Privireal Home Page Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Germany - Data Protection

History of Data Protection in GERMANY

Prior to the introduction of Directive 95/46/EC, Germany prided itself on the comprehensive nature of its data protection system. Indeed, the implementation of the Directive did not require changes of the magnitude seen in some other countries. However, somewhat surprisingly, the implementation of 95/46/EC turned into a lengthy process.

The Federal Data Protection Act was the end result of this process in 2001. It satisfies the requirements of the Directive, but there is still a feeling that the problems of unnecessary data use have not been adequately addressed. As such, the 2001 law is seen by some as an interim measure, and extra reform should not come as a surprise.

As a result of the Federal nature of the German state, there is a patchwork of laws and regulations covering data protection, with the Federal Data Protection Act 2001 working alongside the Data Protection Acts of the 16 German states.

Summary of Data Protection in GERMANY

Title of Data Protection Legislation Federal Data Protection Act (Bundesdatenschutzgesetz -BDSG) 2001
Name of supervisory authority Federal Data Protection Commissioner
General Powers of supervisory authority Chapter 3 of the Federal Data protection Act provides the legal basis for the Commissioner and outlines his functions. The key role is to ensure that the Data Protection Act is implemented correctly: s24 states the Commissioner is to monitor compliance with the Act and grants him powers of access to information as well as the opportunity to inspect all documents and the right of access to all official premises at any time. s25 states that the commissioner can lodge complaints with higher authorities (e.g. the competent supreme federal authority) in the case of breaches. s26 states, inter alia, that the commissioner can be requested by federal government to give opinions and make recommendations on matters pertaining to the law.
Who has standing to notify the supervisory authority of breaches? Anybody
What are the penalties for data controllers if they breach the law? The Federal Data Protection Act 2001 sets out the penalties for breaches in Sections 43 and 44.1. They are fines and imprisonment.
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? No- national identification numbers are not used in the Federal Republic of Germany. Consequently, no provisions have been made to implement Article 8.7 of the Directive.
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it.
Does the Data Protection Legislation cover the deceased? No, although each of the Lander is entitled to extend it in their regional legislation if they wish.
Who is able to indirectly identify the data subject? Anybody

Laws and Regulations

Institutions

Links to laws and institutions of German Lander: