Section 22 - Processing of special categories of personal dataSection 23 - Processing for other purposes by public bodiesSection 24 - Processing for other purposes by private bodiesSection 25 - Transfer of data by public bodiesSection 26 - Data processing for employment-related purposesSection 27 - Data processing for purposes of scientific or historical research and for statistical purposesSection 28 - Data processing for archiving purposes in the public interestSection 29 - Rights of the data subject and powers of the supervisory authorities in the case of secrecy obligationsSection 30 - Consumer loansSection 31 - Protection of commercial transactions in the case of scoring and credit reportsSection 32 - Information to be provided where personal data are collected from the data subjectSection 33 - Information to be provided where personal data have not been obtained from the data subjectSection 34 - Right of access by the data subjectSection 35 - Right to erasureSection 36 - Right to objectSection 37 - Automated individual decision-making, including profilingSection 38 - Data protection officers of private bodiesSection 39 - AccreditationSection 40 - Supervisory authorities of the LänderSection 41 - Application of provisions concerning criminal proceedings and proceedings to impose administrative finesSection 42 - Penal provisionsSection 43 - Provisions on administrative finesSection 44 - Proceedings against a controller or processor
Section 45 - ScopeSection 46 - DefinitionsSection 47 - General principles for processing personal dataSection 48 - Processing of special categories of personal dataSection 49 - Processing for other purposesSection 50 - Processing for archiving, scientific and statistical purposesSection 51 - ConsentSection 52 - Processing on instructions from the controllerSection 53 - ConfidentialitySection 54 - Automated individual decisionSection 55 - General information on data processingSection 56 - Notification of data subjectsSection 57 - Right of accessSection 58 - Right to rectification and erasure and to restriction of processingSection 59 - Modalities for exercising the rights of the data subjectSection 60 - Right to lodge a complaint with the Federal CommissionerSection 61 - Legal remedies against decisions of the Federal Commissioner or if he or she fails to take actionSection 62 - Processing carried out on behalf of a controllerSection 63 - Joint controllersSection 64 - Requirements for the security of data processingSection 65 - Notifying the Federal Commissioner of a personal data breachSection 66 - Notifying data subjects affected by a personal data breachSection 67 - Conducting a data protection impact assessmentSection 68 - Cooperation with the Federal CommissionerSection 69 - Prior consultation of the Federal CommissionerSection 70 - Records of processing activitiesSection 71 - Data protection by design and by defaultSection 72 - Distinction between different categories of data subjectsSection 73 - Distinction between facts and personal assessmentsSection 74 - Procedures for data transfersSection 75 - Rectification and erasure of personal data and restriction of processingSection 76 - LoggingSection 77 - Confidential reporting of violationsSection 78 - General requirementsSection 79 - Data transfers with appropriate safeguardsSection 80 - Data transfers without appropriate safeguardsSection 81 - Other data transfers to recipients in third countriesSection 82 - Mutual assistanceSection 83 - CompensationSection 84 - Penal provisions
If the testimony concerns ongoing or completed processes which are or could be considered core aspects of executive responsibility, the Federal Commissioner may testify only with the approval of the Federal Government. Section 28 of the Federal Constitutional Court Act shall remain unaffected.
(1) The lead supervisory authority of a Land in the one-stop-shop mechanism pursuant to Chapter VII of Regulation (EU) 2016/679 shall be the supervisory authority of the Land in which the controller or processor has its main establishment, as referred to in Article 4 no. 16 of Regulation (EU) 2016/679 or its single establishment in the European Union, as referred to in Article 56 (1) of Regulation (EU) 2016/679. Article 56 (1) in conjunction with Article 4 no. 16 of Regulation (EU) 2016/679 shall apply accordingly within the Federal Commissioner’s area of responsibility. If there is no agreement on determining the lead supervisory authority, the procedure described in Section 18 (2) shall be applied accordingly.
(1) The controller shall keep a record of all categories of processing activities under its responsibility. This record shall contain all of the following information:
The controller shall ensure that it is able to receive confidential reports of violations of data protection law which have occurred in its area of responsibility.
(2) No transfer of personal data shall be permitted, despite an adequacy decision as referred to in subsection 1 no. 2 and the public interest in the data transfer to be taken into account, if in the individual case it cannot be ensured that the data will be handled appropriately in terms of data protection law and in accordance with fundamental human rights in the area of responsibility of the recipient, or if a transfer would conflict with other overriding legitimate interests of a data subject. The controller shall base its assessment on whether the recipient in the individual case guarantees appropriate protection of the transferred data.
(4) The controller transferring data pursuant to subsection 1 shall take appropriate measures to ensure that the recipient will transfer the data onward to other third countries or other international organisations only with the prior authorisation of the controller. When deciding whether to authorize the transfer, the controller shall take into account all relevant factors, including the seriousness of the criminal offence, the purpose for which the personal data were originally transferred and the level of personal data protection in the third country or international organisation to which the data are to be transferred onward. The transfer shall be authorized only if a direct transfer to the other third country or international organisation would be lawful. The responsibility for issuing authorisation may also be otherwise provided for.