from Wikipedia, the free encyclopedia

Data protection is a term that emerged in the second half of the 20th century and is sometimes defined and interpreted differently. Depending on the perspective, data protection is understood as protection against improper data processing, protection of the right to informational self-determination, protection of personal rights in data processing, or protection of privacy. Data protection is often understood as the right of every person to decide, in principle, for themselves who may access which of their personal data and when. The essence of such a data protection law is that the imbalance of power between organizations and individuals can be made subject to conditions. Data protection is intended to counteract the trend towards the so-called transparent person in the increasingly digital and networked information society, the proliferation of state surveillance measures (surveillance state) and the emergence of data monopolies held by private companies.

Terms and scientific justifications

Data protection initially comprises organizational and technical measures against misuse of data within an organization. The term IT security relates to technical measures against the deletion and falsification of data. The special emphasis on public security does not meet the primary interests of private data protection, but only the conflicting interests of the state monopoly of power.

Originally, the term data protection was understood to mean protecting the data itself in the sense of data backup, e.g. against loss, change or theft. This understanding was reflected, for example, in the first Hessian Data Protection Act of 1970. In the same year, the current concept of data protection was defined in an article by Ulrich Seidel, “Problems of personal rights in the electronic storage of private data”. In addition, the division of data into the unprotected social sphere and the protected private and intimate sphere was given up and reinterpreted as a uniform protection of personal data. In his dissertation “Databases and Personal Rights” from 1972, Seidel understood material data protection law as the regulation of personal data processing as a whole and differentiated it from formal data protection law and data backup. With his work he gave data protection the meaning it has had in general use, in Germany and beyond, since then. Seidel was awarded the Federal Cross of Merit in 1986 for the scientific justification of the concept of data protection.

In Switzerland and Liechtenstein, data protection is defined as "protection of the personality and the fundamental rights of persons about whom data is processed" (§ 1 Federal Law on Data Protection in Switzerland, Art. 1 Paragraph 1 Liechtenstein Data Protection Act). In Austria, data protection is described as the right to confidentiality of personal data, provided there is an interest worthy of protection (Section 1 (1) sentence 1 Data Protection Act 2000).

The European Union understands data protection to mean "in particular the protection of the privacy of natural persons when processing personal data" (Art. 1 Para. 1 Directive 95/46/EC). The Council of Europe defines data protection as the protection of the “right to an area of personality […] in the automatic processing of personal data” (Art. 1 European Data Protection Convention). In the English-speaking world, one speaks of privacy (protection of privacy) and of data privacy or information privacy (data protection in the narrower sense). In the European legal area, the term data protection is also used in legislation.


The importance of data protection has increased steadily since the development of digital technology because data storage, data processing, data acquisition, data transfer and data analysis are becoming easier and easier. Technical developments such as the Internet, e-mail, mobile telephony, video surveillance and electronic payment methods create new possibilities for data collection. This development contrasts with a certain indifference from large parts of the population, in whose eyes data protection has little or no practical importance.

Both government agencies and private companies are interested in personal information. For example, security authorities want to improve the fight against crime through computer searches, telecommunications monitoring and inventory data information, while tax authorities are interested in bank transactions in order to uncover tax offenses.

Companies expect higher efficiency from employee monitoring (see employee data protection), customer profiles are meant to help with marketing, including price differentiation, and credit agencies are meant to ensure the solvency of customers (see consumer data protection, Schufa, Creditreform).


The starting point of the worldwide debate about data protection was the plans of the US government under John F. Kennedy in the early 1960s to set up a national data center to improve state information. Data of all US citizens was to be registered there. Against the background that there is no nationwide population register or registration system in the USA and also no nationwide valid ID cards, this planning was viewed in the following debates as an interference with the constitutionally postulated “right to be alone”. The "Right to Privacy", which was developed in 1890 by Samuel D. Warren and the later federal judge Louis D. Brandeis, also played a major role. According to it, every individual has the right to determine the extent to which his or her "thoughts, opinions and feelings", i.e. personal information, should be shared with others. The project failed in Congress, with the result that there were calls for legal bases for the processing of personal data. The result was the passing of the Privacy Act - albeit not until 1974 - which introduced rules for federal authorities that already contained the essential principles of data protection: necessity, security, transparency. Considerations of extending the law to the private sector in general did not lead to success due to an expert opinion which came to the fatal conclusion that competition would regulate this.

