Chapter 1 - Scope and definitions
Section 1 - Scope of the ActSection 2 - DefinitionsChapter 2 - Legal basis for processing personal data
Section 3 - Processing of personal data by public bodiesSection 4 - Video surveillance of publicly accessible spacesChapter 3 - Data protection officers of public bodies
Section 5 - DesignationSection 6 - PositionSection 7 - TasksChapter 4 - Federal Commissioner for Data Protection and Freedom of Information
Section 8 - EstablishmentSection 9 - CompetenceSection 10 - IndependenceSection 11 - Appointment and term of officeSection 12 - Official relationshipSection 13 - Rights and obligationsSection 14 - TasksSection 15 - Activity reportsSection 16 - PowersChapter 5 - Representation on the European Data Protection Board, single contact point, cooperation among the federal supervisory authorities and those of the Länder concerning European Union matters
Section 17 - Representation on the European Data Protection Board, single contact pointSection 18 - Procedures for cooperation among the federal and Länder supervisory authoritiesSection 19 - ResponsibilitiesChapter 6 - Legal remedies
Section 20 - Judicial remedySection 21 - Application of the supervisory authority for a court decision if it believes that an adequacy decision by the European Commission violates the lawChapter 1 - Legal basis for processing personal data
Sub-chapter 1 - Processing of special categories of personal data and processing for other purposes
Section 22 - Processing of special categories of personal dataSection 23 - Processing for other purposes by public bodiesSection 24 - Processing for other purposes by private bodiesSection 25 - Transfer of data by public bodiesSub-chapter 2 - Special processing situations
Section 26 - Data processing for employment-related purposesSection 27 - Data processing for purposes of scientific or historical research and for statistical purposesSection 28 - Data processing for archiving purposes in the public interestSection 29 - Rights of the data subject and powers of the supervisory authorities in the case of secrecy obligationsSection 30 - Consumer loansSection 31 - Protection of commercial transactions in the case of scoring and credit reportsChapter 2 - Rights of the data subject
Section 32 - Information to be provided where personal data are collected from the data subjectSection 33 - Information to be provided where personal data have not been obtained from the data subjectSection 34 - Right of access by the data subjectSection 35 - Right to erasureSection 36 - Right to objectSection 37 - Automated individual decision-making, including profilingChapter 3 - Obligations of controllers and processors
Section 38 - Data protection officers of private bodiesSection 39 - AccreditationChapter 4 - Supervisory authorities for data processing by private bodies
Section 40 - Supervisory authorities of the LänderChapter 5 - Penalties
Section 41 - Application of provisions concerning criminal proceedings and proceedings to impose administrative finesSection 42 - Penal provisionsSection 43 - Provisions on administrative finesChapter 6 - Legal remedies
Section 44 - Proceedings against a controller or processorChapter 1 - Scope, definitions and general principles for processing personal data
Section 45 - ScopeSection 46 - DefinitionsSection 47 - General principles for processing personal dataChapter 2 - Legal basis for processing personal data
Section 48 - Processing of special categories of personal dataSection 49 - Processing for other purposesSection 50 - Processing for archiving, scientific and statistical purposesSection 51 - ConsentSection 52 - Processing on instructions from the controllerSection 53 - ConfidentialitySection 54 - Automated individual decisionChapter 3 - Rights of the data subject
Section 55 - General information on data processingSection 56 - Notification of data subjectsSection 57 - Right of accessSection 58 - Right to rectification and erasure and to restriction of processingSection 59 - Modalities for exercising the rights of the data subjectSection 60 - Right to lodge a complaint with the Federal CommissionerSection 61 - Legal remedies against decisions of the Federal Commissioner or if he or she fails to take actionChapter 4 - Obligations of controllers and processors
Section 62 - Processing carried out on behalf of a controllerSection 63 - Joint controllersSection 64 - Requirements for the security of data processingSection 65 - Notifying the Federal Commissioner of a personal data breachSection 66 - Notifying data subjects affected by a personal data breachSection 67 - Conducting a data protection impact assessmentSection 68 - Cooperation with the Federal CommissionerSection 69 - Prior consultation of the Federal CommissionerSection 70 - Records of processing activitiesSection 71 - Data protection by design and by defaultSection 72 - Distinction between different categories of data subjectsSection 73 - Distinction between facts and personal assessmentsSection 74 - Procedures for data transfersSection 75 - Rectification and erasure of personal data and restriction of processingSection 76 - LoggingSection 77 - Confidential reporting of violationsChapter 5 - Transfers of data to third countries and to international organisations
Section 78 - General requirementsSection 79 - Data transfers with appropriate safeguardsSection 80 - Data transfers without appropriate safeguardsSection 81 - Other data transfers to recipients in third countriesChapter 6 - Cooperation among supervisory authorities
Section 82 - Mutual assistanceChapter 7 - Liability and penalties
Section 83 - CompensationSection 84 - Penal provisions(3) Storing or using data collected pursuant to subsection 1 shall be permitted if necessary to achieve the intended purpose and if there is nothing to indicate legitimate overriding interests of the data subjects. Subsection 1, second sentence, shall apply accordingly. The data may be further processed for another purpose only if necessary to prevent threats to state and public security and to prosecute crimes.
