Last updated September 2016
General | Data Protection Laws
General data protection laws
The German Federal Data Protection Act (Bundesdatenschutzgesetz) (the “DPA”) implemented the Data Protection Directive into German law. This was subject to major amendments in July 2009 by the Federal Data Protection Act Amendment Law (Novelle des Bundesdatenschutzgesetzes), the majority of which entered into force on 1 September 2009.
In early 2016 the German Government extended German consumer protection bodies’ rights to issue cease and desist letters and to start legal proceedings in case of certain data protection breaches via an amendment to the German Act of Injunctive Relief (Unterlassungsklagegesetz).
Entry into force
The implementing legislation came into force on 23 May 2001, and was amended on 1 September 2009.
Details of the competent national regulatory authority
There are 18 different federal and regional data protection authorities as well as further supervisory bodies responsible for monitoring the implementation of data protection.
Notification or registration scheme and timing
(a) In general, automated processing procedures are required to be registered with the competent supervisory authority in advance.
(b) In particular, automated processing procedures must be registered if the data controller commercially stores personal data for the purpose of transfer or market research.
In either case there is no charge for registration.
In relation to (a) above, a registration is not required if: (i) the data controller has appointed a data protection official (which is usually the case in Germany); or (ii) as a rule, a maximum of nine employees are permanently involved in the collection, processing or use of personal data and either consent has been obtained or the use of the data is required for the establishment, implementation or termination of a contractual obligation with the data subject.
In relation to (b) above, there are no exemptions.
Appointment of a data protection officer
Every private entity with: (i) more than nine persons permanently engaged in automated data processing; or (ii) at least 20 persons engaged in non-automated processing, is obliged to appoint a data protection official. The data protection official must be appointed within one month following the beginning of the data processing. Data protection officials enjoy special protection against dismissal.
The definition of personal data in the DPA is “any information concerning the personal or material circumstances of an identified or identifiable individual”. However, the requirement that the information concerns a “personal or material circumstance” is interpreted very broadly (see the Federal Constitutional Court’s decision in Volkszählungsurteil) so in practice this definition is very similar to the standard definition of personal data.
In addition, it is commonly considered that whether or not an individual is identifiable and thus information regarding this individual might be qualified as personal data must be considered from the point of view of the person who is in possession of the information (and should not consider information held by third parties). In this respect, the German interpretation of personal data differs slightly from the Opinion on Personal Data.
Guidance from data protection authorities indicates that static IP addresses should be treated as personal data. In addition some authorities and some courts (see County Court of Berlin, file number: 5 C 314/06 and 23 S 3/07; County Court of Cologne, file number: 28 O 339/07) consider dynamic IP addresses (in the hands of someone other than the individual’s ISP) to be personal data though the German Federal Government and other authorities disagree.
Is information about legal entities personal data?
No. However, information about sole traders (Einzelkaufleute) and partnerships (Personengesellschaften) is personal data if, and to the extent that, such information touches on the personal circumstances of the traders and partners involved. Furthermore, to the extent that details of a legal entity are protected by telecommunications secrecy, they are considered personal data under the German Telecommunications Act.
What are the rules for processing personal data?
Generally, personal data may be processed if one of the standard conditions for processing personal data is met.
However, there is a slight difference in the implementation of the legitimate interests condition. Under the DPA, personal data may be processed to the extent necessary to safeguard the legitimate interests: (i) of the controller, provided there is no reason to assume that the data subject has an overriding interest in ruling out the possibility of processing; or (ii) of third parties, provided there is no reason to believe that the data subject has a legitimate interest in ruling out the processing. In other words, where the legitimate interest is that of a third party, there is no scope for weighing the competing interests: the mere existence of a legitimate interest of the data subject is sufficient to rule out this condition.
Additional, special requirements apply to: (i) employee data; (ii) personal data used for marketing and address trading; (iii) scoring; and (iv) market and opinion research.
