Federal Data Protection Act

Original Language Title: Bundesdatenschutzgesetz

Read the untranslated law here: http://www.gesetze-im-internet.de/bdsg_1990/BJNR029550990.html

Federal Data Protection Act (BDSG) BDSG Ausfertigung date: 20.12.1990 full quotation: "Federal data protection act as amended by the notice of 14 January 2003 (BGBl. I S. 66), most recently by article 1 of the Act of February 25, 2015 (BGBl. I p. 162) has been changed" stand: Neugefasst by BEK. v. 14.1.2003 I 66.
 
As last amended by article 1 G v. 25.2.2015 I 162 for details on the stand number you see in the menu see remarks footnote (+++ text detection from: 1.6.1991 +++) the G as article 1 of the G v. 20.12.1990 I 2954 of the Bundestag with the consent of the Federal Council decided. § 10 para 4 sentence 3 and 4 is on the first day of the twenty-fourth on the proclamation of the following calendar month, in addition to the first day of the sixth the announcement of following each calendar month according Article 6 para 2 sentence 1 & 2 G v. 20.12.1990 I 2954 come into force. The G was announced on the 29.12.1990.

Table of contents the first section General and common provisions article 1 purpose and scope of the Act section 2 public and non-public bodies article 3 more definitions section 3a data avoidance and data minimisation § 4 admissibility of data collection, processing and use Section 4a consent article 4 b transfer of personal data to foreign countries as well as parent and intergovernmental bodies §4C exceptions § 4 d hailing § 4e content of notification section 4f of the Commissioner for data protection § 4 g duties of the Commissioner for data protection article 5 Confidentiality § 6 rights of affected sec. 6a automated individual decision section 6 b monitoring publicly available rooms with optical electronic devices § 6c mobile personal storage and processing Media § 7 compensation § 8 damages in automated data processing by public bodies article 9 technical and organizational measures 9a § 9A § 10 setting up automated retrieval procedure § 11 collection, processing or use of personal data on behalf of second section computing the authorities of first subsection legal basis § 12 data processing scope § 13 data collection § 14 data storage, modification and use of § 15 data transmission in public places article 16 data transmission to private parties § 17 (dropped out) § 18 implementation of data protection in the Federal Administration second subsection
 
 
 
Rights of the person concerned article 19 information on the affected section 19a notification section 20 correction, erasure and blocking of data; Contradiction law § 21 invocation of the Federal Commissioner for data protection and freedom of information third subsection of Federal Commissioner for data protection and freedom of information section 22 election of the Federal Commissioner for data protection and freedom of information section 23 legal status of the Federal Commissioner for data protection and freedom of information section 24 control by the Federal Commissioner for data protection and freedom of information section 25 complaints by the Federal Commissioner for data protection and freedom of information section 26 further tasks of the Federal Commissioner for data protection and freedom of information third section data processing non-public institutions and public service Competition company of first subsection legal bases of data processing section 27 scope of § 28 data collection and storage for its own business purposes § 28a of data transmission on bureaus § 28 b scoring section 29 business data collection and storage for the purpose of article 30 transfer business data collection and storage for the purpose of transfer in anonymised form section 30a businesslike data collection and storage for purposes of market research or opinion research § 31 special earmarking § 32 data collection, processing and use for purposes of employment second subsection Rights article 33 notification of the data subject article 34 information on the persons concerned § 35
Rectification, erasure and blocking of data third subsection authority articles 36 and 37 (dropped out) section 38 supervisory authority § 38a code of conduct to promote the implementation of data protection rules 4th section special provisions article 39 earmarking for personal data, which are subject to a special professional secrecy or professional section 40 processing and use of personal data by research institutions section 41 collection, processing and use of personal data by § 42 of the data protection officer of Deutsche Welle media section 42a obligation for unlawful obtaining of knowledge data fifth section final provisions § 43 penalty provisions article 44 penal provisions sixth section transitional provisions article 45 ongoing Uses section 46 continuing applicability of definitions § 47 transitional section 48 report of the Federal Government investment (to § 9 set 1) First section General and common provisions article 1 purpose and scope of application of Act (1) the purpose this law it is the individual to protect that he is affected by the handling of his personal data in its personality right,.
(2) this Act applies to the collection, processing and use of personal data by 1 public bodies of the Federation, 2. public authorities of countries, unless the privacy not by State law and if they a) run federal law or b) as organs of the administration of Justice Act and it is not administrative matters, 3. non-public bodies, as far as the data of use of data processing systems processing , use or to raise or process the data in or from non-automated files, use or for this charge, unless unless the collection, processing or use of the data is exclusively for personal or family activities.
(3) as far as other legislation of Federal personal information to apply are including their publication, they go before the provisions of this Act. The obligation to respect legal obligations to maintain secrecy or by professional or special administrative confidentiality not based on statutory provisions, shall remain unaffected.
(4) the provisions of this Act be which of the Administrative Procedure Act, as far as personal data are processed in the determination of the facts.
(5) this law does processed not apply unless a personal data in Germany rises located responsible in another Member State of the European Union or in another Contracting State to the agreement on the European economic area, or uses, unless this is done by a subsidiary in Germany. This law application is processed, if a responsible authority, which is situated in a Member State of the European Union or in another Contracting State to the agreement on the European economic area collects personal data in Germany, or uses. Unless the entity responsible name according to this law, resident representatives are also details of domestic make. Sentences 2 and 3 do not apply, provided that the disk be used only for the purpose of transit through the domestic. Article 38, paragraph 1, sentence 1 shall remain unaffected.

§ 2 public and non-public bodies (1) public bodies of the Federation are the authorities, the institutions of Justice and other public organized federal facilities, federal authorities, establishments and foundations under public law, as well as their associations irrespective of their legal form. The company arising from the Special Fund Deutsche Bundespost by Act are considered public bodies, as long as an exclusive right entitled to them under the postal Act.
(2) public authorities of countries irrespective of their legal form are the organs of administration of Justice, the authorities, their associations and other organized public institutions of a country, a community, a Community Association and other standing under the supervision of the country legal persons of governed by public law.
(3) associations of private law by public bodies of the Federation and the countries that perform functions of public administration, apply irrespective of the participation of non-public bodies as public bodies of the Federation if 1 they are working over the area of a country, or 2. the absolute majority of the shares belongs to the federal or the absolute majority of the votes entitled to.
Otherwise, they are considered public bodies of the countries.
(4) non-public bodies are natural and legal persons, companies and other associations of persons of private law, insofar as they are not covered by paragraphs 1 to 3. A non-public entity perceives entrust tasks of public administration, it is to the extent public authority within the meaning of this Act.

Section 3 further definitions (1) personal data are individual details about personal or factual circumstances of a specific or specifiable natural person (data subject).
(2) automated processing is the collection, processing or use of personal data by use of data processing equipment. A non-automated file is any non-automated collection of personal data which is homogeneous and is accessible by certain characteristics can be evaluated.
(3) raise is the obtaining of data of the persons concerned.
(4) process is save, change, transfer, locking and deletion of personal data. Is in the individual, regardless of the methods used: 1.
Save the capturing, recording or storing personal data on a disk for the purpose of their further processing or use, 2. changing refactoring stored personal data, 3. submit content expose stored or by means of data processing of personal data to a third party in such a way that a) the data be disclosed to third parties or b) the third party for inspection or retrieval is provided data or gets , 4 lock the marking of stored personal data, to restrict their further processing or use, 5 delete defaced making of stored personal data.
(5) use is any use of personal data, insofar as it is not processing.
(6) make anonymous is the change of personal data so that the individual details about personal or factual circumstances no longer or only with a disproportionately large expense in time, cost and labor of a specific or specifiable natural person can be associated.
(6a) aliasing is the replacement of the name and other identifying features a symbol for the purpose to exclude the provision of the data subject or significantly to make it more difficult.
(7) the responsible body is a person or body, which collects personal data for their own, processes or uses or can be done by others on behalf of.
(8) the recipient is a person or body that will receive data. Third party is a person or body outside of the responsible authority. Third parties are not affected parties as well as persons and organisations that collect personal data on behalf of domestically, in another Member State of the European Union or in another Contracting State to the agreement on the European economic area, process or use.
(9) special types of personal data is information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life.
(10) mobile personal storage and processing media are disks, 1 that the suspect be issued, 2. where personal data storage through the issuing or anywhere else automated can be processed and the person concerned this processing only through the use of the media can influence 3. where.
(11) employees are: 1. workers and employees, 2. to their vocational training workers, 3 participants and participants in the participation in working life as well as clarifications of professional fitness or testing of work (Rehabilitandinnen and undergoing rehabilitation), 4th in recognized workshops for disabled persons employees, 5 after the Youth Act willing to 6 people, due to their economic dependency as employee-like persons to look at, are employees; These even if they work at home include employees and them equals, 7 applicants and applicants for employment, as well as persons whose employment relationship ends is, 8 officers, officials, judges and judges of the Federal, soldiers and soldiers as well as civilian service.

section 3a data avoidance and data minimisation are to focus on the target, to collect as little personal data as possible, process or use collection, processing and use of personal data and the selection and design of data processing systems. In particular, are to anonymise personal data or pseudonymise, as far as this is possible to the intended purpose and is not disproportionate in relation to the protection purpose required.

Section 4 admissibility of data collection, processing and use (1) the collection, processing and use of personal data are allowed only insofar as this Act or other legislation allows or arranges or the data subject has consented.
(2) personal data are to raise in the individual. Without his participation it may be levied only, if 1 legislation so provides or requires mandatory or 2 a) after the management task to be their way or the purpose of the business requires a survey of other persons or bodies or b) the survey concerned would require a disproportionate effort and no indications that vast protection interests of the person concerned are affected.
(3) be collected personal data in the individual, he is so the identity of the responsible authority, 2. If not already has come to its knowledge in other ways, by the responsible body about 1 the purposes of collection, processing or use, and 3. the categories of recipients only as far as the person concerned must not count according to the circumstances of the individual case on delivery to these , to teach. Collected personal information to the person concerned on the basis of a legal provision which is obliged to provide information, or providing the information is a prerequisite for the granting of legal benefits, the person concerned this is so otherwise indicate the voluntary nature of his information. As far as according to the circumstances of the individual case required or upon request, it is about the legislation and about the consequences of the denial of information to educate.

Section 4a consent (1) the consent is effective only if it is based on the free decision of the person concerned. He is on the purpose of the collection, processing or use and, as far as to the circumstances of the individual case required or upon request, on the consequences of refusal of consent to point out. The consent if in writing, unless another form is not appropriate because of special circumstances. Should the consent together with other statements is to be granted in writing, it is notable.
(2) in the field of scientific research a special circumstance within the meaning of paragraph 1 exists set 3 even if the specific purpose of research would substantially impaired by the written form. In this case, the note are referred to in paragraph 1 sentence 2 and the reasons which the considerable prejudice to the specific purpose of research results, to put in writing.
(3) as far as special types of personal data (§ 3 ABS. 9) are collected, processed or used, the consent must in addition explicitly refer to this data.

