§ 1 Scope of the Act

  1. This Act shall apply to the processing of personal data by
    1. public bodies of the Federation,
    2. public bodies of the Länder, where data protection is not governed by Land law and where they
      1. carry out federal law or
      2. act in the capacity of judicial bodies in matters other than administrative matters.

    For private bodies, this Act shall apply to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system un- less such processing is conducted by natural persons in the course of a purely personal or domestic activity.

  2. Other federal data protection legislation shall take precedence over the provisions of this Act. If such legislation does not govern a matter conclusively or at all which is covered by this Act, then this Act shall apply. The duty to observe the legal obligation of maintaining secrecy or professional or special official confidentiality not based on legal provisions shall remain unaffected.
  3. The provisions of this Act shall take precedence over those of the Administrative Procedure Act where personal data are processed to establish the facts.
  4. This Act shall apply to public bodies. It shall apply to private bodies if
    1. the controller or processor processes personal data in Germany,
    2. personal data are processed in the context of the activities of an establishment of the controller or processor in Germany, or if,
    3. although the controller or processor has no establishment in a Member State of the European Union or another contracting state of the European Economic Area, it does fall within the scope of Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the pro- cessing of personal data and on the free movement of such data, and repealing Di- rective 95/46/EC (General Data Protection Regulation) (OJ L 119 of 4 May 2016, p. 1; L 314 of 22 November 2016, p. 72).

    If this Act does not apply in accordance with the second sentence, only Sections 8 to 21 and 39 to 44 shall apply to the controller or processor.

  5. The provisions of this Act shall not apply where the law of the European Union, in particular Regulation (EU) 2016/679 in the applicable version, directly applies.
  6. The contracting states of the European Economic Area and Switzerland shall have equal status with the Member States of the European Union with regard to pro- cessing for purposes in accordance with Article 2 of Regulation (EU) 2016/679. Other states shall be regarded as third countries.
  7. With regard to processing for purposes in accordance with Article 1 (1) of Di- rective (EU) 2016/680 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119 of 4 May 2016, p. 89), the states associated with the implementation, application and development of the Schengen Acquis shall have equal status with the Member States of the European Union. Other states shall be regarded as third countries.
  8. Regulation (EU) 2016/679 and Parts 1 and 2 of this Act shall apply accordingly to processing of personal data by public bodies in the context of activities outside the scope of Regulation (EU) 2016/679 and Directive (EU) 2016/680 unless otherwise provided for in this or another Act.

Content of the FDPA (new)

Part 1 – Common provisions (§§ 1 - 21)

Part 2 – Implementing provisions for processing for purposes in accordance with Article 2 of Regulation (EU) 2016/679 (§§ 22-44)

Chapter 1 – Legal basis for processing personal data
Sub-chapter 1 – Processing of special categories of personal data and processing for other purposes

Sub-chapter 2 – Special processing situations

Chapter 2 – Rights of the data subject

Chapter 3 – Obligations of controllers and processors

Chapter 4 – Supervisory authorities for data processing by private bodies

Chapter 5 – Penalties

Chapter 6 – Legal remedies

Part 3 – Implementing provisions for processing for purposes in accordance with Article 1 (1) of Directive (EU) 2016/680 (§§ 45-84)

Chapter 1 – Scope, definitions and general principles for processing personal data

Chapter 2 – Legal basis for processing personal data

Chapter 3 – Rights of the data subject

Chapter 4 – Obligations of controllers and processors

Chapter 6 – Cooperation among supervisory authorities

Chapter 7 – Liability and penalties

Part 4 – Special provisions for processing in the context of activities outside the scope of Regulation (EU) 2016/679 und Directive (EU) 2016/680 (§ 85)