Are there any formalities to obtain consent to process personal data?
Consent must be based on the data subject’s free decision and should be in writing unless special circumstances dictate otherwise. If consent is to be given together with other declarations (for example, together with general terms and conditions), it must be made distinguishable. It is widely acknowledged that valid consent from employees is hard to obtain as the employees’ dependence on the employers generally excludes the ability to make a free decision.
What is sensitive personal data?
Under the DPA, sensitive personal data means the standard types of sensitive personal data. Information on criminal offences is not considered to be sensitive personal data. Nevertheless, when collecting, processing or storing such information and balancing the interests of the data subject, information on criminal offences (in particular, criminal offences committed by employees) is treated as more sensitive than other personal data.
The DPA also has additional processing rules that apply to the processing of CCTV footage, and German data protection authorities have issued guidelines on the use of CCTV in 2014. The potential new employee data protection law (see above) is expected to explicitly prohibit any use of CCTV in private spaces, such as rest rooms.
Are there additional rules for processing sensitive personal data?
Sensitive personal data may be processed if the standard conditions for processing sensitive personal data are met.
Are there any formalities to obtain consent to process sensitive personal data?
In addition to the requirements and formalities applicable to personal data (see above), such consent must refer expressly to the sensitive personal data which will be processed.
What is the territorial scope of application?
The DPA applies the standard territorial test. However, the Berlin district court has extended the application of the DPA to data protection provisions appearing (from a consumer's point of view) to be part of an organisation's general terms and conditions even if that organisation is not established in Germany.
Who is subject to data protection legislation?
The responsibility for complying with the provisions set out in the DPA is generally borne by the data controller. Data processors are subject to a reduced set of specific requirements, such as the obligation to ensure that their employees commit to maintaining confidentiality when taking up their duties. Additionally, technical and organisational measures must be agreed between the data controller and the data processor. The applicable minimum requirements regarding technical and organisational measures ensuring data security are set forth in the DPA.
Are both manual and electronic records subject to data protection legislation?
Public bodies: Yes.
Private bodies: Yes. However, the DPA applies only to the extent personal data is: (i) processed or used by means of data processing systems or is collected for such systems; or (ii) processed or used in, or from, non-automatic filing systems or is collected for such systems. Employee data, however, is subject to the DPA regardless of whether such data originates from manual or electronic records.
Where a data controller causes harm to the data subject through inadmissible or incorrect collection, processing or use of his personal data, such controller or its supporting organisation must compensate the data subject for the harm caused.
Fair processing information
A data controller must provide the fair processing information to data subjects. If the information is collected under a legal obligation or for the provision of benefits, the individual must be informed whether providing the information is mandatory or voluntary and of the consequences of not providing it.
There is no obligation in the DPA to provide this information in German, though it may be difficult to show that the information has been fairly provided if it is not in a language the data subject is familiar with. There is no obligation to refer to the DPA itself in any fair processing information.
Rights to access information
Data subjects may obtain their subject access information by written request to data controllers and such information is generally provided free of charge. If the information is stored in the course of business for transfer purposes (e.g. from a credit agency) the data subject may also request such information once a year free of charge. Any further information requests, however, may incur a charge.
Objection to direct marketing
The data subject has the right to object to personal data being transferred for purposes of advertising and market and opinion research.
The data subject may demand the correction of incorrect data as well as the deletion or blocking of personal data, the storage of which is not, or is no longer, covered by legitimate purposes.
Security requirements in order to protect personal data
Public and private bodies processing personal data, either on their own behalf or on behalf of others (data processors), are obliged to take the technical and organisational measures required to ensure compliance with the provisions of the DPA. The minimum requirements the data controller and the data processor must adhere to relate to access control, transmission control, input control, availability control and the separation of data.
