Federal Data Protection Act

Original Language Title: Bundesdatenschutzgesetz

Federal Data Protection Act (BDSG)

Unofficial table of contents

BDSG

Date of completion: 20.12.1990

Full quote:

"Bundesdatenschutzgesetz (Federal Data Protection Act) in the version of the Notice dated 14 January 2003 (BGBl. 66), most recently amended by Article 1 of the Law of 25 February 2015 (BGBl. 162)"

Status: New by Bek. v. 14.1.2003 I 66;
Last amended by Art. 1 G v. 25.2.2015 I 162

Footnote

(+ + + Text evidence from: 1.6.1991 + + +) 

The G was decided as Art. 1 of G v. 20.12.1990 I 2954 of the Bundestag with the consent of the Bundesrat; § 10 (4) sentence 3 and 4 is on the first day of the twenty-fourth calendar month following the proclamation, in other words on the first day of the sixth calendar month following the announcement. Art. 6 (2) sentence 1 and 2 G v. 20.12.1990 I 2954 entered into force. The G was announced on 29.12.1990.

Content Summary

First section
General and common provisions
§ 1 Purpose and scope of the law
§ 2 Public and non-public bodies
§ 3 Other definitions
§ 3a Data avoidance and data economy
§ 4 Admissibility of data collection, processing and use
Section 4a Consent
§ 4b Transfer of personal data to foreign countries as well as to over-and inter-governmental bodies
§ 4c Exceptions
§ 4d Reporting obligation
§ 4e The content of the reporting requirement
§ 4f Data protection officer
§ 4g Duties of the Data Protection Officer
§ 5 Data secrecy
§ 6 Rights of the person concerned
§ 6a Automated individual decision
§ 6b Observation of publicly accessible rooms with optical-electronic devices
§ 6c Mobile personal storage and processing media
§ 7 Compensation
§ 8 Compensation for automated data processing by public authorities
§ 9 Technical and organisational measures
§ 9a Privacy Audit
§ 10 Setup of automated retrieval procedures
§ 11 Collection, processing or use of personal data on behalf of
Second section
Data processing of public authorities
First subsection
Legal bases for data processing
§ 12 Scope
§ 13 Data collection
§ 14 Data storage, modification and use
§ 15 Data transmission to public authorities
§ 16 Data transfer to non-public bodies
§ 17 (dropped)
§ 18 Implementation of data protection in the federal administration
Second subsection
Rights of the person concerned
§ 19 Information to the person concerned
§ 19a Notification
§ 20 Rectification, erasure and blocking of data; right of objection
Section 21 Call of the Federal Commissioner for Data Protection and Freedom of Information
Third Subsection
Federal Commissioner for Data Protection and Freedom of Information
Section 22 Election of the Federal Commissioner for Data Protection and Freedom of Information
Section 23 Legal status of the Federal Commissioner for Data Protection and Freedom of Information
§ 24 Control by the Federal Commissioner for Data Protection and Freedom of Information
Section 25 Complaints by the Federal Commissioner for Data Protection and Freedom of Information
Section 26 Further tasks of the Federal Commissioner for Data Protection and Freedom of Information
Third Section
Data processing of non-public bodies and public-sector competition undertakings
First subsection
Legal bases for data processing
§ 27 Scope
§ 28 Data collection and storage for your own business purposes
Section 28a Data transfer to credit agencies
§ 28b Scoring
§ 29 Business data collection and storage for the purpose of transmission
§ 30 Commercial data collection and storage for the purpose of transmission in anonymised form
§ 30a Business data collection and storage for market or opinion research purposes
Section 31 Special purpose binding
Section 32 Data collection, processing and use for purposes of employment
Second subsection
Rights of the person concerned
§ 33 Notification of the person concerned
Section 34 Information to the person concerned
§ 35 Rectification, erasure and blocking of data
Third Subsection
Supervisory authority
§ § 36 and 37 (dropped)
§ 38 Supervisory authority
Section 38a Rules of conduct for the promotion of the implementation of data protection regulations
Fourth Section
Special provisions
§ 39 Earmarking of personal data subject to professional or special official secrecy
§ 40 Processing and use of personal data by research institutions
Section 41 Collection, processing and use of personal data by the media
§ 42 Data Protection Officer of Deutsche Welle
§ 42a Obligation to provide information in the event of improper knowledge acquisition of data
Fifth Section
Final provisions
Section 43 Fines
Section 44 Criminal provisions
Sixth Section
Transitional provisions
§ 45 Current uses
Section 46 Retribution of definitions
§ 47 Transitional arrangements
§ 48 Report of the Federal Government
Annex (to § 9 sentence 1)

First section
General and common provisions

§ 1 Purpose and scope of the law

(1) The purpose of this law is to protect the individual from having his or her personal rights adversely affected by the handling of his or her personal data.
(2) This law applies to the collection, processing and use of personal data by
1. public authorities of the federal government,
2. public authorities of the Länder, insofar as data protection is not regulated by national law and insofar as it is
   a) federal law, or
   b) as organs of the administration of justice and are not administrative matters,
3. non-public authorities, insofar as they process, use or collect the data using data processing systems, or process, use or collect the data in or from non-automated files, unless the collection, processing or use of the data is done exclusively for personal or family activities.
(3) In so far as other federal legislation is applicable to personal data, including publication thereof, they shall comply with the provisions of this Act. The obligation to maintain legal confidentiality obligations or of professional or special official secrecy which is not based on statutory provisions remains unaffected.
(4) The provisions of this law go to those of the Administrative procedural law, insofar as personal data are processed in the determination of the facts.
(5) This law shall not apply, provided that an entity situated in another Member State of the European Union or in another Contracting State of the Agreement on the European Economic Area collects, processes or uses personal data in Germany, unless this is done by an establishment domestically. This Act shall apply, provided that a responsible body which is not situated in a Member State of the European Union or in another State Party to the Agreement on the European Economic Area collects, processes or uses personal data domestically. As far as the responsible body is to be mentioned under this law, information about domestians resident in Germany shall also be provided. The sentences 2 and 3 shall not apply if data carriers are only used for the purpose of transit through the national territory. Section 38 (1) sentence 1 shall remain unaffected.

§ 2 Public and non-public bodies

(1) Public authorities of the Federal Government are the authorities, the organs of the administration of justice and other publicly-legally organized institutions of the federal government, the federal bodies, institutions and foundations of public law, as well as their associations irrespective of their legal form. As public authorities, the companies resulting from the special fund Deutsche Bundespost are subject to the law as long as they are entitled to an exclusive right under the Postal Law.
(2) Public authorities of the Länder are the authorities, the institutions of the administration of justice and other bodies organised by public law in a country, a municipality, a community association and other legal persons under public law under the supervision of the country, and their associations regardless of their legal form.
(3) Associations of private law of public authorities of the Federal Government and of the Länder, which carry out tasks of the public administration, shall be deemed to be public authorities of the Federal Government, irrespective of the participation of non-public bodies, if:
1. they operate beyond the territory of a country, or
2. the federal government owns an absolute majority of the shares, or an absolute majority of the votes is granted.
Otherwise, they shall be deemed to be public bodies of the countries.
(4) Non-public bodies shall be natural and legal persons, companies and other persons' associations of private law, in so far as they do not fall within the provisions of paragraphs 1 to 3. If a non-public body carries out public administration tasks, it shall be public authority within the meaning of this Act.

§ 3 Further definitions

(1) Personal data are details of personal or factual circumstances of a specific or identifiable natural person (person concerned).
(2) Automated processing is the collection, processing or use of personal data using data processing systems. A non-automated file is any non-automated collection of personal data which is of the same type and which can be accessed and evaluated in accordance with certain characteristics.
(3) Collection is the gathering of data on the person concerned.
(4) Processing is the storage, modification, transfer, blocking and deletion of personal data. In detail, regardless of the procedures used:
1. Storage: the collection, recording, or storage of personal data on a data carrier for the purpose of its further processing or use,
2. Modification: changing the content of stored personal data,
3. Transfer: the disclosure of personal data stored or obtained by data processing to a third party in such a way that:
   a) the data is passed on to the third party; or
   b) the third party views or retrieves data held for inspection or retrieval,
4. Blocking: the identification of stored personal data in order to restrict their further processing or use,
5. Deletion: the unmistakable amount of stored personal data.
(5) Use is any use of personal data in so far as it is not processing.
(6) Anonymization is the modification of personal data in such a way that the individual data on personal or factual circumstances can no longer be attributed, or can only be attributed with a disproportionately large amount of time, costs and work force, to a specific or determinable natural person.
(6a) Pseudonymisation is the replacement of the name and other identification features by a mark for the purpose of excluding the determination of the person concerned; or
(7) Responsible body is any person or entity that collects, processes or uses personal data for itself or has this done on its behalf by others.
(8) Recipient is any person or entity that obtains data. The third party is any person or body outside the responsible body. Third parties are not the persons concerned and persons and bodies responsible for personal data on behalf of the European Union, in another Member State of the European Union or in another Contracting State of the Agreement on the European Economic Area. collect, process or use.
(9) Special types of personal data are information on racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life.
(10) Mobile personal storage and processing media are volumes,
1. that are spent on those affected,
2. on which personal data beyond storage can be processed automatically by the issuing or another entity, and
3. where the person concerned can only influence this processing through the use of the medium.
(11) Employees are:
1. workers,
2. for their vocational training,
3. Participants in the benefits of participation in working life as well as explanations of professional aptitude or work experience (rehabilitation students and rehabilitation centres),
4. in recognised workshops for disabled people,
5. in accordance with the Youth Voluntary Service Act,
6. persons who, because of their economic independence, are to be regarded as persons-like persons; these include those employed in home employment and those who are equal to them,
7. applicants for an employment relationship as well as persons whose employment relationship has ended,
8. Civil servants, civil servants, judges and judges of the Federal Government, soldiers and civil servants.

§ 3a Data avoidance and data economy

The collection, processing and use of personal data and the selection and design of data processing systems shall be aligned with the objective of collecting, processing or using as little personal data as possible. In particular, personal data are to be anonymized or pseudonymized, insofar as this is possible according to the intended use and does not require a disproportionate effort in relation to the intended protection purpose.

§ 4 Admissibility of data collection, processing and use

(1) The collection, processing and use of personal data are only permitted insofar as this law or any other legislation permits or arranges this or the data subject has consented to it.
(2) Personal data are to be found in the data subject. to the public. Without their participation, they may only be collected if:
1. it provides for, or necessarily requires, a legal provision; or
2. a) the administrative task of its kind to be fulfilled, or the business purpose, requires a survey among other persons or bodies; or
   b) the survey would require a disproportionate effort in the case of the data subject
and there is no evidence to suggest that the overriding legitimate interests of the person concerned are affected.
(3) If personal data are collected from the person concerned, he shall, if he has not already been informed in any other way, be informed by the responsible body of
1. the identity of the responsible body,
2. the purposes of the collection, processing or use, and
3. the categories of recipients only, to the extent that the person concerned does not have to count on the transmission to the individual case in accordance with the circumstances of the case.
If personal data are collected from the person concerned on the basis of a legal provision which is obliged to provide information, or if the provision of the information is a precondition for the granting of legal benefits, the person concerned shall, otherwise, be subject to the following: the voluntary nature of its information. Where necessary or on request in the circumstances of the individual case, he shall be informed of the legislation and of the consequences of the refusal to provide information.

§ 4a Consent

(1) The consent shall be effective only if it is based on the free choice of the person concerned. It shall be referred to the intended purpose of the collection, processing or use and, where necessary in the circumstances of the individual case or on request, for the consequences of the denial of consent. The consent shall be given in writing, unless a different form is appropriate due to special circumstances. If the consent is to be given in writing together with other declarations, it should be particularly emphasized.
(2) In the field of scientific research, a special circumstance within the meaning of the third sentence of paragraph 1 shall also be provided if the written form of the particular research purpose would be significantly affected. In this case, the notice referred to in the second sentence of paragraph 1 and the reasons resulting from the significant impairment of the particular research purpose shall be recorded in writing.
(3) Insofar as special types of personal data (§ 3 (9)) are collected, in addition, the consent must expressly refer to this data.