The American debate was also reported in Europe. At the end of the 1960s, Germany was looking for a term that would avoid the direct translation of the term “privacy” - (general) personal rights - because of the controversial debate since the 19th century and its bulkiness. Based on the term "machine protection" (legislation on the safety of work equipment), the scientific word "data protection" was created, which was initially criticized because of its ambiguity (not the data is protected, but the people), but is now used internationally (data protection, protection des données, protección de datos, zaschtschyta danych, προστασία δεδομένων προσωπικού χαρακτήρα etc.).

In 1970, Hessen passed the world's first data protection law. The German Federal Data Protection Act (BDSG 1977) followed in 1977; the focus was on determining the prerequisites for the introduction of data protection officers and the priority given to the protection of personal data. State data protection laws were passed in 1981 for all federal states. The BDSG 1977 saw it as the task of data protection "to counteract the impairment of legitimate interests of the data subjects by protecting personal data from misuse during their storage, transmission, modification and deletion (data processing)" (§ 1 Paragraph 1 BDSG 1977). Any data processing that was not carried out on a legal basis was abusive. At that time, data protection was seen as the protection of personal data from data processing that was not legally legitimized. In 1983 the Federal Constitutional Court made it clear in the so-called census ruling that data processing on a legal basis can inadmissibly interfere with the fundamental rights of those affected. The court derived a “right to informational self-determination” from the general personal right. The census judgment shaped the understanding of data protection in Germany and was a milestone in the history of German data protection. Since then, data protection has been understood as the protection of the right to informational self-determination (e.g. § 1 State Data Protection Act Schleswig-Holstein) or - more generally - as protection of the personal right when processing personal data (§ 1 BDSG).

In 1995 the European Data Protection Directive 1995/46/EC was passed. In 2001 and 2006, amendments to the BDSG followed. Further amendments were dated May 29, 2009 and July 2 and 3, 2009.

With the immediate application of the higher-ranking European General Data Protection Regulation on May 25, 2018, most of the previous BDSG was superseded, and on the same day the complete new version of June 30, 2017 came into force.


Figure: Comparison of some countries in the privacy ranking 2007 of the organization Privacy International (the lighter the color, the higher the level of protection).

International regulations

With the OECD Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data, internationally valid guidelines have existed since 1980. Their goals are to extensively harmonize the data protection provisions of the member states, to promote a free exchange of information, to avoid unjustified trade barriers and, in particular, to prevent a gap between European and US developments.

In 1981, the Council of Europe adopted the first international agreement on data protection, the European Data Protection Convention. The European Data Protection Convention is still in force today and is binding under international law for all 46 states (as of July 30, 2013) that have ratified it. The convention is open to states worldwide. The first accession country outside Europe is Uruguay, for which the convention came into force on August 1, 2013. (In contrast, the data protection guidelines of the European Union are only binding for the EU member states and therefore only to be implemented by them in national law.)

United States

In the United States, privacy is rarely regulated by law or regulation. In many cases, access to private data is socially acceptable, e.g. a credit check before agreeing an employment relationship or before renting an apartment. There are regulations for individual sub-areas, e.g. the Children's Online Privacy Protection Act (COPPA, "law to protect the privacy of children on the Internet") and, in the area of health insurance, the Health Insurance Portability and Accountability Act (HIPAA), but no comprehensive regulation for the handling of personal data.

One possible reason for this is that the US government has little confidence in protecting personal information. It is argued that in many cases data protection collides with the requirements in the 1st Amendment to the United States Constitution (First Amendment), which regulates freedom of expression. Data protection has also been used as an instrument to suppress freedom of expression in many countries around the world.

The Supreme Court of the United States did, in the case Griswold v. Connecticut (1965), interpret the Constitution as granting individuals a right to privacy. Yet very few US states recognize an individual's right to privacy. One of the few exceptions is California. In Article 1, Section 1, of the California Constitution, an inalienable right to privacy is established, and California law has at least partially implemented this principle in some legal regulations. For example, the California Online Privacy Protection Act (OPPA) of 2003 requires operators of commercial websites or online services that collect personal information about citizens of the State of California via their websites to place a conspicuous note on the same pages about how they handle the data and to also comply with these self-imposed data protection guidelines, which are not, however, specified in detail.