§ 4 b transfer of personal data abroad as well as parent - or intergovernmental bodies (1) for the transfer of personal data to places 1st in other Member States of the European Union, 2nd in other States party to the agreement on the European economic area or 3. the organs and institutions of the European Communities shall apply article 15, paragraph 1, article 16, paragraph 1 and sections 28 to 30a in accordance with the submitted these laws and agreements , as far as the transmitted within the framework of activities, which fall wholly or partly within the scope of the law of the European communities.
(2) paragraph 1 shall apply accordingly for the transfer of personal data in places referred to in paragraph 1, which is not within the scope of activities falling wholly or partly within the scope of the law of the European communities, as well as on foreign or parent or intergovernmental bodies. The transmission is omitted, unless the person concerned has a legitimate interest in the exclusion of the delivery, especially if the authorities referred to in sentence 1 are not guaranteed an adequate level of data protection. Sentence 2 shall not apply if the delivery to fulfil own tasks of a public authority of the Federal Government for compelling reasons of defence or the fulfilment of over or intergovernmental obligations in the field of crisis management or conflict prevention or for humanitarian action is required.
(3) the adequacy of the level of protection is assessed taking into account all the circumstances are when a data transfer operation or set of data transfer operations of importance; in particular, the type of data, the purpose, the duration of the proposed processing, the country of origin and the country of final destination, used current legal standards and the applicable professional rules and security measures for that recipient can.
(4) in the cases of § 16 para 1 No. 2 shall inform the transmitting body to those affected by the transfer of his data. This does not apply if it can be expected is that he becomes aware of it otherwise, or if the information would endanger public safety or otherwise prepare disadvantages the well-being of the Federation or a land.
(5) the admissibility of the communication is responsible for the transmitting site.
(6) the authority to whom the data are disclosed, is to indicate the purpose of the data are transmitted to its fulfilment.

section 4 c exceptions (1) In the framework of activities which fall, wholly or in part within the scope of the law of the European communities is a transfer of personal data to others as in § 4 of par. 1 b mentioned point, although with them an adequate level of data protection is not ensured, permitted, provided that the person concerned his consent has given 1, 2.
Providing for the performance of a contract between the data subject and the responsible body or the implementation of precontractual measures taken at the request of the person concerned, is required, 3. that submission at the end or to the performance of a contract is required, which was closed in the interest of the person concerned by the responsible authority with a third party, or should be closed, 4 providing for the preservation of important public interest, or to claim , Exercise or defence of legal claims is required, 5 is the submission for the vital interests of the data subject is required or 6 the transmission from a register that is to inform of the public determined and either the public or by any person who can demonstrate a legitimate interest, to consultation is open, as far as the legal conditions in individual cases.
The job, to whom the data are disclosed, is to point out that the transmitted data may be processed only for the purpose or used, they delivered to its fulfilment.
(2) without prejudice to paragraph 1 sentence 1 can the competent supervisory authority single transmissions or certain types of transfers of personal data to others when you approve b paragraph 1 bodies as referred in article 4, if the responsible authority has sufficient guarantees regarding the protection of personal rights and the exercise of rights; the guarantees may arise from contractual clauses or binding corporate rules. The Federal Commissioner for data protection and freedom of information is responsible for the postal and telecommunications companies. If the delivery is required by public agencies, they perform the check pursuant to sentence 1.
(3) the countries share the Federal judgment decisions referred to in paragraph 2 sentence 1 with.

§ 4 d registration are (1) procedures automated processing before their use by non-public authorities authorities and by public authorities of the Federation and of the postal and telecommunications company to report the Federal Commissioner for data protection and freedom of information pursuant to § 4e.
(2) the notification obligation shall not apply if the responsible entity has appointed a data protection officer.
(3) the reporting obligation is also, if the entity responsible collects personally identifiable information for their own purposes, processed or uses this usually not more than nine persons constantly collection, processing or use of personal data and either the consent of the person concerned is or the collection, processing or use for the establishment, implementation or termination of a contractual or legal transaction similar debt relationship with the parties concerned.
(4) the provisions of paragraphs 2 and 3 do not apply if it is automated processing businesslike personal data stored by the respective job 1 for the purpose of transfer, 2. for the purpose of anonymous delivery or 3 for purposes of market research or opinion research.
(5) as far as automated processing operations have specific risks to the rights and freedoms of data subjects, they are subject to the test before the start of the processing (ex ante control). A prior checking is especially carried out if 1 special types of personal data (§ 3 ABS. 9) are processed or 2 is the processing of personal data intended to assess the personality of the person concerned including his abilities, his performance or his behavior, unless that is a legal obligation or a consent of the person concerned, or the collection, processing or use for the rationale , Execution or termination of contractual or similar legal obligation with the parties concerned is required.
(6) the Commissioner for data protection is responsible for the ex ante control. This makes the prior checking after receiving the summary 4 g para 2 sentence 1 according to §. He has to apply in cases of doubt to the supervisory authority or in the postal and telecommunications companies to the Federal Commissioner for data protection and freedom of information.

§ 4e following information contents of notification procedures automated processing operations are subject, are: 1 name or company of the responsible authority, 2nd owners, Board members, Managing Director or other statutory or appointed according to the Constitution of the company director and the persons entrusted with the management of data processing, 3. address of the responsible body, 4. purposes of data collection, processing or use, 5. a description of the person concerned and the related data or data categories , 6. recipients or categories of recipients, to whom the data may be communicated, 7 standard deadlines for the deletion of data, 8 a planned data transfer to third countries, 9 a general description that makes it possible for the time being to assess whether the measures are adequate according to article 9 to ensure of security of processing.
section 4 d para 1 and 4 applies for the amendment of the information communicated pursuant to sentence 1, as well as for the time of the recording and the termination of the reportable activity in accordance with.

section 4f of the Commissioner for data protection (1) public and private bodies that automated process personal data, have to appoint a data protection officer in writing. Private bodies are obliged, at the latest within one month of its establishment. The same applies when personal information in other ways is collected, processed or used and at least 20 people are employed. Sentences 1 and 2 shall not apply to the non-public bodies which constantly deal with no more than nine persons usually with the automated processing of personal data. As far as due to the structure of a public authority required the appointment of a Commissioner for data protection in several areas is sufficient. As far as private parties to make automated processing operations that are subject to a prior check, or personal data automated process businesslike to the end of the anonymous transmission or for purposes of market research or opinion research, they have regardless of the number of persons employed with the automated processing to appoint a data protection officer.
(2) to the data protection officer may only be ordered if you have the expertise required to carry out its tasks and reliability. The degree of required expertise determines in particular according to the extent of the data processing of the responsible authority and the need for protection of personal data, which is the responsible body or used. To the data protection officer, a person outside the responsible authority can be ordered; the control also extends to personal data which are subject to a special professional secrecy, in particular the tax secret according to § 30 of the tax code, or professional. Public authorities can order a staff member from another public location to the data protection officer with the approval of their supervisors.
(3) the Commissioner for data protection shall be place under the head of the public or non-public office immediately. It is free in the exercise of its expertise in the field of data protection directive. He may not be disadvantaged due to the performance of his duties. The order to the data protection officer may be revoked in corresponding application of section 626 of the civil code, in non-public places also at the request of the supervisory authority of. A Commissioner for data protection is referred to in paragraph 1 to order the termination of employment is not permitted, unless that evidence of facts, which entitle the entity responsible to terminate for good cause without observing a notice period. After the dismissal as Commissioner for data protection, cancellation is not permitted within one year after the termination of the order, except that the entity responsible to terminate for good cause without observing a notice period is entitled. To maintain the expertise needed to carry out its tasks, the responsible entity has to allow participation in further and continuing education events for the Commissioner for data protection and to cover their costs.
(4) the Commissioner for data protection is obliged to maintain confidentiality about the identity of the person concerned as well as circumstances which permit conclusions on those affected, insofar as he is not discharged by the party concerned.
(4a) where the Commissioner receives privacy at his occupation data, for which a privilege is entitled to the Director or a person employed in the public or non-public spot for professional reasons, this right is also the Commissioner for data protection and its support staff. The person entitled to the privilege for professional reasons, decides on the exercise of this right except that this decision can not be achieved any time soon. As far as the privilege of the Commissioner for data protection goes, its files and other documents are subject to a prohibition of seizure.
(5) the public and non-public bodies have the Commissioner for data protection in the fulfilment of its tasks to support and it in particular, as far as this is necessary for the fulfilment of its tasks to provide support staff, rooms, facilities, equipment and means. Affected parties can at any time contact the data protection officer.

§ 4 g duties of the Commissioner for data protection (1) the Commissioner for data protection works towards compliance with this Act and other legislation on data protection. For this purpose, the Commissioner for data protection in cases of doubt, to the authority responsible for controlling privacy on the responsible authority may consult. He can take the advice according to § 38 paragraph 1 sentence 2 claim. He has in particular 1 the proper application of data processing programs, using their personal data processed are to monitor; for this purpose, he is about intentions of the automated processing of personal data in time to teach, to make 2 the persons working in the processing of personal data through appropriate measures with the provisions of this Act and other regulations on data protection and with the respective special requirements of data protection.
(2) the Commissioner for the privacy policy is to provide an overview of the information specified in § 4e sentence 1 and authorized persons by the responsible authority. The Commissioner for data protection makes everyone in an appropriate manner according to § 4e sentence 1 No. 1 to 8 at the request of the information available.
(2a) if there is no obligation to appoint a data protection officer at a non-public place the head of the non-public authority has the tasks to make sure paragraphs 1 and 2 in any other way.
(3) on the authorities referred to in article 6, paragraph 2, sentence 4, paragraph 2 sentence 2 shall not apply. Paragraph 1 applies sentence 2 with the proviso, that the official Ombudsman for data protection establishes the behaviour with the Chief Executive; Disagreements between the regulatory data protection officer and the Chief Executive will decide the Supreme Federal Authority.

§ 5 confidentiality persons employed in the data processing is prohibited without authorization to collect personal data, process or use (data secrecy). These people are as far as they are employed by non-public bodies to undertake when entering upon their duties on data confidentiality. The confidentiality persists even after the termination of their activities.

§ 6 rights of the person concerned (1) the rights of the person concerned to receive information (sections 19, 34) and to rectification, erasure or blocking (sections 20, 35) can be excluded by legal transaction or limited.
(2) the data of the person concerned are automated stored in such a way that several bodies are entitled to storage, and the person concerned not in the position to determine which body has stored the data, is so he can refer to any of these places. It is obliged to pass on the submissions of the person concerned to the body which has stored the data. The person concerned has to inform the forwarding and that place. The authorities referred to in article 19, paragraph 3, the authorities of the public prosecutor's Office and the police, as well as public authorities of financial management, where they store personal data on their statutory tasks in the scope of application of the tax law for monitoring and testing, can teach the Federal Commissioner for data protection and freedom of information instead of the person concerned. In this case, is the exercise of a right of the person concerned, arising from this Act or of a different provision on data protection the procedure according to § 19 para 6 (3) personal information about, may be used only for the performance of the duties of the responsible authority resulting from the exercise of the right.

Section 6a of the automated individual decision (1) decisions that entail a legal consequence for the person affected or significantly affect him, may be based not solely on the automated processing of personal data, which are used to assessing individual personality traits. A decision based solely on automated processing exists in particular if no content review and fact-based decision-making by a natural person has taken place.
(2) this does not apply if 1 the decision in the context of the financial statements or the performance of a contract or other legal relationship and the desire of the person concerned was granted or 2. respect for the legitimate interests of the person concerned by appropriate measures is ensured and the responsible agency concerned shall the fact of the existence of a decision within the meaning of paragraph 1, and tells the main reasons of this decision at the request and explains.
(3) the right of the person concerned to receive information to the articles 19 and 34 extends also to the logical structure of the automated processing of data relating to him.

