Data protection supervision according to German law


a. State supervision

As an external administrative check, the federal government supervises data processing by public as well as non-public bodies.

aa) Federal and state commissioners for data protection

The Federal Commissioner for Data Protection (BfDI) is responsible for federal public bodies according to § 24 (1) BDSG. The state data protection commissioners of the individual states supervise the public bodies of the states (state administrative authorities, municipalities).

bb) Supervisory authorities for the private sector

In addition to a company’s self-monitoring, the states also exercise data protection supervision over non-public bodies as per § 38 (6) BDSG. The organisational units and supervisory authorities established for that purpose are set up and regulated differently in each federal state.

1. Tasks and rights

Data protection inspections of a company may take place with or without a specific reason. Companies processing high-risk data in particular should expect unannounced inspection visits by the supervisory authorities.

Supervisory authorities have extensive information, inspection and access rights. According to § 38 (3) BDSG, the responsible body must provide the supervisory authority with all necessary information promptly, free of charge and in full. Supervisory authorities are authorised to inspect any documents needed for an examination at any time during office hours and have general access to the business premises.

In the event of impermissible data use, the inspection or control authorities can inform the data subject and the relevant authority about the possible consequence of a fine or administrative offence (cf. § 43 BDSG). Furthermore, they can instruct the responsible body to refrain from or cease further data use, impose penalties and ultimately prohibit the procedure in question.

2. Competence: Addresses and links to the state data protection commissioners

– Baden-Württemberg
http://www.baden-wuerttemberg.datenschutz.de/ihr-weg-zu-uns/
– Bayern
https://www.datenschutz-bayern.de/nav/0405.html
– Berlin
https://datenschutz-berlin.de/content/berlin/berliner-beauftragter/kontakt
– Brandenburg
http://www.lda.brandenburg.de/cms/detail.php/bb1.c.241171.de
– Hamburg
https://www.datenschutz-hamburg.de/wir-ueber-uns-kontakt/wie-erreichen-sie-uns.html
– Hessen
https://www.datenschutz.hessen.de/impressum.htm
– Mecklenburg-Western Pomerania
https://www.datenschutz-mv.de/behoerde/kontakt.html
– Lower Saxony
http://www.lfd.niedersachsen.de/portal/live.php?navigation_id=12929&article_id=56137&_psmand=48
– North Rhine-Westphalia
https://www.ldi.nrw.de/metanavi_Kontakt/
– Rhineland-Palatinate
https://www.datenschutz.rlp.de/de/kontakt.php
– Saarland
https://datenschutz.saarland.de/ueber-uns/kontakt/
– Saxony
https://www.saechsdsb.de/die-behoerde/kontakt2
– Saxony-Anhalt
http://www.sachsen-anhalt.de/meta/impressum/
– Schleswig-Holstein
https://www.datenschutzzentrum.de/impressum/
– Thuringia
https://www.tlfdi.de/tlfdi/kontakt/

b. Self-control

The data protection control carried out by companies themselves reflects the preventive, that is, precautionary character of data protection. When handling personal data, companies bear the operational risk of their employees performing tasks incorrectly or impermissibly. Employee self-monitoring and robust data security systems must meet the standards of German data protection law. Among others, companies have the following main obligations:

aa) Reporting obligation (§§ 4d, e BDSG)

Every automated data processing procedure must be reported to the relevant supervisory authority before it is launched; § 4e BDSG specifies the details. However, this reporting obligation does not apply if, as per § 4d (2) BDSG, an internal or external data protection officer has been appointed, whether voluntarily or by legal obligation.

bb) Prior checks (§ 4d Para 5 BDSG)

Beyond the basic reporting obligation, prior checks require a content-related verification of the process according to § 4d (5) BDSG. The processing of personal data is not checked step by step but rather as a whole process, “in its entirety”.
Only certain data have to undergo a prior check. Data that require a prior check according to § 4d (5) BDSG are either sensitive data according to § 3 (9) BDSG or data that contain evaluations of a data subject’s ability, performance or behaviour (e.g. data for assessing creditworthiness). In order to protect the right to informational self-determination, all data processing that poses substantial risks to the rights and liberties of data subjects, such as video surveillance or personnel management, is taken into account.

Exceptions apply if the data is processed for contractual purposes or the data subject has given consent.

For preparing the prior check, the link below offers a free template:

https://www.activemind.de/datenschutz/dokumente/vorabkontrolle/

cc) Procedure index (§ 4g (2) BDSG)

The procedure index is linked to the reporting obligation according to §§ 4d (2), 4e (1) BDSG and to the prior checks required by § 4d Para 3 BDSG. It is an index of all procedures in which personal data is processed. According to § 4g (2) BDSG, the data protection officer must be provided with all information required under § 4e BDSG as well as a list of all persons with access to that data. Meaningful additional information, such as the legal basis for storing the data or possible exceptions to the obligation to notify the data subject, should be included in the index.

The procedure index also enables external control by the supervisory authorities.

To create a procedure index, the link below provides free documents and a sample:

https://www.activemind.de/datenschutz/dokumente/verfahrensverzeichnis/

dd) Appointment of a data protection officer

According to § 4f (1) BDSG, public institutions must appoint a data protection officer. In the non-public sector, appointing a data protection officer is only mandatory if there are more than 9 employees. Under certain circumstances, the appointment of a data protection officer can be required by law regardless of the number of employees.