Federal Data Protection Act

Basic data
Title:	Federal Data Protection Act
Previous title:	Law to protect against misuse of personal data in data processing
Abbreviation:	BDSG
Type:	Federal law
Scope:	Federal Republic of Germany
Legal matter:	Administrative law
References :	204-4
Original version from:	January 27, 1977 ; ( BGBl. I p. 201 )
Entry into force on:	predominantly January 1, 1978
Last revision from:	June 30, 2017 ; ( Federal Law Gazette I p. 2097 )
Entry into force of the ; new version on:	May 25, 2018
Last change by:	Art. 12 G of November 20, 2019 ; ( Federal Law Gazette I p. 1626, 1633 )
Effective date of the ; last change:	November 26, 2019 ; (Art. 155 G of November 20, 2019)
GESTA :	B030
Weblink:	Text of the law
	Please note the note on the applicable legal version.

The German Federal Data Protection Act ( BDSG ), together with the data protection laws of the federal states and other area-specific regulations, regulates the handling of personal data that is processed in information and communication systems or manually ( see also: data protection ). By May 2018, it implemented the data protection directive, which was repealed and replaced by the General Data Protection Regulation . A new version of the BDSG came into force in 2018 ( BGBl. 2017 I p. 2097 ).

historical development

There have been individual provisions for a long time that serve to protect privacy ( confessional secrecy , medical confidentiality , tax secrecy , postal secrecy ). Reflections on a comprehensive data protection took its beginning in the 1960s in the US and were associated with the development of computer technology and the associated threats to privacy (English: privacy ).

In Germany, Hessen introduced data protection legislation in 1970 with the world's first data protection law. In 1977 the federal government followed suit with the first version of the Federal Data Protection Act. After the census ruling by the Federal Constitutional Court in 1983, it was clear that the previous data protection laws did not meet the constitutional requirements. These had to be amended within a reasonable period of time . In 1986, Hessen was the first state to pass a new, adapted data protection law; In 1990 the federal government was ready.

The Basic Law does not contain any express competence of the federal government to comprehensively regulate data protection . The regulatory competence for a Federal Data Protection Act arises from the recourse to the legislative competences for various areas that are important for data protection. For data protection in the area of application of the public administration, this is the legislation for the administrative procedure ( Art. 70 ff. In conjunction with Art. 84 (1), Art. 85 (1) and Art. 86 GG). Data processing is used as a work and organizational tool and is therefore part of the administrative procedure. Federal data protection provisions can therefore be issued for the administrative activities of the federal government as well as for those of the states, municipalities and associations of municipalities, insofar as they implement federal law. In the area of the state's own implementation of federal law, this requires the approval of the Federal Council. For the legal regulation of the protection of privacy in non-public areas, the legislative competence of the federal government is based on the respective expertise, i.e. on its competence as defined in the Basic Law and the like. a. for legislation in the field of economic, labor, civil, criminal and procedural law.

Amendment 2009

The BDSG was changed with three amendments in 2009 and 2010: On April 1, 2010, with "Amendment I", a new regulation of the activities of credit agencies and their contractual partners (particularly credit institutions) and of scoring came into force. The long and heatedly debated “Novelle II” came into force on September 1, 2009. They change 18 paragraphs in the BDSG. The content includes changes to the list privilege in address trading, new regulations for market and opinion research, opt-in , prohibition of coupling, employee data protection, order data processing, new powers for the supervisory authorities and new or greatly expanded fines, information obligations in the event of data protection violations, protection against dismissal for data protection officers. On June 11, 2010, the "Amendment III" changed as a small sub-item within the framework of the law for the implementation of the EU consumer credit directive, the § 29 BDSG extended by two paragraphs.

Overview of the BDSG in the old version

The BDSG old version consists of six sections:

In the first section (§§ 1–11) general and common provisions are explained,
in the second section (§§ 12–26) data processing for public bodies and
regulated in the third section (§§ 27–38a) for private bodies.
The fourth section (§§ 39-42) contains special provisions
in the fifth section (§§ 43-44) penal and administrative fines and
in the sixth section (§§ 45–48) mentioned transitional provisions.

General and common provisions

Section 1 (1) BDSG reads:

The purpose of this law is to protect individuals from having their personal rights impaired by handling their personal data .

Principles

An essential principle of the law is the so-called prohibition principle with reservation of permission . This states that the collection, processing and use of personal data are in principle prohibited. They are only permitted if either there is a clear legal basis (i.e. the law allows data processing in this case) or if the person concerned has expressly (usually in writing) given their consent to the collection, processing and use ( Section 4 (1) , § 4a ). The procedures used with automated processing are to be checked by the (official or company) data protection officer or (if such is not available) notifiable to the competent supervisory authority ( Section 4d ).

The principle of data economy and data avoidance defined in Section 3a also applies : All data processing systems should be geared towards the goal of using no or as little personal data as possible and, in particular , making use of the options for anonymization and pseudonymization .