§ 6 b observation public spaces with optical electronic devices (1) the observation of public spaces with optical electronic devices (video surveillance) is permitted only insofar as she 1 to the fulfilment of public bodies, 2. the perception of the House right or 3. to carry out legitimate interests for specifically defined purposes is required and no evidence that prevail protect interests of the persons concerned.
(2) the fact of observation and the responsible are recognizable through appropriate measures.
(3) the processing or use of data collected pursuant to paragraph 1 is allowed, if it is necessary to achieve the purpose of the persecuted, and no evidence that prevail protect interests of the persons concerned. For any other purpose they may be only processed or used, insofar as this is necessary to ward off threats to the State and public security, as well as to the prosecution of criminal offences.
(4) collected of a particular person be associated through video surveillance, is to notify about any processing or use according to the sections 19a and 33.
(5) the data are immediately to delete when they are no longer required to achieve the purpose or preclude protection interests of those concerned of a further saving.

§ 6 c the body which is a mobile personal storage and processing medium or on the medium brings up a procedure for the automated processing of personal data, that expires, wholly or in part on such media, changes personal storage and processing media (1) mobile or this holds, the functioning of the media, including the type of personal data to be processed must be those concerned about 1 over their identity and address, 2nd in General an intelligible form , 3. Moreover, how he can exercise his rights to the articles 19, 20, 34 and 35, and 4th on the measures to be taken in case of loss or destruction of the medium teaching, insofar as the person concerned has not already become aware.
(2) the Agency required pursuant to paragraph 1 has to take care that are necessary equipment or facilities reasonably free use available to the exercise of the right to information.
(3) communications operations that cause a data processing on the media, must be clearly identifiable for the persons concerned.

§ 7 compensation adds a responsible concerned by one according to this law or under other provisions concerning data protection invalid or improper collection, processing or use of his personal data, is damage they or their vehicle commits the person concerned to pay damages. The obligation is void, unless the responsible authority has complied with the care provided according to the circumstances of the case.

§ 8 damages in automated data processing by public bodies (1) a responsible public body adds to invalid or incorrect automated collection, processing or use of his personal data damage by a concerned under this Act or under other provisions concerning data protection, is obliged to pay damages their vehicle the person concerned regardless of any fault.
(2) in the case of a serious injury of the right to privacy, the damage that non-pecuniary damage is adequate to replace money is concerned.
(3) the claims under paragraphs 1 and 2 are a total limited to a sum of 130,000 euros. Compensation is due to the same event to multiple people to afford, which exceeds the maximum amount of 130,000 euros, a total the individual compensation in the ratio, where is your total to the maximum decrease.
(4) several bodies are automated processing storage entitled and the injured party not in a position to determine the storage place is as each of these places is liable.
(5) has a fault of the person concerned participated in the damage, § 254 of the German Civil Code shall apply.
(6) on the Statute of limitations of the civil statute of limitations rules applicable to torts / delicts find code shall apply.

§ 9 technical and organisational measures, public and non-public bodies themselves or on behalf of personal data, process and use, have to meet the technical and organizational measures that are necessary to carry out the provisions of this Act, in particular the requirements referred to in the annex to this law, to ensure. Measures are required only if your expenses in proportion to the protection purpose.

9a § 9A to improve data protection and data security provider of data processing systems and programs and data processing offices can can check their data protection concept, as well as their technical facilities by independent and Authorised Auditors and to review and publish the result of the test. The detailed requirements on testing and assessment, the procedure and the selection and approval of the experts are regulated by special law.

§ 10 setting up automated retrieval procedures (1) setting up an automated procedure that enables the transmission of personal data by retrieving, is permitted, insofar as this is appropriate, taking into account the legitimate interests of the person concerned and tasks or business purposes of the bodies involved. The rules on the eligibility of the individual call shall remain unaffected.
(2) the bodies involved have to ensure that the admissibility of retrieval process can be controlled. To do this, they have to specify in writing: 1 occasion and purpose of the polling process, 2. third parties, will be delivered, 3 types of data to be transmitted, 4. technical and organizational measures required pursuant to § 9.
In the public sector, the necessary provisions can be made also by the technical supervision authorities.
(3) concerning the establishment of retrieval procedures, 2 in cases where the authorities referred to in article 12, paragraph 1 of the Federal Commissioner for data protection and freedom of information in communication of the provisions referred to in paragraph are involved, is to teach. The establishment of retrieval procedures, where the involved bodies as referred in article 6, paragraph 2 and article 19, para. 3, is only permitted if it has approved each competent federal or State Ministry of for the storing and retrieving point.
(4) the third will be delivered to the bears responsibility for the admissibility of each retrieval. The storing place the admissibility of views only checks to see if there is reason to. The recording authority has to ensure that the transmission of personal data can be found and verified at least by appropriate sampling procedures. A total of personal data is fetched from or transmitted (batch processing), so ensuring the identification and verification refers only to the admissibility of retrieval or the submission of all cases.
(5) paragraphs 1 to 4 do not apply to accessible data retrieval. Data that is everyone, are generally available with or without prior notification, approval or payment of a fee, can use it.

§ 11 collection, processing or use of personal data on behalf of (1) are personal data on behalf of other bodies collected, processed or used, is responsible to the client for the compliance with the provisions of this Act and other legislation on data protection. The rights referred to in articles 6, 7 and 8 are to to claim him.
(2) the contractor is to choose carefully, focusing on the suitability of the technical and organisational measures taken by him. The order in writing to grant, to set especially in the individual being: 1 the subject and the duration of the contract, 2. the scope, the nature and the purpose of the intended collection, processing or use of data, the type of data and the circle of stakeholders, 3. that pursuant to § 9 to appropriate technical and organisational measures, 4. the rectification, erasure and blocking of data , 5. the obligations of the contractor pursuant to paragraph 4, in particular, to be made of it controls, 6 any permission to the grounds of lower order relations, 7 the control rights of the contracting authority and the corresponding Duldungs - and split with cooperation obligations of the contractor, 8 breach of the contractor or at him employed persons with regard to rules on the protection of personal data or against the commitments taken on behalf of 9 the scope of authority , which the contracting authority to the contractor reserves, 10 the return of full-service commercial disk and deleted when the contractor of stored data after completion of the order.
He may be granted at public places by the supervision authority. The principal has before the data processing and then regularly the compliance with the technical and organisational measures taken by the contractor to convince. The result is to be documented.
(3) the contractor must collect the data only within the scope of the instructions of the customer, process or use. He is of the opinion that an instruction of the client violates this law or other provisions concerning data protection, he has to indicate the principal without delay.
(4) No. 2, 10 and 11, paragraph 2 shall apply for the contractor in addition to the sections 5, 9, 43 para 1 No. 1 to 3 and par. 3 and § 44 only the provisions on data protection control or supervision, for 1 a) public bodies, b) non-public places, where the majority of the shares belongs to public or the majority of votes are entitled to and the contracting authority is a public body , the sections 18, 24-26, or the corresponding provisions of the data protection laws of the countries, 2. process the other non-public bodies insofar as they collect personal data on behalf of a service company businesslike, or use, the sections 4f, 4 g and 38 (5) paragraphs 1 to 4 shall apply mutatis mutandis, if the testing or servicing of automated procedures or of data processing equipment by other places in the order is made and while accessing personal data can not be excluded.
Second section computing the authorities of first subsection legal bases of data processing article 12 scope (1) the provisions of this section apply to public bodies of the Federation, as far as they do not participate in competition as a public company.
(2) unless the privacy not by State law, apply the sections 12 to 16, 19 to 20 for the public authorities of the countries where they run 1 Federal law and does not participate in the competition as a public company, or 2. organs of the administration of Justice Act and it is not administrative matters.
(3) for data protection section 23 paragraph 4 applies country representative accordingly.
(4) personal data collected, processed for former, existing or future employment or used number 2 and §§ 32-35, instead of sections 13 to 16 and 19 to 20 apply article 28, paragraph 2.

§ 13 data collection (1) the collection of personal data is permitted if their knowledge to carry out the tasks of the responsible authority is required.
(1a) are personal data instead of in the individual in a non-public place raised the point on the legislation is obliged to otherwise indicate the voluntary nature of their information to the information.
(2) the rise of special types of personal data (§ 3 ABS. 9) is only permitted as far as 1 a piece of legislation so provides or requires compelling reasons of important public interest, 2. the data subject has consented in accordance with Article 4a, paragraph 3, 3. This is necessary to protect of vital interests of the data subject or a third party, unless the party concerned physical or legal reasons is unable , to give his consent 4. is data, the data subject has made obviously public, 5. This is necessary to avert of a serious threat to public safety, 6 this imperative to avert of significant disadvantages for the common good or to safeguard major interests of the common good requires, 7 this is necessary for the purpose of health care, medical diagnosis, health care or treatment or the management of health services and the processing of these data by medical personnel or by are other persons who are subject to an equivalent obligation of secrecy, 8.
This is required to carry out scientific research, scientific interest in the implementation of the research project which significantly outweighs the interest of the person concerned to the exclusion of the survey and the purpose of the research in other ways not or only at disproportionate time and effort can be achieved, or 9 this compelling reasons to defend or fulfillment above or intergovernmental obligations of a public authority of the Federal Government in the field of crisis management or conflict prevention or for humanitarian action is required.

§ 14 data storage, modification and use of (1) storing, modification or use of personal data is permitted if it for the fulfilment of the tasks under the responsibility of the responsible authority is required and it for the purposes for which the data are collected. Is preceded by no survey, the data may for any purpose be altered or used, for which they have been stored.
(2) the save, change or use for other purposes is permitted only if 1 this provides for a legislative provision or necessarily requires, 2. the data subject has consented, 3 is obvious, that it is in the interest of the person concerned, and is no reason to believe that he would refuse his consent to having regard to the purpose of the other, 4. details of the person concerned must be checked , because actual evidence for their inaccuracy, 5 which are generally available data or the entity responsible they should publish, unless that outweighs the protection interest of the person concerned to the exclusion of purpose change obviously, 6 it is necessary to ward off considerable disadvantages for the public or a danger to public safety or to maintain significant interests of the common good, , 7's to the prosecution of criminal offences or administrative offences, the enforcement or execution of penalties or measures within the meaning of § 11 para 1 No. 8 of the Penal Code or require correction or breeding means within the meaning of the Juvenile Court Act, or the enforcement of penalty decisions, 8 it is necessary to ward off a serious impairment of the rights of another person or 9's to carry out scientific research is required , significantly outweighs the interest of the person concerned to the exclusion of purpose change the scientific interest in the implementation of the research project and the purpose of the research in other ways not or only at disproportionate time and effort can be achieved.
(3) any processing or use for other purposes is not, if it serves the perception of supervisory and control powers, audit or the implementation of organisational studies for the responsible. This is true also for the processing or use by the entity responsible for training and testing purposes where conflict not vast protection interests of the person concerned.
(4) personal data stored exclusively for purposes of privacy control, backup or to ensure a proper operation of a data processing system may be used only for these purposes.
(5) the save, change or use of special types of personal data (§ 3 ABS. 9) for other purposes is only allowed if a collection according to § 13 ABS. 2 Nr. 1 to 6 or 9 would allow 1 which are prerequisites, or 2 to carry out scientific research is required, the public interest in the conduct of the research project the interest of the data subject on the exclusion of purpose change significantly outweighs and the purpose of the research in other ways not only with disproportionate time and effort can be achieved.
In balancing pursuant to sentence 1 No. 2 is the scientific interest in the research project particularly taken into account in the context of the public interest.
(6) the storage, modification or use of special types of personal data (section 3 paragraph 9) to the in section 13, paragraph 2 purposes referred to in no. 7 depends on the confidentiality obligations in section 13, paragraph 2 applicable to persons referred to in no. 7.