1. be detrimental to the welfare of the Federation or a Land, in particular to the security of the Federal Republic of Germany or its relations with other countries, or
a) processing is necessary to exercise the rights derived from the right of social security and social protection and to meet the related obligations;
b) processing is necessary to prevent a substantial threat to public security;
9. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
3. processing is necessary to prevent substantial harm to the common good or a threat to public security, defence or national security; to safeguard substantial concerns of the common good; or to ensure tax and customs revenues;
1. processing is necessary to prevent threats to state or public security or to prosecute criminal offences; or
(3) By derogation from Article 9 (1) of Regulation (EU) 2016/679, the processing of special categories of personal data as referred to in Article 9 (1) of Regulation (EU) 2016/679 for employment-related purposes shall be permitted if it is necessary to exercise rights or comply with legal obligations derived from labour law, social security and social protection law, and there is no reason to believe that the data subject has an overriding legitimate interest in not processing the data. Subsection 2 shall also apply to consent to the processing of special categories of personal data; consent must explicitly refer to these data. Section 22 (2) shall apply accordingly.
(2) Anyone who refuses to conclude a consumer loan contract or a contract concerning financial assistance for payment with a consumer as the result of information provided by a body as referred to in subsection 1 shall immediately notify the consumer of this refusal and the information received. Such notification shall not be made if doing so would endanger public security or order. Section 37 shall remain unaffected.
3. would endanger public security or order or would otherwise be detrimental to the welfare of the Federation or a Land, and the controller’s interests in not providing the information outweigh the interests of the data subject;
b) would threaten the public security or order or otherwise be detrimental to the Federation or a Land, and therefore the data subject’s interest in receiving the information must not take precedence;
b) the responsible public body has determined with respect to the controller that disclosing the data would endanger public security or order or would otherwise be detrimental to the welfare of the Federation or a Land; in the case of data processing for purposes of law enforcement, no determination pursuant to the first half-sentence shall be required.
(3) If the provision of information relates to the transfer by public bodies of personal data to the authorities for the protection of the Constitution, the Federal Intelligence Service, the Military Counterintelligence Service and, as far as the security of the Federation is affected, other authorities of the Federal Ministry of Defence, such provision shall be permitted only with the approval of these bodies.
(3) If a public body of the Federation does not provide information to a data subject, such information shall be provided to the Federal Commissioner at the request of the data subject, unless the responsible supreme federal authority determines in the individual case that doing so would endanger the security of the Federation or a Land. The notification from the Federal Commissioner to the data subject with the results of the data protection assessment shall not permit any conclusions to be drawn concerning the information held by the controller unless the latter agrees to the provision of more extensive information.
