§ 42 Penal provisions

  1. The following actions done deliberately and without authorization with regard to the personal data of a large number of people which are not publicly accessible shall be punishable with imprisonment of up to three years or a fine:
    1. transferring the data to a third party or
    2. otherwise making them accessible

    for commercial purposes.

  2. The following actions done with regard to personal data which are not publicly accessible shall be punishable with imprisonment of up to two years or a fine:
    1. processing without authorization, or
    2. fraudulently acquiring

    and doing so in return for payment or with the intention of enriching oneself or someone else or harming someone.

  3. Such offences shall be prosecuted only if a complaint is filed. The data subject, the controller, the Federal Commissioner and the supervisory authority shall be entitled to file complaints.
  4. A notification pursuant to Article 33 of Regulation (EU) 2016/679 or a communication pursuant to Article 34 (1) of Regulation (EU) 2016/679 may be used in criminal proceedings against the person required to provide a notification or a communication or relatives as referred to in Section 52 (1) of the Code of Criminal Procedure only with the consent of the person required to provide a notification or a communication.

Content of the FDPA (new)

Part 1 – Common provisions (§§ 1 - 21)

Part 2 – Implementing provisions for processing for purposes in accordance with Article 2 of Regulation (EU) 2016/679 (§§ 22-44)

Chapter 1 – Legal basis for processing personal data
Sub-chapter 1 – Processing of special categories of personal data and processing for other purposes

Sub-chapter 2 – Special processing situations

Chapter 2 – Rights of the data subject

Chapter 3 – Obligations of controllers and processors

Chapter 4 – Supervisory authorities for data processing by private bodies

Chapter 5 – Penalties

Chapter 6 – Legal remedies

Part 3 – Implementing provisions for processing for purposes in accordance with Article 1 (1) of Directive (EU) 2016/680 (§§ 45-84)

Chapter 1 – Scope, definitions and general principles for processing personal data

Chapter 2 – Legal basis for processing personal data

Chapter 3 – Rights of the data subject

Chapter 4 – Obligations of controllers and processors

Chapter 6 – Cooperation among supervisory authorities

Chapter 7 – Liability and penalties

Part 4 – Special provisions for processing in the context of activities outside the scope of Regulation (EU) 2016/679 und Directive (EU) 2016/680 (§ 85)