1. public bodies of the Federation,]

(1) Public bodies of the Federation are the authorities, judicial bodies and other public law institutions of the Federation, of direct federal corporations, statutory bodies and foundations established under public law and of their associations irrespective of their legal form.

(3) Associations of public bodies of the Federation and the Länder which are established under private law and perform tasks of public administration shall be regarded as public bodies of the Federation irrespective of the participation of private bodies if

2. the Federation holds the absolute majority of shares or controls the absolute majority of votes.

(5) Public bodies of the Federation shall be regarded as private bodies as defined in this Act if they take part in competition as enterprises governed by public law. Public bodies of the Länder shall also be regarded as private bodies as defined in this Act if they take part in competition as enterprises governed by public law and carry out federal law, and if data protection is not governed by Land law.

(1) The Federal Commissioner shall be competent to supervise the public bodies of the Federation, also if they take part in competition as enterprises governed by public law. The provisions of this chapter shall also apply to processors if they are private bodies in which the Federation holds the absolute majority of shares or controls the absolute majority of votes and they process data on behalf of a public body of the Federation

(2) The Federal Commissioner shall swear the following oath before the Federal President: “I swear to do everything in my power to further the good and the benefit of the German people, to protect them from harm and to defend the Basic Law and the laws of the Federation, to perform my duties conscientiously and to exercise justice in all my dealings, so help me God.” The reference to God may be omitted from the oath.

(1) The Federal Commissioner shall refrain from any action incompatible with his or her duties and shall not, during his or her term of office, engage in any incompatible occupation, whether gainful or not. In particular, the Federal Commissioner shall not hold any other paid office or pursue any commercial activity or occupation in addition to his or her official duties and shall not belong to the management or supervisory board of a profit oriented enterprise, nor to a government or legislative body of the Federation or a Land. The Federal Commissioner shall not deliver extra-judicial opinions in exchange for payment.

1. be detrimental to the welfare of the Federation or a Land, in particular to the security of the Federal Republic of Germany or its relations with other countries, or

(2) To carry out the task listed in subsection 1, first sentence, no. 3, the Federal Commissioner may, on request or at its own initiative, make recommendations to the German Bundestag or one of its committees, the Bundesrat, the Federal Government, other institutions and bodies and the public concerning all matters related to the protection of personal data. At the request of the German Bundestag, one of its committees or of the Federal Government, the Federal Commissioner shall also investigate data protection matters and incidents at public bodies of the Federation.

(2) If the Federal Commissioner finds that, in data processing for purposes beyond the scope of Regulation (EU) 2016/679, public bodies of the Federation have violated this Act or other data protection legislation or there are other insufficiencies with their processing or use of personal data, the Federal Commissioner shall lodge a complaint with the competent supreme federal authority and shall require this authority to respond within a period to be determined by the Federal Commissioner. The Federal Commissioner may dispense with a complaint or a response, especially if the problems involved are insignificant or have been remedied in the meantime. The response should also describe the measures taken as a result of the Federal Commissioner’s complaint. The Federal Commissioner may also warn a controller that intended processing operations are likely to violate provisions of this Act and other data protection provisions which apply to the data processing in question.

1. personal data obtained by public bodies of the Federation concerning the contents of and specific circumstances relating to postal communications and telecommunications, and

(4) The public bodies of the Federation shall be obligated to provide the Federal Commissioner and his or her assistants with the following:

(1) The Federal Commissioner and the supervisory authorities of the Länder (supervisory authorities of the Federation and the Länder) shall work together in European Union matters with the aim of consistently applying Regulation (EU) 2016/679 and Directive (EU) 2016/680. Before submitting a common position to the supervisory authorities of the other Member States, the European Commission or the European Data Protection Board, the supervisory authorities of the Federation and the Länder shall give each other the opportunity to comment at an early stage. For this purpose, they shall share all relevant information. The supervisory authorities of the Federation and the Länder shall consult the specific supervisory authorities established under Articles 85 and 91 of Regulation (EU) 2016/679 if these authorities are affected by the matter.

(2) If the supervisory authorities of the Federation and the Länder fail to achieve agreement on a common position, the lead supervisory authority, or, in the absence of a lead authority, the joint representative and his or her deputy, shall present a recommendation for a common position. If the joint representative and his or her deputy fail to agree on a recommendation for a common position, the deputy shall determine the recommendation for a common position in matters dealing with the performance of a task for which the Länder alone have the right to legislate, or which affect the establishment or procedures of Land authorities. For matters other than those referred to in the second sentence in which the joint representative and deputy fail to agree, the joint representative shall determine the common position. The negotiations shall be based on the position recommended pursuant to the first to third sentences unless the supervisory authorities of the Federation and the Länder adopt a different position with a simple majority. The Federation and each Land each have one vote. Abstentions shall not be counted.