§ 4b Transfer of personal data abroad as well as to over-or inter-governmental bodies

(1) For the transfer of personal data to bodies
1. in other Member States of the European Union,
2. in other Contracting States to the Agreement on the European Economic Area, or
3. of the institutions and bodies of the European Communities
§ 15 (1), § 16 (1) and §§ 28 to 30a shall apply in accordance with the laws and agreements in force for this transmission, in so far as the transmission is carried out within the scope of activities which are wholly or partly within the scope of the law of the
(2) For the transfer of personal data to bodies referred to in paragraph 1 which do not take place in the context of activities falling within the scope of the law of the European Communities, in whole or in part, as well as any other foreign or national or inter-governmental bodies, paragraph 1 shall apply accordingly. In so far as the person concerned has a legitimate interest in the exclusion of the transmission, the transmission shall not be provided, in particular where an adequate level of data protection is not ensured in the case of the bodies referred to in the first sentence. Sentence 2 shall not apply if the transmission to fulfil its own functions of a public body of the Federal Government for imperative reasons of defence or the fulfilment of obligations in the field of crisis management over or in the case of international or international public authorities or conflict prevention or humanitarian action.
(3) The adequacy of the level of protection shall be assessed in the light of all the circumstances in the case of a data transfer or a category of data transfer of importance; in particular, the nature of the data, the purpose of the data, the duration of the planned processing, the country of origin and the final destination, the legal standards in force for the recipient in question and the rules and security measures applicable to it.
(4) In the cases of § 16 para. 1 No 2 shall inform the person concerned of the transmission of his data to the person concerned. This shall not apply if it is to be expected that he becomes aware of this in other ways, or if the information would endanger public safety or would otherwise be detrimental to the good of the federal or a country.
(5) Responsibility
(6) The body to which the data is transmitted shall be informed of the purpose for which the data are to be transmitted.

§ 4c Exceptions

(1) In the context of activities which fall within the scope of the law of the European Communities in whole or in part, a transfer of personal data to entities other than those referred to in Article 4b (1), even if they include them, shall be subject to the following: the appropriate level of data protection shall not be guaranteed, provided that:
1. the person concerned has given his consent,
2. the transfer is necessary for the performance of a contract between the person concerned and the responsible body or for the implementation of pre-contractual measures taken at the initiative of the person concerned,
3. the transfer is necessary for the conclusion or the performance of a contract which, in the interest of the person concerned, has been or is to be closed by the responsible body with a third party;
4. the transmission is necessary for the protection of an important public interest or for the assertion, exercise or defence of legal claims in the courts,
5. the transmission is necessary for the maintenance of vital interests of the person concerned; or
6. the transmission is made from a register intended for public information and is open to the public, either to the general public or to all persons who can demonstrate a legitimate interest, to the extent that legal requirements are given in individual cases.
The body to which the data is transmitted shall be informed that the data transmitted may be processed or used only for the purpose of which it is to be transmitted.
(2) Without prejudice to the first sentence of paragraph 1, the competent supervisory authority shall authorise individual transfers or certain types of transfer of personal data to entities other than those referred to in Article 4b (1) if the responsible body provides sufficient guarantees with regard to the protection of personal rights and the exercise of the rights attaching thereto; the guarantees may arise, in particular, from contractual clauses or binding company rules. The Swiss Federal Commissioner for Data Protection and Freedom of Information is responsible for the postal and telecommunications companies. If the transmission is to be carried out by public authorities, they shall carry out the examination in accordance with the first sentence of sentence 1.
(3) The Länder shall notify the Federal Government of the decisions taken pursuant to the first sentence of paragraph 2.

§ 4d Reporting obligation

(1) Procedures of automated processing shall be carried out by non-public authorities in the competent supervisory authority and by public authorities in the federal government and by the postal and public authorities before they are put into service. Telecommunications companies to report to the Federal Commissioner for Data Protection and Freedom of Information in accordance with § 4e.
(2) The reporting obligation is not required if the responsible body has ordered a data protection officer.
(3) The reporting obligation shall also be waived if the responsible body is responsible for personal data, for its own purposes, collects, processes or uses it, usually employing at most nine persons continuously with the collection, processing or use of personal data and either with the consent of the person concerned or by the person concerned.
(4) The provisions of paragraphs 2 and 3 shall not apply if they are to be considered as having been the subject of the following: automated processing operations in which personal data from the respective post
1. for the purpose of transmission,
2. for the purpose of anonymized transmission, or
3. for the purposes of market or opinion research
(5) Insofar as automated processing presents specific risks to the rights and freedoms of the persons concerned, they shall be subject to the examination before the start of the processing (prior checking). Prior checking shall be carried out, in particular, if:
1. particular types of personal data (§ 3 (9)), or
2. the processing of personal data is intended to assess the personality of the person concerned, including his or her abilities, performance or behaviour;
unless there is a legal obligation or consent of the person concerned, or the collection, processing or use for the justification, execution or termination of a legal or legal business-like
(6) The data protection officer is responsible for pre-checking. After receipt of the overview according to § 4g (2) sentence 1, the pre-inspection shall take the form of the prior check. In case of doubt, he has to address the supervisory authority or the postal and telecommunications companies to the Federal Commissioner for Data Protection and Information Freedom.

§ 4e Content of the reporting obligation

Where automated processing procedures are subject to reporting, the following information shall be provided:
1. name or company of the responsible body,
2. Holders, directors, directors or other legal persons or directors appointed in accordance with the constitution of the company and the persons responsible for the management of the data processing,
3. the address of the responsible body,
4. Appropriate provisions for data collection, processing or use,
5. a description of the categories of persons concerned and the relevant data or data categories;
6. the recipients or categories of recipients to whom the data may be communicated;
7. Deadlines for the erasure of data,
8. a planned data transfer to third countries,
9. a general description which makes it possible to assess on a provisional basis whether the measures provided for in Article 9 are appropriate in order to ensure the security of processing.
Section 4d (1) and (4) shall apply mutatis mutandis to the change in the information communicated in accordance with the first sentence and for the date on which the reporting obligation is received and the date of termination of the activity.

§ 4f Data Protection Officer

(1) Public and non-public bodies which process personal data in an automated manner shall have a data protection officer to order in writing. Non-public authorities shall be obliged to do so at the latest within one month of commencement of their activities. The same applies if personal data are collected, processed or used in other ways, and thus usually at least 20 persons are employed. Sentences 1 and 2 shall not apply to non-public bodies which, as a rule, employ no more than nine persons permanently with the automated processing of personal data. To the extent required by the structure of a public authority, the appointment of a data protection officer shall be sufficient for a number of areas. Where non-public bodies carry out automated processing which is subject to prior checking, or process personal data in an automated way for the purpose of transmission, anonymized transmission or for the purposes of market or opinion research, they have to appoint a data protection officer for data protection irrespective of the number of persons employed with automated processing.
(2) Only ordered to the data protection officer who are required to carry out the tasks required to carry out their duties; and Reliability. The measure of the required technical customer is determined, in particular, according to the extent of the data processing of the responsible body and the protection requirement of the personal data which the responsible body collects or uses. The person responsible for data protection may also appoint a person outside the responsible body; the control shall also cover personal data relating to a professional or special official secrecy, in particular: Tax secrecy in accordance with § 30 of the Tax Code. Public authorities may, with the consent of their supervisory authority, appoint a staff member from a different public authority to the data protection officer.
(3) The data protection officer shall be the head of the public or public authorities. non-public body directly. He is free of instructions in the exercise of his or her technical expertise in the field of data protection. It must not be penalised because of the performance of its duties. The appointment to the Data Protection Officer can be revoked in the appropriate application of Section 626 of the Civil Code, in the case of non-public bodies, also at the request of the Supervisory Authority. If a data protection officer is to be appointed in accordance with paragraph 1, the termination of the employment relationship shall be inadmissible unless facts exist which the responsible body for termination for good reason without observance of a period of notice. After the dismissal as agent for data protection, the termination within one year after the termination of the order is inadmissible unless the responsible body for termination for important reason without compliance with a notice period is justified. In order to maintain the technical knowledge required for the performance of its tasks, the responsible body must allow the data protection officer to participate in continuing and continuing training events and to take over their costs.
(4) The person responsible for data protection is obliged to secrecy about the identity of the person concerned and about circumstances which permit conclusions to be drawn to the person concerned, unless he is exempted from it by the person concerned.
(4a) Insofar as the person concerned is Data protection officer shall, in his activity, be informed of the data for which the data is received If, for professional reasons, a person employed by the public or non-public sector is entitled to refuse to give evidence, this right shall also be granted to the Data Protection Officer and its auxiliary staff. The person who is entitled to the right to refuse to give evidence on professional grounds shall decide on the exercise of that right, unless that decision cannot be brought about in the foreseeable future. Insofar as the data protection officer's right of denial is sufficient, his/her files and other documents are subject to a prohibition of seizure.
(5) The public and non-public authorities have the data protection officer to assist in the performance of its duties and, in particular, to provide assistance staff and spaces, facilities, equipment and means to the extent necessary for the performance of its tasks. Interested parties can contact the Data Protection Officer at any time.

§ 4g Tasks of the Data Protection Officer

(1) The Data Protection Officer shall have an effect on compliance with this law and other provisions on data protection. To this end, the Data Protection Officer may, in case of doubt, contact the competent authority responsible for the data protection control at the responsible body. He can take advantage of the advice according to § 38 (1) sentence 2. It shall in particular:
1. to monitor the proper application of the data processing programmes with which personal data is to be processed; to that end, it shall be required in due time for projects relating to the automated processing of personal data; teaching,
2. The person working in the processing of personal data shall be familiar with the provisions of this Act and other provisions on data protection and the specific requirements of data protection through appropriate measures.
(2) The Data Protection Officer shall be provided by the responsible body with an overview of the particulars referred to in § 4e sentence 1 as well as of persons entitled to access. The Data Protection Officer shall make the information available to everyone in accordance with § 4e, sentence 1, No. 1 to 8, on request.
(2a) Insofar as no obligation to appoint a data protection officer is required in a non-public body
(3) The second sentence of paragraph 2 shall not apply to the authorities referred to in Article 6 (2), second sentence, of the said authorities. The second sentence of paragraph 1 shall apply with the proviso that the Data Protection Officer shall consult with the Head of the Authority; in the event of a disagreement between the Data Protection Officer and the Head of Government, the supreme federal authority decides.

§ 5 Data secrecy

The persons employed in the data processing are prohibited from collecting, processing or using personal data without authorisation (data secrecy). These persons shall, in so far as they are employed in the case of non-public authorities, commit themselves to the obligation of data secrecy when they take up their duties. The confidentiality of the data shall continue even after the end of its activity.

§ 6 Rights of the person concerned

(1) The rights of the person concerned for information (§§ 19, 34) and for rectification, erasure or blocking (§§ 20, 35) cannot be excluded or limited by legal business.
(2) The data of the person concerned are automated in the manner If the person concerned is not in a position to determine where the data has been stored, he or she may contact any of those posts. This is obliged to forward the person concerned to the place where the data has been stored. The person concerned shall be informed of the forwarding and the position of the person concerned. The authorities referred to in Article 19 (3), the authorities of the Public Prosecutor's Office and the police, as well as public authorities of the financial administration, insofar as they provide personal data in the performance of their legal tasks within the scope of the tax code for monitoring and checking, the Federal Commissioner for Data Protection and Freedom of Information may be informed instead of the person concerned. In this case, the further procedure is governed by Section 19 (6).
(3) Personal data relating to the exercise of a right of the person concerned arising from this Act or from any other provision on data protection may only be used for the purpose of complying with the obligations of the responsible body arising from the exercise of the law.

§ 6a Automated individual decision

(1) Decisions which result in a legal consequence for the person concerned or significantly impair him may not be based exclusively on the automated processing of personal data, which shall be based on the evaluation of individual data. Personality traits serve. A decision based solely on an automated processing is in particular present if there has been no assessment of the content and the decision based on it by a natural person. (2) This does not apply if:
1.
the decision was taken in the context of the conclusion or the performance of a contractual relationship or other legal relationship and the decision was granted to the person concerned; or
2.
the protection of the legitimate interests of the person concerned by means of appropriate measures is ensured and the responsible body informs the person concerned of the existence of a decision within the meaning of paragraph 1 and, on request, the main reasons for this decision shall be communicated and explained.
(3) The right of the data subject to be informed in accordance with § § 19 and 34 also extends to the logical structure of the automated processing of the data concerning him.