§ 15 data transmission to public authorities (1) the transfer of personal data in public places is allowed for the fulfilment of the requirements are the responsibility of the sending site or of third parties to which the data is transmitted, tasks is required and 2. use according to § 14 should keep to 1.
(2) responsibility for the admissibility of the communication is the transmitting site. The delivery is carried out at the request of the third party, the data are transmitted to the this is responsible. In this case the transmitting authority checks only the transfer request within the framework of the tasks of the third party, the data are transmitted to the is, except that there is a special occasion for the consideration of the admissibility of the communication. § 10 section 4 shall remain unaffected.
(3) the third party, the data are transmitted to the may process them for the purpose or use, they transferred him to its fulfilment. Any processing or use for other purposes is permitted only under the conditions of § 14 para 2.
(4) paragraphs 1 to 3 shall apply for the transmission of personal data to places of public religious associations, provided that it is ensured that adequate data protection measures are taken at these.
(5) connected with personal data that may be transferred under paragraph 1, other personal data of the person concerned or a third party so, that a separation not or is possible only with unreasonable effort, so is the transmission of this data also permitted, as far as not legitimate interests of the data subject or a third party to whose secrecy obviously outweigh; Use of this data is not permitted.
(6) paragraph 5 applies mutatis mutandis where personal data within a public authority be passed.

§ 16 data transmission to private parties (1) the transfer of personal data to non-public institutions is permitted if 1 it to fulfil the tasks under the responsibility of the sending site is required and the conditions exist that would allow a use according to section 14, or the third parties to which the data is transmitted, a legitimate interest in the knowledge of the data to be transmitted credibly outlines 2. and the person concerned has no legitimate interest in the exclusion of the delivery. The transfer of special types of personal data (§ 3 ABS. 9) is derogation from sentence 1 No. 2 only permissible, if the requirements are met, which would allow a use according to § 14 para 5 and 6, or as far as this is necessary for the claim, exercise or defence of legal claims.
(2) responsibility for the admissibility of the communication is the transmitting site.
(3) in cases of delivery pursuant to paragraph 1 No. 2 shall inform the transmitting body to those affected by the transfer of his data. This does not apply if it can be expected is that he becomes aware of it otherwise, or if the information would endanger public safety or otherwise prepare disadvantages the benefit of the Federation or a land.
(4) the third party to which the data is transmitted, may process them only for the purpose or use, they transferred him to its fulfilment. The transmitting authority has to point it out. Any processing or use for other purposes is allowed if a delivery would be permissible under paragraph 1 and the transmitting authority has approved.

Article 17 (dropped out) section 18 implementation of data protection in the Federal Administration (1) the Supreme Federal authorities, the President of the federal railway assets and the federal authorities, establishments and foundations under public law, the only legal supervision is exercised by the Federal Government or a Supreme Federal authorities have to ensure the execution of this law, as well as other legislation on data protection for their business area. The same applies to the directors of the company arising from the Special Fund Deutsche Bundespost by Act, as long as an exclusive right to this under the postal Act.
(2) the public authorities maintain a directory of used computers. For their automated processing operations, they have to set in writing the information according to § 4e, as well as the legal basis of the processing. Can be seen from this serving for general administration purposes automated processing, in which the right of access of the data subject is not restricted according to § 19 section 3 or 4. For automated processing operations carried out several times in same or similar way, the definitions can be grouped together.
Second subsection Rights article 19 concerned is information on the persons concerned (1) to provide information about 1 at the request of the data stored to his person, also insofar as they relate to the origin of such data, 2. the recipients or categories of recipients to whom the data are disclosed, and 3. the purpose of the storage.
The kind of personal data, the information should be provided, to identified closer in the application. The personal data are neither automatically nor stored in non-automated files, the information is granted only as far as the person concerned makes statements that allow finding the data, and is required for the supply of the information not out of proportion to the interest asserted by the party concerned. The responsible body determines the procedure, particularly in the form of information to dutiful discretion.
(2) paragraph 1 does not apply to personal data which are only stored, because they must not be deleted due to legal, statutory or contractual retention requirements, or would serve only for purposes of data backup or data protection control and an disclosure require a disproportionate effort.
(3) the information refers to the transmission of personal data to intelligence, the Federal Intelligence Service, the military Abschirmdienst and, as far as the security of the Federation is touched, other authorities of the Ministry of defence, it is permitted only with the approval of these posts.
(4) providing information is omitted as far as 1 that the proper performance of the tasks under the responsibility of the responsible authority would endanger information, would give 2 the information which endanger public security or order or otherwise the benefit of the Federal Government or disadvantages of a country or the data or the fact guardians 3. interests of a third party their storage after a piece of legislation or its nature, in particular due to the vast , kept secret will need to and that's why the interest of the data subject to the disclosure must resign.
(5) the refusal of information need not a reason, as far as the statement of the factual and legal grounds on which the decision is based, jeopardizes the purpose pursued by the refusal of information. In this case, the person concerned, it is to point out that he can turn to the Federal Commissioner for data protection and freedom of information.
(6) no information issued to the person concerned, it shall at his request to grant the Federal Commissioner for data protection and freedom of information, as far as not the competent Supreme Federal Authority determines in a particular case that this jeopardizes the security of the Federation or a land. The communication of the Federal Commissioner on the person concerned must allow no conclusions on the State of knowledge of the responsible authority, unless it agrees with not a further information.
(7) the information is provided free of charge.

section 19a notification (1) collected data without the knowledge of the person concerned, he comes from the storage, the identity of the responsible authority, as well as the purposes of the survey, to notify processing or use. The person concerned shall be informed, insofar as he must not expect delivery to these also on the recipients or categories of recipients of the data. Where a delivery is provided for, the briefing at the latest at the first transmission must be made.
(2) a duty to notify fails if of affected otherwise has gained knowledge of the storage or transmission 1, 2. the notification of the person concerned requires a disproportionate effort, or 3. the storage or transmission of personal data by law is expressly provided.
The responsible body in writing sets conditions under which 2 or 3 is apart of a notification referred to in point.
(3) section 19 para 2 to 4 shall apply mutatis mutandis.

Article 20 rectification, erasure and blocking of data; (1) personal data are right to correct if they are inaccurate. Is established that personal data which processes automated or non-automated files are stored, are incorrect, or their accuracy is disputed by the affected this is so in an appropriate manner to hold.
(2) personal data processed automated or non-automated files are stored, is to delete if 1 their storage is inadmissible or 2 their knowledge for the entity responsible for the fulfilment of the tasks within their competence is no longer required.
(3) at the point of a deletion, blocking occurs as far as 1 legal, statutory or contractual retention periods oppose deletion, 2. There is reason to believe, that a deletion protection interests of the person concerned would adversely affect, or 3 a deletion because of the special nature of storage not or only with disproportionately high costs is possible.
(4) personal data processed automated or non-automated files are stored, are also to close, as far as accuracy is disputed by the affected and be identified neither the accuracy nor the incorrectness.
(5) personal data may be charged not for automated processing or processing in non-automated files, processed or used, as far as the person on the responsible authority contradicts and an examination reveals that sensitive interest of the person concerned because of his particular personal situation outweighs the interest of the responsible position on this collection, processing or use. Sentence 1 shall not apply if a rule of law committed to the collection, processing or use.
(6) personal data which is not processed automatically or are stored in a non-automated file, are to block, if in individual cases, the authority finds that adversely affected without the blocking protection interests of the person concerned and the data for the fulfilment of the tasks of the authority are no longer required.
(7) locked data may be transmitted without the consent of the person concerned only or used if 1 for scientific purposes, to correct an existing proof emergency or other in the overwhelming interest of the responsible authority or a third party's essential reasons and 2 may be the data transmitted or used, if they were not locked out.
(8) of the correction of inaccurate data, the blocking of disputed data as well as the erasure or blocking inadmissibility of storage are to communicate the places where these data storage have been disclosed in the context of a notification if this requires a disproportionate effort and do not preclude protection interests of the person concerned.
(9) § 2 para 1 to 6, 8 and 9 of the Federal Archives Act shall apply.

Invocation of the Federal Commissioner for data protection and freedom of information anyone can the Federal Commissioner for data protection and freedom of information contact section 21, if he is considered to be injured in the collection, processing or use of his personal data by public bodies of the Federation in his right hand. This applies to the collection, processing or use of personal data by courts of the Federation only insofar as they are working in administrative matters.
Third subsection of Federal Commissioner for data protection and freedom of information section 22 election of the Federal Commissioner for data protection and freedom of information (1) the German Bundestag elects on the Federal Government's proposal the Federal Commissioner for data protection and freedom of information with more than half of the statutory number of its members. The Federal Commissioner must have completed the age of 35 years in his election. The selected is appointed by the Federal President.
(2) the Federal Commissioner shall before the Minister of the Interior following oath: "I swear that I dedicate my strength to the benefit of the German people, its benefits increase, contact damage from him, uphold the basic law and the laws of the Federal Government and defend, conscientiously fulfill my duties and justice will pursue anyone against. So help me God."
The oath can be made without a religious affirmation.
(3) the term of Office of the Federal Commissioner is five years. One-time re-election is permitted.
(4) the Federal Commissioner is in accordance with this Act to the federal public service Office relationship. He is subjected to in the performance of his duties independently and only the law. He is law supervised by the Federal Government.
(5) the Federal Commissioner is established at the Federal Ministry of the Interior. He is under the supervision of the Federal Ministry of the Interior. That is the Federal Commissioner for the fulfilment of its tasks necessary personnel and cause equipment to provide; It is in the section of the budget of the Federal Ministry of the Interior in its own chapter. The bodies are in agreement with the Federal Commissioner to occupy. The employee can, if they disagree with the proposed measure, are placed only in agreement with him, ordered or implemented.
(6) the Federal Commissioner is temporarily on the performance of his duties prevented, the Federal Minister of the Interior may delegate a representative with the perception of the business. The Federal Commissioner shall be include.

