
PLC - Protection: Germany Page 1 of 18

Data Protection: Germany

Resource type: Article: know-how
Status: Law stated as at 01-Mar-2009
Jurisdiction: Germany

A Q&A guide to data protection in Germany.

Stephan Rippert and Katharina A Weimer, Reed Smith LLP

Regulation

1. What national law(s) apply to the collection and use of personal data? If applicable, has Directive 95/46/EC on data protection (Data Protection Directive) been implemented?

Directive 95/46/EC on data protection (Data Protection Directive) was implemented in Germany through the Federal Data Protection Act (DPA). The DPA is the primary legislation regulating the collection and use of personal data. At state level, each state has enacted data protection regulations covering the collection and use of personal data by public bodies of the states. Collection and use of personal data in specific areas is regulated by area-specific secondary legislation, which includes the:

Telemedia Act (Telemediengesetz (TMG)).

Telecommunications Act (Telekommunikationsgesetz (TKG)).

German Social Code (Sozialgesetzbuch (SGB)).

Interstate Broadcast Treaty (Rundfunkstaatsvertrag (RStV)).

The objective of the DPA is to give individuals rights over their personal information and to require anyone who handles personal data to comply with the regulations of the DPA. The DPA differentiates between the collection and use of personal data by public authorities and by private persons. Where a public entity acts as data controller, the handling of personal data is mainly regulated by state legislation, with the DPA serving as a default regulation.

2. To whom do the rules apply (EU: data controller)?

A "data controller" is defined as any person or body that collects, processes or uses personal data on its own behalf, or instructs others to do so on its behalf (section 3(7), DPA). Data controllers can be public bodies, and private legal or natural persons.

Data controllers do not need to hold or process data themselves. They may instruct a third party with the processing of personal data (see Question 15).

3. What data is regulated (EU: personal data)?

http://whichlawyer.practicallaw.com/9-385-8462?qp=&qo=&q= 4/30/2009 PLC - Data Protection: Germany Page 2 of 18

The data protection regulations apply to personal data, which is defined as any information concerning the personal or factual circumstances of an identified or identifiable individual (section 3(1), DPA). Therefore, any information which is linkable to an individual is considered personal data. Information can be linked to an individual if the connection to the individual can be made through the data itself or with the help of other information which is or is likely to be available to the data controller. Data which may be unidentifiable for a data controller (for example, because of anonymisation) and therefore not protected under the DPA may well be linkable to an individual for another data controller if the other data controller has the key for allocating the data to the individual.

Personal data includes:

Name, birthday and family relationships.

Contact details such as street address, email address and telephone number.

Insurance number, bank details, religious affiliation and medical data.

The DPA provides special protection for sensitive personal data which are more susceptible to abuse. This includes data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life (section 3(9), DPA).

4. What acts are regulated (EU: processing)?

The DPA regulates all stages of handling of personal data, from collection to deletion of data, under which (section 3, DPA):

"Collection" means the acquisition of data on the data subject.

"Processing" means the storage, modification, transfer, blocking and erasure of personal data.

"Use" means any utilisation of personal data other than processing.

For private-entity data controllers, the DPA only applies in case of automatic data processing (section 3(2), DPA) or in cases where the data processing is not automatic but data is processed in or from a file system or collected for it. "Automatic data processing" means the collection, processing or use of personal data using automatic data processing means. In contrast, a non-automatic file system means any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised, or dispersed on a functional or geographical basis.

5. What is the jurisdictional scope of the rules?


The jurisdictional scope of the DPA is regulated in section 1(5) of the DPA. The DPA is applicable to data controllers in Germany who process data in Germany. A data controller outside Germany, but within the EU or the European Economic Area (EEA), who processes or uses personal data in Germany is not subject to the DPA. If such data is collected through a German branch, the DPA is applicable.

Data controllers outside the EU or the EEA who collect, process or use personal data in Germany are subject to the DPA, regardless of whether they employ any technical equipment in Germany for such handling of personal data. This does not apply if data carriers are used only for transit purposes through Germany.

6. What are the main exemptions (if any)?

The data protection provisions do not apply if personal data is collected, processed or used for solely personal or familial purposes (section 1(2), DPA), or if the data subject itself has publicised that data. The regulations also do not apply to the extent personal data are collected, processed or used by means other than data processing systems and non-automatic file systems (see Question 4).