§ 6b Observation of publicly accessible rooms with optical-electronic devices

(1) The observation of publicly accessible rooms with optical-electronic devices (video surveillance) shall be permitted only where they are
1.
for the task of filling public authorities,
2.
for the exercise of the right of home or
3.
on the exercise of legitimate interests for specific purposes
(2) The fact of the observation and the responsible body must be identified by appropriate measures. (3) The processing or use of the data is necessary. the data collected in accordance with paragraph 1 shall be admissible if it is necessary to achieve the objective pursued and if there are no indications that the interests of the persons concerned are predominant. For a different purpose, they may only be processed or used to the extent necessary to prevent threats to public and public security as well as to the prosecution of criminal offences. (4) Data relating to a specific person is to be notified of a processing or use in accordance with § § 19a and 33. (5) The data must be deleted immediately if it is no longer necessary to achieve the purpose or the protection of the interests of the persons concerned in order to prevent further storage.

§ 6c Mobile personal storage and processing media

(1) The body issuing a mobile personal storage and processing medium or applying to the medium a method for the automated processing of personal data which runs in whole or in part on such a medium, amends or has to do so, the person concerned must:
1.
on their identity and address,
2.
in a generally comprehensible manner on the functioning of the medium, including the nature of the personal data to be processed,
3.
about how he can exercise his rights in accordance with § § 19, 20, 34 and 35, and
4.
on the measures to be taken in the event of loss or destruction of the medium
insofar as the person concerned has not already been informed. (2) The body responsible under paragraph 1 shall ensure that the equipment or facilities necessary for the exercise of the right of access to the (3) the communication processes that trigger data processing on the medium must be clearly identifiable for the person concerned.

§ 7 Compensation

If a responsible body deals damage to the person concerned by means of a collection, processing or use of his personal data which is illegal or incorrect under this Act or in accordance with other provisions relating to data protection, the person concerned shall be liable to the effect of or their institution is obliged to pay compensation to the person concerned. In so far as the responsible body has taken care of the care provided in accordance with the circumstances of the case, the replacement obligation shall not be required.

§ 8 Compensation for automated data processing by public authorities

(1) Inserts a responsible public body to the person concerned by means of an automated collection, processing or use of his or her personal data, which is illegal or incorrect in accordance with this law or in accordance with other provisions relating to data protection. (2) In the event of a serious breach of the personal right of the person concerned, the person concerned shall be liable for the damage which is not the property of the person concerned. in cash. (3) The claims referred to in paragraphs 1 and 2 shall be total is limited to an amount of EUR 130,000. If, on the basis of the same event, compensation is to be paid to a number of persons who, in total, exceed the maximum amount of EUR 130,000, the individual compensation benefits shall be reduced in proportion to the total amount to which the sum of the compensation is to be paid. (4) If, in the case of automated processing, several places are entitled to storage and the injured party is not in a position to establish the storage place, each of these bodies shall be liable. (5) Damage caused by the fault of the person concerned is subject to § 254 of the Civil (6) The statute of limitations shall apply to the statute of limitations of the Civil Code applicable to unauthorised acts.

§ 9 Technical and organisational measures

Public and non-public bodies which collect, process or use personal data themselves or on behalf of the contract shall take the technical and organisational measures necessary to ensure that the rules are implemented. of this law, in particular the requirements set out in the annex to this Act. Measures shall be required only if their expenditure is proportionate to the intended purpose of protection.

§ 9a Data Protection Audit

In order to improve data protection and data security, providers of data processing systems and programmes and data processing bodies may be able to develop their data protection concept and their technical facilities by means of independent and authorised data processing systems. Review and evaluate the verifier as well as publish the results of the review. The more detailed requirements for the examination and evaluation, the procedure as well as the selection and approval of the reviewers are governed by special law.

§ 10 Establishment of automated retrieval procedures

(1) The establishment of an automated procedure enabling the transfer of personal data by retrieval shall be permitted in so far as this procedure takes into account the legitimate interests of the persons concerned and of the tasks or activities of the persons concerned, or the business of the bodies involved is appropriate. The rules on the admissibility of the individual withdrawal shall remain unaffected. (2) The bodies involved shall ensure that the admissibility of the retrieval procedure can be controlled. To this end they shall specify in writing:
1.
The occasion and purpose of the retrieval procedure,
2.
Third party to which it is sent,
3.
the nature of the data to be transmitted,
4.
in accordance with § 9, technical and organisational measures.
In the public sector, the necessary provisions may also be made by the specialist supervisory authorities. (3) The establishment of retrieval procedures is in cases involving the bodies referred to in Article 12 (1) of this Directive, which shall: The Federal Commissioner for Data Protection and Freedom of Information shall be informed in the light of the provisions of paragraph 2. The establishment of retrieval procedures in which the bodies referred to in § 6 para. 2 and in § 19 para. 3 are involved is only admissible if the respective federal or state ministry responsible for the storage and the retrieving body has agreed to (4) The responsibility for the admissibility of the individual withdrawal shall be borne by the third party to whom the information is transmitted. The storage body shall examine the admissibility of the calls only if there is reason to do so. The storage body shall ensure that the transmission of personal data can be determined and verified, at least by means of appropriate sampling procedures. Where a complete set of personal data is obtained or transmitted (batch processing), the guarantee of the determination and verification shall only relate to the admissibility of the retrieval or the transmission of the total stock. (5) The Paragraphs 1 to 4 shall not apply to the retrieval of publicly available data. Generally accessible are data that anyone can use, whether without or after prior registration, admission or payment of a pay.

§ 11 Collection, processing or use of personal data on behalf of

(1) If personal data is collected, processed or used by other bodies on behalf of other entities, the client shall be responsible for the compliance with the provisions of this law and other provisions on data protection. The rights referred to in § § 6, 7 and 8 shall be asserted against him. (2) The contractor shall be carefully selected with special regard to the suitability of the technical and organizational measures taken by him. The contract shall be given in writing, specifying in particular the following:
1.
the object and the duration of the contract;
2.
the scope, nature and purpose of the proposed collection, processing or use of data, the nature of the data and the circle of the persons concerned,
3.
the technical and organisational measures to be taken in accordance with Article 9;
4.
the rectification, erasure and blocking of data,
5.
the obligations of the contractor in accordance with paragraph 4, in particular the checks to be carried out by the contractor,
6.
the eligibility for the justification of subcontracting conditions,
7.
the rights of control of the contracting authority and the corresponding duty and co-action obligations of the Contractor,
8.
Infringements of the provisions relating to the protection of personal data or against the provisions on the protection of personal data to be carried out by the Contractor or the persons employed by the Contractor,
9.
the scope of the authority which the contracting authority reserves vis-à-vis the contractor;
10.
the return of overmade volumes and the deletion of data stored by the contractor on completion of the order.
It may also be issued by the specialised supervisory authority in the case of public authorities. The contracting authority must satisfy itself prior to the start of the data processing and then on a regular basis from the compliance with the technical and organizational measures taken by the contractor. The result is to be documented. (3) The contractor may only collect, process or use the data within the framework of the instructions of the client. If he considers that a client's instruction violates this law or other provisions on data protection, he must immediately notify the client. (4) For the contractor, in addition to the § § 5, 9, 43 (1) no. 2, 10 and 11, para. 2 no. 1 to 3 and para. 3 and § 44 only the provisions relating to the control of data protection or supervision, namely for:
1.
a)
public bodies,
b)
non-public bodies in which the public authorities hold the majority of the shares, or where the majority of the votes belong, and where the contracting authority is a public body,
§ § 18, 24 to 26, or the corresponding provisions of the data protection laws of the Länder,
2.
the other non-public bodies, in so far as they collect, process or use personal data on behalf of a service company, in accordance with § § 4f, 4g and 38.
(5) Paragraphs 1 to 4 shall apply mutatis mutandis if the examination or maintenance of automated procedures or of data processing equipment is carried out by other bodies on the order, and in so doing not preclude access to personal data can be.

Second section
Data processing of public authorities

First subsection
Legal bases for data processing

§ 12 Scope

(1) The provisions of this section shall apply to public authorities of the Federation, insofar as they do not participate in the competition as public-law undertakings. (2) In so far as data protection is not governed by national law, § § 12 to 16 shall apply. 19 to 20 also for the public authorities of the countries where they are
1.
Federal law and not participate in the competition as public-law firms, or
2.
as organs of the administration of justice, and are not administrative matters.
(3) For the State Commissioner for Data Protection, Section 23 (4) shall apply mutatis mutandis. (4) Personal data shall be collected, processed or used for earlier, existing or future employment relationships, § 28 (2) (2) and § § 32 (2) shall apply. to 35 instead of § § 13 to 16 and 19 to 20.

§ 13 Data collection

(1) The collection of personal data shall be permissible if it is necessary to know that it is necessary to fulfil the tasks of the responsible body. (1a) If personal data are collected in a non-public place instead of the person concerned, the data shall be collected. (2) The provision of specific types of personal data (Section 3 (9)) shall only be permitted if: (2) The provision of personal data (Section 3 (9)) shall be subject to the obligation to provide information.
1.
a piece of legislation which provides for it or, for reasons of an important public interest, requires:
2.
the person concerned has consented in accordance with Section 4a (3),
3.
this is necessary for the protection of the vital interests of the person concerned or of a third party, provided that, for physical or legal reasons, the person concerned is not able to give his consent,
4.
it is data which the person concerned has publicly made public,
5.
this is necessary to avert a significant risk to public safety,
6.
this is absolutely necessary for the defence of significant disadvantages for the common good or for the protection of the considerable interests of the common good,
7.
this is necessary for the purposes of health care, medical diagnosis, healthcare or treatment, or for the management of health services, and the processing of such data by medical staff or by any other person who is subject to a corresponding obligation of secrecy,
8.
this is necessary for the implementation of scientific research, the scientific interest in carrying out the research project outweighs the interest of the person concerned in the exclusion of the survey and the purpose of the research cannot be achieved in any other way, or can only be achieved at a disproportionate cost, or
9.
This shall be necessary for imperative reasons of defence or the fulfilment of public or international obligations of a public body of the Federal Government in the field of crisis management or conflict prevention or for humanitarian action is.

§ 14 Data storage, change and use

(1) The storage, modification or use of personal data shall be permissible if it is necessary for the performance of the tasks within the competence of the responsible body and for the purposes for which the data have been collected . If no survey has been carried out, the data may only be changed or used for the purposes for which they have been stored. (2) The storage, modification or use for other purposes shall only be permitted if:
1.
it provides for, or necessarily requires, a piece of legislation;
2.
the person concerned has consented,
3.
it is clear that it is in the interest of the person concerned, and there is no reason to believe that it would, in the knowledge of the other purpose, refuse to give his consent,
4.
information of the person concerned must be checked, because there are actual indications of their inaccuracy,
5.
the data are generally accessible, or the responsible body should publish it, unless the legitimate interest of the person concerned clearly outweighs the exclusion of the purpose of the change,
6.
it is necessary to avert major disadvantages for the common good or a threat to public safety or to the protection of the public interest,
7.
for the prosecution of criminal offences or administrative offences, for the execution or enforcement of penalties or measures within the meaning of Section 11 (1) (8) of the Criminal Code or of educational measures or breeding funds in the sense of the the law on juvenile justice or the enforcement of decisions on fines,
8.
it is necessary for the defence of a serious impairment of the rights of another person; or
9.
it is necessary to carry out scientific research, the scientific interest in carrying out the research project substantially outweighs the interest of the person concerned in the exclusion of the purpose change and the purpose of the research project is to: Research in other ways cannot be achieved or can only be achieved with disproportionate effort.
(3) Processing or use for other purposes is not available if it serves the exercise of supervisory and control powers, the auditing of accounts or the carrying out of organization investigations for the responsible body. This also applies to the processing or use for training and examination purposes by the responsible body, insofar as there are no overriding legitimate interests of the person concerned. (4) Personal data, which are exclusively available for the purpose of The purpose of the data protection control, the data protection or to ensure the proper operation of a data processing system is to be used only for these purposes. (5) The storage, modification or use of Special types of personal data (§ 3 para. 9) for other purposes only permitted if:
1.
the conditions exist which would allow a survey in accordance with Article 13 (2) (1) to (6) or (9); or
2.
it is necessary to carry out scientific research, the public interest in carrying out the research project substantially outweighs the interest of the person concerned in the exclusion of the purpose change and the purpose of the research in other ways cannot be achieved or can only be achieved with disproportionate effort.
In the case of the weighing in accordance with the first sentence of the first subparagraph, the scientific interest in the research project shall be taken into account in the context of the public interest. (6) The storage, modification or use of special types of personal data (§ 3 (9)) for the purposes specified in § 13 para. 2 no. 7 shall be governed by the confidentiality requirements applicable to the persons referred to in § 13 para. 2 Nr. 7.

