Chapter 1 - Scope and definitions
Section 1 - Scope of the ActSection 2 - DefinitionsChapter 2 - Legal basis for processing personal data
Section 3 - Processing of personal data by public bodiesSection 4 - Video surveillance of publicly accessible spacesChapter 3 - Data protection officers of public bodies
Section 5 - DesignationSection 6 - PositionSection 7 - TasksChapter 4 - Federal Commissioner for Data Protection and Freedom of Information
Section 8 - EstablishmentSection 9 - CompetenceSection 10 - IndependenceSection 11 - Appointment and term of officeSection 12 - Official relationshipSection 13 - Rights and obligationsSection 14 - TasksSection 15 - Activity reportsSection 16 - PowersChapter 5 - Representation on the European Data Protection Board, single contact point, cooperation among the federal supervisory authorities and those of the Länder concerning European Union matters
Section 17 - Representation on the European Data Protection Board, single contact pointSection 18 - Procedures for cooperation among the federal and Länder supervisory authoritiesSection 19 - ResponsibilitiesChapter 6 - Legal remedies
Section 20 - Judicial remedySection 21 - Application of the supervisory authority for a court decision if it believes that an adequacy decision by the European Commission violates the lawChapter 1 - Legal basis for processing personal data
Sub-chapter 1 - Processing of special categories of personal data and processing for other purposes
Section 22 - Processing of special categories of personal dataSection 23 - Processing for other purposes by public bodiesSection 24 - Processing for other purposes by private bodiesSection 25 - Transfer of data by public bodiesSub-chapter 2 - Special processing situations
Section 26 - Data processing for employment-related purposesSection 27 - Data processing for purposes of scientific or historical research and for statistical purposesSection 28 - Data processing for archiving purposes in the public interestSection 29 - Rights of the data subject and powers of the supervisory authorities in the case of secrecy obligationsSection 30 - Consumer loansSection 31 - Protection of commercial transactions in the case of scoring and credit reportsChapter 2 - Rights of the data subject
Section 32 - Information to be provided where personal data are collected from the data subjectSection 33 - Information to be provided where personal data have not been obtained from the data subjectSection 34 - Right of access by the data subjectSection 35 - Right to erasureSection 36 - Right to objectSection 37 - Automated individual decision-making, including profilingChapter 3 - Obligations of controllers and processors
Section 38 - Data protection officers of private bodiesSection 39 - AccreditationChapter 4 - Supervisory authorities for data processing by private bodies
Section 40 - Supervisory authorities of the LänderChapter 5 - Penalties
Section 41 - Application of provisions concerning criminal proceedings and proceedings to impose administrative finesSection 42 - Penal provisionsSection 43 - Provisions on administrative finesChapter 6 - Legal remedies
Section 44 - Proceedings against a controller or processorChapter 1 - Scope, definitions and general principles for processing personal data
Section 45 - ScopeSection 46 - DefinitionsSection 47 - General principles for processing personal dataChapter 2 - Legal basis for processing personal data
Section 48 - Processing of special categories of personal dataSection 49 - Processing for other purposesSection 50 - Processing for archiving, scientific and statistical purposesSection 51 - ConsentSection 52 - Processing on instructions from the controllerSection 53 - ConfidentialitySection 54 - Automated individual decisionChapter 3 - Rights of the data subject
Section 55 - General information on data processingSection 56 - Notification of data subjectsSection 57 - Right of accessSection 58 - Right to rectification and erasure and to restriction of processingSection 59 - Modalities for exercising the rights of the data subjectSection 60 - Right to lodge a complaint with the Federal CommissionerSection 61 - Legal remedies against decisions of the Federal Commissioner or if he or she fails to take actionChapter 4 - Obligations of controllers and processors
Section 62 - Processing carried out on behalf of a controllerSection 63 - Joint controllersSection 64 - Requirements for the security of data processingSection 65 - Notifying the Federal Commissioner of a personal data breachSection 66 - Notifying data subjects affected by a personal data breachSection 67 - Conducting a data protection impact assessmentSection 68 - Cooperation with the Federal CommissionerSection 69 - Prior consultation of the Federal CommissionerSection 70 - Records of processing activitiesSection 71 - Data protection by design and by defaultSection 72 - Distinction between different categories of data subjectsSection 73 - Distinction between facts and personal assessmentsSection 74 - Procedures for data transfersSection 75 - Rectification and erasure of personal data and restriction of processingSection 76 - LoggingSection 77 - Confidential reporting of violationsChapter 5 - Transfers of data to third countries and to international organisations
Section 78 - General requirementsSection 79 - Data transfers with appropriate safeguardsSection 80 - Data transfers without appropriate safeguardsSection 81 - Other data transfers to recipients in third countriesChapter 6 - Cooperation among supervisory authorities
Section 82 - Mutual assistanceChapter 7 - Liability and penalties
Section 83 - CompensationSection 84 - Penal provisions4. to cooperate with the supervisory authority;
5. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Section 69 of this Act, and to consult, where appropriate, with regard to any other matter.