Protected data

The handling of personal data is regulated. Data are personal if they describe the personal or factual circumstances of a natural person . It is sufficient if the person is not named but can be identified (for example: telephone number , e-mail address, IP address when surfing , personnel number ).

In contrast, there is anonymous data in which the person is unknown (i.e. indeterminable). However, pseudonymous data, in which the name is replaced by an alias, again fall under the scope of the BDSG, because it concerns details of identifiable persons. But since it is more time-consuming to infer the owner from the pseudonym, the right to informational self-determination is better protected than z. B. by name.

Data on legal entities (GmbH, AG, etc.) do not fall within the scope of the BDSG . Contrary to the clear wording, individual administrative courts have also applied data protection laws to legal persons.

So-called special types of data are particularly protected in accordance with Section 3 (9) BDSG, namely data on ethnic origin , political opinion, religious or philosophical convictions, trade union membership, health and sex life . According to Section 4d (5) BDSG, this data is subject to prior checking . This means that the handling of the data in institutions that collect, process or store data of this type must be checked before data processing begins. The data protection officer, who must be appointed by the institution concerned, is responsible for this.

With this data, the principle of prohibition is defined even more closely, subject to permission, by an exception catalog and the express consent of the person concerned is required.

Material scope

The BDSG regulates the following activities: data collection, data processing and data use. A collection within the meaning of the law already exists with the mere acquisition of data about natural persons from the data subject or from third parties. For processing while the storage, modification, transfer, part of Block and delete the data. Under benefit any use of personal data is to be understood outside the processing. The BDSG also regulates which rights and obligations the supervisory authorities have for data protection.

Spatial scope

German companies always have to comply with German data protection law.

If a responsible body located in another EU / EEA country collects, processes or uses personal data in Germany (Germany), the data protection law that applies in the country of domicile ("seat principle" - § 1 Paragraph 5, S. 1 HS. 1 BDSG). Accordingly, French data protection law must generally be applied to the handling of data by a company based in France. An exception applies if the data is handled by a branch in Germany (Germany). In this case, German data protection law must again be applied ("Territorial principle" - § 1 Paragraph 5, S. 1 HS. 2 BDSG).

If a responsible body that is neither in Germany nor in the EC / EEA area collects, processes or uses personal data in Germany (Germany), German data protection law must generally be applied (Section 1, Paragraph 5, Sentence 2 BDSG). Therefore, Facebook and Co. have to adhere to German data protection law. Such bodies have to appoint a representative in Germany.

Norm addressees

The BDSG differentiates between data protection in public and non-public bodies. Competitive companies under public law that compete with private companies (e.g. Deutsche Bahn ) are treated like non-public bodies.

Data processing of non-public bodies and advice

Every non-public body (e.g. company) in which 20 or more people are constantly involved in the processing of personal data by means of electronic data processing requires a data protection officer (DSB for short). The same is true for twenty or more employees, if the data is processed manually (e.g. with index cards), if processing requires prior checking or processing is processed for transmission (detective agency, credit agency) or anonymous transmission (opinion polls).

The duties of the responsible (processing) body always fall to the management. Regardless of the appointment of a data protection officer, they include a .:

Granting of rights of data subjects (notification, information, correction, blocking, deletion)
transparent and documented EDP ( procedure directory )
Protection of EDP and data in terms of IT security (Section 9 BDSG plus appendix)
Traceability of access, changes and transfers to third parties

Rights of the persons affected

Affected persons (natural persons about whom data are stored in public or non-public bodies) have the following rights (which are indispensable in accordance with Section 6 (1) BDSG) according to the Federal Data Protection Act :

Information about whether and which personal data is stored about you
Information about the sources from which these data originate and for what purpose they are stored
Correction of incorrect personal data
Right of appeal to the competent supervisory authority for data protection
Deletion or blocking of your data records. Instead of deletion, a block is always carried out if one of the facts provided for in the law in this regard is met (e.g. statutory retention periods ).
Prohibit the transmission of personal data to third parties

The first two rights mentioned can be refused if the general public interest, the interest of the respective non-public body in maintaining business secrecy or the interest of third parties in secrecy outweighs. However, this must be checked on a case-by-case basis. A refusal to provide information must be documented stating the reasons.

Every citizen has a right to information about the data stored about him and a right to correct incorrect data. There is an obligation to provide information for the respondents; there may be restrictions on the police and secret services. The information is to be provided by public authorities free of charge ( Section 19 (7) BDSG). If information is provided by private bodies, a fee may be required under certain circumstances ( Section 34 BDSG), but the person concerned must be made aware of this and a free alternative must be offered if necessary. For a long time, the Schufa practice of giving a self- disclosure request a negative rating was controversial ; However, the Schufa has given up this practice. Furthermore, everyone has the right to object to the use of their address data for advertising or market or opinion research at the data-storing office and to request that their data be blocked.

Special regulations

The respective state data protection laws apply to the authorities of the federal states and municipalities . There are also special regulations for public broadcasters .

