§ 37 Automated individual decision-making, including profiling

  1. In addition to the exceptions given in Article 22 (2) (a) and (c) of Regulation (EU) 2016/679, the right according to Article 22 (1) of Regulation (EU) 2016/679 not to be subject to a decision based solely on automated processing shall not apply if the decision is made in the context of providing services pursuant to an insurance contract and
    1. the request of the data subject was fulfilled, or
    2. the decision is based on the application of binding rules of remuneration for therapeutic treatment and the controller takes suitable measures, in the event that the request is not granted in full, to safeguard the data subject’s legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision; the controller shall inform the data subject of these rights no later than the notification indicating that the data subject’s request will not be granted in full.
  2. Decisions pursuant to subsection 1 may be based on the processing of health data as referred to in Article 4 no. 15 of Regulation (EU) 2016/679. The controller shall take appropriate and specific measures to safeguard the interests of the data subject in accordance with Section 22 (2), second sentence.

Content of the FDPA (new)

Part 1 – Common provisions (§§ 1 - 21)

Part 2 – Implementing provisions for processing for purposes in accordance with Article 2 of Regulation (EU) 2016/679 (§§ 22-44)

Chapter 1 – Legal basis for processing personal data
Sub-chapter 1 – Processing of special categories of personal data and processing for other purposes

Sub-chapter 2 – Special processing situations

Chapter 2 – Rights of the data subject

Chapter 3 – Obligations of controllers and processors

Chapter 4 – Supervisory authorities for data processing by private bodies

Chapter 5 – Penalties

Chapter 6 – Legal remedies

Part 3 – Implementing provisions for processing for purposes in accordance with Article 1 (1) of Directive (EU) 2016/680 (§§ 45-84)

Chapter 1 – Scope, definitions and general principles for processing personal data

Chapter 2 – Legal basis for processing personal data

Chapter 3 – Rights of the data subject

Chapter 4 – Obligations of controllers and processors

Chapter 6 – Cooperation among supervisory authorities

Chapter 7 – Liability and penalties

Part 4 – Special provisions for processing in the context of activities outside the scope of Regulation (EU) 2016/679 und Directive (EU) 2016/680 (§ 85)