(1) Recourse to the administrative courts shall be provided for disputes between natural or legal persons and a supervisory authority of the Federation or a Land concerning rights according to Article 78 (1) and (2) of Regulation (EU) 2016/679 and Section 61. The first sentence shall not apply to administrative fine proceedings.

d) processing is necessary for urgent reasons of defence or to fulfil intergovernmental obligations of a public body of the Federation in the field of crisis management or conflict prevention or for humanitarian measures;

3. would endanger public security or order or would otherwise be detrimental to the welfare of the Federation or a Land, and the controller’s interests in not providing the information outweigh the interests of the data subject;

b) would threaten the public security or order or otherwise be detrimental to the Federation or a Land, and therefore the data subject’s interest in receiving the information must not take precedence;

b) the responsible public body has determined with respect to the controller that disclosing the data would endanger public security or order or would otherwise be detrimental to the welfare of the Federation or a Land; in the case of data processing for purposes of law enforcement, no determination pursuant to the first half-sentence shall be required.

(3) If the provision of information relates to the transfer by public bodies of personal data to the authorities for the protection of the Constitution, the Federal Intelligence Service, the Military Counterintelligence Service and, as far as the security of the Federation is affected, other authorities of the Federal Ministry of Defence, such provision shall be permitted only with the approval of these bodies.

(3) If a public body of the Federation does not provide information to a data subject, such information shall be provided to the Federal Commissioner at the request of the data subject, unless the responsible supreme federal authority determines in the individual case that doing so would endanger the security of the Federation or a Land. The notification from the Federal Commissioner to the data subject with the results of the data protection assessment shall not permit any conclusions to be drawn concerning the information held by the controller unless the latter agrees to the provision of more extensive information.

The power to act as a certification body in accordance with Article 43 (1), first sentence of Regulation (EU) 2016/679 shall be granted by the supervisory authority of the Federation or the Länder responsible for data protection supervision of the certification body on the basis of accreditation by the German accreditation body. Section 2 (3), second sentence, Section 4 (3) and Section 10 (1), first sentence, no. 3 of the Accreditation Body Act shall apply on the condition that data protection falls within the scope of Section 1 (2), second sentence.

(3) If the notification relates to the transfer of personal data to the authorities for the protection of the Constitution, the Federal Intelligence Service, the Military Counterintelligence Service and, as far as the security of the Federation is affected, other authorities of the Federal Ministry of Defence, such notification shall be permitted only with the approval of these bodies.

(5) If the information to be provided relates to the transfer of personal data to the authorities for the protection of the Constitution, the Federal Intelligence Service, the Military Counterintelligence Service and, as far as the security of the Federation is affected, other authorities of the Federal Ministry of Defence, such provision shall be permitted only with the approval of these bodies.

(7) If the data subject is notified pursuant to subsection 6 of the refusal or restriction of access, he or she may exercise his or her right of access also via the Federal Commissioner. The controller shall inform the data subject of this possibility and that, in accordance with Section 60, the data subject may lodge a complaint with the Federal Commissioner or seek a judicial remedy. If the data subject exercises his or her right pursuant to the first sentence, the information shall be provided to the Federal Commissioner at the request of the data subject, unless the responsible supreme federal authority determines in the individual case that doing so would threaten the security of the Federation or a Land. The Federal Commissioner shall at least inform the data subject that all necessary checks have been conducted or that the Federal Commissioner has conducted a review. This notification may include information as to whether violations of data protection law were found. The notification from the Federal Commissioner to the data subject shall not permit any conclusions to be drawn concerning the information held by the controller unless the latter agrees to the provision of more extensive information. The controller may refuse to such provision only as far as and for as long as he or she could dispense with or restrict information pursuant to subsection 4. The Federal Commissioner shall also inform the data subject of his or her right to seek a judicial remedy.

(1) The transfer of personal data to a third country, to supranational or intergovernmental bodies or to international organisations in the context of activities outside the scope of Regulation (EU) 2016/679 and Directive (EU) 2016/680 shall be permitted in addition to the cases permitted under Regulation (EU) 2016/679 also if the processing is necessary to perform tasks for urgent reasons of defence or to fulfil supraor intergovernmental obligations of a public body of the Federation in the field of crisis management or conflict prevention or for humanitarian measures. The recipient shall be instructed that the transferred data may be used only for the purpose for which they were transferred.

(2) Section 16 (4) shall not apply to processing in the context of activities outside the scope of Regulation (EU) 2016/679 and Directive (EU) 2016/680 by workplaces within the remit of the Federal Ministry of Defence if the Federal Ministry of Defence determines in the individual case that meeting the obligations referred to in that provision would endanger the security of the Federation.

(3) Processing by public bodies of the Federation in the context of activities outside the scope of Regulation (EU) 2016/679 and Directive (EU) 2016/680 shall not be subject to the obligation to provide information in accordance with Article 13 (1) and (2) of Regulation (EU) 2016/679

The Act Regulating the Cooperation between the Federation and the Federal States in Matters Relating to the Protection of the Constitution and on the Federal Office for the Protection of the Constitution of 20 December 1990 (Bundesverfassungsschutzgesetz,