Data protection in Germany: overview

A guide to data protection in Germany.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.


This article is part of the multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

Thomas Jansen and Britta Hinzpeter, DLA Piper UK LLP (Germany)

Regulation

Legislation

1. What national laws regulate the collection and use of personal data?

General laws

The main legal source of data protection in Germany is the Federal Data Protection Act (Bundesdatenschutzgesetz) (BDSG), which implements Directive 95/46/EC on data protection. Additionally, each German state has a data protection law of its own.

Sectoral laws

Examples of sectoral laws include:

  • Telemedia Act (Telemediengesetz), which applies to providers of telemedia services (such as websites).

  • Telecommunication Act (Telekommunikationsgesetz), which applies to providers of telecommunication services.

  • Criminal Code (Strafgesetzbuch).

  • Social Security Codes I, II, IV, V and X, which regulate the processing of health and other personal data in connection with the provision of medical and social security services.

Scope of legislation

2. To whom do the laws apply?

In principle, the states' data protection acts aim to protect personal data from processing and use by the public authorities of the states. The BDSG aims to protect personal data from processing and use by federal public authorities and private bodies.

 
3. What data is regulated?

Personal data is regulated and includes any information concerning the personal circumstances of an identified or identifiable individual.

 
4. What acts are regulated?

The collection, processing and use of personal data are regulated. Processing means the storage, modification, transfer, blocking and deletion of personal data.

 
5. What is the jurisdictional scope of the rules?

German data protection law applies to:

  • German data controllers and processors (private and public bodies).

  • Data controllers not located in the European Economic Area (EEA), which collect, process and use personal data in Germany.

  • A German branch of a data controller located within the EEA, which collects, processes or uses personal data in Germany.

 
6. What are the main exemptions (if any)?

German data protection law does not apply if a controller located in another country of the EEA collects, processes or uses personal data within Germany.

Notification

7. Is notification or registration required before processing data?

In principle, the BDSG requires notification. In practice, however, the requirement is waived where the data controller has appointed a data protection officer, and such an appointment is mandatory for all companies above a certain size.

The obligation to appoint a data protection officer applies if either:

  • More than nine persons are regularly involved in the automated data processing.

  • Sensitive personal data is processed.

When notification is made, the following information must be provided:

  • Name and company of the controller.

  • Owners, management boards, managing directors or other managers appointed in accordance with the law or company regulations, and the persons in charge of data processing.

  • The controller's address.

  • The purposes of the data collection, processing or use.

  • A description of the category or categories of data subject and of the data or categories of data relating to them.

  • The recipients or categories of recipient to whom the data might be disclosed.

  • Standard data retention periods.

  • Plans to transfer data to third countries.

  • A general description allowing a preliminary assessment to be made of the appropriateness of the measures taken pursuant to section 9 of the BDSG, to ensure security of processing.

Notification is an informal process in Germany.

 

Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

Data controllers must safeguard the main data protection principles, which include:

  • The principle of data reduction and data economy. Data processing systems must be designed and selected so as to collect, process and use as little personal data as possible. In particular, any possibility of pseudonymising or anonymising personal data must be used if the effort involved is reasonable in relation to the level of data protection provided.

  • The principle of explicit permission. The collection, processing and use of personal data is only admissible if either:

    • it is expressly permitted by the BDSG or any other legal provision; or

    • the data subject has expressly consented in advance.

  • The principle of purpose. The purposes for which data will be processed or used must be defined at the point of collection. Personal data can only be processed and used in accordance with this purpose.

  • The principle of direct collection. Personal data must be collected from the data subject, unless:

    • an exemption applies by law; or

    • the collection from the data subject would require disproportionate effort and the justified interests of the data subject are not affected.

  • The principle of access. The data subject is entitled to access information that is stored concerning him (including the source of data, recipients, categories of recipients to whom data is transferred and the purpose of storage). When requested, the data controller must provide this information free of charge.

  • The principle of accuracy. Incorrect personal data must be corrected.

  • The principle of limitation. Personal data must be erased if it is no longer necessary for the purpose for which it has been collected.

 
9. Is the consent of data subjects required before processing personal data?

The collection, processing and use of personal data is only admissible if expressly permitted by the BDSG or any other legal provision, or if the data subject has expressly consented in advance.

General requirements

To be valid under German data protection law, consent declarations must comply with the following (section 4(a), BDSG):

  • Consent must be declared in writing, which means the data subject must sign the declaration. If consent is given together with other declarations or in general terms and conditions, it must be distinguishable in its appearance (for example, through the use of bold, framed or highlighted letters).

