure security of processing.
Notification is an informal process in Germany.
Data controllers must safeguard the main data protection principles, which include:
The principle of data reduction and data economy. Data processing systems must be designed and selected to collect, process and use as little personal data as possible. In particular, any possibility for aliasing and rendering personal data anonymous must be used if the effort involved is reasonable in relation to the level of data protection provided.
The principle of explicit permission. The collection, processing and use of personal data is only admissible if either:
it is expressly permitted by the BDSG or any other legal provision;
the data subject has expressly consented in advance.
The principle of purpose. The purposes for which data will be processed or used must be defined at the point of collection. Personal data can only be processed and used in accordance with this purpose.
The principle of direct collection. Personal data must be collected from the data subject, unless:
an exemption applies by law; or
the collection from the data subject would require disproportionate effort and the justified interests of the data subject are not affected.
The principle of access. The data subject is entitled to access information that is stored concerning him (including the source of data, recipients, categories of recipients to whom data is transferred and the purpose of storage). When requested, the data controller must provide this information free of charge.
The principle of accuracy. Incorrect personal data must be corrected.
The principle of limitation. Personal data must be erased if it is no longer necessary for the purpose for which it has been collected.
The collection, processing and use of personal data is only admissible if expressly permitted by the BDSG or any other legal provision, or if the data subject has expressly consented in advance.
To be valid under German data protection law, consent declarations must comply with the following (section 4(a), BDSG):
Consent must be declared in writing, which means the data subject must sign the declaration. If consent is given together with other declarations or in general terms and conditions, it must be distinguishable in its appearance (for example, through the use of bold, framed or highlighted letters).
Consent must be obtained in advance (that is, before personal data is processed).
The data subject must be informed of:
the purpose of processing; and
the identity of all data recipients if personal data is subsequently transferred.
The data subject must be expressly informed if sensitive personal data is processed.
In principle, consent can also be obtained electronically (for example, by means of an opt-in option). However:
the consent declaration must be recorded;
the data subject must be able to access his consent declaration any time; and
the data subject must be informed of his right to revoke consent at his own discretion at any time with future effect (an opt-out).
Consent must be declared voluntarily and expressly.
There are no particular rules regarding the consent of minors. In general, the consent of a minor is valid if he was capable of understanding the extent and meaning of the declaration. While capability depends on the individual, an age of 12 to 14 years is regarded as the general threshold.
In the absence of consent, the data controller must rely on a statutory provision allowing the data processing.
For example, the collection, processing or use of personal data as a means of fulfilling one's own business purposes is allowed if one of the following applies (section 28, paragraph 1, no. 1 to 3, BDSG):
It is necessary to create, perform or terminate a legal obligation or quasi-legal obligation with the data subject.
It is necessary to safeguard legitimate interests of the controller and there is no reason to assume that the data subject has an overriding legitimate interest in ruling out the possibility of processing or use.
The personal data is generally accessible or the controller would be allowed to publish it, unless the data subject has a clear and overriding interest.
The processing of employee data is subject to a separate provision (contained in section 32 of the BDSG) according to which the collection, processing and use of employee data is only permitted regarding decisions on the establishment, implementation and termination of contracts.
Sensitive personal data can only be processed if either:
It is necessary:
to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent;
to assert, exercise or defend legal claims and there is no reason to assume that the data subject has an overriding legitimate interest in ruling out the possibility of collection, processing or use; or
for the purposes of scientific research, where:
the scientific interest in carrying out the research project significantly outweighs the data subject's interest in ruling out the possibility of collection, processing and use; and
the purpose of the research cannot be achieved any other way or would require a disproportionate effort.
It has already been made public by the data subject.
When personal data is collected from the data subject, he must be informed of:
The identity of the data controller.
The purpose of collection, processing or use.
The categories of potential data recipients, if the data subject could not anticipate that his personal data will be transferred to these recipient(s).
If personal data is stored for the first time without the data subject's knowledge, the data subject must be notified of:
The fact his data is being stored.
The type of data stored.
The purpose of collection, processing or use.
The identity of the data controller.
The categories of potential data recipients if the data subject could not anticipate that his personal data will be transferred to these recipient(s).
Exemptions apply if any of the following apply:
The data subject has been adequately informed by other means.
The storage of personal data is expressly provided for or required by law (for example, due to a document retention obligation).
