1. public bodies of the Federation,]

2. public bodies of the Länder, where data protection is not governed by Land law and where they

(4) This Act shall apply to public bodies. It shall apply to private bodies if

(8) Regulation (EU) 2016/679 and Parts 1 and 2 of this Act shall apply accordingly to processing of personal data by public bodies in the context of activities outside the scope of Regulation (EU) 2016/679 and Directive (EU) 2016/680 unless otherwise provided for in this or another Act.

(1) Public bodies of the Federation are the authorities, judicial bodies and other public law institutions of the Federation, of direct federal corporations, statutory bodies and foundations established under public law and of their associations irrespective of their legal form.

(2) Public bodies of the Länder are the authorities, judicial bodies and other public law institutions of a Land, a municipality, an association of municipalities or of other legal

persons under public law subject to Land supervision and of their associations irrespective of their legal form.

(3) Associations of public bodies of the Federation and the Länder which are established under private law and perform tasks of public administration shall be regarded as public bodies of the Federation irrespective of the participation of private bodies if

Otherwise they shall be regarded as public bodies of the Länder.

(4) Private bodies are natural and legal persons, societies and other associations established under private law unless they are covered by subsections 1 to 3. If a private body performs sovereign tasks of the public administration, it shall be a public body as defined in this Act.

(5) Public bodies of the Federation shall be regarded as private bodies as defined in this Act if they take part in competition as enterprises governed by public law. Public bodies of the Länder shall also be regarded as private bodies as defined in this Act if they take part in competition as enterprises governed by public law and carry out federal law, and if data protection is not governed by Land law.

Public bodies shall be permitted to process personal data if such processing is necessary to perform the task for which the controller is responsible or to exercise official authority which has been vested in the controller.

(1) Monitoring publicly accessible areas with optical-electronic devices (video surveillance) shall be permitted only as far as it is necessary

1. for public bodies to perform their tasks,

1. large publicly accessible facilities, such as sport facilities, places of gathering and entertainment, shopping centres and car parks, or

2. vehicles and large publicly accessible facilities of public rail, ship or bus transport, protecting the lives, health and freedom of persons present shall be regarded as a very important interest.

(3) Storing or using data collected pursuant to subsection 1 shall be permitted if necessary to achieve the intended purpose and if there is nothing to indicate legitimate overriding interests of the data subjects. Subsection 1, second sentence, shall apply accordingly. The data may be further processed for another purpose only if necessary to prevent threats to state and public security and to prosecute crimes.

(1) Public bodies shall designate a data protection officer. This shall also apply to public bodies as defined in Section 2 (5) which take part in competition.

(2) A single data protection officer may be designated for several public bodies, taking account of their organisational structure and size.

(4) The data protection officer may be a staff member of the public body, or fulfil the tasks on the basis of a service contract.

(5) The public body shall publish the contact details of the data protection officer and communicate them to the Federal Commissioner for Data Protection and Freedom of Information.

(1) The public body shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

(2) The public body shall support the data protection officer in performing the tasks referred to in Section 7 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.

(3) The public body shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. The data protection officer shall directly report to the highest management level of the public body. The data protection officer shall not be dismissed or penalized by the public body for performing his or her tasks.

(4) The dismissal of the data protection officer shall be permitted only by applying Section 626 of the Civil Code accordingly. The data protection officer’s employment shall not be terminated unless there are facts which give the public body just cause to terminate without notice. After the activity as data protection officer has ended, the data protection officer may not be terminated for a year following the end of appointment, unless the public body has just cause to terminate without notice.

(6) Where in the course of their activities data protection officers become aware of data for which the head of a public body or a person employed by such a body has the right to refuse to give evidence for employment-related reasons, this right shall also apply to the data protection officer and his or her assistants. The person to whom the right to refuse to give evidence applies for employment-related reasons shall decide whether to exercise this right unless it is impossible to effect such a decision in the foreseeable future. Where the right of the data protection officer to refuse to give evidence applies, his or her files and other documents shall not be subject to seizure.

