Germany - Data Protection
History of Data Protection in GERMANY
Prior to the introduction of Directive 95/46/EC, Germany prided itself on the comprehensive nature of its data protection system. Indeed, the implementation of the Directive did not require changes of the magnitude seen in some other countries. However, somewhat surprisingly, the implementation of 95/46/EC turned into a lengthy process.
The Federal Data Protection Act was the end result of this process in 2001. It satisfies the requirements of the Directive, but there is still a feeling that the problems of unnecessary data use have not been adequately addressed. As such, the 2001 law is seen by some as an interim measure, and extra reform should not come as a surprise.
As a result of the Federal nature of the German state, there is a patchwork
of laws and regulations covering data protection, with the Federal Data Protection
Act 2001 working alongside the Data Protection Acts of the 16 German states.
Summary of Data Protection in GERMANY
|Title of Data Protection Legislation||Federal Data Protection Act (Bundesdatenschutzgesetz -BDSG) 2001|
|Name of supervisory authority||Federal Data Protection Commissioner|
|General Powers of supervisory authority||Chapter 3 of the Federal Data protection Act provides the legal basis for the Commissioner and outlines his functions. The key role is to ensure that the Data Protection Act is implemented correctly: s24 states the Commissioner is to monitor compliance with the Act and grants him powers of access to information as well as the opportunity to inspect all documents and the right of access to all official premises at any time. s25 states that the commissioner can lodge complaints with higher authorities (e.g. the competent supreme federal authority) in the case of breaches. s26 states, inter alia, that the commissioner can be requested by federal government to give opinions and make recommendations on matters pertaining to the law.|
|Who has standing to notify the supervisory authority of breaches?||Anybody|
|What are the penalties for data controllers if they breach the law?||The Federal Data Protection Act 2001 sets out the penalties for breaches in Sections 43 and 44.1. They are fines and imprisonment.|
|Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)?||No- national identification numbers are not used in the Federal Republic of Germany. Consequently, no provisions have been made to implement Article 8.7 of the Directive.|
|Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate?||It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it.|
|Does the Data Protection Legislation cover the deceased?||No, although each of the Lander is entitled to extend it in their regional legislation if they wish.|
|Who is able to indirectly identify the data subject?||Anybody|
- Federal Data Protection Commissioner
- Data Protection Commissioner of Berlin - in German
- National Council on Ethics
- German Medical Association
- Bavarian Bioethics Commission -in German
- For links to
the data protection institutions of the Lander listed below, try the Bavarian data protection commission:
http://www.datenschutz-bayern.de/infoquel/ds-inst/deutschland.html- in German
Berlin, Baden Wuerttemberg, Brandenburg, Bremen, Hamburg, Hessen, Mecklenburg Vorpommern, Niedersachsen, Nordrhein-Westfalen, Rheinland Pfalz, Saarland, Sachsen Anhalt, Schleswig Holstein, Thuringen
- Summary of the Essentials of Bavarian State law for data protection and privacy (in English): click on 'Recht & Normen' in left hand column then scroll down to 'Bayerische Landesgestze und Verordnungen'