6. to handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 55 of Directive (EU) 2016/680, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
8. to conduct investigations on the application of this Act and other data protection legislation, including legislation adopted to implement Directive (EU) 2016/680, also on the basis of information received from another supervisory authority or other public authority;
(1) The Federal Commissioner shall serve as the joint representative on the European Data Protection Board and single contact point (joint representative). The Bundesrat shall elect the head of the supervisory authority of a Land to serve as the joint representative’s deputy (deputy). The term shall be five years. When the head of the supervisory authority of a Land leaves office, his or her function as deputy shall end at the same time. The deputy may be re-elected.
(2) If the supervisory authorities of the Federation and the Länder fail to achieve agreement on a common position, the lead supervisory authority, or, in the absence of a lead authority, the joint representative and his or her deputy, shall present a recommendation for a common position. If the joint representative and his or her deputy fail to agree on a recommendation for a common position, the deputy shall determine the recommendation for a common position in matters dealing with the performance of a task for which the Länder alone have the right to legislate, or which affect the establishment or procedures of Land authorities. For matters other than those referred to in the second sentence in which the joint representative and deputy fail to agree, the joint representative shall determine the common position. The negotiations shall be based on the position recommended pursuant to the first to third sentences unless the supervisory authorities of the Federation and the Länder adopt a different position with a simple majority. The Federation and each Land each have one vote. Abstentions shall not be counted.
(1) The lead supervisory authority of a Land in the one-stop-shop mechanism pursuant to Chapter VII of Regulation (EU) 2016/679 shall be the supervisory authority of the Land in which the controller or processor has its main establishment, as referred to in Article 4 no. 16 of Regulation (EU) 2016/679 or its single establishment in the European Union, as referred to in Article 56 (1) of Regulation (EU) 2016/679. Article 56 (1) in conjunction with Article 4 no. 16 of Regulation (EU) 2016/679 shall apply accordingly within the Federal Commissioner’s area of responsibility. If there is no agreement on determining the lead supervisory authority, the procedure described in Section 18 (2) shall be applied accordingly.
(2) The supervisory authority with which a data subject has lodged a complaint shall forward the complaint to the lead supervisory authority referred to in subsection 1; in the absence of such a lead supervisory authority, the complaint shall be forwarded to the supervisory authority of a Land in which the controller or processor has an establishment. If a complaint is lodged with a supervisory authority which is not responsible for the matter, this authority shall forward the complaint to the supervisory authority where the applicant resides, if it is not possible to forward the complaint as referred to in the first sentence. The receiving supervisory authority shall be regarded as the supervisory authority according to Chapter VII of Regulation (EU) 2016/679 with whom the complaint was lodged, and shall fulfil the obligations referred to in Article 60 (7) to (9) and Article 65 (6) of Regulation (EU) 2016/679.
(1) Recourse to the administrative courts shall be provided for disputes between natural or legal persons and a supervisory authority of the Federation or a Land concerning rights according to Article 78 (1) and (2) of Regulation (EU) 2016/679 and Section 61. The first sentence shall not apply to administrative fine proceedings.
(3) For proceedings pursuant to subsection 1, first sentence, the administrative court in whose district the supervisory authority is located shall be locally competent.
(4) In proceedings pursuant to subsection 1, first sentence, the supervisory authority shall be competent to take part.
2. the supervisory authority as defendant or respondent. Section 63 nos. 3 and 4 of the Code of Administrative Court Procedure shall remain unaffected.
(7) With respect to an authority or its legal entity, the supervisory authority shall not order immediate execution in accordance with Section 80 (2), first sentence, no. 4 of the Code of Administrative Court Procedure.
(1) If a supervisory authority believes that an adequacy decision of the European Commission or a decision on the recognition of standard protection clauses or on the general validity of approved codes of conduct, on the validity of which a decision of the supervisory authority depends, violates the law, the supervisory authority shall suspend its procedure and lodge an application for a court decision.
(3) The Federal Administrative Court shall decide in the first and last instance on an application by the supervisory authority pursuant to subsection 1.
(4) In proceedings pursuant to subsection 1, the supervisory authority shall be competent to take part. The supervisory authority shall be a party to proceedings pursuant to subsection 1 as applicant; Section 63 nos. 3 and 4 of the Code of Administrative Court Procedure shall remain unaffected. The Federal Administrative Court may give the European Commission the opportunity to comment within a period of time to be determined.
(3) The supervisory authorities shall not have the investigative powers according to Article 58 (1) (e) and (f) of Regulation (EU) 2016/679 with regard to the persons listed in Section 203 (1), (2a) and (3) of the Criminal Code or their processors as far as exercising these powers would violate these persons’ obligations to secrecy. If in the context of an investigation a supervisory authority becomes aware of data subject to an obligation of secrecy as referred to in the first sentence, the obligation of secrecy shall also apply to the supervisory authority.