1. to inform and advise the public body and the employees who carry out processing of their obligations pursuant to this Act and other data protection legislation, including legislation enacted to implement Directive (EU) 2016/680;

2. to monitor compliance with this Act and other data protection legislation, including legislation enacted to implement Directive (EU) 2016/680, and with the policies of the public body in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

(1) The Federal Commissioner shall be competent to supervise the public bodies of the Federation, also if they take part in competition as enterprises governed by public law. The provisions of this chapter shall also apply to processors if they are private bodies in which the Federation holds the absolute majority of shares or controls the absolute majority of votes and they process data on behalf of a public body of the Federation

(1) The Federal Commissioner shall, in accordance with this Act, have official federal status under public law.

(4) Even after his or her official relationship has ended, the Federal Commissioner shall be obligated to secrecy concerning matters of which he or she is aware by reason of his or her official duties. This obligation shall not apply to official communications or to matters which are common knowledge or which by their nature do not require confidentiality. The Federal Commissioner shall decide at his or her due discretion whether and to what extent he or she will testify in or outside court or make statements concerning such matters; if he or she is no longer in office, the permission of the Federal Commissioner in office shall be required. This shall not affect the legal obligation to report crimes and to uphold the free and democratic order wherever it is threatened. Sections 93, 97, 105 (1), Section 111 (5) in conjunction with Section 105 (1) and Section 116 (1) of the German Fiscal Code shall not apply to the Federal Commissioner or his or her staff. The fifth sentence shall not apply where the financial authorities require such knowledge in order to conduct legal proceedings due to a tax offence and related tax proceedings, in the prosecution of which there is compelling public interest, or where the person required to provide information or persons acting on his or her behalf have intentionally provided false information. If the Federal Commissioner determines that data protection provisions have been violated, he or she shall be authorized to report the violation and inform the data subject accordingly.

1. be detrimental to the welfare of the Federation or a Land, in particular to the security of the Federal Republic of Germany or its relations with other countries, or

(6) Subsections 3 and 4, fifth to seventh sentences, shall apply accordingly to the public bodies responsible for monitoring compliance with the data protection provisions in the Länder.

2. to promote public awareness and understanding of the risks, rules, safeguards and rights in relation to the processing of personal data, paying special attention to measures specifically for children;

8. to conduct investigations on the application of this Act and other data protection legislation, including legislation adopted to implement Directive (EU) 2016/680, also on the basis of information received from another supervisory authority or other public authority;

(2) To carry out the task listed in subsection 1, first sentence, no. 3, the Federal Commissioner may, on request or at its own initiative, make recommendations to the German Bundestag or one of its committees, the Bundesrat, the Federal Government, other institutions and bodies and the public concerning all matters related to the protection of personal data. At the request of the German Bundestag, one of its committees or of the Federal Government, the Federal Commissioner shall also investigate data protection matters and incidents at public bodies of the Federation.

The Federal Commissioner shall produce an annual activity report which may contain a list of the types of violations reported and the types of measures taken, including penalties and measures taken in accordance with Article 58 (2) of Regulation (EU) 2016/679. The Federal Commissioner shall submit this report to the German Bundestag, the Bundesrat and the Federal Government and shall make it available to the public, the European Commission and the European Data Protection Board.

(1) The Federal Commissioner shall have, within the scope of Regulation (EU) 2016/679, the powers referred to in Article 58 of Regulation (EU) 2016/679. If the Federal Commissioner concludes that data protection legislation has been violated or that there are other problems with the processing of personal data, he or she shall inform the competent authority for legal or technical matters and, before exercising the powers referred to in Article 58 (2) (b) to (g), (i) and (j) of Regulation (EU) 2016/679, shall give this authority the opportunity to provide its opinion to the controller within a reasonable period. The opportunity to provide an opinion may be dispensed with if an immediate decision seems necessary due to imminent danger or in the public interest, or if it would conflict with compelling public interests. The opinion should also include a description of the measures taken on the basis of the information from the Federal Commissioner.