Religious societies under public law are not subject to the Federal Data Protection Act or the state data protection laws. The Roman Catholic Church issued the ordinance on ecclesiastical data protection and the Synod of the Evangelical Church in Germany issued the EKD Data Protection Act .

For administrative procedures within the scope of the Social Security Code , special regulations apply to the protection of social data , which are to be applied instead of the Federal Data Protection Act or national regulations. This also applies to the implementation of those laws which, in accordance with Section 68 of the First Book of the Social Code (SGB I), apply as special parts of the Social Code, such as for procedures carried out by BAföG or housing benefit offices. Social data protection is regulated in the second chapter of Book 10 of the Social Code (SGB X).

literature

Federal Commissioner for Data Protection and Freedom of Information (Ed.): DSGVO - BDSG. Texts and explanations (= BfDI-Info . No. 1 ). Bonn 2019 (299 pp., Bund.de [PDF; 3.8 MB ; accessed on March 12, 2019]).

Lutz Bergmann, Roland Möhrle, Armin Herb: Commentary on data protection law. 55th day Boorberg publishing house. Stuttgart, August 2018, ISBN 978-3-415-00616-4 .
Wolfgang Däubler , Thomas Klebe, Peter Wedde, Thilo Weichert : Federal Data Protection Act. Compact commentary on the BDSG. With judgment on Safe Harbor and outlook EU General Data Protection Regulation. 5th edition. Bund-Verlag, Frankfurt (Main) 2016, ISBN 978-3-7663-6446-3 .
Peter Gola , Rudolf Schomerus (up to the 9th edition), Christoph Klug, Barbara Körffer: BDSG - Federal Data Protection Act. Comment. 12th edition. Verlag CH Beck, Munich 2015, ISBN 978-3-406-67176-0 .
Spiros Simitis (Ed.): Commentary on the Federal Data Protection Act Nomos, authors: Ulrich Dammann , Alexander Dix, Eugen Ehmann, Walter Ernestus, Otto Mallmann, Thomas Petri, Philip Scholz, Achim Seifert, Spiros Simitis, Bettina Sokoll, 8th edition. Nomos, Baden-Baden 2014, ISBN 978-3-8487-0593-1 .

Web links

Federal Data Protection Act
Federal Data Protection Act (valid until May 25, 2018)
BDSG online comment in the data protection WIKI of the BfDI
New data protection law in force (article by RA Terhaag on address trading, listing privilege, data protection officer, employee data protection, information and disclosure obligations as well as the new guidelines for order data agreements)
Report on the effects of Sections 30a and 42a of the Federal Data Protection Act ( BT-Drs. 17/12319 )
Report of the Federal Government on the effects of the changes to §§ 28 and 29 of the Federal Data Protection Act (BSDG) in the context of the second BDSG amendment ( BT-Drs. 18/3707 )

supporting documents

↑ Process flow (drafts, explanations and advice) in the DIP
text and changes by the law amending the Federal Data Protection Act
↑ Process flow (drafts, explanations and advice) in the DIP
text and changes due to the law amending data protection regulations
↑ Process flow (drafts, explanations and advice) in the DIP
text and changes through Art. 5 of the law for the implementation of the consumer credit directive, the civil law part of the payment services directive and the reorganization of the regulations on the right of withdrawal and return
↑ The Wiesbaden Administrative Court ruled on January 18, 2008 (AZ 6 E 1559/06) that data protection requirements “ also apply to legal persons, provided there is a fundamentally guaranteed right to informational self-determination under Article 14 of the Basic Law ” . On February 27, 2009, the Wiesbaden Administrative Court confirmed its case law (AZ 6 K 1045 / 08.WI) .
↑ Federal Data Protection Act (BDSG) § 20 and § 35 , correction, deletion and blocking of data
↑ FAQ SCHUFA-Score, point 4.18 ( Memento from March 29, 2013 in the Internet Archive )

[1] Process flow (drafts, explanations and advice) in the DIP
text and changes by the law amending the Federal Data Protection Act

[2] Process flow (drafts, explanations and advice) in the DIP
text and changes due to the law amending data protection regulations

[3] Process flow (drafts, explanations and advice) in the DIP
text and changes through Art. 5 of the law for the implementation of the consumer credit directive, the civil law part of the payment services directive and the reorganization of the regulations on the right of withdrawal and return

[4] The Wiesbaden Administrative Court ruled on January 18, 2008 (AZ 6 E 1559/06) that data protection requirements “ also apply to legal persons, provided there is a fundamentally guaranteed right to informational self-determination under Article 14 of the Basic Law ” . On February 27, 2009, the Wiesbaden Administrative Court confirmed its case law (AZ 6 K 1045 / 08.WI) .

[5] Federal Data Protection Act (BDSG) § 20 and § 35 , correction, deletion and blocking of data

[6] FAQ SCHUFA-Score, point 4.18 ( Memento from March 29, 2013 in the Internet Archive )