The US Department of Commerce developed the (voluntary) Safe Harbor procedure between 1998 and 2000, with which US companies can more easily demonstrate compliance with the EU Commission's data protection directive (95/46/EC) when dealing with European business partners.

There is no comprehensive independent data protection oversight in the USA, only the Federal Trade Commission (FTC), which operates in the field of trade and which occasionally also deals with data protection issues. The FTC only intervenes if a company does not adhere to its self-imposed data protection guidelines; however, there are no minimum requirements about the existence or form of such a voluntary commitment. So if a company does not voluntarily commit to data protection, the FTC does not intervene either, since there is no violation of any regulations.

In contrast to European regulations, there are no legal requirements in the USA regarding the retention period for collected personal data. Furthermore, there is no right to information from authorities or companies about what personal data is stored (with the exception of the Freedom of Information Act), and no right to correct incorrect data. All existing data protection regulations only apply to citizens of the USA and those who stay in the USA for a long time, not to data that comes from abroad.

The then Federal Commissioner for Data Protection, Peter Schaar, therefore criticized the expansion to the USA of the intra-European automated data exchange regulated in the Prüm Treaty, which was agreed in March 2008 between the Federal Republic of Germany and the USA.

In March 2017, the Senate and House of Representatives suspended large parts of data protection for Americans in order to allow telecommunications providers, even without the express consent of their customers and users, to collect their users' geospatial data, information about finances, health and children, and movement patterns on the Internet, and to use them for advertising purposes. Furthermore, the corporations are now allowed to sell their users' information directly to third parties.

European Union

The protection of personal data is a fundamental right in the European Union. With Directive 95/46/EC (Data Protection Directive), the European Parliament and the European Council laid down minimum standards for data protection in the member states in 1995. However, the directive did not apply to the area of judicial and police cooperation, the so-called third pillar of the Union. In Germany, the directive was implemented into national law in 2001 with the law amending the Federal Data Protection Act and other laws. The transfer of personal data to third countries that are not members of the EU or parties to the Agreement on the European Economic Area was also regulated: according to Article 25, the transfer was only permitted if the third country guaranteed an "adequate level of protection". The decision as to which countries guarantee this level of protection was made by the Commission, which was advised by the so-called Article 29 data protection group. In 2015, according to the decision of the Commission, an appropriate level of protection was guaranteed by the following third countries: Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, Canada, New Zealand, Switzerland and Uruguay, as well as where the principles of "Safe Harbor" are applied and where Passenger Name Records are submitted to the US Customs and Border Protection (CBP).

In particular, the decision on the permissibility of the transmission of passenger name records to the US customs authorities is highly controversial. The European Court of Justice (ECJ) has annulled these decisions of the Commission and the Council on the basis of an action brought by the European Parliament.

The general data protection guideline was supplemented by the area-specific data protection guideline for electronic communication.

With the votes of Christian Democrats and Social Democrats on December 14, 2005, the EU Parliament approved a directive on compulsory data retention for traffic data from telecommunications and the Internet. This directive obliged the member states to introduce minimum storage periods of six months (Internet) or one year (telephony). This data retention directive has been criticized by civil rights organizations and data protection officers and has also been the subject of a lawsuit before the European Court of Justice. On April 8, 2014, it was declared invalid by the ECJ. The invalidation took effect on the date the Directive entered into force.

As part of the EU data protection reform, the EU Commission published the draft of the European General Data Protection Regulation in January 2012, which replaces the previous directive and is directly legally binding in all member states. The draft gave rise to clear statements, especially among German data protection experts. The German data protection authorities have also been discussing this draft controversially since its publication, with voices critical of data protection also expressing public criticism of it (“Ulm Resolution”). The following deliberations in the EU Parliament were characterized by intensive lobbying work, in particular by the US government and US IT companies, with a total of over 3,100 amendments being tabled. Nevertheless, the European Parliament, with the Green MEP Jan Philipp Albrecht as rapporteur, succeeded in developing a joint negotiating position, which was adopted by an overwhelming majority in October 2013 in the Interior and Justice Committee and confirmed by the plenary on March 12, 2014. After extensive negotiations between the EU Council of Ministers, the European Parliament and the European Commission, the so-called trialogue, the Council adopted the final version on April 8, 2016 and Parliament on April 14. On April 25, 2016, the General Data Protection Regulation came into force. It has been in force in all EU member states since May 25, 2018.