(2) If the Federal Commissioner finds that, in data processing for purposes beyond the scope of Regulation (EU) 2016/679, public bodies of the Federation have violated this Act or other data protection legislation or there are other insufficiencies with their processing or use of personal data, the Federal Commissioner shall lodge a complaint with the competent supreme federal authority and shall require this authority to respond within a period to be determined by the Federal Commissioner. The Federal Commissioner may dispense with a complaint or a response, especially if the problems involved are insignificant or have been remedied in the meantime. The response should also describe the measures taken as a result of the Federal Commissioner’s complaint. The Federal Commissioner may also warn a controller that intended processing operations are likely to violate provisions of this Act and other data protection provisions which apply to the data processing in question.

1. personal data obtained by public bodies of the Federation concerning the contents of and specific circumstances relating to postal communications and telecommunications, and

(4) The public bodies of the Federation shall be obligated to provide the Federal Commissioner and his or her assistants with the following:

(5) The Federal Commissioner shall work to cooperate with the public bodies responsible for monitoring compliance with data protection provisions in the Länder and with the supervisory authorities under Section 40. Section 40 (3), first sentence, second half sentence, shall apply accordingly.

1. by public and private bodies if

c) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices; in addition to the measures referred to in subsection 2, in particular occupational and criminal law provisions to ensure professional secrecy shall be complied with;

2. by public bodies if

a) processing is urgently necessary for reasons of substantial public interest;

b) processing is necessary to prevent a substantial threat to public security;

d) processing is necessary for urgent reasons of defence or to fulfil intergovernmental obligations of a public body of the Federation in the field of crisis management or conflict prevention or for humanitarian measures;

(1) Public bodies shall be permitted to process personal data for a purpose other than the one for which the data were collected where such processing is necessary for them to perform their duties and if

3. processing is necessary to prevent substantial harm to the common good or a threat to public security, defence or national security; to safeguard substantial concerns of the common good; or to ensure tax and customs revenues;

1. processing is necessary to prevent threats to state or public security or to prosecute criminal offences; or

(1) The transfer of personal data by public bodies to public bodies shall be permitted if it is necessary for the transferring body or the third party to whom the data are transferred to perform their duties and the conditions are met which would permit processing pursuant to Section 23. The third party to whom the data are transferred shall process the transferred data only for the purpose for which they were transferred. Processing for other purposes shall be permitted only if the conditions of Section 23 are met.

(2) Public bodies shall be permitted to transfer personal data to private bodies if

and the third party has promised the public body transferring the data that it will process them only for the purpose for which they were transferred. Processing for other purposes shall be permitted if transfer pursuant to the first sentence would be permitted and the transferring body has consented to the transfer.

(1) By derogation from Article 9 (1) of Regulation (EU) 2016/679, the processing of special categories of personal data as referred to in Article 9 (1) of Regulation (EU) 2016/679 shall be permitted if necessary for archiving purposes in the public interest. The controller shall take appropriate and specific measures to safeguard the interests of the data subject in accordance with Section 22 (2), second sentence.

(3) The right of the data subject to rectification according to Article 16 of Regulation (EU) 2016/679 shall not apply if the personal data are processed for archiving purposes in the public interest. If the data subject disputes the accuracy of the personal data, he or she shall have the opportunity to present his or her version. The responsible archive shall be obligated to add this version to the files.

(4) The rights provided in Article 18 (1) (a), (b) and (d) and in Articles 20 and 21 of Regulation (EU) 2016/679 shall not apply as far as these rights are likely to render impossible or seriously impair the achievement of the archiving purposes in the public interest, and the exceptions are necessary to fulfil those purposes.

(2) Anyone who refuses to conclude a consumer loan contract or a contract concerning financial assistance for payment with a consumer as the result of information provided by a body as referred to in subsection 1 shall immediately notify the consumer of this refusal and the information received. Such notification shall not be made if doing so would endanger public security or order. Section 37 shall remain unaffected.