Personal data can be obtained without the initial consent of the individual if data is used for the:

Safeguarding of rightful interests of a third party.

Prevention of risks for the national or public security.

Prosecution of crimes.

Purposes of marketing, in case the data is summarised in a list and there are no reasons to suspect that the data subject has an overriding interest in the exclusion of the transfer or use.

7. Is notification or registration required before processing data? If so, please provide brief details.

Although the DPA generally requires notification of the data protection authority before beginning automatic data processing (section 4d, DPA), this rule does not apply if the data controller:

Has appointed a data protection officer.

Handles personal data for its own purposes, provided that not more than nine employees are occupied with handling personal data and either:

the data subject's consent has been obtained;


the collecting, processing or use of personal data serves the purposes of a contract or of a quasi-contractual fiduciary relationship with the data subject.

The exceptions do not apply where data is collected through automatic processing for the purpose of transfer or anonymised transfer on a professional basis.

If notification is required, it must include (section 4e, DPA):

Name and business name of the data controller.

Owners, board members, managing directors, or other managers appointed by law or the company's by-laws, and the persons placed in charge of data processing.

Address of the data controller.

Purposes of collecting, processing or use of personal data.

A description of the groups of data subjects and the appurtenant data or categories of data.

Recipients or categories of recipients, to whom the data may be transferred.

Standard periods for the erasure of data.

Any planned data transfer to third countries.

A general description enabling the data protection authority to preliminarily assess whether the measures taken pursuant to section 9 of the DPA are adequate to ensure the safety of the processing.

The data controller must also notify the data protection authority on any changes to the above information (section 4e sentence 2, DPA).

If the automatic processing entails specific risks for the rights and freedoms of the data subject, it is subject to review before commencement. Such risks are deemed to exist in particular in cases where sensitive personal data are processed, and in cases where the processing of personal data is intended to help evaluate the personality of the data subject, including performance, capabilities or behaviour. The review must be carried out by the data protection officer of the data controller.

Main data protection rules and principles

8. What are the main obligations imposed on data controllers to ensure that data is processed properly?


Any data collection, processing and use of personal data requires the consent of the individual or a statutory permission legitimising each individual act for the specific purpose for which it is carried out. Further, any data processing is subject to the following principles:

Data avoidance and data minimisation (section 3a, DPA). The design and use of data processing systems must aim to collect, process and use as little personal data as possible, and only to the extent the specific data is required. If possible, pseudonymisation and anonymisation must be used.

Principle of purpose limitation. Personal data may not be collected without first determining the specific purpose for the collection. It may only be used for the specific purpose for which it was originally collected. Any other processing is prohibited.

Data secrecy. Data controllers are required to keep personal data confidential both externally and internally. "Externally" means that data controllers cannot disclose or transmit the data to other parties, even if they are companies of the same group. Internally means that only those employees are granted access to the data who require it; such access must be limited to the scope of the specific purpose.

Transparency. Data processing must be as transparent as possible concerning the concerned data subject. This requires that:

the data controller must inform the individual on the collection, processing, and use, its purpose, the identity of the data controller, and any contemplated transfers of data and the appurtenant recipients;

consent by the data subject must be given freely and be based on sufficient information (see Question 9);

the data subject has the right to access and rectify its personal data.

9. Is the consent of data subjects required before processing personal data? If so:

What rules are there regarding the form and content of consent? Would online consent suffice?

Are there any special rules regarding the giving of consent by minors?

Collection, processing and use of personal data require the consent of the data subject unless it can be based on a statutory permission. Consent must be given on an informed and voluntary basis. The individual can, at any time, withdraw its consent with or without reason.

Form and content of consent


Consent must be given in writing unless exceptions apply (section 4a(1) sentence 3, DPA). Exceptions include telephone surveys or data processing for scientific research if the purpose of the research would be materially impaired by requiring written consent. Written consent also includes consent in electronic form with an electronic signature (section 126a, Civil Code).

If consent forms part of other written documents, for example general terms and conditions or employment agreements, the consent must be made visually distinguishable in its appearance (section 4a(1), sentence 4, DPA).

Consent is subject to the following requirements:

It must be based on the free decision of the individual. This can be problematic in relationships of dependency between the data subject and the data controller, such as employment relationships. The requirement of voluntary consent includes the prohibition of linking the provision of services to the collection of data which is not needed for the specific purpose.

