Chapter 1 - Scope and definitions
Section 1 - Scope of the ActSection 2 - DefinitionsChapter 2 - Legal basis for processing personal data
Section 3 - Processing of personal data by public bodiesSection 4 - Video surveillance of publicly accessible spacesChapter 3 - Data protection officers of public bodies
Section 5 - DesignationSection 6 - PositionSection 7 - TasksChapter 4 - Federal Commissioner for Data Protection and Freedom of Information
Section 8 - EstablishmentSection 9 - CompetenceSection 10 - IndependenceSection 11 - Appointment and term of officeSection 12 - Official relationshipSection 13 - Rights and obligationsSection 14 - TasksSection 15 - Activity reportsSection 16 - PowersChapter 5 - Representation on the European Data Protection Board, single contact point, cooperation among the federal supervisory authorities and those of the Länder concerning European Union matters
Section 17 - Representation on the European Data Protection Board, single contact pointSection 18 - Procedures for cooperation among the federal and Länder supervisory authoritiesSection 19 - ResponsibilitiesChapter 6 - Legal remedies
Section 20 - Judicial remedySection 21 - Application of the supervisory authority for a court decision if it believes that an adequacy decision by the European Commission violates the lawChapter 1 - Legal basis for processing personal data
Sub-chapter 1 - Processing of special categories of personal data and processing for other purposes
Section 22 - Processing of special categories of personal dataSection 23 - Processing for other purposes by public bodiesSection 24 - Processing for other purposes by private bodiesSection 25 - Transfer of data by public bodiesSub-chapter 2 - Special processing situations
Section 26 - Data processing for employment-related purposesSection 27 - Data processing for purposes of scientific or historical research and for statistical purposesSection 28 - Data processing for archiving purposes in the public interestSection 29 - Rights of the data subject and powers of the supervisory authorities in the case of secrecy obligationsSection 30 - Consumer loansSection 31 - Protection of commercial transactions in the case of scoring and credit reportsChapter 2 - Rights of the data subject
Section 32 - Information to be provided where personal data are collected from the data subjectSection 33 - Information to be provided where personal data have not been obtained from the data subjectSection 34 - Right of access by the data subjectSection 35 - Right to erasureSection 36 - Right to objectSection 37 - Automated individual decision-making, including profilingChapter 3 - Obligations of controllers and processors
Section 38 - Data protection officers of private bodiesSection 39 - AccreditationChapter 4 - Supervisory authorities for data processing by private bodies
Section 40 - Supervisory authorities of the LänderChapter 5 - Penalties
Section 41 - Application of provisions concerning criminal proceedings and proceedings to impose administrative finesSection 42 - Penal provisionsSection 43 - Provisions on administrative finesChapter 6 - Legal remedies
Section 44 - Proceedings against a controller or processorChapter 1 - Scope, definitions and general principles for processing personal data
Section 45 - ScopeSection 46 - DefinitionsSection 47 - General principles for processing personal dataChapter 2 - Legal basis for processing personal data
Section 48 - Processing of special categories of personal dataSection 49 - Processing for other purposesSection 50 - Processing for archiving, scientific and statistical purposesSection 51 - ConsentSection 52 - Processing on instructions from the controllerSection 53 - ConfidentialitySection 54 - Automated individual decisionChapter 3 - Rights of the data subject
Section 55 - General information on data processingSection 56 - Notification of data subjectsSection 57 - Right of accessSection 58 - Right to rectification and erasure and to restriction of processingSection 59 - Modalities for exercising the rights of the data subjectSection 60 - Right to lodge a complaint with the Federal CommissionerSection 61 - Legal remedies against decisions of the Federal Commissioner or if he or she fails to take actionChapter 4 - Obligations of controllers and processors
Section 62 - Processing carried out on behalf of a controllerSection 63 - Joint controllersSection 64 - Requirements for the security of data processingSection 65 - Notifying the Federal Commissioner of a personal data breachSection 66 - Notifying data subjects affected by a personal data breachSection 67 - Conducting a data protection impact assessmentSection 68 - Cooperation with the Federal CommissionerSection 69 - Prior consultation of the Federal CommissionerSection 70 - Records of processing activitiesSection 71 - Data protection by design and by defaultSection 72 - Distinction between different categories of data subjectsSection 73 - Distinction between facts and personal assessmentsSection 74 - Procedures for data transfersSection 75 - Rectification and erasure of personal data and restriction of processingSection 76 - LoggingSection 77 - Confidential reporting of violationsChapter 5 - Transfers of data to third countries and to international organisations
Section 78 - General requirementsSection 79 - Data transfers with appropriate safeguardsSection 80 - Data transfers without appropriate safeguardsSection 81 - Other data transfers to recipients in third countriesChapter 6 - Cooperation among supervisory authorities
Section 82 - Mutual assistanceChapter 7 - Liability and penalties
Section 83 - CompensationSection 84 - Penal provisions(3) The data protection officer shall in the performance of his or her tasks give due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
2. to promote public awareness and understanding of the risks, rules, safeguards and rights in relation to the processing of personal data, paying special attention to measures specifically for children;
(2) In the cases of subsection 1, appropriate and specific measures shall be taken to safeguard the interests of the data subject. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, these measures may include in particular the following:
(4) The bodies subject to monitoring and the persons responsible for their management shall provide a supervisory authority on request with the information necessary to perform their tasks. The person required to provide information may refuse to answer those questions which would expose himor herself or a relative as referred to in Section 383 (1) nos. 1 to 3 of the Code of Civil Procedure to the risk of criminal prosecution or proceedings under the Administrative Offences Act. The person required to provide information shall be informed accordingly.