Section 23 legal status of the Federal Commissioner for data protection and freedom of information
(1) the official ratio of the Federal Commissioner for data protection and freedom of information begins with the handing over of the certificate of appointment. It ends up 1 at the end of the term, 2. with the dismissal.
The President dismisses the Federal Commissioner, if this requires it or on a proposal from the Federal Government, if you have grounds which justify the dismissal from the service with a judge on lifetime. In the event of the termination of the Office, the Federal Commissioner receives a certificate made by the Federal President. A dismissal is effective with the handing over of the certificate. At the request of the Federal Minister of the Interior, the Federal Commissioner is obliged to continue the business until the appointment of his successor.
(2) the Federal Commissioner may exercise no other paid Office, no trade and no profession next to his Office and belong to the management or to the Supervisory Board or Board of Directors of a company acquisition-oriented nor a Government or a legislative body of the Federation or a land. He may not deliver extra-judicial opinion for a fee.
(3) the Federal Commissioner has to make to the Federal Ministry of the Interior communication on gifts he receives in his Office. The Federal Ministry of the Interior decides on the use of the gifts.
(4) the Federal Commissioner shall be entitled to deny the testimony of persons who have entrusted facts in his capacity as Federal Commissioner, as well as the facts themselves. The same applies to the employees of the Federal Commissioner with the proviso that the Federal Commissioner decides whether the exercise of this right. As far as the privilege of the Federal Commissioner goes, the presentation or delivery of files or other documents by him may not be required.
(5) the Federal Commissioner, even after termination of his Office, committed to him officially known issues to preserve secrecy. This does not apply to communications in the interests of the service or about facts that are obvious or require their importance for any secrecy. The Federal Commissioner may, even if he is no longer in the Office, about such matters without the permission of the Federal Ministry of the Interior either in court or out of court statements or declarations. The legally justified obligation to display crime and to promote conservation in threat to the free democratic basic order shall remain unaffected. For the Federal Commissioner and his staff apply para 1, § 111 paragraph 5 in conjunction with article 105, paragraph 1, and article 116, paragraph 1, of the tax code, not the sections 93, 97, 105. Sentence 5 shall not apply, as far as the financial authorities need knowledge to perform a procedure due to a Steuerstraftat, as well as a related tax procedure, whose persecution there is a compelling public interest, or where it is deliberately false information of the respondents or the persons working for him. The Federal Commissioner finds a breach of privacy, he is authorized to display it and inform the person concerned thereof.
(6) the authorisation to testify as a witness, should be refused only if the statement would prepare disadvantages to the benefit of the Federation or a German land or seriously jeopardise the performance of public duties or significantly complicate. The right to give an opinion, can be refused if the refund would cause disadvantages the official interests. section 28 of the Federal Constitutional Court Act shall remain unaffected.
(7) the Federal Commissioner receives from the beginning of the calendar month in which the official relationship begins, until at the end of the calendar month, in which the Office ends, in the case of paragraph 1 set until to the end of the month in which the management ends, salaries in salaries due to the height of a federal official of in grade B 9 6. The Federal travel Act and the Federal costs of moving are apply mutatis mutandis. In addition ABS 6 as well as the § are § 12 § 13 to 20 and 21a to apply paragraph 5 of the Federal Minister act with the requirements, that takes the place of the four-year term in section 15, paragraph 1, of the law of the Federal Minister a term by five years and the grade B-9 place the grade B 11 in article 21a par. 5 of the law of Minister of the Federal. By way of derogation from sentence 3 in connection with the § 15 to 17 and 21a § 5 of the Federal Minister is calculated the retirement pension of the Commissioner of of federal, adding the term as pensionable service time in corresponding application of the officials supply Act, if this is more favourable and the Federal Commissioner prior to his election to the Federal Commissioner as a civil servant or judge has immediately found at least in the last Office to passing through usually before reaching the grade B 9.
(8) paragraph 5 sets 5 to 7 shall apply accordingly for the public authorities, which are responsible for the verification of compliance with the rules on data protection in the countries.

§ 24 control by the Federal Commissioner for data protection and freedom of information (1) the Federal Commissioner for data protection and freedom of information controlled by the public bodies of the Federation the compliance with the provisions of this Act and other legislation on data protection.
(2) the control of the Federal Commissioner obtained personal information also extends to 1 by public bodies of the Federation about the contents and the circumstances of the stamps, postal and telecommunications, and 2 personal data, the a professional or special professional secrecy, in particular the tax secret according to § 30 of the tax code, are subject to.
The fundamental right of the mail, post and correspondence of laid down in article 10 of the basic law is limited in this respect. Personal data that 10 law are subject to control by the Commission pursuant to § 15 of the articles, not under the control by the Federal Commissioner, unless the Commission asked the Federal Commissioner, compliance with the rules on data protection for certain operations or in certain areas to control and report on only her. By the Federal Commissioner, non-personal data in the files of the security check under control, if the person concerned is contrary to the control of data related to him in some cases to the Federal Commissioner.
(3) the federal courts are subject to the control of the Federal Commissioner only insofar as they are working in administrative matters.
(4) the public bodies of the Federation are required to support the Federal Commissioner and his officers in carrying out their duties. In particular 1 information is them to their questions as well as insight in all documents, in particular the stored data and the data processing programs, grant, which are associated with the control referred to in paragraph 1 at any time access to all premises to grant 2..
The authorities referred to in article 6, paragraph 2 and article 19, para. 3 provide the support only the Federal Commissioner and the his writing particularly representative. Sentence 2 applies to these authorities do not, unless in individual cases, the Supreme Federal Authority determines that the information or insight would threaten the security of the Federation or a land.
(5) the Federal Commissioner shall inform the result of its control of the public authority. Thus he can combine proposals for improving data protection, in particular to the Elimination of identified deficiencies in the processing or use of personal data. section 25 shall remain unaffected.
(6) paragraph 2 shall apply correspondingly for public authorities, who are responsible for the verification of compliance with the rules on data protection in the countries.

§ 25 complaints by the Federal Commissioner for data protection and freedom of information (1) is the Federal Commissioner for data protection and freedom of information offences against the provisions of this Act or other legislation of data protection or other deficiencies in the processing or use of personal data set, so he complains about this 1 with the Federal Administration to the competent Supreme Federal Authority, 2 the federal railway assets toward the President. , 3. in the case of the company arising from the Special Fund Deutsche Bundespost by Act, as long as them an exclusive right according to the postal Act, is compared to their boards of Directors, 4. the federal authorities, establishments and foundations governed by public law and associations of such bodies, institutions and foundations compared to the Board of directors or otherwise authorized body and calls for comments within a period to be determined by him on. In the cases set the Federal Commissioner shall inform the competent supervisory authority 1 No. 4 at the same time.
(2) the Federal Commissioner may refrain from making a complaint or renounce an opinion of the affected area, especially if it's now removed or insignificant defects.
(3) the opinion to contain also a representation of the measures that have been taken due to the objection of the Federal Commissioner. The usher in paragraph 1 sentence 1 place referred to in no. 4 the competent authorities at the same time to a copy of its opinion on the Federal Commissioner.

Section 26 further duties of the Federal Commissioner for data protection and freedom of information
(1) the Federal Commissioner for data protection and freedom of information be reimbursed an activity report of the German Bundestag every two years. He teaches the German Parliament and the public about major developments of data protection.
(2) upon request of the Bundestag or the Federal Government, the Federal Commissioner has to provide expert opinions and reports. The Federal Commissioner is also remarks on the Affairs and operations of data protection in the public bodies of the Federation at the request of the German Federal Parliament, the Committee on Petitions, of the Home Affairs Committee or the Federal Government. The Federal Commissioner may consult at any time at the German Bundestag.
(3) the Federal Commissioner can make recommendations to improve the data protection of the Federal Government and the federal authorities referred to in article 12, paragraph 1, and advise them in matters of data protection. You are in article 25, paragraph 1 No. 1 to 4 mentioned point to teach when the recommendation or advice not directly concerned by the Federal Commissioner.
(4) the Federal Commissioner works towards cooperation with the public authorities that are responsible for the verification of compliance with the rules on data protection in the countries, and with the supervisory authorities according to § 38. Article 38, paragraph 1, sentence 4 and 5 shall apply mutatis mutandis.
Third section data processing non-public institutions and public service competition companies first subsection scope (1) who find regulations of this section application, as far as personal data using data processing systems be processed, used, or collected for or the data to or from non-automated files processed legal bases of data processing section 27, used or to be raised by 1 non-public bodies, 2. a) public bodies of the Federation, as far as participating as a public company in the competition , b) public bodies of the countries, insofar as they participate in the competition as a public company, run federal law and data protection by law of the land is regulated.
This does not apply if the collection, processing or use of data only for personal or family activities. In the cases of the number the sections 18 2(a) shall apply in place of section 38, the provisions of this section 21 and 24 to 26 (2) do not apply to the processing and use of personal data outside of non-automated files, if it was not for personal information, apparently from an automated processing have been taken.

§ 28 data collection and storage for its own business purposes (1) that is rising, save, change or transfer of personal data or their use as a means of fulfilling its own business purposes allowed 1 when necessary for the establishment, implementation or termination of a contractual or legal transaction similar debt relationship with the victims, 2. insofar as is necessary to protect legitimate interests of the responsible authority and no reason to believe there is , that outweighs the protection interest of the person concerned to the exclusion of the processing or use, or 3. If the data are generally available or the responsible body should publish them, except that obviously is interest worthy of protection of the person concerned to the exclusion of the processing or use against the legitimate interests of the responsible authority.
The collection of personal data, the purposes for which the data are to is processed or used, specifically set are.
(2) the transmission or use for any other purpose 1 under the conditions of paragraph 1 sentence 1 number 2 or number 3, allowed 2. as far as necessary is a) to protect legitimate interests of a third party or b) to ward off dangers for the State or public safety or to the prosecution of criminal offences and there is no reason to believe , that the person concerned has a legitimate interest in the exclusion of the delivery or use, or 3. If it is in the interest of a research facility to conduct scientific research is required, significantly outweighs the interest of the person concerned to the exclusion of purpose change the scientific interest in the implementation of the research project and the purpose of the research in other ways not or only at disproportionate time and effort can be achieved.
(3) the processing or use of personal data for purposes of Munz or advertising is allowed, provided the person concerned has consented and paragraph 3A is the entity responsible in the case of a granted without written consent. Moreover, the processing or use of personal data may 1 for purposes of advertising for your own offers of the responsible authority as far as it is lists or otherwise summarized data about members of a group of persons confined on the affiliation of the person concerned to this group of persons, his professional, industry or trade name, his name, title, academic degree, address and year of his birth, and processing or use is required , the these data with the exception of information on group membership in the individual referred to in paragraph 1 sentence 1 number 1 or from generally accessible address, telephone, industry or similar directories collected has, 2. for purposes of advertising in terms of the professional activity of the person concerned and his professional address or 3 for purposes of advertising for donations, which are tax deductible according to section 10 (b) paragraph 1 and article 34 g of the income tax act.
For purposes pursuant to sentence 2 number 1 must add save the entity responsible for the referred data more data. Aggregated personal data pursuant to sentence 2 may be submitted for advertising purposes also if delivery paragraph 1a sentence 1 is stored in accordance with the § 34; in this case, the job, for the first time has collected the data, must emerge clearly from advertising. Regardless of the existence of the conditions of the set of 2 personal data may be used for purposes of advertising for foreign deals when for the suspect at the address for the purpose of advertising the entity responsible for the use of the data is clearly identifiable. Any processing or use pursuant to sentences 2 to 4 is allowed only as far as do not preclude protection interests of the person concerned. Data transmitted pursuant to sentences 1, 2 and 4 may be processed only for the purpose or use for which they have been submitted.
(3a) the consent according to § 4a paragraph 1 sentence 3 in any other form than the written form is given, has the entity responsible to confirm the content of the consent of the person concerned in writing, unless that consent will be declared electronically and the responsible authority shall ensure that the consent is logged and affected parties can retrieve their content at any time and revoke the consent at any time with effect for the future. Should the consent together with other statements is to be granted in writing, it is notable in typographically clear design.
(3B) which is responsible pursuant to paragraph 3 sentence 1 make dependent on the conclusion of a treaty not by consent of the person concerned, if other equivalent contractual services without the consent or not is possible the person concerned in a reasonable manner. A consent granted in such circumstances is ineffective.
(4) the person concerned to the responsible body of the processing or use of data for purposes of advertising or market or opinion research, contradicts any processing or use for these purposes is not permitted. The person concerned is in the speech for the purpose of advertising or market or opinion research, and in the cases of paragraph 1 pursuant to sentence 1 to teach sentence 1 number 1 also for reasons of contractual or similar legal obligation of the responsible body as well as the right to object; as far as who uses appealing personal data of the person concerned, that are stored at a location not known to him, he has also to ensure that the person concerned can obtain knowledge of the origin of the data. This is contrary to the data subject for the third party to whom the data within the framework of the purposes pursuant to paragraph 3 have been transmitted, the processing or use for purposes of advertising or market or opinion research, has to block the data for these purposes. In cases of paragraph 1 sentence 1 number 1 shall be required no stricter form contradiction for the justification of contractual or similar legal obligation.
(5) the third parties to which the data have been transmitted, must process them only for the purpose or use, they transferred him to its fulfilment. Any processing or use for other purposes is allowed authorities only under the conditions of paragraphs 2 and 3 and authorities only under the conditions of § 14 para 2. The transmitting authority has to point it out.
(6) the collection, processing and use of special types of personal data (§ 3 ABS. 9) for its own business purposes is permitted, as far as not the person concerned has consented in accordance with Article 4a, paragraph 3, if 1.
This is necessary to protect of vital interests of the data subject or a third party, provided that the person concerned physical or legal reasons is unable to give his consent, 2. it is data, the data subject has made obviously public, 3. This is necessary for the claim, exercise or defense of legal claims, and there is no reason to believe that the sensitive interests of the person concerned to the exclusion of the survey , Processing or use prevail, or 4 it is necessary to carry out scientific research, significantly outweighs the interest of the person concerned to the exclusion of the collection, processing and use the scientific interest in the implementation of the research project and the purpose of the research in other ways not or only at disproportionate time and effort can be achieved.
(7) the rise of special types of personal data (§ 3 ABS. 9) is also allowed, if this is necessary for the purpose of health care, medical diagnosis, health care or treatment or the management of health services and the processing of these data is done by medical staff or other persons which are subject to an equivalent obligation of secrecy. The processing and use of data for the purposes referred to in sentence 1 shall depend on the confidentiality obligations applicable to the entities referred to in sentence 1. Is data on the health of individuals by members of other than in article 203, paragraph 1 and 3 of the Penal Code of referred to profession, the exercise of which brings the detection, cure or alleviation of disease or the production or distribution of AIDS with raised, processed for a purpose referred to in sentence 1 or used, this is allowed only under the conditions, under which a doctor himself, would be authorized.
(8) for any other purpose may be the specific types of personal data (§ 3 ABS. 9) only under the conditions of paragraph 6 sentence 1 sent no. 1 to 4 or of paragraph 7 or used. A transmission or use is also permissible if this is necessary to ward off substantial dangers for the State and public security, as well as to the prosecution of major criminal offenses.
(9) organizations that are political, philosophical, religious or trade unions aligned and are non-profit-making, shall collect special types of personal data (§ 3 ABS. 9), process or use, insofar as this is necessary for the activities of the organization. This applies only to personal data of their members or by persons who maintain contact with her regularly in connection with the purpose of the activity. The transmission of this personal data to persons or bodies outside the organisation is allowed only under the conditions of Article 4a, paragraph 3. Paragraph 2 paragraph 2 point (b) shall apply mutatis mutandis.