§ 15 Data transfer to public authorities

(1) The transfer of personal data to public authorities shall be permitted where:
1.
it is necessary to carry out the tasks within the competence of the transmitting body or the third party to which the data are transmitted; and
2.
the conditions exist which would allow use in accordance with § 14.
(2) The responsibility for the admissibility of the transmission shall be borne by the transmitting body. If the transmission is carried out at the request of the third party to which the data are transmitted, the latter shall bear the responsibility. In such a case, the transmitting body shall examine only whether the request for transmission is within the scope of the duties of the third party to which the data are transmitted, unless there is particular cause for consideration of the admissibility of the transmission. § 10 (4) remains unaffected. (3) The third party to whom the data is transmitted may process or use it for the purpose of which it is transmitted to it. Processing or use for other purposes is only permitted under the conditions laid down in Section 14 (2). (4) The provisions of paragraphs 1 to 3 shall apply to the transfer of personal data to bodies of the public-law religious companies. (5) Where personal data may be transmitted in accordance with paragraph 1, further personal data of the person concerned or of a personal data subject shall be provided for in accordance with the provisions of the following provisions. Third party is connected in such a way that separation is not possible or can only be done with undue effort , the transmission of such data shall be permitted, unless the legitimate interests of the person concerned or of a third party appear to outweigh the legitimate interests of the person concerned; the use of such data shall be inadmissible. (6) Paragraph 5 shall apply accordingly; when personal data is passed on within a public body.

§ 16 Data transfer to non-public bodies

(1) The transfer of personal data to non-public bodies shall be permitted where:
1.
it is necessary for the performance of the tasks within the competence of the authority to be notified and the conditions which would permit use in accordance with § 14, or
2.
the third party to whom the data is transferred credibly presents a legitimate interest in the knowledge of the data to be transmitted, and the person concerned has no interest in the exclusion of the transmission. By way of derogation from the first sentence of sentence 1, the transmission of special types of personal data (Section 3 (9)) is only permissible if the conditions for use pursuant to Article 14 (5) and (6) are fulfilled, or to the extent that this is the case for the purpose of the assertion, The exercise or defence of legal claims is required.
(2) The responsibility for the admissibility of the transmission shall be borne by the transmitting body. (3) In the cases of the transmission referred to in paragraph 1 (2), the transmitting body shall inform the person concerned of the transmission of his data. This shall not apply if it is to be expected that he will become aware of this in other ways, or if the information would endanger public safety or would otherwise be detrimental to the good of the federal or a country. (4) The third party, the data shall be transmitted, processed or used only for the purpose for which it is transmitted to it. The authority that has been notified must point out to him. Processing or use for other purposes shall be permitted if a transmission as referred to in paragraph 1 is admissible and the transmitting body has agreed.

§ 17

(dropped)

§ 18 Implementation of data protection in the Federal Administration

(1) The supreme federal authorities, the president of the federal railway assets, as well as the federal bodies, institutions and foundations of public law, on which only the federal government or a top federal authority Legal supervision shall be subject to the implementation of this Act and other data protection legislation for its business unit. The same applies to the management board of the Deutsche Bundespost special assets by law, as long as it is entitled to an exclusive right under the Postal Law. (2) The public authorities shall keep a list of the data processing systems used. For their automated processing, they shall specify the information in accordance with § 4e as well as the legal basis of the processing in writing. Automated processing for general administrative purposes, in which the right of access of the person concerned is not restricted in accordance with Section 19 (3) or (4), may be waited. For automated processing operations, which are carried out several times in the same or similar manner, the definitions can be combined.

Second subsection
Rights of the person concerned

§ 19 Information to the person concerned

(1) The person concerned shall be informed, on request, of
1.
the data stored on his/her person, including where they relate to the origin of such data;
2.
the recipients or categories of recipients to which the data is passed; and
3.
the purpose of storage.
The request shall be made more closely related to the type of personal data on which information is to be provided. If the personal data are neither automated nor stored in non-automated files, the information will only be provided in so far as the data subject makes the data available to enable the data to be found and the information provided for the purpose of issuing the information the necessary expenditure shall not be disproportionate to the information interest claimed by the person concerned. The responsible body determines the procedure, in particular the form of the exchange of information, at its discretion. (2) Paragraph 1 does not apply to personal data which are stored only because they are due to legal requirements, may not be deleted, or serve solely for the purpose of data protection or data protection control, and require a reasonable amount of information to be provided for information (3) If the exchange of information relates to the transmission of information Personal data to the Federal Intelligence Agency, the Federal Intelligence Service, the Military shielding service and, insofar as the security of the Federal Government is affected, other authorities of the Federal Ministry of Defence, it is only with the consent of (4) The exchange of information shall not be granted to the extent that:
1.
the information would endanger the proper performance of the tasks within the competence of the responsible body,
2.
the information would endanger public security or order or would otherwise be detrimental to the good of the federal government or a country; or
3.
the data or the fact of their storage must be kept secret, in accordance with a law or by their nature, in particular on account of the overriding legitimate interests of a third party;
and therefore the interest of the person concerned must be resigned in the course of the exchange of information. (5) The rejection of the exchange of information does not require a justification, insofar as the communication of the actual and legal reasons to which the decision is based does not need to be justified. , which would be jeopardised by the purpose of the refusal to provide information. In this case, the person concerned must be informed that he or she can contact the Federal Commissioner for Data Protection and Freedom of Information. (6) If no information is provided to the person concerned, it shall be at his request. To grant the Federal Commissioner for Data Protection and Freedom of Information, unless the respective responsible top federal authority determines in individual cases that this would jeopardize the security of the federal or a federal state. The Federal Commissioner's notice to the person concerned must not allow any conclusions to be drawn as to the state of knowledge of the responsible body, provided that the person concerned does not agree to further information. (7) The information is free of charge.

§ 19a Notification

(1) Where data are collected without knowledge of the person concerned, he shall be informed of the storage, the identity of the body responsible and of the purposes of the collection, processing or use. The person concerned shall also be informed about the recipients or categories of recipients of data, provided that he does not have to count on the transmission to them. Where a transmission is provided for, the notification shall be made at the latest by the first transmission. (2) A notification obligation shall not apply if:
1.
the person concerned has acquired knowledge of the storage or transmission in other ways,
2.
the information of the person concerned requires a disproportionate effort, or
3.
the storage or transmission of the personal data is expressly provided for by law.
The responsible body shall determine in writing the conditions under which a notification is to be waived pursuant to point 2 or 3. (3) § 19 (2) to (4) shall apply accordingly.

§ 20 Correction, erasure and blocking of data; right of objection

(1) Person-related data shall be corrected if they are incorrect. If it is established that personal data, which are neither processed automatically nor stored in non-automated files, are incorrect, or if their accuracy is disputed by the person concerned, this is appropriate in a suitable way. (2) Personal data that is automatically processed or stored in non-automated files shall be deleted if:
1.
their storage is inadmissible; or
2.
their knowledge of the body responsible for the performance of the tasks within their competence is no longer necessary.
(3) A blocking occurs to the place of deletion, to the extent that:
1.
Contrary to the deletion of statutory, statutory or contractual retention periods,
2.
There is reason to believe that the erasure would affect the interests of the person concerned, or
3.
Deletion due to the special nature of the storage is not possible or can only be deleted with disproportionately high effort.
(4) Personal data which are processed in an automated manner or are stored in non-automated files shall also be blocked, insofar as their accuracy is disputed by the person concerned and neither the accuracy nor the inaccuracy of the data subject to the data subject is (5) Personal data may not be collected, processed or used for automated processing or processing in non-automated files to the extent that the person concerned is responsible for the processing or processing of personal data in the responsible body contradicts and an examination shows that the interest of the person concerned because of its particular personal situation, the interest of the responsible body in this collection, processing or use outweighs the interest of the responsible body. Sentence 1 shall not apply if a law requires the collection, processing or use. (6) Person-related data which is neither automated nor stored in a non-automated file shall be blocked if the In the individual case, the authority determines that without the blocking of protection worthy interests of the person concerned would be affected and the data are no longer necessary for the task to be fulfilled by the authority. (7) Data which has been blocked may not be required by the authority of the competent authority. Data subject to be transmitted or used only if:
1.
it is essential for scientific purposes, to remedy an existing burden of proof or for other reasons which are in the overriding interest of the responsible body or for a third party, and
2.
the data should be transmitted or used for this purpose if it were not blocked.
(8) The correction of incorrect data, the blocking of disputed data and the erasure or blocking of the storage are to be understood by the authorities who, in the course of a data transmission, have these data for storage purposes. (9) § 2 (1) to (6), (8) and (9) of the Federal Archives Act (Bundesarchivgesetz) shall apply.

Section 21 Call to the Federal Commissioner for Data Protection and Freedom of Information

Anyone can contact the Federal Commissioner for Data Protection and Freedom of Information if he considers that his or her personal data is collected, processed or used by public authorities in the Federal Republic of Germany. Rights have been violated. For the collection, processing or use of personal data by federal courts, this applies only to the extent to which they are active in administrative matters.

Third Subsection
Federal Commissioner for Data Protection and Freedom of Information

Section 22 Election of the Federal Commissioner for Data Protection and Freedom of Information

(1) On a proposal from the Federal Government, the German Bundestag elects the Federal Commissioner for Data Protection and Freedom of Information with more than half of the legal number of its members. At the time of his election, the Federal Commissioner must have completed his 35th year of life. The Federal Commissioner is to be appointed by the Federal President. (2) The Federal Commissioner makes the following oath before the Federal Minister of the Interior:
" I swear that I will dedicate my power to the good of the German people, increase their usefulness, turn damage from it, uphold and defend the Basic Law and the laws of the Federation, faithfully fulfill my duties, and justice against Everyone will practice. So help me God. "
The oath of oath can also be carried out without any religious praying. (3) The term of office of the Federal Commissioner is five years. One-off re-election is permissible. (4) The Federal Commissioner is in accordance with this Act to the Federal Government in a public-law relationship. He is independent in the performance of his duties and is subject only to the law. He is subject to the legal supervision of the Federal Government. (5) The Federal Commissioner is established at the Federal Ministry of the Interior. He is subject to the official supervision of the Federal Ministry of the Interior. The Federal Commissioner is to be provided with the personnel and equipment necessary for the performance of his duties; it shall be shown in a separate chapter in the section of the Federal Ministry of the Interior. The positions shall be filled in agreement with the Federal Commissioner. Employees may, if they do not agree with the intended measure, be transferred, seconded or implemented only in agreement with him. (6) If the Federal Commissioner is temporarily prevented from carrying out his duties, he may not be able to of the Federal Minister of the Interior, appoint a representative to carry out the business. The Federal Commissioner is to be consulted. Unofficial table of contents

Section 23 Legal status of the Federal Commissioner for Data Protection and Freedom of Information