(1) The controller and the processor, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the legally protected interests of natural persons, shall implement the necessary technical and organisational measures to ensure a level of security appropriate to the risk when processing personal data, in particular as regards the processing of special categories of personal data. In doing so, the controller shall take into account the relevant Technical Guidelines and recommendations from the Federal Office for Information Security.
(3) In respect of automated processing, the controller and processor, following an evaluation of the risks, shall implement measures designed to
(1) In the case of a personal data breach, the controller shall notify the Federal Commissioner without delay and, if possible, not later than 72 hours after having become aware of it, of the personal data breach, unless the personal data breach is unlikely to result in a risk to the legally protected interests of natural persons. If the Federal Commissioner is not notified within 72 hours, the notification shall be accompanied by reasons for the delay.
(1) If a personal data breach is likely to result in a substantial risk to the legally protected interests of natural persons, the controller shall notify the data subject of the personal data breach without delay.
2. the controller has taken subsequent measures which ensure that the substantial risk referred to in subsection 1 is no longer likely to exist;
(4) If the controller has not informed the data subjects of a personal data breach, the Federal Commissioner may formally determine that, in his or her opinion, the conditions referred to in subsection 3 have not been met. In doing so, the Federal Commissioner shall consider the likelihood of the personal data breach resulting in a high risk as referred to in subsection 1.
(5) The notification of data subjects pursuant to subsection 1 may be delayed, restricted or omitted under the conditions referred to in Section 56 (2) unless the interests of the data subjects outweigh those of the controller owing to the high risk resulting from the personal data breach as referred to in subsection 1.
(1) Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a substantial risk to the legally protected interests of data subjects, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the data subjects.
(2) A joint assessment may address a set of similar processing operations that present similar substantial risks.
3. an assessment of the risks to the legally protected interests of the data subjects; and
4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the law.
1. a data protection impact assessment pursuant to Section 67 indicates that the processing would result in a substantial risk to the legally protected interests of data subjects in the absence of measures taken by the controller to mitigate the risk; or
2. the type of processing, in particular, where using new technologies, mechanisms or procedures, involves a substantial risk to the legally protected interests of data subjects.
On request, the Federal Commissioner shall be given any other information he or she requires to assess the lawfulness of the processing and, in particular, the existing risks to the protection of the data subjects’ personal data and the related safeguards.
(3) If the Federal Commissioner believes that the planned processing would violate the law, in particular because the controller has not sufficiently identified the risk or has not taken sufficient measures to mitigate the risk, he or she may provide, within a period of up to six weeks of receipt of the request for consultation, written advice to the controller and, where applicable, to the processor, as to which additional measures should be taken. The Federal Commissioner may extend this period by a month, if the planned processing is especially complex. In this case, the Federal Commissioner shall inform the controller and, where applicable, the processor of the extension within one month of receipt of the request for consultation.
(1) The controller, both at the time the means of processing are determined and at the time of the processing itself, shall take appropriate measures to implement data protection principles, such as data minimization, in an effective manner, to ensure compliance with legal requirements and to protect the rights of data subjects. In doing so, the controller shall take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the legally protected interests of the data subject posed by the processing. In particular, personal data shall be processed, and processing systems shall be selected and designed in accordance with the aim of processing as few personal data as possible. Personal data shall be rendered anonymous or pseudonymized as early as possible, as far as possible in accordance with the purpose of processing.