§ 28a transmission of data to credit bureaus (1) the transfer of personal data about a challenge to credit bureaus is allowed only as far as the owening work despite maturity has not been established, the transmission to protect legitimate interests of the responsible authority or a third party is required and 1 the requirement has been established by a final or declared provisionally enforceable judgment or a debt exists according to § 794 of the code of civil procedure , 2. the claim has been determined according to section 178 of the bankruptcy order and not disputed by the debtor in the exam, 3. the party concerned the requirement has explicitly recognized, 4. a) the person concerned is been reminded at least twice in writing after the due date of the claim, b) at least four weeks between the first reminder is sent and the transmission, c) the entity responsible stakeholders in good time before the provision of the information , at the earliest when the first reminder about the upcoming delivery has taught and d) the person concerned has not disputed the claim or 5 the contract underlying the claim as a result of arrears without notice may be terminated and the responsible entity has informed the parties concerned about the upcoming delivery.
Sentence 1 shall apply accordingly if the responsible authority itself uses the data according to § 29.
(2) for future delivery according to § 29 par. 2, credit institutions may transmit personal data on the grounds, proper implementation and termination of a contract concerning a Bank business according to § 1 para 1 sentence 2 No. 2, 8 or no. 9 of the Banking Act to credit bureaus, except that obviously is interest worthy of protection of the person concerned to the exclusion of the delivery against the interests of the Agency to the knowledge of the data. The person concerned shall be informed prior to the conclusion of the contract on this. Sentence 1 does not apply to current contracts, which have an account without overdraft facility to the subject. For future delivery according to § 29 par. 2, the transmission of data on the behaviour of the person concerned, which are used in the framework of a pre-contractual relationship of trust in the production of market transparency, is inadmissible to credit bureaus also with the consent of the person concerned.
(3) responsible for the reporting agency within a month after becomes aware subsequent changes of the facts underlying a submission pursuant to paragraph 1 or paragraph 2 has to tell, as long as the data originally transmitted at the Agency are stored. The Agency shall inform the transmitting point about the deletion of the data originally transmitted.

section 28 a probability value for a specific future behavior of the person concerned raised b scoring for the purpose which may decision on the establishment, implementation or termination of a contract with the data subject or be used if 1 the data used for calculating the value of probability on the basis of a scientifically recognized mathematical and statistical procedure can be proven for the calculation of the probability of certain behavior significantly are, 2. in the case of calculating the probability of value by a reporting agency the conditions for delivery of the data according to § 29 and in all other cases there are the requirements of a permissible use of data under section 28, 3. for the calculation of the probability value not only address data are used, 4. in the case of the use of address data affected parties prior to calculation of the probability value about the intended use of this data is; been informed the information shall be documented.

§ 29 business data collection and storage for the purpose of transfer (1) businesslike collection, storing, modification or use of personal data for the purpose of transfer, especially if this is advertising, the activities of rating agencies or the address, is allowed if 1 is no reason to believe that the person concerned has a legitimate interest in the exclusion of the collection, storage or change , 2. the data from publicly available sources can be found or the responsible body should publish them unless that interest worthy of protection of the person concerned to the exclusion of the collection, storage or change obviously outweigh, or 3. the requirements of section 28a, paragraph 1 or paragraph 2 are met; Within the meaning of article 28a (2) sentence 4 must not collected or saved.
Article 28, paragraph 1, sentence 2 and paragraph 3 and 3B shall apply.
(2) the transmission within the framework of the purposes referred to in paragraph 1 is allowed, if the third party, the data are disclosed a legitimate interest credibly presented 1 on their knowledge, and 2. is no reason to believe that the person concerned has a legitimate interest in the exclusion of the delivery.
§ 28 paragraph 3 and 3B shall apply mutatis mutandis. Transmission pursuant to sentence the reasons for the existence of a legitimate interest and the way their credible statement from the transmitting site are 1 No. 1 record. Transmission in the automated retrieval procedures, recording duty is whether the third party to whom the data are disclosed. The transmitting agent shall perform sampling procedure according to § 10 para 4 sentence 3 and individual cases related to determine also the existence of a legitimate interest and check.
(3) the inclusion of personal data in electronic or printed address, phone numbers, industry or similar directories has to be avoided, if the contrary will of the person concerned from the underlying electronic or printed directory or register is evident. The recipient of the data shall ensure that labels from electronic or printed directories or registers during the transfer to directories or registers are applied.
(4) section 28 (4) applies for the processing or use of the transmitted data and 5 (5) section 28 paragraph 6 to 9 shall apply mutatis mutandis.
(6) a body that collects businesslike personal data which may be used for assessing the creditworthiness of consumers for the purpose of transfer, stores or changed, request for information from lenders from other Member States of the European Union or other as to handle parties of the agreement on the European economic area as request for domestic lenders.
(7) a person who refuses to conclude of a consumer loan agreement or a Treaty on the non-gratuitous financial support with a consumer as a result of a report of a body within the meaning of paragraph 6, has to inform the consumer immediately on this, as well as the preserved information. The information is omitted as far as this would endanger the public safety or order. § 6a shall remain unaffected.

Article 30 any data collection and storage for the purpose of transfer in anonymised form (1) collected PII businesslike and features to save separately which can be associated with individual details about personal or factual circumstances of a specific or specifiable natural person are stored to submit it anonymously. These features may only be merged with the individual information insofar as this is necessary for the fulfilment of the purpose of storage or for scientific purposes.
(2) the change of personal data is permitted if no reason to believe there is 1 that the person concerned has a legitimate interest in the exclusion of the change, or 2. the data from publicly available sources can be found, or the entity responsible should publish them, as far as not worthy of protection interest of the person concerned to the exclusion of change obviously outweigh.
(3) the personal information is to delete if their storage is inadmissible.
(4) section 29 does not apply.
(5) section 28 paragraph 6 to 9 shall apply accordingly.

section 30a businesslike data collection and storage for purposes of market research or opinion research (1) the businesslike collection, processing or use of personal data for purposes of market research or opinion research is permitted if 1 there is no reason to believe, that the person concerned has a legitimate interest in the exclusion of the collection, processing or use, or 2. the data from publicly available sources can be found or they should publish the entity responsible and sensitive interest of the person concerned to the exclusion of the survey , Not obviously outweighs processing or use against the interests of the responsible authority.
Special types of personal data (section 3 paragraph 9) may be charged only for a specific research project, processed or used.
(2) for the purposes of market research or opinion research collected or stored personal data may be processed only for those purposes, or it can be used. Data, which have not been taken from generally accessible sources and may not also publish the entity responsible, may be processed only for the research project or used, for which they are collected. For any other purpose they may be is only processed or used, when she made anonymous before, that a personal reference can no longer be manufactured.
(3) the personal data are made anonymous as soon as this is possible according to the purpose of the research project for which the data are collected. Until then, there are the features to save separately that individual details about personal or factual circumstances of a certain or determinable person can be associated. These characteristics may only be merged with the particulars, insofar as this is necessary according to the purpose of the research project.
(4) section 29 does not apply.
(5) paragraph 4 and 6 to 9 shall apply § 28 accordingly.

§ 31 special purpose personal data stored exclusively for purposes of privacy control, backup or to ensure a proper operation of a data processing system may be used only for these purposes.

Data collection, processing and use for purposes of employment (1) personal data of employees for purposes of employment section 32 may collected, processed or used, if this is necessary for the decision on the establishment of an employment relationship or after establishment of the employment relationship for its execution or termination. Detecting crimes personal data of employees may be only collected, processed or used, when to document actual indications the suspicion justified that the interested party in the employment relationship has committed an offence, the collection, processing or use for detection is required and not outweighs the protection interest of an employee to the exclusion of the collection, processing or use, in particular the type and extent with regard to the occasion are not disproportionate.
(2) paragraph 1 shall apply also, when personal data is collected, processed or used, unless they are processed automatically or to or from a non-automated file processed, used or collected for processing or use in such a file.
(3) the participation rights of the representatives of employees remain unaffected.
Second subsection be rights of the data subject section 33 notification of the person concerned (1) for the first time personally identifiable information for their own purposes without the knowledge of the person concerned the person concerned from the storage is stored, to inform the nature of the data, the purpose of the collection, processing or use, and the identity of the responsible authority. Businesslike, is personal data is stored for the purpose of transfer without the knowledge of the person concerned, is to notify the person concerned by the first delivery and the type of the transmitted data. The person concerned shall be informed, insofar as he must not count according to the circumstances of the individual case with the delivery to these in cases of sentences 1 and 2 also on the categories of recipients.
(2) a duty to notify is not, if of affected otherwise has gained knowledge of the storage or transmission 1, 2. the data are only stored, because it due to legal, statutory or contractual retention requirements must not be deleted or serve only the data protection or privacy control and notification would require a disproportionate effort, 3. after the data after a piece of legislation or its nature that must be kept secret because of overriding legal interest of a third party, namely, 4. the storage or transmission by law is expressly provided, 5. the storage or transmission for purposes of scientific research is required and a notification would require a disproportionate effort, 6 the competent public authority to the responsible authority has determined, that disclosed the data would endanger the public safety or order or prepare disadvantages otherwise the benefit of the Federation or a land , 7. the data for their own purposes are stored and a) are taken from generally accessible sources and a notification because of the large number of affected cases is disproportionate, or b) notification that would considerably disturb business purpose of the responsible authority unless that interest in the notification outweighs the risk, 8 are businesslike stored for the purpose of transmitting data and a) are taken from generally accessible sources , to those persons related, which have published these data or b) it was to lists or otherwise summarized data (article 29 paragraph 2 sentence 2) and a notification because of the large number of affected cases is disproportionate, 9 from generally accessible sources extracted data businesslike for purposes of market research or opinion research is stored and a notification because of the large number of affected cases is disproportionate.
The responsible body in writing sets conditions under which no. 2 to 7 will apart from a notification pursuant to sentence 1.