The power to act as a certification body in accordance with Article 43 (1), first sentence of Regulation (EU) 2016/679 shall be granted by the supervisory authority of the Federation or the Länder responsible for data protection supervision of the certification body on the basis of accreditation by the German accreditation body. Section 2 (3), second sentence, Section 4 (3) and Section 10 (1), first sentence, no. 3 of the Accreditation Body Act shall apply on the condition that data protection falls within the scope of Section 1 (2), second sentence.
(2) If the controller or processor has more than one establishment in Germany, Article 4 no. 16 of Regulation (EU) 2016/679 shall apply accordingly in determining which supervisory authority is competent. If more than one authority considers itself competent or not competent, or when the competence is unclear for other reasons, the supervisory authorities shall make a joint decision in accordance with Section 18 (2). Section 3 (3) and
(3) The supervisory authority may process the data it has stored only for purposes of supervision; to this end, it may transfer data to other supervisory authorities. Processing for another purpose shall be permitted in addition to Article 6 (4) of Regulation (EU) 2016/679 if
If the supervisory authority determines that data protection legislation has been violated, it shall have the power to inform the data subjects concerned, to report the violation to other bodies responsible for prosecution or punishment and, in the case of serious violations, to notify the trade supervisory authority to take measures under trade and industry law. Section 13 (4), fourth to seventh sentences shall apply accordingly.
(4) The bodies subject to monitoring and the persons responsible for their management shall provide a supervisory authority on request with the information necessary to perform their tasks. The person required to provide information may refuse to answer those questions which would expose himor herself or a relative as referred to in Section 383 (1) nos. 1 to 3 of the Code of Civil Procedure to the risk of criminal prosecution or proceedings under the Administrative Offences Act. The person required to provide information shall be informed accordingly.
(5) Persons assigned by the supervisory authority to monitor compliance with data protection legislation shall be authorized, as needed to perform their tasks, to enter the property and premises of the body and to have access to all data processing equipment and means. The body shall be obligated to tolerate such access. Section 16 (4) shall apply accordingly.
(2) Unless this Act provides otherwise, the provisions of the Administrative Offences Act and the general laws on criminal procedures, namely the Code of Criminal Procedure and the Judicature Act, shall apply accordingly in proceedings for violations pursuant to Article 83 (4) to (6) of Regulation (EU) 2016/679. Sections 56 to 58, 87, 88, 99 and 100 of the Administrative Offences Act shall not apply. Section 69 (4), second sentence of the Administrative Offences Act shall apply on the condition that the public prosecutor’s office may stop the proceedings only with the approval of the supervisory authority which issued the administrative decision imposing a fine.
(3) Such offences shall be prosecuted only if a complaint is filed. The data subject, the controller, the Federal Commissioner and the supervisory authority shall be entitled to file complaints.
15. ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 41 of Directive (EU) 2016/680;
(2) If a complaint about processing is lodged with the Federal Commissioner instead of the competent supervisory authority in another Member State of the European Union, the Federal Commissioner shall transmit the complaint to the competent supervisory authority without delay. In this case, the Federal Commissioner shall inform the data subject about the transmission of his or her complaint and shall provide further support at the data subject’s request.
(1) The controller shall consult the supervisory authority prior to processing which will form part of a new filing system if
(4) The Federal Commissioner shall inform the other state’s requesting supervisory authority of the results or, as the case may be, of the progress of the measures taken in response to the request. In the case of subsection 3, he or she shall provide reasons for refusing to comply with the request.
(5) The Federal Commissioner shall, as a rule, supply the information requested by the other state’s supervisory authority by electronic means and using a standardized format.
(6) The Federal Commissioner shall not charge a fee for action taken pursuant to a request for mutual assistance unless he or she has agreed with the other state’s supervisory authority in the individual case on the reimbursement of expenses incurred.
“Section 42b Application of the supervisory authority for a court decision if it believes that a decision by the Commission violates European law”
5. The following Section 42b shall be added after Section 42a: “Section 42b Application of the supervisory authority for a court decision if it believes that a decision by the European Commission violates the law
(1) If a supervisory authority believes that an adequacy decision of the European Commission or a decision on the recognition of standard protection clauses or on the general validity of approved codes of conduct, on the validity of which a decision of the supervisory authority depends, violates the law, the supervisory authority shall suspend its procedure and lodge an application for a court decision.
(3) The Federal Administrative Court shall decide in the first and last instance on an application by the supervisory authority pursuant to subsection 1.
(4) In proceedings pursuant to subsection 1, the supervisory authority shall be competent to take part. The supervisory authority shall be a party to proceedings pursuant to subsection 1 as applicant; Section 63 nos. 3 and 4 of the Code of Administrative Court Procedure shall remain unaffected. The Federal Administrative Court may give the European Commission the opportunity to comment within a period of time to be determined.