2. would, in the case of a public body, endanger the proper performance of tasks as referred to in Article 23 (1) (a) to (e) of Regulation (EU) 2016/679 for which the controller is responsible, and the controller’s interests in not providing the information outweigh the interests of the data subject;

3. would endanger public security or order or would otherwise be detrimental to the welfare of the Federation or a Land, and the controller’s interests in not providing the information outweigh the interests of the data subject;

5. would endanger a confidential transfer of data to public bodies.

(2) If information is not provided to the data subject pursuant to subsection 1, the controller shall take appropriate measures to protect the legitimate interests of the data subject, including providing the information referred to in Article 13 (1) and (2) of Regulation (EU) 2016/679 for the public in precise, transparent, understandable and easily accessible form in clear and simple language. The controller shall set down in writing the reasons for not providing information. The first and second sentences shall not apply in the cases of subsection 1 nos. 4 and 5.

1. in the case of a public body

b) would threaten the public security or order or otherwise be detrimental to the Federation or a Land, and therefore the data subject’s interest in receiving the information must not take precedence;

b) the responsible public body has determined with respect to the controller that disclosing the data would endanger public security or order or would otherwise be detrimental to the welfare of the Federation or a Land; in the case of data processing for purposes of law enforcement, no determination pursuant to the first half-sentence shall be required.

(2) If information is not provided to the data subject pursuant to subsection 1, the controller shall take appropriate measures to protect the legitimate interests of the data subject, including providing the information referred to in Article 14 (1) and (2) of Regulation (EU) 2016/679 for the public in precise, transparent, understandable and easily accessible form in clear and simple language. The controller shall set down in writing the reasons for not providing information.

(3) If the provision of information relates to the transfer by public bodies of personal data to the authorities for the protection of the Constitution, the Federal Intelligence Service, the Military Counterintelligence Service and, as far as the security of the Federation is affected, other authorities of the Federal Ministry of Defence, such provision shall be permitted only with the approval of these bodies.

(3) If a public body of the Federation does not provide information to a data subject, such information shall be provided to the Federal Commissioner at the request of the data subject, unless the responsible supreme federal authority determines in the individual case that doing so would endanger the security of the Federation or a Land. The notification from the Federal Commissioner to the data subject with the results of the data protection assessment shall not permit any conclusions to be drawn concerning the information held by the controller unless the latter agrees to the provision of more extensive information.

(4) The data subject shall have the right to information about personal data processed by a public body neither in automated nor in non-automated form and stored in a filing system only if the data subject provides information enabling the data to be located and if the effort required is not disproportionate to the data subject’s interest in the information.

The right to object according to Article 21 (1) of Regulation (EU) 2016/679 with regard to a public body shall not apply if there is an urgent public interest in the processing which outweighs the interests of the data subject or if processing is required by law.

2. processing is necessary to prevent substantial harm to the common good or a threat to public security or to safeguard substantial concerns of the common good; or

(2) Unless this Act provides otherwise, the provisions of the Administrative Offences Act and the general laws on criminal procedures, namely the Code of Criminal Procedure and the Judicature Act, shall apply accordingly in proceedings for violations pursuant to Article 83 (4) to (6) of Regulation (EU) 2016/679. Sections 56 to 58, 87, 88, 99 and 100 of the Administrative Offences Act shall not apply. Section 69 (4), second sentence of the Administrative Offences Act shall apply on the condition that the public prosecutor’s office may stop the proceedings only with the approval of the supervisory authority which issued the administrative decision imposing a fine.

(1) The following actions done deliberately and without authorisation with regard to the personal data of a large number of people which are not publicly accessible shall be punishable with imprisonment of up to three years or a fine:

(2) The following actions done with regard to personal data which are not publicly accessible shall be punishable with imprisonment of up to two years or a fine:

(3) Authorities and other public bodies as referred to in Section 2 (1) shall not be subject to any administrative fines.