Article 34 information to the concerned (1) the responsible entity has the party concerned on request to provide information about 1, also insofar as they relate to the origin of such data, 2. the recipients or categories of recipients, the data passed to be stored data to his person, and 3. the purpose of the storage.
Affected parties should designate the type of personal data, the information should be provided, closer. Businesslike, is the personal data is stored for the purpose of transfer, information on the origin and the recipient is also granted if this information is not stored. Information about the origin and the recipient can be denied if outweighs the interest in maintaining business confidentiality compared to the interest of the person concerned.
(1a) In the case of section 28 (3) sentence 4, the transmitting authority has to save the origin of the data and the recipient for a period of two years after the delivery, and to provide information about the origin of the data and the recipients concerned upon request. Sentence 1 shall apply accordingly to the recipients.
(2) in the case of § 28b the entity responsible for the decision, the persons concerned upon request to provide information about 1 within the last six months prior to the request for access has collected or first stored probability values, 2. the types of data used for the calculation of the probability values and 3.
the formation and the importance of the probability values case-related and traceable in General an intelligible form.
Sentence 1 shall apply accordingly if the responsible for the decision point 1 that saves data without personal reference for calculating the probability values, but manufactures the personal reference when calculating or 2. another Bureau uses stored data.
She has another as the responsible for the decision point 1 calculates the probability value, or 2. a part of the probability value, to transmit 1 and 2 information required at the request of the responsible for the decision point on this to meet the information requirements pursuant to sentences. In the case of Theorem 3, no. 1 has to reference the entity responsible for the decision the person concerned to assert of his claims of information, stating the name and address of the other place as well as the information required to the name of the case immediately on this, unless she not even granted the information. The other point that has computed the probability value, free of charge to meet the information requirements pursuant to sentences 1 and 2 to the stakeholders has in this case. The duty of the place responsible for the calculation of the probability value is eliminated pursuant to sentence 3, as far as the entity responsible for the decision is its right pursuant to sentence 4 use.
(3) a body which stores businesslike personal data for the purpose of transfer, has to provide information about its personal data concerned upon request, even if it does not automatically processed, are stored in a non-automated file. Also information, to furnish data that 1 are currently unrelated person, where such but should be made in connection with the information from the responsible authority, the responsible authority does not store 2, but uses it for the purpose of information is concerned.
Information about the origin and the recipient can be denied if outweighs the interest in maintaining business confidentiality compared to the interest of the person concerned.
(4) a body that collects businesslike personal data for the purpose of transfer, stores or changed, has transmitted probability values for a specific future behavior of the person concerned, as well as the names and last known addresses of the third parties, the party concerned on request to provide information about 1 within the last twelve months prior to the request for access to the values are transmitted, 2. the probability values , arising after the procedures applied by the authority to calculate at the time of the request, the types of data used for the calculation of the probability values according to paragraphs 1 and 2, as well as 4. effecting and the importance of the probability values case involved 3. and in General an intelligible form.
Sentence 1 applies accordingly if the responsible body 1 stores data used to calculate the probability value unrelated to the person, the personal reference but the calculation produces or 2. another Bureau uses data stored.
(5) the data stored after the paragraphs 1a to 4 for the purpose of the disclosure to the parties concerned may be used only for this purpose, as well as for purposes of the data protection supervision; for other purposes, they are to block.
(6) the information shall be granted as far as another form of disclosure is not appropriate because of the special circumstances at the request in writing.
(7) an obligation to exchange the information does not exist if the person concerned is not to notify Nos 2, 3 and 5 to 7 according to section 33, paragraph 2, sentence 1.
(8) the information is provided free of charge. Businesslike, is the personal data is stored for the purpose of transfer, the person concerned may once request a free information in text form per calendar year. For any further information, a fee may be required, if the party concerned can use the information to third parties for commercial purposes. The fee may not go beyond the directly attributable costs incurred in providing information. A fee may not be required, if 1 special circumstances justify the assumption that inaccurate or inadmissible data, or 2 the information shows that the data according to § 35 par. 1 to correct or to delete no. 1 according to article 35, paragraph 2, sentence 2 are.
(9) providing information is not free of charge, is to allow the parties concerned, to gain knowledge of the data relating to him within the framework of his information claim personally. He is here to point out.

§ 35 rectification, erasure and blocking of data (1) personal data are correct if they are inaccurate. Estimated data are clearly labelled such as.
(2) personal data can be deleted at any time except in the cases of paragraph 3 Nos. 1 and 2. Personal data is to delete if 1 if their storage is inadmissible, 2 it is data about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health, sex life, criminal offences or administrative offences and their accuracy cannot be proven by the responsible authority, 3. they are processed for their own purposes, as soon as their knowledge for the fulfilment of the purpose of the storage is no longer necessary , or 4 it businesslike for the purpose of the transfer are processed and a check at the end of the fourth, insofar as it is data on the completed facts and the person concerned of the deletion does not contradict, at the end of the third calendar year beginning with the calendar year following the initial storage, is that a längerwährende storage is not required.
Personal data stored on the basis of section 28a, paragraph 2, sentence 1 and section 29, subsection 1, sentence 1 No. 3 is to delete, if the person concerned so requires also after termination of the contract.
(3) at the point of a deletion, blocking occurs as far as 1 in the case of paragraph 2 sentence 2 No. 3 of deletion preclude legal, statutory or contractual retention periods, 2. to believe there is reason, that a deletion protection interests of the person concerned would adversely affect, or 3 a delete due to the special nature of storage not or only with disproportionately high costs is possible.
(4) personal data are also to close, as far as accuracy is disputed by the affected and be identified neither the accuracy nor the incorrectness.
(4a) the fact of blocking may not be delivered.
(5) personal data may be charged not for automated processing or processing in non-automated files, processed or used, as far as the person on the responsible authority contradicts and an examination reveals that sensitive interest of the person concerned because of his particular personal situation outweighs the interest of the responsible position on this collection, processing or use. Sentence 1 shall not apply if a rule of law committed to the collection, processing or use.
(6) personal data which are inaccurate or whose Richtigkeit is disputed, when storing business data for the purpose of the transfer must except in the cases of paragraph 2 No. 2 are not corrected, blocked or deleted, if they are extracted and stored for documentation purposes from generally accessible sources. At the request of the person concerned, his reply is this information for the duration of the storage to be attached. The data may not be transferred without this reply.
(7) of the correction of inaccurate data, the blocking of disputed data as well as the erasure or blocking inadmissibility of storage are to communicate the places where these data storage have been disclosed in the context of a notification if this requires a disproportionate effort and do not preclude protection interests of the person concerned.
(8) locked data may be transmitted without the consent of the person concerned only or used if 1 for scientific purposes, to correct an existing proof emergency or other in the overwhelming interest of the responsible authority or a third party's essential reasons and 2 may be the data transmitted or used, if they were not locked out.
Third subsection authority articles 36 and 37 (dropped out) - section 38 supervisory authority
(1) the Supervisory Authority controlled the execution of this law, as well as other legislation on data protection, as far as these govern the automated processing of personal data or the processing or use of personal data to or from non-automated files including the right of the Member States in the cases of § 1 5. It advises and supports the Commissioner for data protection and the responsible authorities with respect to their typical needs. The supervisory authority may process your data only for purposes of supervision and use; § 14 para 2 Nos. 1 to 3, 6, and 7 applies. In particular, the supervisory authority for the purpose of supervision can transmit data to other supervisory authorities. It provides the supervisory authorities of other Member States of the European Union on additional requests for help (official). The supervisory authority finds a violation of this Act or other legislation on data protection, it is entitled to inform the person concerned thereof, to show the violation for the bodies responsible for the persecution or sanctioning, and to inform the labour inspectorate to carry out managing measures for serious infringements. You regularly, at least every two years, an activity report. Section 21, sentence 1 and § 23 para 5 set 4 to 7 shall apply mutatis mutandis.
(2) the supervisory authority keeps a register of reportable according to § 4 d automated processing operations with the data according to § 4e sentence 1. The register can be viewed by anyone. The right of inspection does not cover the information according to § 4e sentence 1 No. 9, as well as on providing the persons entitled to access.
(3) the bodies subject to the control and the persons entrusted with the management have to provide the information necessary for the performance of their duties the supervisory authority on request without delay. The party may refuse the information on such questions, whose answer himself or an expose of the Nos. 1 to 3 of the code of civil procedure referred to members of the danger of criminal prosecution or proceedings would in section 383, paragraph 1 according to the law of administrative offences. The party is to point out.
(4) the persons responsible for the control of the supervisory authority are authorized insofar as it is necessary for the fulfilment of the tasks entrusted to the supervisory authority to enter land and business premises of the body during the operation and business hours and to make tests and inspections. Can business documents, in particular the overview according to § 4 g para 2 sentence 1, as well as the stored personal data and the data processing programs, see. Article 24, paragraph 6 shall apply accordingly. The party has put up these measures.
(5) the supervisory authority may order measures to eliminate established infringements in the collection, processing or use of personal data or technical or organisational defects to ensure of compliance with this Act and other legislation on data protection. For serious violations or defects, particularly those that are associated with a particular risk of personal rights, she may prevent the collection, processing or use, or the use of individual procedures, if the violations or deficiencies against the arrangement not be eliminated pursuant to sentence 1, and despite the imposition of a penalty payment in due time. She may demand the dismissal of the Commissioner for data protection if he does not have the expertise required to carry out its tasks and reliability.
(6) the land Governments or the bodies authorised by them to determine the supervisory authorities responsible for the control of the implementation of the data protection within the scope of this section.
(7) the application of trade regulations on the businesses subject to the provisions of this section shall remain unaffected.

Professional associations and other associations, the certain groups of officials representing § 38a code of conduct to promote the implementation of data protection rules (1) authorities, may submit draft rules of conduct to promote the implementation of data protection rules.
(2) the supervision authority checks the conformity of the designs submitted to you with the applicable data protection law.
4th section special provisions article 39 personal data, which are subject to a special professional secrecy or professional and which have been put by the agent obliged to maintain secrecy in the exercise of their professional or official duty available may earmarking for personal data, which are subject to a special professional secrecy or professional (1) by the responsible authority only for the purpose of processed or used, for which she has received. The authority committed to secrecy must consent to the transfer to a non-public place.
(2) for any other purpose, the data may be only processed or used if the change of purpose by special law is approved.

Processing and use of personal data by research organisations (1) for purposes of scientific research collected or stored personal data only for purposes of scientific research section 40 may processed or used.
(2) the personal data are made anonymous as soon as this is possible under the purpose of the research. Until then, there are the features to save separately that individual details about personal or factual circumstances of a certain or determinable person can be associated. You may be merged only with the particulars, as far as required by the purpose of the research.
(3) the bodies operating scientific research is allowed to publish personal data only if 1 the person concerned has consented or 2 this is essential for the presentation of research results about events of contemporary history.