The data subject must be informed of the purpose of the intended data collection, processing and use. In specific circumstances or on request, the data subject must be informed of the consequences of withholding the consent, if any (section 4a(1), sentence 2, DPA).

The individual must be informed concerning the data collected and processed and, if passing on those data, the respective conditions. If personal data is transmitted to recipients outside the EU, the data subjects must be informed of the processing requirements applicable in that receiving country and on the associated risks.

If sensitive data is collected, processed or used, the consent has to specifically refer to these data (section 4a(3), DPA).

Online consent

For dealings on the internet, collection, processing and use of personal data is also regulated by the TMG and the TKG. Consent can be obtained electronically, subject to the above content requirements, if the data controller ensures that:

The data subject has declared its consent knowingly and unequivocally.

Consent is recorded.

The data subject can access the content of its consent at any time.

The data subject can revoke its consent for the future at any time.

It is disputed whether electronic consent requires an electronic signature in accordance with the definition of "electronic form" (section 126a, Civil Code). For practicability reasons, it is common practice to provide for consent by indicating a respective icon on the computer screen.

Consent by minors

The DPA does not specifically address consent by minors. Consent can be given by minors if they have the required capacity to understand the consequences of consent. Such capacity cannot be affixed to a certain age but must be determined individually, with a view to the processing for which the consent is required. In several instances (for example, certain areas of education, employment or medical treatment), minors can be capable of making their own decisions. Consent given by a minor in these areas is therefore likely to be valid. However, data controllers should be cautious when obtaining consent from minors.

10. If there is no consent, on what other grounds (if any) can processing be justified?

In the absence of consent, processing of personal data can be justified by statutory provisions.

The collection, storage, modification and transfer of personal data or their use for business purposes is admissible if:

It serves the purpose of a contract or a quasi-contractual fiduciary relationship with the data subject, (section 28(1) no.1, DPA).

It is necessary to safeguard legitimate interests of the data controller and there is no reason to assume that the data subject's interest meriting protection in the exclusion of the processing or use outweighs the data controller’s legitimate interest (section 28(1) no. 2, DPA).

The data is publicly accessible or the data controller would be entitled to publish it, unless the data subject's legitimate interest in the exclusion of the processing or use outweighs the legitimate interests of the data controller (section 28(1) no. 3, DPA).

Transmission or use for other than the originally contemplated purposes is permissible (section 28 (3) no. 3, DPA) if:

It is required to safeguard the legitimate interests of a third party.

It is required for the prevention of risks for the national security or public safety, or for the prosecution of crimes.

It is required for purposes of advertisement, marketing and polling if the data refers to members of a certain group of persons and is summarised in lists or other forms and there is no reason to assume that the individual has an overriding interest in the exclusion of the transmission or use.


It is required in the interest of a research organisation for the conduct of scientific research, and the interest in the conduct of this research materially outweighs the data subject's interests, and the purpose of the research cannot be reached by other means, or only with unreasonable effort.

Section 29 of the DPA gives statutory permission for trade businesses dealing with data collection and storage for the purpose of transmission. Such use of data is permissible if this serves advertisement, credit agency business, address dealing or marketing and polling surveys, provided that:

There is no reason to assume that the data subject has an overriding interest.

The data can be collected from publicly available sources or the data controller would be permitted to publish it, unless the data subject's interest meriting protection in the exclusion of the collection, storage or modification obviously takes precedence.

Under these circumstances the transmission is permissible if:

The recipient has substantiated a legitimate interest in knowledge of the data.

The data are summarised data in the sense of section 28(3) no. 3 of the DPA.

The government intends to implement changes to the DPA in 2009. The draft bill, if passed, will introduce a limitation on the use of personal data for advertising, marketing and polling purposes to the extent that it will be limited to advertising for the data controller's company. This means that addresses can no longer be sold to other companies unless the data controller has obtained the data subject's specific consent to this.

11. Do special rules apply in the case of certain types of personal data, for example sensitive data? If so, please provide brief details.

Sensitive personal data includes data relating to:

Racial and ethnic origin.

Political opinions.

Religious or philosophical convictions.

Union membership.

Health.


Sex life.

