§ 38 Data protection officers of private bodies
- In addition to Article 37 (1) (b) and (c) of Regulation (EU) 2016/679, the controller and processor shall designate a data protection officer if they constantly employ as a rule at least ten persons dealing with the automated processing of personal data. If the controller or processor undertake processing subject to a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679, or if they commercially process personal data for the purpose of transfer, of anonymized transfer or for purposes of market or opinion research, they shall designate a data protection officer regardless of the number of persons employed in processing.
- Section 6 (4), (5), second sentence, and (6) shall apply; however, Section 6 (4) shall apply only if designating a data protection officer is mandatory.
Content of the FDPA (new)
Part 1 – Common provisions (§§ 1-21)
Chapter 1 – Scope and definitions
Chapter 2 – Legal basis for processing personal data
- § 3 Processing of personal data by public bodies
- § 4 Video surveillance of publicly accessible spaces
Chapter 3 – Data protection officers of public bodies
Chapter 4 – Federal Commissioner for Data Protection and Freedom of Information
- § 8 Establishment
- § 9 Competence
- § 10 Independence
- § 11 Appointment and term of office
- § 12 Official relationship
- § 13 Rights and obligations
- § 14 Tasks
- § 15 Activity reports
- § 16 Powers
Chapter 5 – Representation on the European Data Protection Board, single contact point, cooperation among the federal supervisory authorities and those of the Länder concerning European Union matters
- § 17 Representation on the European Data Protection Board, single contact point
- § 18 Procedures for cooperation among the federal and Länder supervisory authorities
- § 19 Responsibilities
Chapter 6 – Legal remedies
Part 2 – Implementing provisions for processing for purposes in accordance with Article 2 of Regulation (EU) 2016/679 (§§ 22-44)
Chapter 1 – Legal basis for processing personal data
Sub-chapter 1 – Processing of special categories of personal data and processing for other purposes
- § 22 Processing of special categories of personal data
- § 23 Processing for other purposes by public bodies
- § 24 Processing for other purposes by private bodies
- § 25 Transfer of data by public bodies
Sub-chapter 2 – Special processing situations
- § 26 Data processing for employment-related purposes
- § 27 Data processing for purposes of scientific or historical research and for statistical purposes
- § 28 Data processing for archiving purposes in the public interest
- § 29 Rights of the data subject and powers of the supervisory authorities in the case of secrecy obligations
- § 30 Consumer loans
- § 31 Protection of commercial transactions in the case of scoring and credit reports
Chapter 2 – Rights of the data subject
- § 32 Information to be provided where personal data are collected from the data subject
- § 33 Information to be provided where personal data have not been obtained from the data subject
- § 34 Right of access by the data subject
- § 35 Right to erasure
- § 36 Right to object
- § 37 Automated individual decision-making, including profiling
Chapter 3 – Obligations of controllers and processors
Chapter 4 – Supervisory authorities for data processing by private bodies
Chapter 5 – Penalties
- § 41 Application of provisions concerning criminal proceedings and proceedings to impose administrative fines
- § 42 Penal provisions
- § 43 Provisions on administrative fines
Chapter 6 – Legal remedies
Part 3 – Implementing provisions for processing for purposes in accordance with Article 1 (1) of Directive (EU) 2016/680 (§§ 45-84)
Chapter 1 – Scope, definitions and general principles for processing personal data
Chapter 2 – Legal basis for processing personal data
- § 48 Processing of special categories of personal data
- § 49 Processing for other purposes
- § 50 Processing for archiving, scientific and statistical purposes
- § 51 Consent
- § 52 Processing on instructions from the controller
- § 53 Confidentiality
- § 54 Automated individual decision
Chapter 3 – Rights of the data subject
- § 55 General information on data processing
- § 56 Notification of data subjects
- § 57 Right of access
- § 58 Right to rectification and erasure and to restriction of processing
- § 59 Modalities for exercising the rights of the data subject
- § 60 Right to lodge a complaint with the Federal Commissioner
- § 61 Legal remedies against decisions of the Federal Commissioner or if he or she fails to take action
Chapter 4 – Obligations of controllers and processors
- § 62 Processing carried out on behalf of a controller
- § 63 Joint controllers
- § 64 Requirements for the security of data processing
- § 65 Notifying the Federal Commissioner of a personal data breach
- § 66 Notifying data subjects affected by a personal data breach
- § 67 Conducting a data protection impact assessment
- § 68 Cooperation with the Federal Commissioner
- § 69 Prior consultation of the Federal Commissioner
- § 70 Records of processing activities
- § 71 Data protection by design and by default
- § 72 Distinction between different categories of data subjects
- § 73 Distinction between facts and personal assessments
- § 74 Procedures for data transfers
- § 75 Rectification and erasure of personal data and restriction of processing
- § 76 Logging
- § 77 Confidential reporting of violations
Chapter 5 – Transfers of data to third countries and to international organizations
- § 78 General requirements
- § 79 Data transfers with appropriate safeguards
- § 80 Data transfers without appropriate safeguards
- § 81 Other data transfers to recipients in third countries
Chapter 6 – Cooperation among supervisory authorities
Chapter 7 – Liability and penalties
Part 4 – Special provisions for processing in the context of activities outside the scope of Regulation (EU) 2016/679 and Directive (EU) 2016/680 (§ 85)