  • Consent must be obtained in advance (that is, before personal data is processed).

  • The data subject must be informed of:

    • the purpose of processing; and

    • the identity of all data recipients if personal data is subsequently transferred.

  • The data subject must be expressly informed if sensitive personal data is processed.

  • In principle, consent can also be obtained electronically (for example, by means of an opt-in option); however:

    • the consent declaration must be recorded;

    • the data subject must be able to access his consent declaration any time; and

    • the data subject must be informed of his right to revoke consent at his own discretion at any time with effect for the future (an opt-out).

  • Consent must be declared voluntarily and expressly.

Minors

There are no particular rules regarding the consent of minors. In general, the consent of a minor is valid if he was capable of understanding the extent and meaning of the declaration. While capability depends on the individual, an age of 12 to 14 years is regarded as the general threshold.

 
10. If consent is not given, on what other grounds (if any) can processing be justified?

In the absence of consent, the data controller must rely on a statutory provision allowing the data processing.

For example, the collection, processing or use of personal data as a means of fulfilling one's own business purposes is allowed if one of the following applies (section 28, paragraph 1, no. 1 to 3, BDSG):

  • It is necessary to create, perform or terminate a legal obligation or quasi-legal obligation with the data subject.

  • It is necessary to safeguard legitimate interests of the controller and there is no reason to assume that the data subject has an overriding legitimate interest in ruling out the possibility of processing or use.

  • The personal data is generally accessible or the controller would be allowed to publish it, unless the data subject has a clear and overriding interest.

The processing of employee data is subject to a separate provision (contained in section 32 of the BDSG) according to which the collection, processing and use of employee data is only permitted regarding decisions on the establishment, implementation and termination of contracts.

Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

Sensitive personal data can only be processed if either:

  • It is necessary:

    • to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent;

    • to assert, exercise or defend legal claims and there is no reason to assume that the data subject has an overriding legitimate interest in ruling out the possibility of collection, processing or use; or

    • for the purposes of scientific research, where:

      • the scientific interest in carrying out the research project significantly outweighs the data subject's interest in ruling out the possibility of collection, processing and use; and

      • the purpose of the research cannot be achieved any other way or would require a disproportionate effort.

  • It has already been made public by the data subject.

 

Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?

When personal data is collected from the data subject, he must be informed of:

  • The identity of the data controller.

  • The purpose of collection, processing or use.

  • The categories of potential data recipients, if the data subject could not anticipate that his personal data will be transferred to these recipient(s).

If personal data is stored for the first time without the data subject's knowledge, the data subject must be notified of:

  • The fact his data is being stored.

  • The type of data stored.

  • The purpose of collection, processing or use.

  • The identity of the data controller.

  • The categories of potential data recipients if the data subject could not anticipate that his personal data will be transferred to these recipient(s).

An exemption applies if any of the following apply:

  • The data subject has been adequately informed by other means.

  • The storage of personal data is expressly provided for or required by law (for example, due to a document retention obligation).

  • The personal data exclusively serves data security or data protection control purposes, and informing the data subject would require a disproportionate effort by the data controller.

  • A statutory provision or a legitimate interest of a third party requires secrecy.

  • The personal data is stored for the controller's own purposes and is taken from public sources, and informing the data subject would require a disproportionate effort by the data controller.

 
13. What other specific rights are granted to data subjects?

Rights of access

When requested by the data subject, the controller must provide the following information without undue delay:

  • The content of recorded data (including information relating to the source of the data).

  • The recipients or categories of recipients to which the data is transferred.

  • The purpose of recording the data.

In general, this information must be provided free of charge.

Where personal data is transferred for marketing purposes to third parties (under section 28(3) of the BDSG), the transferring body must:

  • Record the source of the data and the recipient for two years following the transfer.

  • Provide the data subject with information about the source of the data and the recipient on request.

Rights to object

The data subject can object to:

  • The processing of his data (save in certain circumstances).

  • The use of his data for marketing purposes.

He must be notified of the cessation of the processing and use.

 
14. Do data subjects have a right to request the deletion of their data?

Data subjects can ask the data controller to rectify, complete, update, block or delete their personal data if it is sensitive, inaccurate, incomplete, ambiguous or expired, or if its collection, use, disclosure or storage is prohibited.

 

Security requirements

15. What security requirements are imposed in relation to personal data?

The data controller must take all useful precautions, having regard to the nature of the data and the risks of the processing, to:

  • Preserve the security of the data.

  • Prevent the alteration or damage of data.

  • Prevent access by non-authorised third parties.