If a data controller wishes to collect or process sensitive personal data, it must either obtain the data subject's explicit consent to such collection or processing, or it must rely on the specific provisions permitting the collection and processing of these special categories of personal data.

Collection, processing and use of personal data for own purposes is only permissible if:

This is necessary for the protection of vital interests of the data subject or a third party, if the data subject is unable to give his consent because of physical or legal grounds.

The data subject has made these data publicly available.

This is necessary to assert, execute or defend legal claims and there is no reason to assume that the data subject's interest meriting protection in the collection, processing or use takes precedence.

This is necessary for the purpose of scientific research, which is subject to further requirements.

Further, collection of sensitive personal data is permissible if it is required for certain medical purposes and the processing is carried out by medical personnel, which is subject to respective obligations of secrecy. In addition, transmission and use of sensitive personal data are permissible for the prevention of risks for national security and public safety, and for the prosecution of material crimes.

Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?

The data controller must ensure that the data subject is provided with:

The identity of the data controller.

The purpose of collection, processing and use.

The categories of recipients if the data subject does not have to expect transmission to these recipients.

Where data is collected directly from the data subject based on a provision requiring the data subject to provide the information, or if the provision of the information is a requirement for the granting of legal advantages, the data subject must be informed of this. Otherwise, it must be informed of the voluntary nature of the provision of information (section 4(3), DPA).

13. What other specific rights (such as a right of access to personal data or the right to object to processing) are granted to data subjects?

On initial collection of personal data without the data subject's knowledge, the data subject must be informed of the (section 33, DPA):

Storage as such.

Identity of the data controller.

Type of data stored.

Purposes of collection, processing and use.

Potential recipients of the data.

In addition, the data subject has the following rights:

Right to request information (sections 19 and 34, DPA). This includes information on the data stored concerning his person, including the respective data source, the recipient or the categories of recipients, and the purpose of the storage.

Right of correction in case of incorrect data (sections 20(1) and 35(1), DPA).

Right of erasure. The data has to be erased if:

the storage is illegal;

the data includes information about the person's racial or ethnic origin, political opinions, religious or philosophical convictions, union membership, health or sex life, criminal actions or administrative offences, and the correctness of this information cannot be proven by the data controller;

the data was processed for the data controller's own purposes and knowledge of the data is no longer required to achieve the purpose of storage;

the data is processed as a business for the purpose of transfer and a review at the end of each fourth calendar year beginning with the initial storage reveals that further storage is not required (section 35(2), DPA).

Right of blocking (section 35(3), DPA). Instead of erasure, the blocking of data can be requested if erasure:


is not possible because of legal, statutory or contractual retention periods;

may impair interests meriting protection of the data subject;

is not possible or only with unreasonable effort, because of the specific nature of storage (sections 20(3) and 35(3), DPA).

Personal data must also be blocked if the correctness is contested by the data subject and neither their correctness nor their incorrectness can be proven.

Right to object to the collection, processing and use of personal data for advertisement and for marketing/polling purposes.

Security requirements

14. What security requirements are imposed in relation to personal data?

Data controllers and data processors must implement technical and organisational measures required under section 9 of the DPA. The main goals are to provide for the availability of services, functions and files, and authenticity and integrity of data. The arrangements are only required if the investment is in reasonable proportion to the contemplated security purpose. This does not release the data controller/data processor from its obligation to implement safety measures if their implementation entails high costs. Rather, a data controller or processor does not have to implement the highest technological standard but only the standard which can reasonably be required.

The annex to section 9 of the DPA requires:

Control of access to the data processing equipment and systems.

Control of access authorisation.

Control of data transfer.

Retroactive input control.

Control of processing in compliance with instructions.

Availability control, that is, protection of data from destruction and loss.

Separation of data collected for different purposes.

To meet these requirements, the applicable methods include protocols, random examinations, use of passwords, security management, function separation, archival storage and virus blocking.

Processing by third parties

15. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

Data processing by a third party on behalf of the data controller is explicitly regulated in the DPA (section 11, DPA). It requires:

A written agreement between the data controller and the data processor. It must describe the agreed data processing services in detail, that is:

the individual tasks;

the technical and organisational measures (in accordance with the annex to section 9 of the DPA (see Question 14));

potential sub-processing, if applicable, and allow for respective arrangements with sub-processors.