Ahead of the adoption of the European Network and Information Security (NIS) Directive, the German Parliament adopted the IT Security Act (IT-Sicherheitsgesetz) in June 2015, under which so-called critical infrastructures (in particular in the banking, insurance, energy, health, telecoms and transport industries) will have to implement and audit state-of-the-art technical and organisational measures regarding their IT. Industry-wide solutions might be adopted. Cyber attacks will have to be reported to the German Federal IT Security Agency (Bundesamt für Sicherheit in der Informationstechnik), and a contact person made available to it.
Specific rules governing processing by third party agents (processors)
In the event that a data processor is handling personal data on behalf of a data controller, the data processor and the data controller need to conclude a written agreement about the commissioned processing of data. This agreement must include a specific set of minimum requirements comprising the standard processor obligations and additional requirements, such as a description of the object and duration of the processing and an obligation on the data processor to notify the data controller of any security breaches. Where data processors are commissioned to handle data, the responsibility for compliance with the provisions of the DPA remains with the data controller. Therefore, the data controller must ensure that the data is processed strictly in accordance with its instructions.
Notice of breach laws
Private entities must notify the competent regulatory authority and the persons affected if their data has been unlawfully disclosed to third parties (whether by illegitimate transfer, data leakage or hacker attack) if there is a danger of serious prejudice to the interests of the person affected (for example, the loss of credit card or patient data). If it is too difficult to directly notify all persons affected, a notice must be published in two daily newspapers.
Further notice of breach obligations apply to those providing telemedia services under the German Telemedia Act (Telemediengesetz) (the “TMA”).
Notification and approval of national regulator (including notification of use of Model Contracts)
The DPA does not contain an obligation to notify the authority when transferring personal data to countries outside the EEA when using Model Contracts. However, some data protection authorities in northern Germany request a submission of signed Model Contracts for information purposes. Furthermore, if the Model Contracts are modified then approval must be sought and some of the German data protection authorities require a copy of the signed Model Contracts to be submitted by the data exporter. In a joint statement of July 2013, the German data protection authorities have stated that in the light of the PRISM/NSA allegations they are currently no longer approving (where such approval is required at all) any data transfers abroad (at least as to data transfers to the US). Some local data protection authorities have, however, made exceptions to such a general rule.
Use of binding corporate rules
Besides the standard conditions for transborder dataflow, the competent authority may allow individual transfers of certain categories of personal data to non-EEA countries if adequate safeguards with respect to the protection of privacy are guaranteed. Binding corporate rules are a method for such protection and require approval by the competent supervisory authority. Germany is part of the mutual recognition club for binding corporate rules. Some German data protection authorities request that individual data transfers under such binding corporate rules be approved in addition to the approval of the binding corporate rules themselves. However, as set out above, it is unclear whether, in the light of the PRISM/NSA allegations, an approval would currently be granted at all (at least as to data transfers to the US).
Should a data controller infringe the data subject’s rights under the DPA, the data subject is entitled to injunctive relief and compensation for damages. In addition, a violation of the DPA may result in administrative fines and penalties. Fines should aim to confiscate, in particular, profits and therefore be higher than any potential economic gain resulting from the breach of the DPA.
Consumer protection bodies can issue cease and desist letters and start court proceedings where data protection provisions appear (from a consumer’s perspective) to be part of an organisation’s general terms and conditions. Under an amended German Act of Injunctive Relief, the rights of the German consumer protection bodies to issue cease and desist letters and to start legal proceedings have been extended (see General data protection laws, above).
With respect to any information about investigations and prosecutions in Germany, three things should be noted: (i) reliable information is very hard to obtain, because in Germany there are several responsible authorities acting independently (please see the section entitled “Details of the competent national regulatory authority” above) and the reports published by the various data protection authorities do not contain details of penalties imposed or the facts of the relevant cases; (ii) in Germany there is a distinction between criminal sanctions (Straftaten) and administrative fines (Ordnungswidrigkeiten), both of which are applicable in relation to data protection infringements; and (iii) the sanctions regime was significantly amended in September 2009, and to date there is no established practice under the new regime.