In principle, the member states are not allowed to weaken or strengthen the data protection stipulated by the regulation through national regulations. However, the regulation contains opening clauses for national legislation for certain aspects of data protection.


According to the case law of the Federal Constitutional Court, data protection is a fundamental right (right to informational self-determination). Accordingly, the person concerned can in principle decide for himself to whom he gives which personal information.

However, this fundamental right is not explicitly mentioned in the Basic Law. On the other hand, a data protection regulation has been included in most of the state constitutions, for example in Berlin (Art. 33), Brandenburg (Art. 11), Bremen (Art. 12), Mecklenburg-Western Pomerania (Art. 6 Paragraphs 1 and 2), North Rhine-Westphalia (Art. 4 para. 2 as well as the guarantee of the establishment of the data protection officer in Art. 77a), Rhineland-Palatinate (Art. 4a), Saarland (Art. 2 para. 2), Saxony (Art. 33), Saxony-Anhalt (Art. 6 Para. 1) and Thuringia (Art. 6).

At the federal level, the Federal Data Protection Act (BDSG) regulates data protection for the federal authorities and the private sector (i.e. for all commercial enterprises, institutions, associations, etc. vis-à-vis natural persons). In addition, the data protection laws of the federal states regulate data protection in state and local authorities. Data protection regulations can also be found in a number of other laws, such as the Telecommunications Act and the Telemedia Act, each of which contains more specific data protection regulations for its area of application. These area-specific regulations take precedence over the Federal Data Protection Act; the BDSG only applies as a supplement.

Federal public authorities and companies that provide telecommunications or postal services on a business basis are subject to supervision by the Federal Commissioner for Data Protection. The state authorities are controlled by the state data protection officers. The private companies (with the exception of telecommunications and post) are subject to the supervision of the data protection supervisory authorities for the non-public area, which are based at the state data protection officer or the state authorities (e.g. Ministry of the Interior). The EU Commission has initiated infringement proceedings against the Federal Republic of Germany, as some state data protection officers and all state authorities do not work “in complete independence”, but rather the state government is authorized to issue instructions.

In Germany, in contrast to many other countries, there is a legal prohibition on the use of real names as a result of Section 13 (6) of the Telemedia Act.


The legal basis for data protection in Austria is the Data Protection Act (DSG). Compliance with data protection is monitored by the data protection authority, which has been headed by Andrea Jelinek since January 1, 2014.

However, it is also possible to enforce data protection under civil law in the ordinary courts (in particular, deletion and correction of incorrect data).


As in Germany, the Federal Data Protection Act regulates data protection for the federal authorities and for the private sector; the respective cantonal data protection law applies to the cantonal authorities.

Compliance with the Federal Data Protection Act is monitored by the Federal Data Protection and Information Commissioner and his secretariat.

The cantons are responsible for monitoring compliance with cantonal data protection laws. They are not subordinate to the Federal Data Protection Officer, but carry out their supervision independently.

A notable difference to the regulations in Germany and Austria, for example, is the fact that in Switzerland, in addition to the obligation to provide information on request, there is also an obligation to inform actively (Art. 14 and Art. 18a): if personal data is processed by federal bodies, or particularly sensitive personal data or personality profiles are processed by private persons, then the data subjects must be actively informed by the owner of the data collection. Similar to what is defined in Germany and Austria, in Switzerland any data that allows a profile to be created (Art. 3d) is treated as particularly sensitive data.