2. processing is necessary to prevent substantial harm to the common good or a threat to public security or to safeguard substantial concerns of the common good; or
The provisions of this Part shall apply to the processing of personal data by public bodies competent for the prevention, investigation, detection or prosecution of criminal or administrative offences or the execution of criminal or administrative penalties, as far as they process data for the purpose of carrying out these tasks. The public bodies shall be regarded in that case as controllers. The prevention of criminal offences as referred to in the first sentence shall include protection against and prevention of threats to public security. The first and second sentences shall also apply to those public bodies responsible for executing penalties, measures as referred to in Section 11 (1) no. 8 of the Criminal Code, educational or disciplinary measures as referred to in the Juvenile Court Act or fines. As far as this Part contains provisions for processors, it shall also apply to them.
10. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed;
23. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
1. specific requirements for data security or data protection monitoring;
2. public security, or
(3) If the notification relates to the transfer of personal data to the authorities for the protection of the Constitution, the Federal Intelligence Service, the Military Counterintelligence Service and, as far as the security of the Federation is affected, other authorities of the Federal Ministry of Defence, such notification shall be permitted only with the approval of these bodies.
(5) If the information to be provided relates to the transfer of personal data to the authorities for the protection of the Constitution, the Federal Intelligence Service, the Military Counterintelligence Service and, as far as the security of the Federation is affected, other authorities of the Federal Ministry of Defence, such provision shall be permitted only with the approval of these bodies.
(7) If the data subject is notified pursuant to subsection 6 of the refusal or restriction of access, he or she may exercise his or her right of access also via the Federal Commissioner. The controller shall inform the data subject of this possibility and that, in accordance with Section 60, the data subject may lodge a complaint with the Federal Commissioner or seek a judicial remedy. If the data subject exercises his or her right pursuant to the first sentence, the information shall be provided to the Federal Commissioner at the request of the data subject, unless the responsible supreme federal authority determines in the individual case that doing so would threaten the security of the Federation or a Land. The Federal Commissioner shall at least inform the data subject that all necessary checks have been conducted or that the Federal Commissioner has conducted a review. This notification may include information as to whether violations of data protection law were found. The notification from the Federal Commissioner to the data subject shall not permit any conclusions to be drawn concerning the information held by the controller unless the latter agrees to the provision of more extensive information. The controller may refuse to such provision only as far as and for as long as he or she could dispense with or restrict information pursuant to subsection 4. The Federal Commissioner shall also inform the data subject of his or her right to seek a judicial remedy.
(1) The controller and the processor, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the legally protected interests of natural persons, shall implement the necessary technical and organisational measures to ensure a level of security appropriate to the risk when processing personal data, in particular as regards the processing of special categories of personal data. In doing so, the controller shall take into account the relevant Technical Guidelines and recommendations from the Federal Office for Information Security.
4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the law.
9. a general description of the technical and organisational security measures referred to in Section 64.
3. a general description of the technical and organisational security measures according to Section 64.
(3) The logs may be used only by the data protection officer, the Federal Commissioner or the data subject to verify the lawfulness of the processing; and for selfmonitoring, ensuring the integrity and security of the personal data, and for criminal proceedings.
(3) If personal data which have been transmitted or made available from another European Union Member State are to be transferred pursuant to subsection 1, the competent body of the other Member State must provide prior authorisation of the transfer. Transfers without the prior authorisation shall be permitted only if the transfer is necessary to prevent an immediate and serious threat to the public security of a country or to essential interests of a Member State and the prior authorisation cannot be obtained in time. In the case of the second sentence, the other Member State’s body responsible for giving prior authorisation shall be informed of the transfer without delay.
3. to prevent an immediate and serious threat to the public security of a country;
(2) Section 16 (4) shall not apply to processing in the context of activities outside the scope of Regulation (EU) 2016/679 and Directive (EU) 2016/680 by workplaces within the remit of the Federal Ministry of Defence if the Federal Ministry of Defence determines in the individual case that meeting the obligations referred to in that provision would endanger the security of the Federation.
The Act on Prerequisites and Procedures for Security Clearance Checks Undertaken by the Federal Government 20 April 1994 (Sicherheitsüberprüfungsgesetz, SÜG) (Federal Law Gazette I p. 867), last amended by Article 1 of the Act of 16 June 2017 (Federal Gazette I, p. 1634), shall be amended as follows: