HOME

TheInfoList



OR:

The German (BDSG) is a federal
data protection Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data pr ...
act, that together with the data protection acts of the German
federated states A federated state (which may also be referred to as a state, a province, a region, a canton, a land, a governorate, an oblast, an emirate or a country) is a territorial and constitutional community forming part of a federation. Such states dif ...
and other area-specific regulations, governs the exposure of personal data, which are manually processed or stored in IT systems.


Historical development


1960–1970

In the early 1960s, consideration for comprehensive data protection began in the United States and further developed with advancements in computer technology and its privacy risks. So a regulatory framework was needed to counteract the impairment of privacy in the processing of personal data.


1970–1990

In the year 1970, the federal state of
Hesse Hesse (, , ) or Hessia (, ; german: Hessen ), officially the State of Hessen (german: links=no, Land Hessen), is a States of Germany, state in Germany. Its capital city is Wiesbaden, and the largest urban area is Frankfurt. Two other major histor ...
passed the first national data protection law, which was also the first data protection law in the world. In 1971, the first draft bill was submitted for a federal data protection act. Finally, on 1 January 1978, the first federal data protection act came into force. In the following years, as the BDSG was taking shape in practice, a technical development took place in data processing as the computer became increasingly important both at work and in the private sector. There were also significant changes in the legal field. With the '' Volkszählungsurteil'' (census verdict) of December 15, 1983, the Constitutional Court developed the right to self-determination of information (Article 1 I Constitution in conjunction with Article 2 I Constitution). The verdict confirmed that personal data are constitutionally protected in Germany. This means that individuals have the power to decide when and to what extent personal information is published.


From 1990

In 1990, the legislature adopted a new data protection law based on the decision of the German Constitutional Court. The BDSG was amended in 2009 and 2010 with three amendments: On April 1, 2010 came with the "Novelle I" a new regulation of the activities of credit bureaus and their counterparties (especially credit institutions) and scoring in force. The long and heavily debated "Novelle II" came into force on 1 September 2009. They change 18 paragraphs in the BDSG. Content includes changes to the list privilege for address trading, new regulations for market and opinion research, opt-in , coupling ban, employee data protection, order data processing, new powers for the supervisory authorities and new or greatly expanded fines, information obligations in the event of data breaches, dismissal protection for data protection officers. On June 11, 2010 changed the "Novelle III" as a small sub-item within the law implementing the EU Consumer Credit Directive, the § 29 BDSG by two paragraphs.


The legal amendment

In 2009, there were three amendments to the BDSG as a result of criticism from consumer advocates and numerous privacy scandals in business. The amendments addressed the following items:


Amendments I and III

* Strict earmarking in the enforcement of data protection rights (§ 6 III BDSG) * Permissibility and transparency in automated individual decisions (§ 6a BDSG) * Transmission of data to commercial agencies (§ 28a BDSG) * Admissibility in scoring procedures (§ 28b BDSG) * Claims for credit rejection information for cross-border credit inquiry within the EU/EEA(§ 29 VI and VII BDSG) * Information on claims against responsible agencies, especially in the case of scoring and commercial agencies (§ 34 BDSG) * New penalty offenses (§ 43 I No. 4a, 8b, 8c BDSG)


Amendment II

* Introducing a legal definition for the term “''Beschäftigte''” (employees) (§ 3 XI BDSG) * Extension of the target
data economy A data economy is a global digital ecosystem in which data is gathered, organized, and exchanged by a network of vendors for the purpose of deriving value from the accumulated information. Data inputs are collected by a variety of actors includ ...
and data avoidance (§ 3a BDSG) * Strengthening the position of internal data protection officer by training and explicit job protection law (§ 4f III sentence 5-7 BDSG) * Extension of the requirement for the written content to be fixed in order data processing and control of the contractor (§ 11 II BDSG) * New eligibility requirements and transparency in the use of personal data as part of the trade of addresses and promotional purposes (§ 28 III BDSG) * Tightening the consent requirements of non-written consent (§ 28 IIIa BDSG) * Introduction of a prohibition of a coupling in connection with the consent (§ 28 IIIb BDSG) * Relief for market and opinion research companies (§ 30a BDSG) * Rule on the admissibility of the processing of employment data (§ 32 BDSG) * Expansion of disclosure requirements for moderate transmission list (§ 34 Ia BDSG) * Extension of the arrangement powers of supervisory authorities on processing data protection and uses (§ 38 V BDSG) * A duty to self-disclosure to the supervisory authority and the affected person for unlawfully obtaining knowledge of data (§ 42a BDSG) * Introduction of new fines (§ 43 I No. 2a, 2b, 3a, 8a and II No. 5a-7 BDSG) * Increasing the fine frame at €50,000 to €300,000 (§ 43 III BDSG) * Transitional arrangements for market and opinion researchers, as well as for promotional use of stored data recorded before September 1, 2009 (§ 47 BDSG) * Emphasis on the use of
encryption In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decip ...
(Annex of § 9 sentence 1 BDSG)