The personal data:
exclusively serves data security or protection control purposes; and
informing the data subject would require a disproportionate effort by the data controller.
A statutory provision or a legitimate interest of a third party requires secrecy.
Personal data is:
stored for one's own purposes;
taken from public sources; and
informing the data subject would require a disproportionate effort by the data controller.
When requested by the data subject, the controller must provide the following information without undue delay:
The content of recorded data (including information relating to the source of the data).
The recipients or categories of recipients to which the data is transferred.
The purpose of recording the data.
In general, this information must be provided free of charge.
Where personal data is transferred for marketing purposes to third parties (under section 28(3) of the BDSG), the transferring body must:
Record the source of the data and the recipient for two years following the transfer.
Provide the data subject with information about the source of the data and the recipient on request.
The data subject can object to:
The processing of his data (save in certain circumstances).
The use of his data for marketing purposes.
He must be notified of the cessation of the processing and use.
A data subject can ask the data controller to rectify, complete, update, block or delete his personal data if it is sensitive, inaccurate, incomplete, ambiguous or expired, or if its collection, use, disclosure or storage is prohibited.
The data controller must take all useful precautions, having regard to the nature of the data and the risks of the processing, to:
Preserve the security of the data.
Prevent the alteration or damage of data.
Prevent access by non-authorised third parties.
Data security measures must:
Prevent unauthorised persons from gaining access to data processing systems for processing or using personal data (access control).
Prevent data processing systems from being used without authorisation (access control).
Ensure that persons authorised to use a data processing system have access only to the data they are authorised to access, and ensure that personal data cannot be read, copied, altered or removed without authorisation during processing, use and after recording (access control).
Ensure that personal data cannot be read, copied, altered or removed without authorisation during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check to which bodies personal data are to be transferred using data transmission facilities (disclosure control).
Ensure that it is possible to check and ascertain whether personal data have been accessed, altered or removed from data processing systems and if so, by whom (input control).
Ensure that personal data processed on behalf of others are processed strictly in compliance with the controller's instructions (job control).
Ensure that personal data is protected against accidental destruction or loss (availability control).
Ensure that data collected for different purposes can be processed separately.
A breach notification requirement applies if both of the following apply (section 42, BDSG):
Particularly sensitive data (such as bank or credit card data, telecommunications and online collected data, and data related to criminal offences) are abused or lost, and a third party acquires knowledge of the contents.
There is a serious threat of interference with the interests of the relevant data subjects.
Data controllers must inform supervisory authorities and the relevant data subjects.
A processor can only process personal data under the data controller's instructions in compliance with the mandatory provision on commissioned data processing (section 11, BDSG).
The contract between the processor and the data controller must specify the following:
The subject and duration of the work to be carried out.
The extent, type and purpose of the intended collection, processing or use of data, the type of data and category of data subjects.
The technical and organisational measures to be taken under section 9 of the BDSG.
The rectification, deletion and blocking of data.
The processor's obligations under section 11, paragraph 4 of the BDSG, particularly in relation to monitoring.
Any right to issue subcontracts.
The controller's right to monitor the processor and the processor's corresponding obligation to co-operate.
Rules applicable if the processor or its employees violate:
provisions relating to the protection of personal data; or
terms specified by the controller, which are subject to the obligation to notify.
The extent of the controller's authority to issue instructions to the processor.
The return of data storage media and the deletion of data recorded by the processor after the work is completed.
The data controller must inform all subscribers or users of an electronic communication service (such as a website) in a clear and comprehensive manner of:
The purpose of any cookie which will be stored on his terminal equipment.
The means available to object to the implementation of cookies.
The subscriber or user must consent to the implementation of a cookie after receiving this information. (The data controller of a website is usually the website operator, but may be the advertising network or another entity that is responsible for placing cookies on users' equipment.)
Opting out by amended browser settings is sufficient under current data protection laws. However, this is likely to change with the implementation of Directive 2002/58/EC on the protection of privacy in the electronic communications sector (E-Privacy Directive) into German law. Express opt-in consent may be required in the future.
The opt-out requirement does not apply if the cookie is either:
Exclusively intended to enable or facilitate communication by electronic means.
Strictly necessary for the provision of an online communication service at the user's express request (such as a session ID or a cookie saving the user's language).