Section 41 collection, processing and use of personal data by the media (1) the countries to provide in their legislation that come the provisions of §§ 5, for the collection, processing and use of personal data by companies and assistance company of the press exclusively for own journalistic editorial or literary purposes corresponding to 9 and 38a arrangements including a limitation-related liability according to § 7 to the application.
(2) the journalistic editorial collection, processing or use of personal data by the Deutsche Welle leads to the publication of corrections of the person concerned, these corrections to the stored data are to take and keep for same period of time as the data itself.
(3) someone affected by a reporting of Deutsche Welle in his rights, he may require information about the underlying reporting, stored its personal data. The information can be denied after consideration of the legitimate interests of the parties, as far as 1 from the data on persons who professionally a journalist involved in the preparation, manufacture, or distribution of broadcasts or have contributed, can be closed, 2. the data on the person of the sender or of the guarantee institution of articles, documents and messages for the editorial section can be closed , 3. the provision of researched or otherwise obtained data the journalistic task of Deutsche Welle would impaired by discovery of information structure.
The person concerned may request the correction of incorrect data.
(4) in addition, the sections 5, 7, 9 and 38a shall apply for Deutsche Welle of the provisions of this Act. Instead of §§ 24-26 section 42 applies, also as far as dealing with administrative matters.

Section 42 of the data protection officer of Deutsche Welle (1) Deutsche Welle appointed a protection of data officer, who shall take the place of the Federal Commissioner for data protection and freedom of information. The order is made on a proposal from the Director by the Board of Directors for a term of four years and may be reappointed. The Office of the data protection officer can be perceived in addition to other duties within the broadcaster.
(2) the Commissioner for data protection for monitoring compliance with the provisions of this Act and other legislation on data protection. He is subjected to in exercising this Office is independent and only the law. In addition he is the service and legal supervision of the Board of Directors.
(3) anyone may apply according to section 21, sentence 1 of the Commissioner for data protection.
(4) the Commissioner for data protection shall an activity report the organs of Deutsche Welle every two years, for the first time to January 1, 1994. He also presented special reports on decision of an organ of Deutsche Welle. The Commissioner also to the Federal Commissioner for data protection and freedom of information submitted activity reports.
(5) the German wave hits further regulations according to the sections 23 to 26 for their area. Sections 4f and 4 g shall remain unaffected.

section 42a obligation for unlawful obtaining of knowledge data a non-public place within the meaning of article 2, paragraph 4, or a public authority according to § 27, paragraph 1, sentence 1 number 2 notes that stored her 1 special types of personal data (section 3 paragraph 9), 2.
personal data which are subject to an obligation of professional secrecy, 3. personal data relating to criminal offences or administrative offences or suspected of offences or offences, or 4 personal data to bank or credit card accounts illegally transmitted or otherwise arrived third parties unlawfully to the knowledge, and threaten serious adverse effects for the rights or legitimate interests of the persons concerned, it has to immediately after the sentences 2 to 5 the competent authorities and the person concerned. The notification of the person concerned shall be immediately, as soon as appropriate measures to safeguard the data are taken or is not immediately and law enforcement is not compromised. The notification of the person concerned must contain a statement of the type of unlawful obtaining knowledge and recommendations for action to reduce potential adverse consequences. The notification of the competent supervisory authority must also include a statement of potential adverse consequences of unlawful obtaining knowledge and the measures taken by the site then. As far as the notification of the person concerned would require a disproportionate effort in particular due to the large number of affected cases, informing the public enters through ads that include at least a half-page, in at least two daily newspapers nationwide, or by another, in their effectiveness with regard to the information of concerned is appropriate measure in its place. A notification that has given the Benachrichtigungspflichtige, may be used according to the law of administrative offences against him or a in article 52, paragraph 1, of the code of criminal procedure in criminal proceedings or in proceedings referred to members of the Benachrichtigungspflichtigen only with the consent of the Benachrichtigungspflichtigen.
Fifth section final provisions § 43 (1) rude is fine rules, who intentionally or negligently 1 violates article 4 d, par. 1, also in conjunction with § 4e sentence 2, a message not, incorrectly, incompletely or not in time makes, 2. contrary to section 4f para 1 sentence 1 or 2, also in conjunction with sentence 3 and 6, a representative for data protection does not, not in the manner prescribed or ordered in a timely manner , 2a.
contrary to section 10, paragraph 4, sentence 3 does not warrant that the data transmission can be determined and checked, 2. contrary to section 11, paragraph 2, sentence 2 does not properly placed an order incomplete or not in the prescribed manner or contrary to section 11, paragraph 2, sentence 4 is not before the data processing by compliance with the technical and organisational measures taken by the contractor convinced , 3. contrary to section 28, paragraph 4, sentence 2 the person concerned informed not, not properly or in a timely manner or does not ensure that the person concerned may obtain, 3a.
contrary to section 28, paragraph 4, sentence 4 requires a stricter form, 4. contrary to section 28, paragraph 5, sentence 2 to transmit personal data or uses, 4a.
contrary to section 28a, paragraph 3, sentence 1 a communication does not, incorrectly, incompletely or not in time, does not record the designated thereon reasons or the manner their plausible discourse 5. contrary to article 29, paragraph 2, sentence 3 or 4, 6 contrary to section 29, paragraph 3, sentence 1 takes on personal data in electronic or printed address, phone numbers, industry or similar directories, 7 contrary to section 29, paragraph 3, sentence 2 does not ensure the acquisition of flags , 7a.
contrary to article 29 paragraph 6 a request not correctly treated, 7. contrary to section 29, paragraph 7, sentence 1 not, incorrectly, incompletely or not timely informed a consumer, 8 contrary to section 33, paragraph 1, not, not properly or not fully notified the persons concerned, 8a.
contrary to § 34 paragraph 1 sentence 1, also in conjunction with sentence 3, contrary to § 34 paragraph 1a, contrary to § 34 paragraph 2 sentence 1, also in conjunction with sentence 2, or contrary to § 34 paragraph 2 sentence 5, sentence 1 in conjunction with sentence 2, information not, incorrectly, incompletely or not timely given paragraph 3 set 1 or set 2 or paragraph 4 or contrary to § 34 paragraph 1a does not store data , 8. contrary to article 34, paragraph 2, sentence 3 data not, incorrectly, incompletely or not timely submitted, 8c.
contrary to § 34 paragraph 2 sentence 4 not or not timely to the other point refers to those affected, 9 contrary to section 35, paragraph 6, sentence 3 transmits data without reply, 10 contrary to section 38, paragraph 3, sentence 1 or paragraph 4 information not, incorrectly, incompletely or not timely given set 1 or a measure does not condone or contravenes 11 an enforceable order according to article 38, paragraph 5, sentence 1.
(2) any person who intentionally or negligently personal data which are not generally available, collects 1 or processes that, 2. holds personal data that are not generally available for retrieval using the automated procedure, 3rd gets personal data which are not generally available, or giving himself or another processing automated or non-automated files, 4. the transmission of personal data , that are not generally available, by incorrect information 5 contrary to § 16 para 4 sentence 1 reinstates section 28 paragraph 5 sentence 1, also in conjunction with section 29 para 4, § 39 para 1 sentence 1 or section 40 para 1, which uses data transmitted for other purposes,, 5a.
contrary to section 28, paragraph 3 b is dependent on the conclusion of a contract by the consent of the person concerned, processed 5. contrary to article 28, paragraph 4, sentence 1 data for purposes of advertising or market or opinion research or uses 6 contrary to section 30, paragraph 1, sentence 2, section 30a, paragraph 3, clause 3, or article 40, paragraph 2, sentence 3 brings together one there called a feature with a single claim or 7 violates article 42a set 1 is a message not that does not, not fully or not timely.
(3) the offence may in the case of paragraph 1 with a fine up to fifty thousand euro, in the cases of paragraph 2 with a fine, up to three hundred thousand euros are punished. The amount of the fine should exceed the economic advantage that the perpetrator of the offence has drawn. The amounts referred to in sentence 1 this is not enough, so they can be exceeded.

§ To enrich 44 penal provisions (1) who is a designated deliberate act for a fee or in the intention, himself or another in section 43, paragraph 2, or harming another, commits, is punishable by up to two years, or punished with fines.
(2) the Act will be prosecuted only upon application. Eligible to apply are the person concerned, the responsible body, the Federal Commissioner for data protection and freedom of information and the authority.
Sixth section transitional provisions article 45 are ongoing uses surveys, processing or use of personal data, which have already begun on May 23, 2001, to bring within three years after that date with the provisions of this Act in accordance. As far as provisions of this Act in legislation outside the scope of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons in the processing of personal data and on the free movement of data to the application reach elevations are to bring the processing or use of personal data, which have already begun on May 23, 2001, within five years after that date with the provisions of this Act in accordance.

Section 46 the term file is used in special legal provisions of the Federation continuing applicability of definitions (1), file 1 is a collection of personal data, which are evaluated by automated procedures according to specific characteristics can (automated file), or 2. any other collection of personal data which is homogeneous and (non-automated file) may be arranged according to certain characteristics, rearranged, and evaluated.
Not these files and file collections include, except that they can be rearranged and evaluated by automated procedures.
(2) special legal provisions of the Covenant the term used in file file is any document serving official or official purposes which falls under not the file term of paragraph 1; This includes also image and sound carriers. Not include drafts and notes that are not part of an operation fall.
(3) is used in special legal provisions of the Covenant the term recipient, recipient is any person or body outside of the responsible authority. Recipients are not the person concerned as well as persons and organisations that collect personal data on behalf of domestically, in another Member State of the European Union or in another Contracting State to the agreement on the European economic area, process or use.

Section 47 is transitional arrangements for the processing and use before 1 September 2009 collected or stored data section 28 in the previously applicable version continue to use 1 for purposes of market research or opinion research up to August 31, 2010, 2. for purposes of advertising up to August 31, 2012.

Section 48 report of the Federal Government the Federal Government the Bundestag 1 until December 31, 2012 reported the impact of sections 30a and 42a, 2. until 31 December 2014, about the effects of the changes of sections 28 and 29.
Unless the Federal Government recommend legislative measures from the point of view, the report should contain a proposal.

Plant (to § 9 set 1) (site of the original text: BGBl. I 2003, 88, regarding the details of the changes see footnote) personal data is automatically processed or used, is the domestic regulatory or internal organization to ensure that it meets the special requirements of data protection. In particular, measures are to meet, according to the type of protected personal data or categories of data are suitable, 1 personal data processed unauthorised access to computers, that or be used to deny (access control), to prevent that data processing systems by unauthorised persons can be used (access control), to ensure that the use of a data processing system can access entitled only to the data covered by their access authorisation 3. 2. , and that personal data during processing, use and after the unauthorized reading, copying, modification or removal are to (access control), and 4 to ensure that personal data in the electronic transmission or during their transport and their storage on disk unauthorized read, can be copied, modified or removed, and that can be reviewed and determined, which places a transmission of personal data by facilities for data transmission (transmission control) is intended , 5. to ensure that subsequently checked and can be determined, whether and by whom entered personal data in data processing systems, altered or removed been are (input control), to ensure that personal data are processed, the order can be processed only in accordance with the instructions of the client (job control), 7 to ensure that personal data against accidental destruction or loss (availability control) are protected to ensure 8 6 , that data collected can be processed separately for different purposes.
A measure number 2 to 4 is particularly the use of State of the art encryption process pursuant to sentence 2.