(1) The official relationship of the Federal Commissioner for Data Protection and Freedom of Information begins with the handing out of the appointment certificate. It ends
1.
at the end of the term,
2.
with the dismissal.
The Federal President shall dismiss the Federal Commissioner if he so requests, or on a proposal from the Federal Government if there are grounds which, in the case of a judge for life, would justify dismissal from the service. In the event of termination of the term of office, the Federal Commissioner will receive a document completed by the Federal President. A dismissal shall be effective with the handing out of the certificate. At the request of the Federal Minister of the Interior, the Federal Commissioner is obliged to carry on the business until his successor is appointed.
(2) The Federal Commissioner shall not, in addition to his office, hold any other salaried office or carry on any business, and shall not belong to the management, the supervisory board or the administrative board of a company that is intended for acquisition, or to a government or a legislative body of the federal or state governments.
(3) The Federal Commissioner has to inform the Federal Ministry of the Interior of any gifts he receives regarding his office. The Federal Ministry of the Interior decides on the use of the gifts.
(4) The Federal Commissioner is entitled to refuse to testify about persons who have entrusted facts to him in his capacity as Federal Commissioner, as well as about these facts themselves. This also applies to the employees of the Federal Commissioner, with the proviso that the Federal Commissioner decides on the exercise of this right. In so far as the Federal Commissioner's right to refuse to testify extends, the presentation or surrender of files or other documents may not be required of him.
(5) The Federal Commissioner is obliged, even after termination of his term of office, to maintain secrecy over the matters which have been officially notified to him. This shall not apply to communications in the field of service or to facts which are obvious or which do not require secrecy in their importance.
The Federal Commissioner, even if he is no longer in office, may not, without authorization from the Federal Ministry of the Interior, testify or make statements on such matters in or out of court. This is without prejudice to the legally justified obligation to report criminal offences and to intervene in the event of a threat to the free democratic basic order for their conservation. §§ 93, 97, 105 (1), § 111 (5) in conjunction with § 105 (1) and § 116 (1) of the German Tax Code do not apply to the Federal Commissioner and his employees. Sentence 5 shall not apply in so far as the financial authorities need the knowledge for the implementation of a procedure on the basis of a tax offence and of a related tax procedure, in the pursuit of which there is a compelling public interest, or in so far as it concerns intentionally incorrect information provided by the party responsible for the information or by the persons who are active for him. If the Federal Commissioner establishes a breach of data protection, he shall be entitled to report it and inform the person concerned about it.
(6) The authorisation to testify as a witness shall only be denied if the statement would be detrimental to the welfare of the Federal Government or of a German Land, or would seriously jeopardise the performance of public tasks or seriously complicate it. The authorisation to give an opinion may be denied if giving it would be detrimental to the interests of the service. § 28 of the Federal Constitutional Court Act shall remain unaffected.
(7) The Federal Commissioner shall receive, from the beginning of the calendar month in which the official relationship begins until the end of the calendar month in which the official relationship ends, or in the case of paragraph 1 sentence 6 until the end of the month in which the management ends, remuneration in the amount awarded to a Federal official of grade B 9.
The Federal Travel Cost Act and the Federal Law for the Environment of the Federal Republic of Germany are to be applied accordingly. In addition, § 12 (6) as well as §§ 13 to 20 and 21a (5) of the Federal Minister's Law shall apply with the measures that a term of office of five years and to the position of the four-year term of office in § 15 para. 1 of the Federal Minister's Law shall be replaced by the In Section 21a (5) of the Federal Ministers' Act, grade B 11 is replaced by grade B 9. By way of derogation from the third sentence in conjunction with Sections 15 to 17 and 21a (5) of the Federal Ministers' Act, the Federal Commissioner's pension shall be calculated on the basis of the term of office as a pensionable period of service in the appropriate application of the term of office of the Federal Minister of State. Civil servants' pensions law, if this is more favourable and the Federal Commissioner is to run as an official or judge immediately before his election as an official or judge at least in the last usually before reaching the grade B 9
(8) Paragraph 5, sentences 5 to 7, shall apply to the public authorities, which are responsible for monitoring compliance with the rules on data protection in the countries.

Section 24 Control by the Federal Commissioner for Data Protection and Freedom of Information

(1) The Federal Commissioner for Data Protection and Freedom of Information controls the observance of the provisions of this Act and other provisions on data protection at the public authorities of the Federal Republic of Germany.
(2) The control of the Federal Commissioner also extends to
1.
personal data obtained from public authorities of the Federal Republic of Germany on the content and the circumstances of the correspondence, postal and telecommunications traffic, and
2.
personal data subject to a professional or special duty of official secrecy, in particular the tax secrecy referred to in § 30 of the German Tax Code.
The fundamental right of the letter, postal and telecommunications secrecy of Article 10 of the Basic Law is restricted to this extent. Personal data subject to control by the Commission pursuant to § 15 of Article 10 Act shall not be subject to control by the Federal Commissioner, unless the Commission requests the Federal Commissioner to monitor compliance with data protection rules in certain cases or in certain areas and to report exclusively to it. The control by the Federal Commissioner is also not subject to personal data in files relating to the security check, if the person concerned is in the control of the data relating to him in individual cases with the Federal Commissioner
(3) The Federal Courts are only subject to the control of the Federal Commissioner, insofar as they are active in administrative matters.
(4) The public authorities of the Federal Government are obliged to assist the Federal Commissioner and his agents in the performance of their duties. They shall in particular:
1.
to provide information on their questions and to provide access to all documents, in particular to the data stored and to the data processing programmes relating to the control referred to in paragraph 1,
2.
at any time, access to all premises.
The authorities referred to in § 6 (2) and § 19 (3) shall grant the assistance only to the Federal Commissioner himself and to the persons he has specially authorised in writing. Sentence 2 does not apply to these authorities, insofar as the supreme federal authority determines in individual cases that the information or insight would endanger the security of the federal government or a country.
(5) The Federal Commissioner shall communicate the result of his control to the public authority. He may combine this with proposals to improve data protection, in particular for the elimination of identified defects in the processing or use of personal data. § 25 shall remain unaffected.
(6) Paragraph 2 shall apply mutatis mutandis to the public authorities responsible for checking compliance with the rules on data protection in the countries concerned.

Section 25 Complaints by the Federal Commissioner for Data Protection and Freedom of Information

(1) If the Federal Commissioner for Data Protection and Freedom of Information establishes breaches of the provisions of this Act or of other provisions relating to data protection, or other defects in the processing or use of personal data, he shall complain about this
1.
in the case of the federal administration, to the competent top federal authority,
2.
in the case of federal railway assets vis-à-vis the President,
3.
in the case of companies resulting from the special assets of the Deutsche Bundespost by law, as long as they are entitled to an exclusive right under the Postal Code, vis-à-vis their boards of management,
4.
in the case of the federal bodies, institutions and foundations of public law and associations of such bodies, institutions and foundations vis-à-vis the board of directors or the institution which is otherwise authorised to represent them
and calls for an opinion within a time limit to be determined by the Commission. In the cases of sentence 1 no. 4, the Federal Commissioner shall simultaneously inform the competent supervisory authority.
(2) The Federal Commissioner may refrain from any objection or waive an opinion from the concerned body, in particular if:
(3) The opinion shall also contain a description of the measures taken on the basis of the complaint lodged by the Federal Commissioner. The bodies referred to in the first sentence of paragraph 1 (4) shall, at the same time, forward to the competent supervisory authority a copy of their opinion to the Federal Commissioner.

Section 26 Further tasks of the Federal Commissioner for Data Protection and Freedom of Information

(1) The Federal Commissioner for Data Protection and Freedom of Information shall submit an activity report to the German Bundestag every two years. He informs the German Bundestag and the public about significant developments in data protection.
(2) On request of the German Bundestag or the Federal Government, the Federal Commissioner has to draw up opinions and reports on . At the request of the German Bundestag, the Committee on Petitions, the Committee on Internal Affairs or the Federal Government, the Federal Commissioner also provides information on matters and processes of data protection at the public authorities of the Federal Republic of Germany. The Federal Commissioner may contact the German Bundestag at any time.
(3) The Federal Commissioner may give recommendations to the Federal Government and the Federal Government's bodies referred to in Section 12 (1) to improve data protection and advise them on questions of data protection. The authorities referred to in § 25 (1) (1) to (4) shall be informed by the Federal Commissioner if the recommendation or advice does not directly affect them.
(4) The Federal Commissioner shall work towards cooperation with the public authorities which are responsible for monitoring compliance with the rules on data protection in the Member States, and with the supervisory authorities in accordance with § 38. Section 38 (1) sentences 4 and 5 shall apply accordingly.

Third Section
Data processing of non-public bodies and public-sector competition undertakings

First subsection
Legal bases for data processing


Section 27 Scope

(1) The provisions of this section shall apply to the extent that personal data are processed, used or collected using data processing equipment, or the data are processed, used or collected in or from non-automated files, by
1.
non-public bodies,
2.
a)
public authorities of the federal government, insofar as they participate in the competition as public-law firms,
b)
Public authorities of the Länder, insofar as they participate in the competition as public-law companies, execute federal law and the data protection is not regulated by national law.
This shall not apply if the collection, processing or use of the data is carried out exclusively for personal or family activities. In the cases referred to in point 2 (a), sections 18, 21 and 24 to 26 shall apply instead of § 38.
(2) The provisions of this section shall not apply to the processing and use of personal data outside of non-automated files, to the extent that they are not personal data which have obviously been taken out of automated processing.

§ 28 Data collection and storage for own business purposes

(1) The collection, storage, modification or transfer of personal data or its use as a means for the performance of its own business purposes is permissible
1.
if it is necessary for the establishment, implementation or termination of a legal or legal-related debt relationship with the person concerned,
2.
in so far as it is necessary to safeguard the legitimate interests of the responsible body and where there is no reason to believe that the legitimate interest of the person concerned in the exclusion of processing or use prevails, or
3.
where the data are generally accessible or where the responsible body is likely to publish it, unless the legitimate interest of the person concerned in the exclusion of processing or use obviously outweighs the legitimate interest of the responsible body.
In the collection of personal data, the purposes for which the data are to be processed or used are to be specified in concrete terms.
(2) The transmission or use for a different purpose is permitted
1.
under the conditions laid down in the first sentence of paragraph 1, point 2 or point 3,
2.
as far as is necessary,
a)
the legitimate interests of a third party, or
b)
on the prevention of threats to public or public security or to the prosecution of criminal offences
and there is no reason to believe that the person concerned has an interest worthy of protection in the exclusion of transmission or use, or
3.
if, in the interest of a research institution, it is necessary to carry out scientific research, the scientific interest in carrying out the research project significantly outweighs the interest of the person concerned in the exclusion of the change of purpose, and the purpose of the research cannot be achieved in any other way, or can only be achieved at a disproportionate cost.
(3) The processing or use of personal data for the purposes of address trading or advertising shall be permitted provided that the person concerned has given his consent and, in the case of a consent not given in writing, the responsible body proceeds in accordance with paragraph 3a. In addition, the processing or use of personal data is permissible, insofar as it is a list or otherwise aggregated data relating to members of a group of persons which are limited to the affiliation of the person concerned to this group of persons, his professional, industrial or business title, his name, title, academic degree, his address and his year of birth, and the processing or use is required
1.
for the purposes of advertising for their own offers, the responsible body responsible for these data, with the exception of the group membership information referred to in the first sentence of paragraph 1, or from generally accessible address, telephone numbers, branches, or comparable directories,
2.
for the purposes of advertising with regard to the professional activity of the person concerned and his professional address or
3.
for the purposes of advertising for donations, which are tax-favored in accordance with § 10b (1) and § 34g of the Income Tax Act.
For the purposes of point 1 of the second sentence, the responsible body shall be allowed to store further data relating to the data referred to therein. Personal data collected in accordance with the second sentence may also be transmitted for advertising purposes, even if the transmission is stored in accordance with the first sentence of Article 34 (1) (1), in which case the body which collected the data for the first time shall be subject to the following conditions: has clearly emerged from advertising. Irrespective of the existence of the conditions set out in sentence 2, personal data may be used for the purposes of advertising for third parties, if the person concerned is responsible for the use of the data in his speech for the purpose of advertising the responsible body is clearly identifiable. Processing or use in accordance with sentences 2 to 4 shall only be permitted, insofar as the interests of the person concerned are not contrary to the protection of the person concerned. Data transmitted in accordance with sentences 1, 2 and 4 may only be processed or used for the purpose for which they have been transmitted.
(3a) If the consent of Section 4a (1) sentence 3 is granted in a form other than that of the written form, the responsible body shall confirm the content of the consent in writing to the person concerned, unless the consent is given electronically and the responsible body ensures that the consent is recorded and that the person concerned can access its content at any time and revoke the consent at any time with effect for the future. If the consent is to be given in writing together with other declarations, it should be particularly emphasized in terms of printing technology.
(3b) The responsible body must not consent to the conclusion of a contract.
Subject to the conditions laid down in the first sentence of paragraph 3, if the person concerned has other access to equivalent contractual services without the consent, or is not possible in a reasonable manner. A consent granted in such circumstances shall be ineffective.
(4) The person concerned shall object to the processing or use of his/her data for the purposes of advertising or market or opinion research, if the person responsible is responsible for the processing or use of his data. Processing or use shall not be permitted for such purposes. The person concerned shall also be responsible for the purposes of advertising or market or opinion research and, in the cases referred to in the first sentence of paragraph 1, the first sentence of paragraph 1, also in the case of the establishment of the legal or legal-related obligations of the person concerned. responsible, in so far as the person concerned uses the personal data of the person concerned, which is stored in a place not known to him, he shall also ensure that the person responsible for the Data subject to information about the origin of the data may be obtained. If the data subject is in conflict with the third party to whom the data has been transmitted for the purposes referred to in paragraph 3, processing or use for the purposes of advertising or market or opinion research, the data subject shall have the data available for such purposes. lock. In the cases referred to in the first sentence of paragraph 1, first sentence, no more stringent form shall be required for the opposition than for the justification of the commercial or legal relationship.
(5) The third party to whom the data has been transferred may only process or use it for the purpose for which it is transmitted to it.
Processing or use for other purposes is only permitted under the conditions laid down in Article 14 (2) and only under the conditions laid down in paragraphs 2 and 3 and by public authorities.
(6) The collection, processing and use of special types of personal data (Section 3 (9)) for own business purposes is permitted, where the person concerned has not consented in accordance with Section 4a (3), if
1.
this is necessary for the protection of the vital interests of the person concerned or of a third party, provided that, for physical or legal reasons, the person concerned is not able to give his consent,
2.
it is data which the person concerned has publicly made public,
3.
this is necessary for the assertion, exercise or defence of legal claims and there is no reason to believe that the legitimate interest of the person concerned outweighs the exclusion of the collection, processing or use, or
4.
this is necessary in order to carry out scientific research, the scientific interest in carrying out the research project significantly outweighs the interest of the person concerned in the exclusion of the collection, processing and use, and the purpose of the research cannot be achieved in other ways, or can only be achieved at a disproportionate cost.
(7) The collection of special types of personal data (Section 3 (9)) is also permissible if this is required for the purpose of health care, medical diagnosis, health care or treatment or for the administration of health services and the processing of such data is carried out by medical staff or by other persons subject to a corresponding obligation of secrecy. The processing and use of data for the purposes set out in sentence 1 shall be governed by the confidentiality requirements applicable to the persons referred to in the first sentence. Where, for a purpose referred to in the first sentence, data relating to the health of persons are collected, processed or used by members of a profession other than those referred to in Article 203 (1) and (3) of the Criminal Code, the exercise of which involves the detection, healing or alleviation of diseases or the production or distribution of aids, this is only permitted under the conditions under which a doctor himself would be entitled to do so.
(8) For a different purpose, the special types of personal data (Section 3 (9)) may only be transmitted or used subject to the conditions set out in paragraph 6 (1) to (4) or in the first sentence of paragraph 7. Transmission or use is also permissible if this is necessary to prevent significant threats to public and public security as well as for the prosecution of criminal offences of considerable importance.
(9) Organisations that are politically, philosophically, religiously or trade-union oriented and pursue non-profit-making purposes may collect, process or use special types of personal data (§ 3 para. 9), insofar as this is required for the activities of the organisation. This applies only to personal data of its members or to persons who have regular contacts with it in connection with their purpose. The transmission of this personal data to persons or entities outside the organisation is only permitted under the conditions of § 4a (3).
Paragraph 2 (2) (b) shall apply accordingly.