The term "marketing" is interpreted widely as any measure that is intended to promote services or products in any way. The sending of electronic unsolicited marketing communication (by e-mail and SMS) is illegal, unless the addressee has expressly consented in advance (opt-in) (section 7(2) no. 3, Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb) (UWG)).
An exemption applies if (section 7(3), UWG):
The entrepreneur has obtained the e-mail address in connection with the sale of goods or services from the customer. (The term "customer" includes both consumers and businesses.)
The entrepreneur uses the address for direct advertising of his own similar goods or services.
The customer has not objected to this use (opt-out).
The customer has been clearly and unequivocally advised, when the address was recorded and each time it is used, that he may opt-out from this use at any time.
Under general marketing laws, marketing e-mails must contain unsubscribe mechanisms (opt-out) (section 13, Telemedia Act).
The transfer of personal data within a company group is subject to the same restrictions as the transfer between unrelated third parties. The transfer of personal data within the EEA is not subject to additional requirements (other than the need for a legitimate basis). The transfer of personal data to a country outside the EEA is permissible if the following conditions are fulfilled:
There is a legal basis for the transfer (that is, in the absence of consent, it must be explicitly permitted by the BDSG or any other legal provision).
The data recipient must ensure an adequate level of data protection. The following countries are considered by the European Commission to provide an adequate level of protection:
Andorra;
Argentina;
Australia;
Canada;
Switzerland;
Faroe Islands;
Guernsey;
State of Israel;
Isle of Man;
Jersey;
US (for transfer of air passenger name records);
US (for entities that have adhered to the EU-US Safe Harbour principles).
In addition, adequate safeguards for the protection of personal data can be achieved by entering either:
Binding corporate rules (only applicable if the data recipient is a group company).
A data protection agreement based on the EU model clauses of the European Commission.
Where an adequate level of data protection is not ensured, a transfer can still be made if:
The data subject has given his consent.
The transfer is necessary:
for the performance of a contract between the data subject and the controller;
for the conclusion or performance of a contract which has been or will be concluded in the interest of the data subject between the controller and a third party; or
to protect the vital interests of the data subject.
The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims.
The transfer is made from a register, which is intended to provide information to the public.
National authorities have approved the EU Model Clauses. Where data is transferred from controllers to processors, additional processing requirements under section 11 of the BDSG must be met (see Question 17).
There must be a legal basis for the transfer (that is, in the absence of consent, it must be explicitly permitted by the BDSG or any other legal provision), even if personal data is transferred cross-border (see Question 20).
The national regulator does not need to approve the data transfer agreement.
The supervisory authority can (section 38, BDSG):
Appoint an auditor with the power to:
enter the property and premises of the data controller during business hours;
inspect business documents, databases and the data processing program.
Data controllers must provide requested information to the auditor without undue delay.
Order measures to remedy violations identified in the collection, processing or use of personal data, or technical or organisational problems.
Prohibit the collection, processing or use, or the use of particular procedures if the violations or problems are not remedied within a reasonable time, despite orders and despite the imposition of a fine (in cases involving serious violations or problems, especially those related to a special threat to privacy).
Demand the dismissal of a data protection official if he does not have the necessary specialised knowledge and reliability to perform his duties.
Data protection laws are actively enforced in Germany. Violations are subject to the following:
A maximum EUR 300,000 fine for administrative offences.
A wilful violation of data protection law, or one committed in exchange for a financial benefit, is a criminal offence punishable with imprisonment of up to two years or a fine, depending on how serious the violation is.
Reputation damages, which are not direct financial damages but damages caused, for example, by negative press. (Recent data protection scandals showed that reputation damages are usually quite severe if data protection breaches become public.)
Confiscation of profit and benefit derived from a violation by the authority.
Civil liability and injunctive relief are further potential risks under competition law.
Main areas of responsibility. In addition to the federal regulator, each state has a separate regulator. All private companies are supervised by the data protection regulator of the state of their residence with the exception of telecommunications companies, which are directly supervised by the federal regulator.
T +49 89 23 23 72 110
F +49 89 23 23 72 100
E thomas.jansen@dlapiper.com
W www.dlapiper.com
Qualified. Germany, 1996
Areas of practice. Technology law; data protection.
T +49 89 23 23 72 112
F +49 89 23 23 72 100
E britta.hinzpeter@dlapiper.com
W www.dlapiper.com
Qualified. Germany, 2005
Areas of practice. Technology law; data protection.