Generally, data protection breaches may be punished by a fine of up to EUR 50,000 per breach or, in certain cases, up to EUR 300,000 per breach. Additionally, further administrative offences have been introduced, which include deficiencies in ordering commissioned data processing (Auftragsdatenverarbeitung) and insufficient monitoring by the data controller.
In October 2009, however, the data protection authority of Berlin imposed a fine of EUR 1,123,503.50 on Deutsche Bahn AG because of significant violations of data protection law. This is the highest administrative fine ever imposed in Germany due to non-compliance with data protection law.
In 2013 and 2014, Frankfurt and Berlin courts decided that certain terms and conditions (including data protection provisions) of Samsung, Facebook, Google and Apple were invalid.
The various federal and state data protection authorities in Germany have the power to take enforcement actions. They themselves (or in co-operation with other administrative authorities) may: (i) fine organisations (administrative fines); (ii) order that any discovered breaches be remedied; and (iii) in the event of serious infringements, ban certain procedures.
However, prosecutions for criminal offences must be brought before the German Criminal Courts (by public prosecutors) who can impose fines or imprisonment.
Consumer protection bodies may issue cease and desist letters and start court proceedings where data protection provisions appear (from a consumer’s perspective) to be part of general terms and conditions. Consumer protection bodies’ rights are likely to be extended in the future to cover a larger set of breaches of data protection (see General data protection laws, above). This extension is expected to significantly increase the number of cease and desist letters and legal procedures in practice.
ePrivacy | Marketing and cookies
The German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb) (the “UCA”) dated 3 July 2004 and the revised German Telecommunications Act (Telekommunikationsgesetz) (the “TA”) dated 22 June 2004 (with the TA being applicable only to telecommunications service providers in addition to the UCA) both implemented Article 13 of the Privacy and Electronic Communications Directive. Further, the TMA may be amended to implement the Citizens’ Rights Directive as regards the storage of cookies.
A draft bill to implement the Citizens’ Rights Directive, published in June 2011, would require consent to be obtained before any cookies are stored on the user’s terminal equipment unless the cookie is strictly necessary for the provision of a service to that subscriber or user. However, the German government has – against the view of the supervisory authorities – taken the position that, due to the already existing provisions of the TMA, no changes are required.
Marketing by E-mail
Conditions for direct marketing by e-mail to individual subscribers
Direct marketing via e-mail in principle requires the prior explicit consent of the recipient.
Conditions for direct marketing by e-mail to corporate subscribers
Direct marketing via e-mail in principle requires the prior explicit consent of the recipient. The Federal Court of Justice confirmed that even a single unsolicited e-mail sent to a corporate subscriber infringes the applicable law (Federal Court of Justice, file number: I ZR 218/07).
Exemptions and other issues
The similar products and services exemptions apply.
The UCA also prohibits direct marketing e-mails from being sent if: (i) the identity of the sender is disguised or concealed; or (ii) if an opt-out address is not provided.
The sender must also include the eCommerce information.
Marketing by Telephone
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
Individual calls (without the use of automated calling systems) to individual subscribers who are consumers for the purposes of direct marketing are subject to the explicit prior consent of the subscriber.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
Individual calls to corporate subscribers (and to individuals who are not acting in their capacity as consumers) are only permitted with their explicit or implied consent. Hence, in contrast to calls to consumers, implied consent is sufficient. However, German case law indicates that such implied consent is subject to quite strict requirements.
Exemptions and other issues
No exemptions apply.
Marketing by Fax
Conditions for direct marketing by fax to individual subscribers
The use of fax for the purposes of direct marketing is only allowed in respect of individual subscribers (i.e. consumers) who have given their prior explicit consent.
Conditions for direct marketing by fax to corporate subscribers
The use of fax for the purposes of direct marketing is only allowed in respect of corporate subscribers who have given their prior explicit consent.
Exemptions and other issues
No exemptions apply.