Chapter 1 - Scope and definitions
Section 1 - Scope of the Act
Section 2 - Definitions
Chapter 2 - Legal basis for processing personal data
Section 3 - Processing of personal data by public bodies
Section 4 - Video surveillance of publicly accessible spaces
Chapter 3 - Data protection officers of public bodies
Section 5 - Designation
Section 6 - Position
Section 7 - Tasks
Chapter 4 - Federal Commissioner for Data Protection and Freedom of Information
Section 8 - Establishment
Section 9 - Competence
Section 10 - Independence
Section 11 - Appointment and term of office
Section 12 - Official relationship
Section 13 - Rights and obligations
Section 14 - Tasks
Section 15 - Activity reports
Section 16 - Powers
Chapter 5 - Representation on the European Data Protection Board, single contact point, cooperation among the federal supervisory authorities and those of the Länder concerning European Union matters
Section 17 - Representation on the European Data Protection Board, single contact point
Section 18 - Procedures for cooperation among the federal and Länder supervisory authorities
Section 19 - Responsibilities
Chapter 6 - Legal remedies
Section 20 - Judicial remedy
Section 21 - Application of the supervisory authority for a court decision if it believes that an adequacy decision by the European Commission violates the law
Chapter 1 - Legal basis for processing personal data
Sub-chapter 1 - Processing of special categories of personal data and processing for other purposes
Section 22 - Processing of special categories of personal data
Section 23 - Processing for other purposes by public bodies
Section 24 - Processing for other purposes by private bodies
Section 25 - Transfer of data by public bodies
Sub-chapter 2 - Special processing situations
Section 26 - Data processing for employment-related purposes
Section 27 - Data processing for purposes of scientific or historical research and for statistical purposes
Section 28 - Data processing for archiving purposes in the public interest
Section 29 - Rights of the data subject and powers of the supervisory authorities in the case of secrecy obligations
Section 30 - Consumer loans
Section 31 - Protection of commercial transactions in the case of scoring and credit reports
Chapter 2 - Rights of the data subject
Section 32 - Information to be provided where personal data are collected from the data subject
Section 33 - Information to be provided where personal data have not been obtained from the data subject
Section 34 - Right of access by the data subject
Section 35 - Right to erasure
Section 36 - Right to object
Section 37 - Automated individual decision-making, including profiling
Chapter 3 - Obligations of controllers and processors
Section 38 - Data protection officers of private bodies
Section 39 - Accreditation
Chapter 4 - Supervisory authorities for data processing by private bodies
Section 40 - Supervisory authorities of the Länder
Chapter 5 - Penalties
Section 41 - Application of provisions concerning criminal proceedings and proceedings to impose administrative fines
Section 42 - Penal provisions
Section 43 - Provisions on administrative fines
Chapter 6 - Legal remedies
Section 44 - Proceedings against a controller or processor
Chapter 1 - Scope, definitions and general principles for processing personal data
Section 45 - Scope
Section 46 - Definitions
Section 47 - General principles for processing personal data
Chapter 2 - Legal basis for processing personal data
Section 48 - Processing of special categories of personal data
Section 49 - Processing for other purposes
Section 50 - Processing for archiving, scientific and statistical purposes
Section 51 - Consent
Section 52 - Processing on instructions from the controller
Section 53 - Confidentiality
Section 54 - Automated individual decision
Chapter 3 - Rights of the data subject
Section 55 - General information on data processing
Section 56 - Notification of data subjects
Section 57 - Right of access
Section 58 - Right to rectification and erasure and to restriction of processing
Section 59 - Modalities for exercising the rights of the data subject
Section 60 - Right to lodge a complaint with the Federal Commissioner
Section 61 - Legal remedies against decisions of the Federal Commissioner or if he or she fails to take action
Chapter 4 - Obligations of controllers and processors
Section 62 - Processing carried out on behalf of a controller
Section 63 - Joint controllers
Section 64 - Requirements for the security of data processing
Section 65 - Notifying the Federal Commissioner of a personal data breach
Section 66 - Notifying data subjects affected by a personal data breach
Section 67 - Conducting a data protection impact assessment
Section 68 - Cooperation with the Federal Commissioner
Section 69 - Prior consultation of the Federal Commissioner
Section 70 - Records of processing activities
Section 71 - Data protection by design and by default
Section 72 - Distinction between different categories of data subjects
Section 73 - Distinction between facts and personal assessments
Section 74 - Procedures for data transfers
Section 75 - Rectification and erasure of personal data and restriction of processing
Section 76 - Logging
Section 77 - Confidential reporting of violations
Chapter 5 - Transfers of data to third countries and to international organisations
Section 78 - General requirements
Section 79 - Data transfers with appropriate safeguards
Section 80 - Data transfers without appropriate safeguards
Section 81 - Other data transfers to recipients in third countries
Chapter 6 - Cooperation among supervisory authorities
Section 82 - Mutual assistance
Chapter 7 - Liability and penalties
Section 83 - Compensation
Section 84 - Penal provisions

(1) Public bodies shall designate a data protection officer. This shall also apply to public bodies as defined in Section 2 (5) which take part in competition.