Overview of the BDSG

* First section (§ § 1-11): General and common rules * Second section (§ § 12-26): Data processing by public bodies * Third section (§ § 27-38a): Data processing by non-public bodies and public competitor companies * Fourth section (§ § 39-42): Special provisions * Fifth section (§ § 43-44): Criminal and civil penalty provisions * Sixth section (§ § 45-46): Transitional provisions


Purpose and scope


Purpose

The law should protect individuals' personal rights from being injured through the handling of their personal information (§ 1 I BDSG).


Scope

According to § 1 II BDSG the law applies to the collection, processing, and use of personal data by: * Public bodies of the Federation * Public authorities of the federal states * Non-public agencies


Exclusions

The Central Register of Foreign Nationals, according to § 22 and § 37 of the law, is excluded from certain sections of the Bundesdatenschutzgesetz.


Public bodies of the Federation

Public authorities are the Federal Authorities, the administration of justice and other public-law institutions of the Federation, the Federal Authorities, establishments, and foundations under public law and their associations, irrespective of their legal form (§ 2 I BDSG).


Public authorities of the federal states

Public authorities of the federal states, the authorities and the institutions of justice and other public-law institutions of a federal state, community, a community association and other legal persons of public law, which are subordinated to the supervision of the federal state of public law and their associations, irrespective of their legal form (§ 2 II BDSG).


Non-public agencies

Non-public agencies are natural and legal persons, companies, and other associations of persons in private law that do not fall under the paragraphs of § 2 I-III BDSG (§ 2 IV BDSG).


Overview of the first principles

The BDSG contains seven first principles of data protection law: 1. Prohibition with reservation of permission: The collection, processing and use of personal data is strictly prohibited, unless it is permitted by the law or the person concerned gives consent (§ 4 I BDSG). 2. Principle of immediacy: The personal data has to be collected directly from the person concerned. An exception of this principle is a legal permission or a disproportionate effort (§ 4 III BDSG). 3. Priority to special laws: The BDSG supersedes any other federal law that relates to personal information and its publication (§ 1 III BDSG). 4. Principle of proportionality: The creation of standards restrict the fundamental rights of the affected person. Therefore, these laws and procedures must be appropriate and necessary. A balancing of interests must occur. 5. Principle of data avoidance and data economy: Through the use of data anonymization or pseudo-anonymization, every data processing system should achieve the goal to use no (or as little as possible) personally identifiable data. 6. Principle of transparency: If personal data is collected, the responsible entity must inform the affected person of its identity and the purposes of the collection, processing or use (§ 4 III BDSG). 7. Principle of earmarking: If data is permitted to be collected for a particular purpose, use of the data is restricted to this purpose. A new consent or law is required, if the data will be used for another purpose.


Types of personal data

Personal data Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person. The abbreviation PII is widely accepted in the United States, but the phrase it abbreviates ha ...
means all data that provide information about personal relationships or facts about an identified or identifiable
natural person In jurisprudence, a natural person (also physical person in some Commonwealth countries, or natural entity) is a person (in legal meaning, i.e., one who has its own legal personality) that is an individual human being, distinguished from the bro ...
. They include: * Personal relationships: name, address, occupation, e-mail, IP address, or personal number * Factual circumstances: income, taxes, ownership * Special kind of personal data: racial or
ethnic origin An ethnic group or an ethnicity is a grouping of people who identify with each other on the basis of shared attributes that distinguish them from other groups. Those attributes can include common sets of traditions, ancestry, language, history, ...
, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life. These data are subject to special protection. Protected personal data does not include anonymized data, where the person's identity is not discernible. Pseudonymized data (where the person's name is replaced with a pseudonym) is protected by the BDSG, because the data relates to a person whose identity is discernible. The BDSG does not protect the data of
legal person In law, a legal person is any person or 'thing' (less ambiguously, any legal entity) that can do the things a human person is usually able to do in law – such as enter into contracts, sue and be sued, own property, and so on. The reason for ...
s, such as corporations, although some courts have extended protection to legal persons.