Section 28a Data transfer to credit agencies

(1) The transfer of personal data concerning a claim to credit agencies is only admissible if the performance due has not been provided in spite of due maturity, the transmission is necessary to safeguard the legitimate interests of the responsible body or of a third party, and
1.
the claim has been determined by a judgment which has been legally binding or has been declared provisionally enforceable, or a debt has been issued in accordance with Section 794 of the Code of Civil Procedure,
2.
the claim under section 178 of the insolvency order has been established and has not been disputed by the debtor in the examination date;
3.
the person concerned has expressly recognised the claim,
4.
a)
the person concerned has been warned at least twice in writing after the date on which the claim has been due;
b)
at least four weeks have elapsed between the first warning and the transmission,
c)
the person responsible has informed the person concerned in good time of the transmission of the information but, at the earliest, informed the person concerned of the imminent transmission of the information at the earliest, and
d)
the person concerned has not contested the claim, or
5.
the contractual relationship on which the claim is based may be terminated without notice on the basis of arrears in payment and the responsible body has informed the person concerned of the imminent transmission.
Sentence 1 shall apply accordingly if the responsible body itself uses the data in accordance with § 29.
(2) For future transmission in accordance with § 29 para. 2, credit institutions may provide personal data on the establishment, proper implementation and termination of a contractual relationship with respect to a banking business pursuant to section 1 (1), second sentence, no. 2, 8 or 9 of the Banking Act to credit agencies, unless the legitimate interest of the person concerned in the exclusion of the transfer is evidently outweighed by the interest of the information party in the knowledge of the data. The person concerned shall be informed of this prior to the conclusion of the contract. The first sentence shall not apply to agreements relating to the establishment of an account without the possibility of being overdrawn. For the purposes of the future transmission in accordance with Section 29 (2), the transmission to credit agencies of data on the behaviour of the person concerned, which serves as part of a pre-contractual relationship of trust in the production of market transparency, is inadmissible even with the consent of the person concerned.
(3) Any changes to the facts on which a transfer referred to in paragraph 1 or 2 is based shall be notified by the responsible body to the information party within one month of obtaining knowledge, as long as the originally transmitted data are stored at the information party. The information party has to inform the agency of the deletion of the data originally transmitted.

§ 28b Scoring

For the purposes of the decision on the establishment, implementation or termination of a contractual relationship with the person concerned, a probability value for a particular future conduct of the person concerned may be collected or used, if:
1.
the data used for the calculation of the probability value, based on a scientifically recognised mathematical-statistical procedure, are demonstrably relevant for the calculation of the probability of the particular behaviour,
2.
in the case of the calculation of the probability value by an information party, the conditions for the transmission of the data used in accordance with § 29 and in all other cases, the conditions for the permissible use of the data in accordance with section 28 are available,
3.
for the calculation of the probability value not exclusively address data are used,
4.
in the case of the use of address data of the data subject, prior to the calculation of the probability value, the person concerned has been informed of the intended use of such data; the information shall be documented.

§ 29 Business-wise data collection and storage for the purpose of transmission

(1) The commercial collection, storage, modification or use of personal data for the purpose of transmission, in particular where this is used for the advertising, the activity of credit agencies or the address trade, shall be permitted if:
1.
there is no reason to believe that the person concerned has a legitimate interest in the exclusion of the collection, storage or change,
2.
the data may be taken from publicly available sources or the responsible body should publish it, unless the legitimate interest of the person concerned in the exclusion of the collection, storage or alteration is obviously predominant, or
3.
the requirements of Section 28a (1) or (2) are fulfilled; data within the meaning of Section 28a (2) sentence 4 may not be collected or stored.
Article 28 (1), second sentence, and paragraphs 3 to 3b shall apply.
(2) The transmission within the scope of the purposes referred to in paragraph 1 shall be admissible if:
1.
the third party to whom the data is transmitted has credibly demonstrated a legitimate interest in its knowledge, and
2.
there is no reason to believe that the person concerned has a legitimate interest in the exclusion of the transmission.
Section 28 (3) to (3b) shall apply accordingly. The reasons for the existence of a legitimate interest and the manner in which it was credibly demonstrated shall be recorded by the transmitting body in the case of the transmission referred to in the first sentence of 1 (1). In the case of transmission in the automated retrieval procedure, the recording obligation is the responsibility of the third party to whom the data is transmitted. The notified body must carry out sampling procedures in accordance with § 10 (4) sentence 3 and in so doing also determine and verify the existence of a legitimate interest in a case-by-case basis.
(3) The inclusion of personal data in electronic or printed address, telephone number, branch or similar directories shall be kept under the control of the person concerned from the underlying electronic or printed directory or register. The recipient of the data shall ensure that markings from electronic or printed directories or registers are taken over at the time of the acquisition in directories or registers.
(4) § 28 (4) and (5) shall apply to the processing or use of the transmitted data.
(5) § 28 (6) to (9) shall apply.
(6) A body which collects, stores or changes, for the purpose of transmission, personal data which may be used to assess the creditworthiness of consumers shall treat requests for information from lenders from other Member States of the European Union or other States Parties to the Agreement on the European Economic Area in the same way as requests for information by domestic lenders.
(7) Those who conclude a consumer loan agreement, or of a financial assistance contract with a consumer, as a result of information provided by a body within the meaning of paragraph 6, shall inform the consumer immediately of this and of the information received.
The information shall not be notified to the extent that this would endanger public security or order. § 6a shall remain unaffected.

§ 30 Business-wise data collection and storage for the purpose of transmission in anonymised form

(1) If personal data are collected and stored in a business-wise manner in order to transmit them in an anonymised form, the characteristics with which individual information on personal or factual circumstances can be assigned to a particular or determinable natural person are to be stored separately. These characteristics may only be combined with the details provided that this is necessary for fulfilling the purpose of storage or for scientific purposes.
(2) The modification of personal data shall be permissible if:
1.
there is no reason to believe that the person concerned has a legitimate interest in the exclusion of the change, or
2.
the data may be taken from publicly available sources or the responsible body should publish it, unless the legitimate interest of the person concerned clearly outweighs the exclusion of the change.
(3) The personal data shall be deleted if their storage is inadmissible.
(4) § 29 shall not apply.
(5) § 28 (6) to (9) shall apply accordingly.

§ 30a Business-wise data collection and storage for market or opinion research purposes

(1) The commercial collection, processing or use of personal data for the purposes of market or opinion research shall be permitted if:
1.
there is no reason to believe that the person concerned has a legitimate interest in the exclusion of the collection, processing or use, or
2.
the data may be taken from publicly available sources or the responsible body should publish it and the legitimate interest of the person concerned in the exclusion of the collection, processing or use does not obviously outweigh the interest of the responsible body.
Special types of personal data (§ 3 paragraph 9) may only be collected, processed or used for a specific research project.
(2) Personal data collected or stored for purposes of market or opinion research may only be processed or used for these purposes. Data which have not been taken from generally accessible sources and which the responsible body may not publish shall be processed or used only for the research project for which they have been collected. For a different purpose, they may only be processed or used if they are previously anonymized in such a way that a personal reference can no longer be established.
(3) The personal data are to be anonymized as soon as this is possible according to the purpose of the research project for which the data have been collected. In the meantime, the features with which individual data on personal or factual circumstances can be assigned to a specific or identifiable person must be stored separately. These characteristics may only be combined with the individual details, insofar as this is necessary for the purpose of the research project.
(4) § 29 does not apply.
(5) § 28 (4) and (6) to (9) shall apply accordingly.

Section 31 Special purpose binding

Personal data which is stored exclusively for the purposes of data protection control, data protection or for ensuring the proper operation of a data processing system may only be used for these purposes.

Section 32 Data collection, processing and use for the purpose of employment

(1) Personal data of an employee may be collected, processed or used for the purposes of the employment relationship if this is required for the decision on the establishment of an employment relationship or, once the employment relationship has been established, for its implementation or termination. For the detection of criminal offences, personal data of an employee may only be collected, processed or used if actual evidence, which is to be documented, substantiates the suspicion that the person concerned has committed a criminal offence in the employment relationship, the collection, processing or use is necessary for detection and the employee's interest worthy of protection in the exclusion of collection, processing or use does not outweigh, in particular the nature and extent of the crime are not disproportionate to the occasion.
(2) Paragraph 1 is also applicable where personal data is collected, processed or used without being processed, used or processed in or out of a non-automated file for the purposes of processing or use in such a
(3) The rights of participation of the employees' representations of interests remain unaffected.