Data security measures must:

  • Prevent unauthorised persons from gaining access to data processing systems for processing or using personal data (access control).

  • Prevent data processing systems from being used without authorisation (access control).

  • Ensure that persons authorised to use a data processing system have access only to the data they are authorised to access, and ensure that personal data cannot be read, copied, altered or removed without authorisation during processing, use and after recording (access control).

  • Ensure that personal data cannot be read, copied, altered or removed without authorisation during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check to which bodies personal data is to be transferred using data transmission facilities (disclosure control).

  • Ensure that it is possible to check and ascertain whether personal data has been accessed, altered or removed from data processing systems and, if so, by whom (input control).

  • Ensure that personal data processed on behalf of others are processed strictly in compliance with the controller's instructions (job control).

  • Ensure that personal data is protected against accidental destruction or loss (availability control).

  • Ensure that data collected for different purposes can be processed separately.

 
16. Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

A breach notification requirement applies if both of the following apply (section 42, BDSG):

  • Particularly sensitive data (such as bank or credit card data, telecommunications and online-collected data, and data related to criminal offences) is abused or lost, and a third party acquires knowledge of its contents.

  • There is a serious threat of interference with the interests of the relevant data subjects.

Data controllers must inform supervisory authorities and the relevant data subjects.

 

Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

A processor can only process personal data under the data controller's instructions in compliance with the mandatory provision on commissioned data processing (section 11, BDSG).

The contract between the processor and the data controller must specify the following:

  • The subject and duration of the work to be carried out.

  • The extent, type and purpose of the intended collection, processing or use of data, the type of data and category of data subjects.

  • The technical and organisational measures to be taken under section 9 of the BDSG.

  • The rectification, deletion and blocking of data.

  • The processor's obligations under section 11, paragraph 4 of the BDSG, particularly in relation to monitoring.

  • Any right to issue subcontracts.

  • The controller's right to monitor the processor and the processor's corresponding obligation to co-operate.

  • Rules applicable if the processor or its employees violate:

    • provisions relating to the protection of personal data; or

    • terms specified by the controller, which are subject to the obligation to notify.

  • The extent of the controller's authority to issue instructions to the processor.

  • The return of data storage media and the deletion of data recorded by the processor after the work is completed.

 

Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

The data controller must inform all subscribers or users of an electronic communication service (such as a website) in a clear and comprehensive manner of:

  • The purpose of any cookie which will be stored on his terminal equipment.

  • The means available to object to the implementation of cookies.

The subscriber or user must consent to the implementation of a cookie after receiving this information. (The data controller of a website is usually the website operator, but may be the advertising network or another entity that is responsible for placing cookies on users' equipment.)

Opting out by amended browser settings is sufficient under current data protection laws. However, this is likely to change with the implementation of Directive 2002/58/EC on the protection of privacy in the electronic communications sector (E-Privacy Directive) into German law. Express opt-in consent may be required in the future.

The opt-out requirement does not apply if the cookie is either:

  • Exclusively intended to enable or facilitate communication by electronic means.

  • Strictly necessary for the provision of an online communication service at the user's express request (such as a session ID cookie or a cookie storing the user's language preference).

 
19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

The term "marketing" is interpreted widely as any measure that is intended to promote services or products in any way. The sending of electronic unsolicited marketing communication (by e-mail and SMS) is illegal, unless the addressee has expressly consented in advance (opt-in) (section 7(2) no. 3, Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb) (UWG)).

An exemption applies if (section 7(3), UWG):

  • The entrepreneur has obtained the e-mail address in connection with the sale of goods or services from the customer. (The term "customer" includes both consumers and businesses.)

  • The entrepreneur uses the address for direct advertising of his own similar goods or services.

  • The customer has not objected to this use (opt-out).

  • The customer has been clearly and unequivocally advised, when the address was recorded and each time it is used, that he may opt-out from this use at any time.

Under general marketing laws, marketing e-mails must contain unsubscribe mechanisms (opt-out) (section 13, Telemedia Act).

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

The transfer of personal data within a company group is subject to the same restrictions as the transfer between unrelated third parties. The transfer of personal data within the EEA is not subject to additional requirements (other than the need for a legitimate basis). The transfer of personal data to a country outside the EEA is permissible if the following conditions are fulfilled:

  • There is a legal basis for the transfer (that is, in the absence of consent, it must be explicitly permitted by the BDSG or any other legal provision).

  • The data recipient must ensure an adequate level of data protection. The following countries are considered by the European Commission to provide an adequate level of protection:

    • Andorra;

    • Argentina;

    • Australia;

    • Canada;

    • Switzerland;

    • Faroe Islands;

    • Guernsey;

    • State of Israel;

    • Isle of Man;

    • Jersey;

    • US (for transfer of air passenger name records);

    • US (for entities that have adhered to the EU-US Safe Harbour principles).