That the data processor must be strictly bound to follow the data controller's processing instructions. In the absence of this:

the data processor will be classified as a data controller itself and assumes all responsibilities under the DPA;

the transfer of the data from the data controller to the data processor would not be privileged and would require either the individual's consent or a statutory permission. If a data processor acts beyond the data controller's instructions or at its own discretion when processing the data, it is automatically held to be a data controller.

The data transfer from the data controller to the data processor is regarded as an internal process and therefore does not require the individual's consent.

Data processing through a data processor must be differentiated from the outsourcing of a function. Privileged data processing is not given if the recipient of data assumes its own legal responsibility in relation to the function for which the data is processed. The differentiation is particularly difficult in relation to centralised HR management in company groups. If the individual group company retains the right to make its own personnel decisions, including data processing decisions, the relationship is likely to be that of data processor-data controller. In contrast, if the central HR management makes the decisions, the entire function is likely to be outsourced.


International transfer of data

16. What rules govern the transfer of data outside your jurisdiction?

Data transfers outside Germany must pass two tests:

Requirements for any transfer. Any data transfer constitutes processing of personal data and requires the consent of the individual or a statutory permission (see Questions 9 and 10).

Requirements for transfer outside the EEA. Data transfer outside the EEA is prohibited if the data subject has a legitimate interest in the prevention of the data transfer (sections 4b(1) and (2), DPA). Such legitimate interest is statutorily assumed if and where the recipient does not provide for a level of protection adequate to the protection in the EEA. If the recipient's country of residence provides for an adequate level of protection, it can generally be inferred that the recipient abides by the regulations of its country of residence and therefore maintains an adequate level of protection unless there are indications to the opposite. The European Commission (Commission) has made findings that the following countries offer an adequate level of protection:

Argentina;

Canada (subject to certain conditions);

Guernsey;

Isle of Man;

Switzerland.

The transfer of data outside the EEA is further allowed in the following cases:

Data transfer to a recipient in the US, if the recipient has agreed to comply with the Safe Harbour Principles.

The parties use the model contracts authorised by the Commission. The execution of a model contract either between two data controllers or between a data controller and a data processor provides for an adequate level of protection with regard to the specific recipient (section 4c(2), DPA).

A company group can implement binding corporate rules to legitimise the transfer of personal data between the group companies. There is currently a dispute about whether binding corporate rules require approval by the respective national data protection authorities of each country of residence of the individual group companies. To ensure that data transfers are legitimate, data controllers should co-operate with the competent data protection authority.

The requirements of section 4c, DPA are fulfilled. The transfer of personal data to recipients who do not provide an adequate level of protection is permitted if:

the data subject has given its free and informed consent;

the transfer is necessary for the performance of a contract between the data subject and the data controller or for the performance of pre-contractual measures initiated by the data subject;

the transfer is necessary for the conclusion or performance of a contract which the data controller has concluded or will conclude with a third party in the data subject’s interest;

the transfer is necessary to safeguard an important public interest or for the assertion, execution or defence of legal claims before a court;

the transfer is necessary to safeguard vital interests of the data subject;

the transfer is executed from a register for information of the public (subject to certain conditions).

The recipient has to be informed that the data may only be processed in connection with the underlying reason of the transfer.

17. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

The Commission has approved three sets of standard contractual clauses to provide an adequate level of protection between the data transmitter and the recipient. Two sets deal with the situation of two data controllers, while the third set specifically regulates the relationship between a data controller and a data processor located outside the EEA. It is possible to include the model clauses in another agreement, but to gain the benefit from these clauses, they must be implemented without modifications.

It is also possible to obtain the data protection authority's approval for individual data transfers or specific kinds of data transfers if the data controller can prove sufficient guarantees for the protection of the personal rights (section 4c(2), DPA). Such guarantees can in particular be provided for by:

Contractual arrangements other than the EU model clauses.

Binding corporate rules.


18. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

In addition to the data transfer agreement, the general requirements of legal data processing must also be met (see Question 16), that is, either consent or a statutory permission of the transfer itself is required.

19. Does the relevant national regulator need to approve the data transfer agreement? If so, please provide brief details.

Transfers under the EU model contracts as well as under the US Safe Harbour Program do not require approval of the relevant data protection authority. Individual agreements do require the approval by the regulator.

