Privacy in Germany: overview

A Q&A guide to privacy in Germany.

The Q&A guide gives a high-level overview of privacy rules and principles, including what national laws regulate the right to respect for private and family life and freedom of expression; to whom the rules apply and what privacy rights are granted and imposed. It also covers the jurisdictional scope of the privacy law rules and the remedies available to redress infringement.

To compare answers across multiple jurisdictions, visit the Privacy Country Q&A tool.

This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.

Contents

Legislation

1. What national laws (if any) regulate the right to respect for private and family life and freedom of expression?

The Constitution (Grundgesetz) (GG) provides for fundamental human rights, including:

  • The right to respect private and family life.

  • Freedom of expression.

  • The "right to informational self-determination".

The ratio of the constitutional rights is embedded in a number of national laws such as the Federal Data Protection Act (Bundesdatenschutzgesetz) (BDSG), which is the primary piece of legislation governing the protection of individual privacy.

Germany is also a signatory to the European Convention on Human Rights (ECHR), which has a similar level of protection as the GG. Therefore, the constitutional rights under the GG are interpreted in light of the ECHR.

 
2. Who can commence proceedings to protect privacy?

Natural persons affected by a violation of data protection regulations can commence proceedings to protect their privacy.

Legal entities are not protected under German data protection laws but they can commence proceedings for violations of trade and business secrets.

Consumer associations can commence proceedings under the Injunctions Act (Unterlassungsklagengesetz) if an undertaking is in breach of data protection regulation affecting consumers or fails to provide a comprehensive privacy statement (for example, on a website) in line with German regulation, governed by the Telemedia Act (Telemediengesetz).

 
3. What privacy rights are granted and imposed?

In principle, data subjects have certain rights under German data protection law.

The data subject must, at his request, be provided with information concerning:

  • The identity of the controller.

  • The purpose of collection, processing or use.

  • The categories of recipients (if there is reason for the data subject to assume that his data will be transferred to them).

The data subject can request the correction, erasure or blocking of personal data and has the right to object to any collection, processing or use of his data.

There are exemptions to these privacy rights, see Data Protection in Germany: overview, Questions 12 ( www.practicallaw.com/3-502-4080) and 13 ( www.practicallaw.com/3-502-4080) .

 
4. What is the jurisdictional scope of the privacy law rules?

German data protection laws apply to cases where:

  • The data controller (that is, the entity or person responsible for the data and its processing) is located in Germany and processing is carried out in Germany or within the EU.

  • The data controller is located in another EU member state but the collection, processing or use is carried out by a branch in Germany.

  • The data controller is not located in an EU member state but collects, processes or uses personal data in Germany.

 
5. What remedies are available to redress the infringement of those privacy rights?

Where there is an infringement of data protection regulation, data subjects can file a complaint with the competent data protection authority, which can start an investigation. In severe cases of criminal liability, a complaint can also be filed with the police or public prosecutors.

If a data controller causes harm to a data subject through the collection, processing or use of personal data in violation of data protection regulations, the data subject can claim damages for the harm caused. There are no punitive damages under German law.

In some instances, infringements of privacy rights can also be enforced through injunctions (see Question 2).

Data subjects can exercise their right to correction/erasure/blocking of data and their rights to object (see Question 3) and enforce these in judicial proceedings.

 
6. Are there any other ways in which privacy rights can be enforced?

In an employment context, the works council (if there is one) can have co-determination rights under the Works Constitution Act (Betriebsverfassungsgesetz) on the introduction and use of technical devices designed to monitor the behaviour or performance of employees. For example , this can be the case if an employer seeks to implement software for e-mail screening. If a co-determination right exists, the proposed measure must be approved by the works council.

 

Contributor profiles

Norbert Nolte, Partner

Freshfields Bruckhaus Deringer LLP

T +49 221 20 50 7 249
F +49 221 20 50 76 51 54
E norbert.nolte@freshfields.com
W www.freshfields.com

Professional qualifications. Qualified in Germany, 1992

Areas of practice. Data protection; compliance; investigations; corporate crime.

Recent transactions

  • Advising a bank on data protection issues regarding the implementation of an internal monitoring system for electronic communications.
  • Advising a credit card company on using transactional data for marketing purposes.
  • Advising a fashion retailer on data protection issues in connection with video surveillance, including negotiations with data protection authorities and employee representatives.
  • Advising a US automotive manufacturer on data protection issues regarding the implementation of a human resources management system with databases in the US and Europe.
  • Advising a sports betting company on loss of customer data, including co-ordination of interaction with supervisory bodies, prosecuting attorney's office and police.

Languages. German and English.

Christoph Werkmeister, Associate

Freshfields Bruckhaus Deringer LLP

T +49 221 20 50 7 249
F +49 221 20 50 76 52 14
E christoph.werkmeister@freshfields.com
W www.freshfields.com

Professional qualifications. Qualified in Germany, 2013

Areas of practice. Data protection; telecoms; media and IT.

Recent transactions

  • Advising a pharmaceutical company on assessing its current IT and data protection compliance and establishing group-wide policies.
  • Advising a consumer healthcare company on implementing EU Model Contracts and respective change processes.
  • Advising a premium automotive company on the implementation of self-driving car technology and compliance with the upcoming EU data protection regulation.
  • Advising an automobile club on data protection aspects regarding the restructuring of its compliance system.
  • Advising a customer loyalty card company on the use of customer data.

Languages. German and English.


{ "siteName" : "PLC", "objType" : "PLC_Doc_C", "objID" : "1248032051915", "objName" : "Privacy in Germany overview", "userID" : "2", "objUrl" : "http://us.practicallaw.com/cs/Satellite/us/resource/4-578-2349?null", "pageType" : "Resource", "academicUserID" : "", "contentAccessed" : "true", "analyticsPermCookie" : "2-605a14e:15b13b9492d:-2be", "analyticsSessionCookie" : "2-605a14e:15b13b9492d:-2bd", "statisticSensorPath" : "http://analytics.practicallaw.com/sensor/statistic" }