Interaction with European law

The Council of Ministers and the European Parliament adopted the
Data Protection Directive The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, is a European Union directive which regulates the processing of personal data within the European Union (EU) and the free movement of such data. The Data Pr ...
on October 24, 1995, that had to be transposed into internal law of the Member States by the end of 1998 (Directive 95/46/EC of the European Parliament and Council on the protection of individuals with the processing of personal data and on the free movement of such data). All member states have enacted their own data protection legislation. On 25 January 2012, the European Commission unveiled a draft
General Data Protection Regulation The General Data Protection Regulation (GDPR) is a European Union regulation on data protection and privacy in the EU and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law, in partic ...
that will supersede the Data Protection Directive.


Cross-border data transmission

The following rules apply in accordance with the requirements of the
European Commission The European Commission (EC) is the executive of the European Union (EU). It operates as a cabinet government, with 27 members of the Commission (informally known as "Commissioners") headed by a President. It includes an administrative body o ...
's
Data Protection Directive The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, is a European Union directive which regulates the processing of personal data within the European Union (EU) and the free movement of such data. The Data Pr ...
to companies domiciled in Germany and for companies based abroad.


Companies domiciled in Germany

For companies based in Germany, the Federal Data Protection Act regulates the transfer of data differently in another EU member country and to a third country.


Transmission from Germany to another EU member country

Through the implementation of the EU Data Protection Directive, a uniform level of data protection has emerged in EU member countries. A company domiciled in Germany is therefore entitled to transfer personal data in Europe under the same rules as if it were to transfer data within Germany.


Transmission from Germany to a third country

Transfers to third countries must comply with the requirements of the Federal Privacy Act (§ 4b II sentence 1 BDSG). The transmission must cease if the person has a legitimate interest in the prevention of transmission, especially if an adequate data protection in the third country is not guaranteed (§ 4b II sentence 2 BDSG). The adequacy of protection shall be assessed by taking all the circumstances into account that are of importance for data transmission (§ 4b III BDSG). These include the type of data, the purpose, duration of processing, professional rules and security measures. In the opinion of the European Commission,
Switzerland ). Swiss law does not designate a ''capital'' as such, but the federal parliament and government are installed in Bern, while other federal institutions, such as the federal courts, are in other cities (Bellinzona, Lausanne, Luzern, Neuchâtel ...
and
Canada Canada is a country in North America. Its ten provinces and three territories extend from the Atlantic Ocean to the Pacific Ocean and northward into the Arctic Ocean, covering over , making it the world's second-largest country by tot ...
have an adequate level of protection. A further decision by the European Commission affects data transmission into the United States. According to the decision, the
U.S. Department of Commerce The United States Department of Commerce is an United States federal executive departments, executive department of the Federal government of the United States, U.S. federal government concerned with creating the conditions for economic growth ...
assured a reasonable level of data protection through the negotiated Safe Harbor Agreement. Through the Safe Harbor Agreement (invalidated 6 October 2015 by Maximillian Schrems v. Data Protection Commissioner, and its successor, Privacy Shield, invalidated on 16 July 2020), the recipient in the United States commits itself to comply with certain data protection principles by means of statements that to the relevant U.S. authorities. No transfer framework currently applies and transfers to and from the U.S., as all third countries, requires another approved mechanism under the GDPR (e.g. binding corporate rules, standard contractual clauses). For other third countries, it is hardly possible to determine the appropriate level of protection because of the complex criteria. For this reason certain exceptions (in § 4c I and II BDSG) under which a data transmission is allowed in third countries, even if an adequate level of data protection is not guaranteed, are important. § 4c I BDSG allows cross-border data transfer with the person's consent and subject to the fulfillment of a contract between the person and the responsible party. In all other cases, the "subject to approval" solution (§ 4c II BDSG) allows the manufacturing site to transfer data in recipient countries where an adequate level of data protection is ensured. The contractual clauses or "binding corporate rules" must offer adequate guarantees regarding the protection of personal rights and must be approved in advance by the Competent Authority (§ 4c BDSG II set 1). For international companies, it is advisable to obtain approval for standard contractual clauses. Even self-regulation in corporate policies can enable the data flow within multinational corporations. The
codes of conduct A code of conduct is a set of rules outlining the norms, rules, and responsibilities or proper practices of an individual party or an organization. Companies' codes of conduct A company code of conduct is a set of rules which is commonly writt ...
must also give victims legal rights and certain guarantees, as is the case in contracts.New Jersey Companies Settle State HIPAA Investigation
/ref>


See also

* '' Volkszählungsurteil''


References


External links


Overview of the First Principles




{{Authority control Law of Germany Privacy in Germany Data laws of Europe