In addition, adequate safeguards for the protection of personal data can be achieved by entering either:

  • Binding corporate rules (only applicable if the data recipient is a group company).

  • A data protection agreement based on the EU model clauses of the European Commission.

Where an adequate level of data protection is not ensured, a transfer can still be made if:

  • The data subject has given his consent.

  • The transfer is necessary:

    • for the performance of a contract between the data subject and the controller;

    • for the conclusion or performance of a contract which has been or will be concluded in the interest of the data subject between the controller and a third party; or

    • to protect the vital interests of the data subject.

  • The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims.

  • The transfer is made from a register, which is intended to provide information to the public.

Data transfer agreements

21. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

National authorities have approved the EU Model Clauses. Where data is transferred from controllers to processors, additional processing requirements under section 11 of the BDSG must be met (see Question 17).

 
22. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

There must be a legal basis for the transfer (that is, in the absence of consent, it must be explicitly permitted by the BDSG or any other legal provision), even if personal data is transferred cross-border (see Question 20).

 
23. Does the relevant national regulator need to approve the data transfer agreement?

The national regulator does not need to approve the data transfer agreement.

 

Enforcement and sanctions

24. What are the enforcement powers of the national regulator?

The supervisory authority can (section 38, BDSG):

  • Appoint an auditor with the power to:

    • enter the property and premises of the data controller during business hours;

    • inspect business documents, databases and the data processing programs.

    Data controllers must provide requested information to the auditor without undue delay.

  • Order measures to remedy violations identified in the collection, processing or use of personal data, or technical or organisational problems.

  • Prohibit the collection, processing or use, or the use of particular procedures if the violations or problems are not remedied within a reasonable time, despite orders and despite the imposition of a fine (in cases involving serious violations or problems, especially those related to a special threat to privacy).

  • Demand the dismissal of a data protection official if he does not have the necessary specialised knowledge and reliability to perform his duties.

 
25. What are the sanctions and remedies for non-compliance with data protection laws?

Data protection laws are actively enforced in Germany. Violations are subject to the following:

  • A maximum EUR300,000 fine for administrative offences.

  • In the case of wilful behaviour or if conducted in exchange for a financial benefit (criminal offence), a violation of data protection law may be a criminal offence punishable with imprisonment of up to two years or a fine, which depends on how serious the violation is.

  • Reputation damages, which are not direct financial damages but damages caused, for example, by negative press. (Recent data protection scandals showed that reputation damages are usually quite severe if data protection breaches become public.)

  • Confiscation of profit and benefit derived from a violation by the authority.

  • Civil liability and injunctive relief are further potential risks under competition law.

 

The regulatory authority

Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit)

W www.bfdi.bund.de

Main areas of responsibility. In addition to the federal regulator, each state has a separate regulator. All private companies are supervised by the data protection regulator of the state of their residence with the exception of telecommunications companies, which are directly supervised by the federal regulator.



Contributor details

Thomas Jansen

DLA Piper UK LLP (Germany)

T +49 89 23 23 72 110
F +49 89 23 23 72 100
E thomas.jansen@dlapiper.com
W www.dlapiper.com

Qualified. Germany, 1996

Areas of practice. Technology law; data protection.

Recent transactions

  • Advised a major outsourcing service provider on data protection and outsourcing issues in an agreement with a Swiss insurance group.
  • Advised a leading US pharmaceutical company on data protection issues in relation to a cross-border data transfer from Europe to the US.
  • Advised a major US hotel group in relation to cross-border data transfer from Europe to the US.
  • Advised a leading US travel and leisure group in relation to a cross-border data transfer from Europe to the US.

Britta Hinzpeter

DLA Piper UK LLP (Germany)

T +49 89 23 23 72 112
F +49 89 23 23 72 100
E britta.hinzpeter@dlapiper.com
W www.dlapiper.com

Qualified. Germany, 2005

Areas of practice. Technology law; data protection.

Recent transactions

  • Supervised a data protection audit project in 24 jurisdictions for a leading US reseller of hardware and software.
  • Advising a leading US security software provider in relation to its online-store, cross-border transfer of personal data, the obligations of a DPO, and the processing of personal data for marketing purposes.
  • Advised a US hardware manufacturer on the use of various data bases, and data transfer outside of Europe for various purposes.
  • Advised a major US pharmaceutical group in relation to compliance programmes and a data breach.