(2) A single data protection officer may be designated for several public bodies, taking account of their organisational structure and size.
(3) The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Section 7.
(4) The data protection officer may be a staff member of the public body, or fulfil the tasks on the basis of a service contract.
(5) The public body shall publish the contact details of the data protection officer and communicate them to the Federal Commissioner for Data Protection and Freedom of Information.
(1) The public body shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
(2) The public body shall support the data protection officer in performing the tasks referred to in Section 7 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
(3) The public body shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. The data protection officer shall directly report to the highest management level of the public body. The data protection officer shall not be dismissed or penalized by the public body for performing his or her tasks.
(4) The dismissal of the data protection officer shall be permitted only by applying Section 626 of the Civil Code accordingly. The data protection officer’s employment shall not be terminated unless there are facts which give the public body just cause to terminate without notice. After the activity as data protection officer has ended, the data protection officer may not be terminated for a year following the end of appointment, unless the public body has just cause to terminate without notice.
(5) Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under Regulation (EU) 2016/679, this Act and other data protection legislation. The data protection officer shall be bound by secrecy concerning the identity of data subjects and concerning circumstances enabling data subjects to be identified, unless they are released from this obligation by the data subject.
(6) Where in the course of their activities data protection officers become aware of data for which the head of a public body or a person employed by such a body has the right to refuse to give evidence for employment-related reasons, this right shall also apply to the data protection officer and his or her assistants. The person to whom the right to refuse to give evidence applies for employment-related reasons shall decide whether to exercise this right unless it is impossible to effect such a decision in the foreseeable future. Where the right of the data protection officer to refuse to give evidence applies, his or her files and other documents shall not be subject to seizure.
(1) In addition to the tasks listed in Regulation (EU) 2016/679, the data protection officer shall have at least the following tasks:
In the case of a data protection officer ordered by a court, these tasks shall not refer to the action of the court acting in its judicial capacity.
(2) The data protection officer may perform other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
(3) The data protection officer shall in the performance of his or her tasks give due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
4. designation of a data protection officer;
(1) In addition to Article 37 (1) (b) and (c) of Regulation (EU) 2016/679, the controller and processor shall designate a data protection officer if they constantly employ as a rule at least ten persons dealing with the automated processing of personal data. If the controller or processor undertake processing subject to a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679, or if they commercially process personal data for the purpose of transfer, of anonymized transfer or for purposes of market or opinion research, they shall designate a data protection officer regardless of the number of persons employed in processing.
(2) Section 6 (4), (5), second sentence, and (6) shall apply, Section 6 (4) however shall apply only if designating a data protection officer is mandatory.
(6) The supervisory authorities shall advise and support the data protection officers to meet their typical needs. They may demand the dismissal of a data protection officer if he or she does not have the expert knowledge needed to perform his or her tasks or if there is a serious conflict of interests as referred to in Article 38 (6) of Regulation (EU) 2016/679.
3. the names and contact details of the controller and the data protection officer,
2. the name and contact details of the data protection officer or other contact point where more information can be obtained;
5. the name and contact details of the data protection officer.
1. the name and contact details of the controller and, where applicable, of the joint controller; and the name and contact details of the data protection officer;
1. the name and contact details of the processor, of each controller on behalf of which the processor is acting and, where applicable, the data protection officer;
(3) The logs may be used only by the data protection officer, the Federal Commissioner or the data subject to verify the lawfulness of the processing; and for self-monitoring, ensuring the integrity and security of the personal data, and for criminal proceedings.