With binding corporate rules, there is dispute about whether they are subject to approval or not (see Question 16). This also applies to standard contractual clauses that have been modified by the parties. A data controller should therefore liaise with the competent data protection authority to determine its obligations regarding approval. A formal approval procedure is not in place.

Enforcement and sanctions

20. What are the enforcement powers of the national regulator?

The competent data protection authority can:

Impose administrative fines.

Give orders to remedy technical or organisational faults in the data processing or prohibit the use of specific procedures if the faults are not remedied.

Remove the data protection officer from their position if the data protection officer lacks the required competence or reliability.

Audit the data controller's premises.

21. What are the sanctions and remedies for non-compliance with the data protection laws? To what extent are the laws actively enforced?

The DPA provides for three different kinds of sanctions for non-compliance with its provisions:

Administrative fines

Violation of formality requirements can be punished by a fine of up to EUR25,000 (about US$31,700). Examples of such violations include the failure to timely submit a notification of the data processing to the competent data protection authority or failure to appoint a data protection officer. If the offender violates material provisions, that is, if he processes personal data without authorisation, fines of up to EUR250,000 (about US$316,900) can be imposed.

According to the draft bill, the fines will be increased to EUR50,000 (about US$63,400) and EUR300,000 (about US$380,200) respectively.

Criminal prosecution

If the above offences are committed for compensation or with an intention to enrich oneself or a third person, or to harm a third person, the offender may be subject to imprisonment of up to two years or to monetary fines (section 44, DPA).

Other administrative sanctions

In case of violations of the DPA or other data protection provisions, the competent data protection authority can inform the respective data subject and can visit the data controller's site for audit and inspection purposes. The authority may review:

Business documents.

The index of procedures.

The stored personal data.

The data processing programmes.

In addition, it can have recourse to the measures explained in Question 20.

Damages

In addition, data subjects whose rights have been infringed can claim damages.

Section 7 of the DPA provides for a claim for damages of a data subject who suffers damage because of the data controller's illegitimate or incorrect collection, processing or use of the individual's personal data, unless the data controller has observed the necessary diligence.

The regulatory authority

In Germany, each state has a regulatory authority in addition to the federal authority. Federal public entities are subject to the supervision of the federal data protection authority while state public entities and private sector data controllers are subject to the supervision of the authority of the state in which they reside. Most states differentiate between the control over public data controllers and non-public data controllers.

The names and addresses of the data protection authorities are available at www.bundesdatenschutz.de


Main areas of responsibility. The data protection authorities are the supervisory authorities for all data controllers. They are responsible for enforcing the DPA and other legislation containing data protection regulations. In addition they are the main contact for queries from all persons/entities handling personal data and they encourage co-operation.

Contributor details

Stephan Rippert
Reed Smith LLP, Munich office
T +49 (0)89 20 30 41 0
F +49 (0)89 20 30 41 99
E [email protected]
W www.reedsmith.com

Areas of practice/expertise. Stephan Rippert is a corporate partner and is responsible for the Advertising, Technology and Media practice group of the German office of Reed Smith. Stephan advises international and national companies on transactional and commercial issues. He is a member of the worldwide Data Privacy Group of Reed Smith. The Data Privacy Group reaches across geographies and industries. The group draws on the skills and expertise of lawyers around the globe, advising clients in the financial services, insurance, health care, technology, information management and other industries on all issues including data privacy, data protection, data transfer, regulatory and policy issues, as well as litigation management.

Katharina A Weimer
Reed Smith LLP, Munich office
T +49 (0)89 20 30 41 0
F +49 (0)89 20 30 41 99
E [email protected]
W www.reedsmith.com

Areas of practice/expertise. Katharina A Weimer is an associate at Reed Smith in Munich. As a member of the Data Privacy Group she focuses on national and cross-border data protection and privacy matters.

Resource information


Resource ID: 9-385-8462
Law stated date: 01-Mar-2009
Products: PLC Commercial, PLC Public Sector, PLC Law Department, PLC Cross-border Handbooks\2009\Data Protection 2009/10, PLC IPIT & Communications, PLC Cross-border Series: Country Q&A (www.practicallaw.com/1-103-2231)


© Legal & Commercial Publishing Limited 1990-2009 (http://www.practicallaw.com/0-207-4980).