Data subjects’ rights according to German data protection law

To ward off interventions in the right of informational self-determination (§ 6 (1) BDSG), the data subject has, among other things, the right to disclosure (§§ 19, 34 BDSG) and the right to rectification of incorrect personal data records as well as to blocking or deletion (§§ 20, 35 BDSG).

These rights cannot be restricted or excluded by a legal transaction, by contract or biased agreement (§ 6 (1)).

Though not specified within the law, the right to invoke and right to revoke are equally protected. Invalid legal transactions are – for example – direct waiver by the concerned party or an agreed contractual penalty in case the concerned party makes use of those rights.
In this respect, the concerned party can approach any authority that is entitled to save the data. The responsible authority is then obliged, if necessary, as per § 6 (2), to forward the request of the concerned party to the relevant department.
The rights of the concerned party are extensively regulated. In case of non-compliance, monetary fines between EUR 50,000.00 and EUR 300,000.00 can be levied (§ 43 (3)).

Notification (§ 6 together with § 33)

§ 33 determines that the concerned person must be notified from the time the data is saved, but at the latest upon transmission for business purposes.
The notification must be “immediate”. A culpable delay already triggers an offence as per § 43 (1) no. 8.
The notification must contain at least the following information:

  1. That data is saved
  2. Type of personal data
  3. Intended purpose (reason and use specifications) of the personal data
  4. Identity of the responsible authority

In case of business transmission (functional transmission), the notification must additionally include information about:

  • the initial transmission process
  • the types of personal data transmitted.

§ 33 (2) provides for some exceptions in which there need be no notification. This regulation is conclusive and in cases of doubt must strictly be implemented to the advantage of the concerned person.

Exceptions

The notification can be omitted as an exception, if

  1. the concerned person has already gained knowledge in another manner of the saving or transfer of data (§ 33 (2) no. 1)
  2. The saving occurred on the basis of a statutory, statute-based or contractual prohibition of deletion or only for purposes of data security, and notification would additionally come at a disproportionately high expenditure for the responsible authority (§ 33 (2) no. 2)
  3. The secrecy obligation arises based on the nature of the personal data or by law (§ 33 (2) no. 3)
  4. The saving or transmission is obligatory by law (§ 33 (2) no. 4)
  5. The saving or transmission is necessary for scientific purposes, and notification would additionally come at a disproportionately high expenditure for the responsible authority (§ 33 (2) no. 5)
  6. The authorized public office has stated to the responsible authority that the publication of the data would form a risk to public security or order or would otherwise be harmful to the welfare of the federation or the state (§ 33 (2) no. 6)
  7. The saved data are for own purposes and derived from public sources, and a notification would come at a disproportionate expenditure for the responsible authority due to the extensive number of cases (§ 33 (2) no. 7a)
    or
    The saved data are for own purposes and a notification would jeopardize the business objective, unless the interests of the concerned party outweigh (§ 33 (2) no. 7b)
  8. The personal data for market and opinion research was retrieved from generally accessible sources and a notification would come at a disproportionately high expenditure due to the extensive number of cases (§ 33 (2) no. 9).

In case of saving for business transmissions, the notification obligation is omitted if:

  1. The data is retrieved from a generally accessible place, as long as it only refers to the individuals who published the data (§ 33 (2) no. 8a) or
  2. it concerns listed data or data summarized otherwise (§ 29 (2)) and there is no protection-worthy interest of the concerned person to the exclusion of transmission.

The above-listed cases of exclusion regularly include a weighing of the interests of the concerned person against the expenditure of notification. In the variants of § 33 (2) no. 7a, no. 8 and no. 9 in particular, the extensive number of cases involved forms a possible argument for a disproportionately high expenditure; however, it mostly does not outweigh the interests of the concerned person. This is especially the case when data that does not require notification (e.g. from official sources) is saved collectively with the data that requires notification.

Disclosure (§ 6 in conjunction with § 34)

The responsible authority is obliged to disclose certain information upon request of the concerned person. The following must be communicated to the concerned person:

  1. all the data saved on a person, including the source
  2. the assigned authority in the contract data processing
  3. the purpose of saving.

In this respect, further special provisions in § 34 (1a), (2), and (3) are applicable, including for scoring. It can be assumed that where a notification obligation does not exist, there is also no obligation to disclose.

If the concerned person demands information, it must be given to him free of charge and in text form. In this connection, please note the following:

  1. The free inspection is restricted to a one-time requirement every calendar year. If there are frequent claims, fees can be levied.
  2. An exception to this is if concrete clues suggest the suspicion that the data has been saved incorrectly or without a legal basis.
  3. If information is provided only after payment, then the responsible authority must inform the concerned person that he can personally obtain knowledge of his data (§ 34 (9)).

Correction obligation (§ 6 together with § 35)

Incorrect data must be corrected – at least – upon request of the concerned person.

Deletion obligation

If there is no purpose or legal basis (any more), personal data must be deleted, so long as there are no statutory retention timeframes. In the latter case, data must be blocked during retention and must be deleted after the retention period is over.

Blocking replaces “deletion” in some exceptional cases. Blocking cannot be selected as an alternative to deletion, based on discretion; rather, it is subject to statutorily determined exceptions. These must be given when, among other things, retention periods or protection-worthy interests of the concerned person are opposed. If, as regards personal data, neither the correctness can be proven by the responsible persons nor the incorrectness can be proven by the concerned person, then such data must also be blocked.

Other rights (post-reporting obligation & revocation)

§ 35 (5) enables the concerned person to always file an objection against the processing of his data, if there is an overriding interest.
If an authority is obliged to correct data, it is subject to the so-called post-reporting obligation, which covers all authorities to which the personal data is forwarded for saving.