The German data protection law is mainly regulated by the Federal Data Protection Act (BDSG) (link to the Act), which implements the general EU Data Protection Directive 95/46/EC issued in 1995 by the European Parliament. In addition to Federal regulation, each Federal State also has its own state data protection law. In addition to these general regulations, there are special provisions for different areas, i.e. sectoral data protection law.
The EU Data Protection Directive was to be implemented by the different Member States in their national law, with a considerable margin. The Member States of the EU and the EEA (European Economic Area) and countries outside this group must decide amongst themselves regarding the decision as to which national data protection law shall be applicable in an individual case.
- Within the EU/ the EEA: According to the principle of establishment the place at which the relevant office has its business headquarters shall be decisive.
The Member State, in which the actual processing takes place, is not decisive.
- Outside the EU/ the EEA: The mirrored principle shall apply outside the EU. As per the Territorial principle, fundamentally, the data protection law of that nation is applied, in which the data is processed. The office of the responsible person – as opposed to European data processing processes – is not decisive.
An exception to the territorial principle outside the EU shall always be applicable if there is mere transit of data. As the data is not factually processed, and is not notice of in the transit country, the principle of establishment is applied. The establishment of the relevant office is decisive, but not the national law of the Transit place, § 1 (5) BDSG).
An exception to the principle of establishment within the EU applies once the responsible office in a foreign country allows a domestic branch office to process its data. Then, the so-called territorial principle shall be applicable. The establishment of the processing (branch) office is decisive, but not the national law of the “responsible office” (§1 (5) BDSG).
The Federal Data Protection Act (BDSG)
The basic idea of the Data Protection Directive 95/46/EC adopted in 1995 was the establishment of a uniform, trans-European data protection standard and the free flow of personal data between Member States. The regulation particularly followed the objective of consistently safeguarding the fundamental freedom and the fundamental rights of the natural person on European level. The objective determined in § 1 (1) BDSG accordingly regulates the protection and the guarantee of the Right to informational self-determination. Every person should fundamentally be able to decide himself/herself about the use of his/her data.
The BDSG is exclusively applicable for the collection, processing or use of personal data, that is, it includes all information about a living, natural person. However, data on juridical person or multiple persons and groups are not included. It even applies to information, which only establishes an indirect reference to a natural person. If non-personal data allows inference drawn from the, for example, name or other identity characteristics of a natural person, then this data shall also be governed by the BDSG.
The BDSG is divided into several sections. The first section includes all general provisions for all the addressees of the Directive. The second section addresses only the public sector, the third section only the non-public sector. The remaining sections 4-6 include special provisions, fine and penal provisions as well as transitional provisions.
Regulation principles of the BDSG
Overview of the most important provisions
Prohibition with right of permission
As per Article 7of the EU Directive, the prohibition with right of permission forms the core of German data protection law. The collection, processing and use of personal data is fundamentally prohibited (§ 4 (1) BDSG). Every handling of personal data must be legitimated on a statutorily provided legal basis or by consent of the data subject.
Principle of binding purpose
The admissibility of data use depends compulsorily on its purpose which is to be determined in advance. Data collection without a previously specified purpose (data retention) and a related legal basis is not permissible. Accordingly, changes to the purpose are only possible if the new purpose can also be reinforced by a legal basis. The determination of the purpose must be clear and lawful and, in case of change of purpose, should not differ from the originally determined purpose.
Principle of necessity
The principle of necessity is a characteristic of the principle of proportionality. The intervention in the personal sphere of the data subject is only allowed to the extent as is essential to reach the permissible purpose. The data used must be indispensable, and not just useful, for achieving the purpose. There are more characteristics of this principle in the law: § 3a BDSG regulates the obligation to limit die amount of data and to use them very sparingly.
The principle of transparency
Data processing processes must be transparent for data subjects. Only this guarantees that the data subject can assert the rights available to him for protecting his right to informational self-determination. Characteristics of this principle are found within the BDSG in the principle of direct collection of personal date, which prescribes collection of personal data directly from the data subject (§ 4 (2) BDSG). This is completed by the right to information of the data subject (§§ 19, 34 BDSG) during the period of time the data is processed and used.
Obligation for data security
If handling data is justified, the law establishes an additional obligation of providing proper data security. Processing offices have to take technical and organizational measures to ensure data protection, § 9 BDSG and the Annex to that.
Federal state data protection law (LDSG)
As a special feature of German law, there are federal state data protection laws in individual federal states, which must be applied, if the provincial administration officials and other public authorities (local authorities) use personal data.
Links to the data protection laws of the states:
- Mecklenburg-Western Pomerania
- Lower Saxony
- North Rhine-Westphalia
Area-specific data protection laws
In addition to the regulations expressly termed as “Data protection law”, there are other provisions with data protection regulations in many other laws.
In this respect, the principle of subsidiarity is applicable: An equally important special regulation replaces the general regulation, § 1 (3) BDSG.