Data protection enforcement according to German law

In order to enforce data protection provisions, several laws include sanctions for data protection related offences.

For specific types of data, there is a disclosure obligation towards the data subject in case of unlawful data use (§ 42a BDSG). More can be read under “information requirements”. Violations of an information requirement can additionally lead to sanctions for the actual impermissible data use and to a substantial fine. For telemedia and telecommunication services, information requirements are regulated in the Telemedia Act (TMG) and the Telecommunication Act (TKG). §§ 15a TMG and 93(3), 109a (1) and 2 TKG refer in this respect to the Federal Data Protection Act (BDSG).

With regard to enforcement against data protection offences, § 43 BDSG lists a number of administrative offences, which can be penalized by fines of up to EUR 300,000. Fundamentally, the following applies: if important principles and provisions related to data protection are ignored, these violations are found within the catalogue of fines in § 43 BDSG. The violations may occur intentionally (deliberately) or negligently (unintentionally).

In addition to the failure to appoint a data protection officer, these offences include, for example, incorrect processing according to § 11 (2) BDSG or insufficient disclosure to data subjects in the event of unlawful data use.

In § 43 (1) and (2) BDSG, the law differentiates between two categories of administrative offences with different maximum fines (EUR 50,000 – EUR 300,000). The amount of the fine is also determined by the financial gain obtained from the administrative offence, which the fine is meant to exceed.

Occasionally, qualified administrative offences under § 43 (2) BDSG can also be prosecuted as criminal offences. For an offence to be qualified, and thus prosecuted as a criminal offence, it must have been committed in a severe manner as described in the law, which increases the gravity of the offence (and thus the penalty). A qualified offence as per § 43 BDSG occurs, for example, in the case of § 44 (1) BDSG, when data protection related offences are committed intentionally in return for payment or with the intent of financial gain (etc.).

Even in the criminal code (StGB) itself, there are provisions in §§ 201 – 206 StGB, more precisely in §§ 202a – d StGB, which sanction data protection violations. That includes:

  • Spying out data (§ 202a StGB)
  • Interception of data (§ 202b StGB)
  • Attempted interception or spying out of data (§ 202c StGB)
  • Dealing with stolen data (§ 202d StGB)

Committing the offences listed above as examples leads to an increased fine or imprisonment from one to three years.

Occasionally, data protection related provisions can also fall within the scope of competition law, which, for instance, enables consumer protection associations to file suits as per the Injunctions Act (UklaG). This is the case, for example, when the data protection regulations that are violated constitute market conduct rules according to § 3a UWG (Law Against Unfair Competition). An example of a market conduct rule is the use of user data for promotional purposes permitted under § 15 Para 3 TMG, which must include a reference to the data subject’s right to revoke at any time. If this reference is not included, then the responsible authority can be challenged with an injunction suit. The same claim also applies, for example, to impermissible harassment by advertising according to § 7 UWG.

If damage is caused to the data subject, for example by impermissible or incorrect collection, processing or use of personal data, then the data subject is entitled to bring a civil suit for damages (in addition to any offence-related or criminal prosecutions). This is expressly regulated by § 7 BDSG for the non-public sector. Liability is based on a presumption of fault. This means that it is generally assumed that the responsible authority is accountable for the damage. The responsible authority can, however, be exculpated (=excused) according to § 7 BDSG by having exercised the diligence required in the individual case. The company is then not liable for compensation.

The provision is restricted to the compensation of material damage (economic or financial, such as legal fees incurred as a result of, for example, impermissible data use) and is therefore hardly applied in practice.