Second subsection
Rights of the person concerned

Section 33 Notification of the person concerned

(1) If, for the first time, personal data are stored for their own purposes without knowledge of the person concerned, the person concerned shall be notified of the storage, the type of data, the purpose of the collection, processing or use and the identity of the responsible body. If personal data are stored for the purpose of transmission without knowledge of the person concerned, the data subject shall be notified of the first transmission and the nature of the data transmitted. In the cases of sentences 1 and 2, the person concerned must also be informed about the categories of recipients, insofar as he does not have to reckon with the transmission to them according to the circumstances of the individual case.
(2) A duty to notify does not exist if
1.
the person concerned has acquired knowledge of the storage or transmission in other ways,
2.
the data are stored only because they may not be deleted due to statutory, statutory or contractual storage requirements, or are used exclusively for data protection or data protection control and notification would require a disproportionate effort,
3.
the data must be kept secret in accordance with a law or by its nature, in particular because of the overriding legal interest of a third party;
4.
the storage or transmission by law is expressly provided for;
5.
storage or transmission is required for the purposes of scientific research and notification would require a disproportionate effort,
6.
the competent public authority has established, vis-à-vis the responsible body, that the disclosure of the data would endanger public security or order or would otherwise be detrimental to the benefit of the Federal Government or of a country;
7.
the data are stored for own purposes and
a)
are taken from generally accessible sources and a notification is disproportionate because of the large number of cases concerned; or
b)
the notification would seriously endanger the business purposes of the responsible body, unless the interest in the notification outweighs the risk,
8.
the data are stored in business for the purpose of transmission and
a)
are taken from generally accessible sources in so far as they relate to those persons who have published this data, or
b)
it is a list of or otherwise aggregated data (§ 29 (2) sentence 2)
and a notification is disproportionate to the number of cases involved,
9.
data taken from publicly available sources are stored in business for market or opinion research purposes and a notification is disproportionate to the large number of cases concerned.
The responsible body shall specify in writing the conditions under which a notification as provided for in the first sentence of the first sentence of paragraph 2 to 7 shall be waived.

§ 34 Information to the person concerned

(1) The responsible body shall, on request, provide information to the person concerned about:
1.
the data stored on his/her person, including where they relate to the origin of such data;
2.
the recipient or categories of recipients to which data are passed; and
3.
the purpose of storage.
The person concerned should refer to the nature of the personal data on which information is to be provided. If the personal data are stored in business for the purpose of the transmission, information about the origin and the recipients is to be granted even if this information is not stored. The information on the origin and the consignee may be refused if the interest in the maintenance of the business secrecy is greater than the information interest of the person concerned.
(1a) In the case of § 28 (3) sentence 4, the origin of the data and the consignee are to be stored for a period of two years after the transmission, and information on the origin of the data and the recipient is to be provided to the person concerned on request.
(2) In the case of § 28b, the body responsible for the decision shall, on request, provide the person concerned with information on:
1.
The probability values collected or stored for the first time within the last six months prior to the access of the request for information,
2.
the data types used for the calculation of the probability values, and
3.
how the probability values are arrived at and their significance, on a case-by-case basis and in a comprehensible manner in a generally understandable form.
The first sentence shall apply if the body responsible for the decision
1.
stores the data used for the calculation of the probability values without reference to the person, but produces the reference to the person in the calculation, or
2.
uses stored data in another location.
If a body other than the body responsible for the decision has calculated
1.
the probability value, or
2.
a part of the probability value,
it shall, at the request of the body responsible for the decision, provide that body with the information necessary to meet the information requirements referred to in the first and second sentences. In the case referred to in the third sentence of sentence 3, the body responsible for the decision shall, if it does not provide the information itself, immediately refer the person concerned to the other body to assert his right of access, indicating the name and address of the other body and the details required to designate the individual case. In this case, the other body which has calculated the probability value shall fulfil the right to information of the person concerned in accordance with sentences 1 and 2 free of charge. The obligation of the body responsible for calculating the probability value in accordance with the third sentence shall lapse, provided that the body responsible for the decision makes use of its right under the fourth sentence.
(3) A body which stores personal data in business for the purpose of the transmission shall, on request, provide the data subject with information about the data stored on his/her person, even if they are neither processed in an automated manner nor stored in a non-automated file. The data subject shall also be provided with information on data which:
1.
have no personal reference at present, but where such a reference is to be made by the responsible body in the context of the exchange of information,
2.
the responsible body does not store, but uses for the purpose of the exchange of information.
The information on the origin and the consignee may be refused if the interest in the maintenance of business secrecy is greater than the information interest of the person concerned.
(4) A body which is the business-related personal data for the purpose of the transmission shall, on request, provide information to the person concerned concerning:
1.
the probability values for a particular future behaviour of the person concerned, as well as the names and last-known addresses of the third parties to which the values have been transmitted within the last twelve months prior to the receipt of the request for information,
2.
the probability values obtained at the time of the request for information, in accordance with the procedures used by the body for calculation,
3.
the data types used for the calculation of the probability values referred to in points 1 and 2, and
4.
how the probability values are arrived at and their significance, on a case-by-case basis and in a comprehensible manner in a generally understandable form.
Sentence 1 shall apply mutatis mutandis if the responsible body
1.
stores the data used for the calculation of the probability value without reference to the person, but produces the reference to the person in the calculation, or
2.
uses stored data in another location.
(5) The data stored in accordance with paragraphs 1a to 4 for the purpose of providing information to the data subject may be used only for this purpose and for the purposes of data protection control; for other purposes, they shall be blocked.
(6) The information shall be provided on request in text form, unless a different form of exchange of information is appropriate because of the particular circumstances.
(7) A duty to provide information does not exist if the person concerned is subject to the provisions of § 33 (2) sentence 1 no. 2, 3 and 5 to 7.
(8) The information is free of charge. If the personal data are stored in business for the purpose of the transmission, the person concerned can request information in text form free of charge once per calendar year. For any further information, a fee may be required if the person concerned is able to use the information to be provided to third parties for economic purposes. The remuneration shall not exceed the costs directly attributable to the exchange of information. A fee may not be required if:
1.
special circumstances justify the assumption that data is stored inaccurately or inadmissible; or
2.
the information shows that the data are to be corrected in accordance with Section 35 (1) or to be deleted in accordance with § 35 (2) sentence 2 no. 1.
(9) If the exchange of information is not free of charge, the person concerned shall be given the opportunity to obtain a personal knowledge of the data concerning him in the context of his/her right to receive information. This shall be pointed out to the person concerned.

Section 35 Correction, erasure and blocking of data

(1) Personal data shall be corrected if they are incorrect. Estimated data are to be clearly identified as such.
(2) Personal data may be deleted at any time except in the cases referred to in paragraph 3 (1) and (2). Personal data shall be deleted if:
1.
their storage is inadmissible;
2.
it is data on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, criminal acts or administrative offences, and their correctness cannot be proven by the responsible body,
3.
they are processed for their own purposes, as soon as their knowledge is no longer necessary for the fulfilment of the purpose of storage, or
4.
they are processed in business for the purpose of the transmission and an examination at the end of the fourth calendar year or, in so far as it is data on completed facts and the data subject does not object to the deletion, at the end of the third calendar year, starting with the calendar year following the initial storage, shows that longer-term storage is not required.
Personal data which are stored on the basis of § 28a (2) sentence 1 or § 29 (1) sentence 1 no. 3 shall also be deleted after termination of the contract if the person concerned requires this.
(3) A deletion shall be replaced by blocking, insofar as
1.
in the case referred to in the second sentence of paragraph 2, paragraph 3, statutory, statutory or contractual retention periods preclude the deletion,
2.
There is reason to believe that the erasure would affect the interests of the person concerned, or
3.
Deletion due to the special nature of the storage is not possible or can only be deleted with disproportionately high effort.
(4) Personal data shall also be blocked in so far as their accuracy is disputed by the person concerned and neither the correctness nor the inaccuracy can be ascertained.
(4a) The fact of the blocking shall not be transmitted.
(5) Personal data may not be collected, processed or used for automated processing or processing in non-automated files, in so far as the data subject objects to this at the responsible body and an examination reveals that the interest of the person concerned worthy of protection, because of his particular personal situation, outweighs the interest of the responsible body in this collection, processing or use. Sentence 1 shall not apply if a legal provision obliges the collection, processing or use.
(6) Personal data which are incorrect or whose accuracy is disputed shall, in the case of data retention for the purpose of transmission, except in the cases referred to in paragraph 2 (2), not be corrected, blocked or deleted if taken from publicly available sources and stored for documentation purposes. At the request of the person concerned, this data shall be accompanied by its reply for the duration of the storage. The data may not be transmitted without this reply.
(7) The authorities to which the data have been passed on for storage in the context of a data transmission must be notified of the correction of incorrect data, the blocking of disputed data as well as the erasure or blocking due to the inadmissibility of the storage, if this does not require a disproportionate effort and does not prevent the interests of the person concerned worthy of protection.
(8) Blocked data may, without consent of the person concerned, only be transmitted or used if:
1.
it is essential for scientific purposes, to remedy an existing burden of proof or for other reasons which are in the overriding interest of the responsible body or for a third party, and
2.
the data should be transmitted or used for this purpose if it were not blocked.

Third Subsection
Supervisory authority

§§ 36 and 37 (omitted)

Section 38 Supervisory Authority

(1) The supervisory authority shall monitor the implementation of this law as well as other provisions on data protection, insofar as these govern the automated processing of personal data or the processing or use of personal data in or from non-automated files, including the law of the Member States in the cases referred to in Article 1 (5). It advises and supports the data protection officers and the responsible bodies with regard to their typical needs. The supervisory authority may only process and use the data stored by it for the purposes of supervision; § 14 (2) Nos. 1 to 3, 6 and 7 shall apply accordingly. In particular, the supervisory authority may submit data to other supervisory authorities for the purpose of supervision. It shall provide additional assistance to the supervisory authorities of other Member States of the European Union (administrative assistance). If the supervisory authority establishes a breach of this law or other provisions on data protection, it shall have the power to inform the parties concerned of this, to report the infringement to the authorities responsible for prosecution or punishment and, in the event of a serious infringement, to inform the Trade Supervisory Authority for the implementation of industrial measures. It shall publish regularly, at the latest every two years, an activity report. Section 21, first sentence, and section 23 (5), sentences 4 to 7 shall apply.
(2) The supervisory authority shall keep a register of the automated processing operations according to § 4d, with the information in accordance with § 4e sentence 1. The register can be viewed by anyone. The right of inspection does not extend to the information provided for in § 4e sentence 1 no. 9 as well as to the indication of the persons entitled to access.
(3) The bodies subject to the control as well as the persons responsible for their management shall provide the supervisory authority with the information necessary for the performance of its tasks without delay. The party responsible for providing information may refuse to answer questions whose answers would expose him or one of the persons referred to in § 383 (1) (1) to (3) of the Code of Civil Procedure to the risk of criminal prosecution or of proceedings under the Law on Administrative Offences. The person responsible for providing information shall be informed of this.
(4) The persons entrusted with supervision by the supervisory authority shall be entitled, to the extent necessary for the performance of the tasks entrusted to the supervisory authority, to enter the land and business premises of the body during operating and business hours and to carry out examinations and visits there. They can view business documents, in particular the overview according to § 4g (2) sentence 1 as well as the stored personal data and the data processing programs. Section 24 (6) shall apply accordingly.
(5) In order to ensure compliance with this law and other provisions on data protection, the Supervisory Authority may order measures to eliminate infringements detected in the collection, processing or use of personal data or technical or organizational defects. In the event of a serious breach or defect, in particular those associated with a particular risk to the right to privacy, it may prohibit the collection, processing or use, or the use of individual procedures, if the breaches or defects are not remedied in reasonable time, contrary to the order under sentence 1 and in spite of the imposition of a penalty. It may request the appointment of the Data Protection Officer if he does not possess the technical expertise and reliability required to fulfil his/her duties.
(6) The State Governments or the bodies authorised by them shall determine the
(7) The application of the commercial order to the commercial enterprises subject to the provisions of this section shall remain unaffected.

§ 38a Code of conduct for the promotion of the implementation of data protection regulations

(1) Professional associations and other associations representing certain groups of responsible bodies may submit draft codes of conduct for the promotion of the implementation of data protection regulations to the competent supervisory authority.
(2) The Supervisory Authority shall verify the compatibility of the drafts submitted to it with the applicable data protection law.

Fourth Section
Special provisions

Section 39 Purpose of earmarking of personal data subject to a professional or special official secrecy

(1) Personal data subject to a professional or special obligation of official secrecy and which have been made available by the body responsible for secrecy in the exercise of their professional or official duty may only be processed or used by the responsible body for the purpose for which it has received them. In order to transfer to a non-public body, the body responsible for secrecy must agree.
(2) For a different purpose, the data may only be processed or used if the change of purpose is approved by special law.

