Legal basis according to German data protection law

Each processing must be based on the consent of the data subject or there must be a legal basis, which is permitting the processing.

Consent of the data subject

Effectiveness prerequisites

Consent must always be obtained before the respective data processing procedure. It cannot be obtained subsequently – that is “retrospectively”.

Consent must be expressed

  • voluntarily,
  • in an informed manner and
  • definitely (that is concretely)
  • in the correct form.

In order for a consent to be voluntary, the data subject must express it at “one’s own free will” (cf. § 4a Para 1.1 BDSG). Partially, a “prohibition of coupling” (§ 28 Para 3b.1 BDSG) exists, in the sense that the expressed consent connected to a contract may not be combined with further purposes.

An informed consent is given if the data subject has been instructed in a clear and explicit manner about all the purposes and circumstances of data processing.

As to how far the consent is sufficiently determined or concrete, depends upon the usage situation. The consent must correspond to each step of the data processing phase. The more complicated the data processing, that much more detailed its explanation must be. Ambiguities go at the expense of the responsible.

Other effectiveness prerequisites

The submission of consent

The consent must be declared personally or by an authorized representative. The explanation must be issued in written form. A written confirmed consent is also possible. In this case, the responsible authority must confirm the consent to the data subject within a written document. An electronic consent is also possible. In this case the written form is replaced by an extensive transcript.


The option of revoking a consent once granted is part of the right to informational self-determination. The effective withdrawal occurs with immediate effect for the future; not retrospectively. In this, the most important principles are:

  • the contractual exclusion of the revocation is not possible
  • the revocation does not need to be in a specific form
  • The option of revocation is free of charge
  • Receiver of the revocation by the data subject is the responsible authority

After the data processing begins, the data subject can revoke its consent with the so-called “Principle of good faith” (§ 242 BGB), yet only under certain restrictions.

Consent within the terms and conditions (AGB)

If the regulations on consent are implemented within other contract components such as in the pre-formulated AGB, then this must clearly be highlighted. Otherwise, the consent is ineffective.

Statutory legal basis in the private sector

The most important legal bases in the BDSG are § 28 and § 32. Within those bases are listed several individual cases, in which personal data may be processed in everyday business without prior consent. The principle of binding purpose has to be considered within those regulations. The processing can only take place for the specific purpose determined in advance (§ 28 (1.2)).

The most important cases in practice, in which the law allows data processing without consent, are:

  • Data processing for fulfilling a contract or legal transaction with the data subject (§ 28 (1) no. 1 BDSG).
  • § 32 Para 1 also regulates this case for employment relationships.
  • Data processing on the basis of legal obligations and legitimate interests of the responsible persons (§ 28 (1) no. 2 BDSG)
  • Data processing on the basis of vital interests of the data subject s (for example: § 28 (6) no. 1 BDSG).
  • Data processing for safeguarding of public interests or tasks to fulfill public interests (e.g. § 28 (2) no. 2b BDSG)
  • Data processing for postal advertising (§ 28 (3) BDSG)
  • Data processing from public sources or if the company had a right, to publish the respective data (§ 28 (1) no. 3 BDSG)
  • Data processing for further purposes other than those determined originally (§ 28 (2) BDSG).
    In exceptional cases, data can also be used for purposes other than those determined originally. This is the case, if, for example, the company or the third party has a legitimate interest in the processing. In the case of publicly accessible data or for purposes of law enforcement, there can be an exception to the principle of binding purpose.

Information obligation in case of data protection violations (§ 42a BDSG)

If specific types of data are become known to third parties illegally, the law provides a reporting obligation. If disproportionate impairments threaten the rights of the data subject, then the responsible authority must inform, both, its supervisory as well as the data subject of this. If companies fail to comply with this obligation, then they shall be liable to fines of up to EUR 300,000.00 (§ 43 (2) no. 7 BDSG).

Data, in which cases such a reporting obligation can exist, is:

  • sensitive data
  • personal data, which is subject to professional secrecy
  • personal data with reference to (even mere suspicion) punishable actions and administrative offences
  • personal data related to bank or credit card accounts

With regard to content, the notice must contain information about the unauthorised revelation and possible countermeasures for adverse consequences. Moreover, the responsible authority is further instructed to take all the reasonably possible measures for limiting possible damage.

For the telecommunication and tele media sectors, there are corresponding parallel provisions, which, for example, regulate reporting obligations about user data and inventory data (§§ 15a and §§ 93 (3) TMG and §§ 109a (1) and (2) TKG).