(2) Subsection 1 shall not apply to proceedings against public authorities acting in the exercise of their sovereign powers.

The provisions of this Part shall apply to the processing of personal data by public bodies competent for the prevention, investigation, detection or prosecution of criminal or administrative offences or the execution of criminal or administrative penalties, as far as they process data for the purpose of carrying out these tasks. The public bodies shall be regarded in that case as controllers. The prevention of criminal offences as referred to in the first sentence shall include protection against and prevention of threats to public security. The first and second sentences shall also apply to those public bodies responsible for executing penalties, measures as referred to in Section 11 (1) no. 8 of the Criminal Code, educational or disciplinary measures as referred to in the Juvenile Court Act or fines. As far as this Part contains provisions for processors, it shall also apply to them.

7. ‘controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data;

8. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

9. ‘recipient’ means a natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or other law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

15. ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 41 of Directive (EU) 2016/680;

16. ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;

Personal data may be processed in the context of purposes listed in Section 45 in archival, scientific or statistical form if doing so is in the public interest and appropriate safeguards for the legally protected interests of data subjects are implemented. Such safeguards may consist of rendering the personal data anonymous as quickly as possible, taking measures to prevent unauthorised disclosure to third parties, or in processing them organisationally and spatially separate from other tasks.

The controller shall provide general and publicly accessible information on

2. public security, or

(1) Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with the Federal Commissioner, if the data subject believes that the processing by public bodies of personal data relating to him or her for the purposes listed in Section 45 infringes his or her rights. This shall not apply to the processing of personal data by courts, if they have processed these data in the context of their judicial activities. The Federal Commissioner shall inform the data subject of the progress and the outcome of the complaint and of the possibility of a judicial remedy pursuant to Section 61.

3. it would involve a disproportionate effort; in this case, a public communication shall be made or a similar measure taken to inform the data subjects in an equally effective manner.

(2) No transfer of personal data shall be permitted, despite an adequacy decision as referred to in subsection 1 no. 2 and the public interest in the data transfer to be taken into account, if in the individual case it cannot be ensured that the data will be handled appropriately in terms of data protection law and in accordance with fundamental human rights in the area of responsibility of the recipient, or if a transfer would conflict with other overriding legitimate interests of a data subject. The controller shall base its assessment on whether the recipient in the individual case guarantees appropriate protection of the transferred data.

(3) If personal data which have been transmitted or made available from another European Union Member State are to be transferred pursuant to subsection 1, the competent body of the other Member State must provide prior authorisation of the transfer. Transfers without the prior authorisation shall be permitted only if the transfer is necessary to prevent an immediate and serious threat to the public security of a country or to essential interests of a Member State and the prior authorisation cannot be obtained in time. In the case of the second sentence, the other Member State’s body responsible for giving prior authorisation shall be informed of the transfer without delay.

3. to prevent an immediate and serious threat to the public security of a country;

(2) The controller shall not transfer data pursuant to subsection 1 if the fundamental rights of the data subject override the public interest in the transfer.

1. in the specific case no fundamental rights of the data subject override the public interest in the transfer;

Section 42 shall apply accordingly to the processing of personal data by public bodies in the context of activities pursuant to Section 45, first, third or fourth sentences.

(1) The transfer of personal data to a third country, to supranational or intergovernmental bodies or to international organisations in the context of activities outside the scope of Regulation (EU) 2016/679 and Directive (EU) 2016/680 shall be permitted in addition to the cases permitted under Regulation (EU) 2016/679 also if the processing is necessary to perform tasks for urgent reasons of defence or to fulfil supraor intergovernmental obligations of a public body of the Federation in the field of crisis management or conflict prevention or for humanitarian measures. The recipient shall be instructed that the transferred data may be used only for the purpose for which they were transferred.

(3) Processing by public bodies of the Federation in the context of activities outside the scope of Regulation (EU) 2016/679 and Directive (EU) 2016/680 shall not be subject to the obligation to provide information in accordance with Article 13 (1) and (2) of Regulation (EU) 2016/679