§ 40 Processing and use of personal data by research institutions

(1) Personal data collected or stored for purposes of scientific research may only be processed or used for the purposes of scientific research.
(2) The personal data shall be anonymized as soon as this is possible according to the purpose of research. In the meantime, the features with which individual data on personal or factual circumstances can be assigned to a specific or identifiable person must be stored separately. They may only be merged with the individual information provided that the purpose of the research requires this.
(3) The scientific research bodies may publish personal data only if:
1.
the person concerned has consented, or
2.
this is essential for the presentation of research results on the events of contemporary history.

§ 41 Collection, processing and use of personal data by the media

(1) The countries have to provide in their legislation that provisions corresponding to §§ 5, 9 and 38a, including a liability regime relating thereto in accordance with § 7, apply to the collection, processing and use of personal data by companies and auxiliary companies of the press exclusively for their own journalistic-editorial or literary purposes.
(2) If the journalistic-editorial collection, processing or use of personal data by Deutsche Welle leads to the publication of counterrepresentations of the data subject, these are to be added to the stored data and kept for the same period of time as the data themselves.
(3) If someone's personal rights are affected by reporting by Deutsche Welle, he may require information about the data stored on his person on which the reporting is based. The information may be refused after consideration of the legitimate interests of the parties concerned, to the extent that:
1.
persons who participate or have participated in journalistic work in the preparation, production or distribution of radio broadcasts can be deduced from the data,
2.
the person of the consignor or the guarantor of contributions, documents and communications for the editorial part can be deduced from the data,
3.
Through the communication of the researched or otherwise obtained data, the journalistic task of Deutsche Welle would be affected by research of the information stock.
The person concerned may request the correction of incorrect data.
(4) In addition, of the provisions of this law, §§ 5, 7, 9 and 38a apply to Deutsche Welle. § 42 applies instead of §§ 24 to 26, also as far as administrative matters are concerned.

§ 42 Data Protection Officer of Deutsche Welle

(1) Deutsche Welle appoints a data protection officer who is to replace the Federal Commissioner for Data Protection and Freedom of Information. The appointment shall be made on the basis of a proposal by the Director of the Board of Directors for a period of four years, whereby reappointments may be made. The Office of a Data Protection Officer can, in addition to other tasks within the broadcaster, be exercised.
(2) The Data Protection Officer shall monitor compliance with the provisions of this Act and other provisions on data protection. He is independent in the performance of this office and is subject only to the law. In addition, he is subject to the administrative and legal supervision of the Administrative Board.
(3) Everyone can contact the Data Protection Officer in accordance with § 21 sentence 1.
(4) The Data Protection Officer shall submit to the organs of Deutsche Welle every two years, for the first time on 1 January 1994, an activity report. In addition, he submits special reports on the decision of an organ of Deutsche Welle. The activity reports shall also be forwarded to the Federal Commissioner for Data Protection and Freedom of Information.
(5) Further regulations in accordance with §§ 23 to 26 shall apply to Deutsche Welle for its area of activity. §§ 4f and 4g shall remain unaffected.

Section 42a Information on incorrect data acquisition

If a non-public body within the meaning of Article 2 (4) or a public authority in accordance with Article 27 (1), first sentence, point 2, establishes that
1.
special types of personal data (§ 3 (9)),
2.
personal data subject to professional secrecy,
3.
personal data relating to criminal acts or administrative offences or the suspicion of criminal acts or administrative offences, or
4.
personal data relating to bank or credit card accounts
stored by it have been unlawfully communicated or have otherwise unlawfully come to the knowledge of third parties, and there is a threat of serious adverse effects on the rights or the legitimate interests of the persons concerned, it shall, in accordance with the provisions of sentences 2 to 5, immediately notify the competent supervisory authority and the persons concerned. The notification of the person concerned must be made without delay as soon as appropriate measures have been taken to secure the data or have not been taken immediately and the prosecution is no longer at risk. The notification of the parties concerned must include a presentation of the nature of the unlawful knowledge gained and recommendations for measures to mitigate possible adverse consequences. The notification of the competent supervisory authority must also include a presentation of possible adverse consequences of the undue knowledge gained and of the measures taken by the body. In so far as the notification of the parties concerned would require a disproportionate effort, in particular due to the large number of cases concerned, it shall be replaced by information to the public by means of advertisements of at least half a page in at least two national daily newspapers, or by another measure which is equally effective with regard to the information of the persons concerned. A notification given by the person obliged to notify may be used in a criminal case or in proceedings under the law on administrative offences against him or a member of his family referred to in Article 52 (1) of the Code of Criminal Procedure only with the consent of the person obliged to notify.

Fifth Section
Final provisions

Section 43 Penal rules

(1) An administrative offence is committed by anyone who, intentionally or negligently,
1. contrary to § 4d (1), also in conjunction with § 4e sentence 2, fails to make a report, or fails to make it correctly, completely or in time,
2. contrary to § 4f (1) sentence 1 or 2, also in conjunction with sentences 3 and 6, fails to appoint a data protection officer, or fails to do so in the prescribed manner or in a timely manner,
2a. contrary to § 10 (4) sentence 3, fails to ensure that the data transmission can be determined and verified,
2b. contrary to § 11 (2) sentence 2, fails to issue an order correctly, in full or in the prescribed manner, or, contrary to § 11 (2) sentence 4, fails to satisfy themselves before the beginning of the data processing of compliance with the technical and organisational measures taken,
3. contrary to § 28 (4) sentence 2, fails to inform the person concerned, or fails to do so properly or in good time, or fails to ensure that the data subject can be informed,
3a. contrary to § 28 (4) sentence 4, requires a stricter form,
4. contrary to § 28 (5) sentence 2, transmits or uses personal data,
4a. contrary to § 28a (3) sentence 1, fails to make a communication, or fails to make it correctly, completely or in time,
5. contrary to § 29 (2) sentence 3 or 4, fails to record the reasons referred to therein or the manner in which they were credibly presented,
6. contrary to § 29 (3) sentence 1, includes personal data in electronic or printed address, telephone number, branch or comparable directories,
7. contrary to § 29 (3) sentence 2, fails to ensure that markings are adopted,
7a. contrary to § 29 (6), fails to handle a request for information properly,
7b. contrary to § 29 (7) sentence 1, fails to inform a consumer, or fails to do so correctly, fully or in good time,
8. contrary to § 33 (1), fails to inform the persons concerned, or fails to do so correctly or fully,
8a. contrary to § 34 (1) sentence 1, also in connection with sentence 3, contrary to § 34 (1a), contrary to § 34 (2) sentence 1, also in connection with sentence 2, or contrary to § 34 (2) sentence 5, (3) sentence 1 or sentence 2 or (4) sentence 1, also in connection with sentence 2, fails to provide information, or fails to provide it properly, in full or in time, or in breach of § 34 (1a) of the data,
8b. contrary to § 34 (2) sentence 3, fails to provide information, or fails to provide it correctly, completely or in good time,
8c. contrary to § 34 (2) sentence 4, fails to refer the person concerned to the other body, or fails to do so in time,
9. contrary to § 35 (6) sentence 3, transmits data without any reply,
10. contrary to § 38 (3) sentence 1 or (4) sentence 1, fails to provide information, or fails to provide it correctly, in full or in good time, or does not tolerate a measure, or
11. acts contrary to a fully-retractable arrangement according to § 38 (5) sentence 1.

(2) An administrative offence is committed by anyone who, intentionally or negligently,
1. without authorisation, collects or processes personal data which are not generally accessible,
2. makes unauthorised use of personal data which are not generally accessible for retrieval by means of automated procedures,
3. without authorisation, retrieves personal data which are not generally accessible, or otherwise obtains them for themselves or another from automated processing or non-automated files,
4. the transmission of personal data which are not generally accessible is made difficult by incorrect information,
5. contrary to § 16 (4) sentence 1, § 28 (5) sentence 1, also in conjunction with § 29 (4), § 39 (1) sentence 1 or § 40 (1), uses the transmitted data for other purposes,
5a. contrary to § 28 (3b), makes the conclusion of a contract dependent on the consent of the person concerned,
5b. contrary to § 28 (4) sentence 1, processes or uses data for the purposes of advertising or market or opinion research,
6. contrary to § 30 (1) sentence 2, § 30a (3) sentence 2 or § 40 (2) sentence 3, combines a feature referred to therein with a single statement, or
7. contrary to § 42a sentence 1, fails to make a communication, or fails to make it correctly, completely or in good time.

(3) In the case referred to in paragraph 1, the administrative offence may be punished with a fine of up to EUR 50 000; in the cases referred to in paragraph 2, with a fine of up to three hundred thousand euros. The fine should exceed the economic advantage that the perpetrator has derived from the administrative offence. If the amounts referred to in the first sentence are not sufficient for this purpose, they may be exceeded.

Section 44 Criminal Code

(1) Anyone who intentionally commits an act referred to in § 43 (2) for remuneration, or in order to enrich themselves or others or to harm another person, shall be punished with imprisonment of up to two years or a fine.

(2) The offence is prosecuted only on request. The person concerned, the responsible body, the Federal Commissioner for Data Protection and Freedom of Information and the supervisory authority are entitled to file the request.

Sixth Section
Transitional provisions


Section 45 Ongoing uses

Any collection, processing or use of personal data which had already begun on 23 May 2001 shall be brought into line with the provisions of this Act within three years after that date. To the extent that provisions of this Act are applied in legislation outside the scope of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, any collection, processing or use of personal data which had already begun on 23 May 2001 shall be brought into line with the provisions of this Act within five years after that date.

Section 46 Continuation of definitions

(1) Where the term 'file' is used in special federal legislation, a file is
1. a collection of personal data which can be evaluated by automated procedures according to certain characteristics (automated file), or
2. any other collection of personal data which is of the same type and which can be ordered, rearranged and evaluated according to certain characteristics (non-automated file).
This does not include files and file collections, unless they can be rearranged and evaluated by automated procedures.

(2) Where the term 'acts' is used in special federal legislation, acts shall be any official document which does not fall within the definition of the file referred to in paragraph 1 and which includes image and sound carriers. This does not include preliminary drafts and notes which are not intended to form part of a process.

(3) Where the term 'recipient' is used in special federal legislation, the recipient shall be any person or body outside the responsible body. Recipients are not the persons concerned and persons and entities which, on behalf of the European Union, in another Member State of the European Union or in another State Party to the Agreement on the European Economic Area, order personal data on behalf of the collect, process or use.

Section 47 Transitional regime

For the processing and use of data collected or stored before 1 September 2009, § 28 in the version currently in force shall continue to be applied
1. for the purposes of market research or opinion research until 31 August 2010,
2. for the purposes of advertising until 31 August 2012.

Section 48 Report of the Federal Government

The Federal Government reports to the Bundestag
1. by 31 December 2012 on the effects of §§ 30a and 42a,
2. by 31 December 2014 on the effects of the amendments to §§ 28 and 29.
If legislative measures are recommended in the Federal Government's view, the report should contain a proposal.

Annex (to § 9 sentence 1)

(Source of the original text: BGBl. I 2003, 88; for the individual amendments, see footnote)

If personal data are processed or used in an automated manner, the internal organisation of the authority or enterprise shall be designed in such a way that it meets the special requirements of data protection. In particular, measures shall be taken which, depending on the type of personal data or categories of data to be protected, are appropriate
1. to deny unauthorised persons access to data processing facilities with which personal data are processed or used (physical access control),
2. to prevent data processing systems from being used by unauthorised persons (system access control),
3. to ensure that persons entitled to use a data processing system can access only the data covered by their access rights, and that personal data cannot be read, copied, changed or removed without authorisation during processing and use and after storage (data access control),
4. to ensure that personal data cannot be read, copied, altered or removed during electronic transmission or during their transport or storage on data carriers, and that it is possible to review and determine to which bodies a transfer of personal data by means of data transmission is provided for (handover control),
5. to ensure that it is subsequently possible to verify and establish whether and by whom personal data have been entered, modified or removed in data processing systems (input control),
6. to ensure that personal data processed under a contract can only be processed in accordance with the instructions of the contracting authority (order control),
7. to ensure that personal data are protected against accidental destruction or loss (availability control),
8. to ensure that data collected for different purposes can be processed separately.
A measure pursuant to sentence 2, numbers 2 to 4, is in particular the use of encryption methods corresponding to the state of the art.