In the church, the right of personality has a very long tradition as a forerunner of data protection. As early as 1215 AD, the secrecy of pastoral care and confession was anchored in canon law. Today, in the area of the Roman Catholic Church, the globally valid Code of Canon Law (CIC) protects the right to privacy in Canon 220. In Germany, the data protection laws of the federal government and state governments apply only partly in the public churches (including Caritas and Diakonie) because the churches have a right of self-determination in this regard. In the Evangelical Church in Germany (EKD) the EKD Data Protection Act (DSG-EKD) applies, in the Roman Catholic Church in Germany the order on ecclesiastical data protection (KDO), and in the Old Catholic Church the order on the protection of personal data (data protection regulation, DSO) in the area of the Catholic Diocese of Old Catholics in Germany. However, general data protection law applies if the churches act outside of the charitable or other church mandate in forms of private law.


Main principles of data protection are

If data may be processed on the basis of a legal basis, technical and organizational measures must be taken to ensure operational data protection in the technical processes and functions. The standard data protection model (SDM) formulates all operational requirements that personal procedures have to meet.

Scope of application

Data protection relates to the collection, processing and use of personal data.


  • Collect = procure, Section 3 Paragraph 3 BDSG.
  • Processing = saving, changing, transmitting, blocking, deleting, Section 3 Paragraph 4 BDSG.
  • Use = any use, unless it is a matter of processing, i.e. use is the generic term for processing and use, Section 3 (5) BDSG.

Data protection control

The public sector oversight is:

In addition, authorities have the option / obligation to appoint official data protection officers. These can take on individual tasks (e.g. keeping the data protection register), but do not prevent the superordinate officer from monitoring it.

In the non-public area, data protection supervision is regulated by state law. It is located, for example, at the district government, the Ministry of the Interior or the state commissioner for data protection. The Federal Commissioner for Data Protection is also responsible for postal and telecommunications companies.

From a certain company size, a company data protection officer must be appointed in accordance with the Federal Data Protection Act. Some of these are organized in the professional association of data protection officers in Germany.

Various associations are also concerned with strengthening data protection, such as the German Association for Data Protection, the Society for Data Protection and Data Security, the FIfF, digitalcourage (formerly FoeBuD), or in Austria the ARGE Daten and the Working Group on Data Reserves Austria.


Data protection collides with other goals in various areas. These conflicting goals have to be resolved by weighing data protection against other goals. Excessive data protection or data protection in the wrong place can also be harmful.

Data protection and freedom of information

Data protection is fundamentally in conflict with the demand for freedom of information. Freedom of information means that information from public administration (administrative transparency) and politics is made public to the citizen (principle of publicity). However, this information is also subject to data protection and should therefore be treated confidentially. This conflict of goals is resolved very differently. In Sweden, the principle of public access is traditionally valued much higher than data protection. Even highly private data such as income tax returns are public. In Germany there has traditionally been a reluctance of public administrations to publish information. It was only in 2006 that this attitude was relaxed by the Freedom of Information Act. The balance between the concerns of freedom of information and data protection was struck in § 5 Freedom of Information Act largely in favor of data protection:

"Access to personal data may only be granted if the applicant's interest in information outweighs the legitimate interest of the third party in excluding access to information or if the third party has consented. Special types of personal data within the meaning of Section 3 (9) of the Federal Data Protection Act may only be transmitted if the third party has expressly consented "

- § 5 Freedom of Information Act

Similar conflicts also arise at company level. This is where a possible right to information from customers or third parties collides with data protection. The mobile operator T-Mobile, for example, had rejected, with reference to data protection, a customer's request to find out who was sending an advertising SMS - and was only forced to comply by a ruling by the Federal Court of Justice (Az. I ZR 191/04).

Data protection costs

Data protection causes costs and is therefore in conflict with the goal of companies and administrations to work cost-effectively. Data protection can (albeit to a lesser extent) contribute to cost savings.

Costs arise, among other things:

  • for the data protection officer and his organization (e.g. material resources, employee training)
  • due to the fact that operational data processing becomes more complicated and therefore more expensive due to data protection (e.g. access rights management, deletion, archiving and blocking functions)
  • by processing requests from third parties about stored data and requests for correction or deletion
  • by documenting and checking the data protection measures taken

In addition, there are indirect costs, for example in the form of multiple entries of data if automated data transfer is not permitted (e.g. the tax office may not automatically obtain taxpayers' changes of address from the residents' registration office). Use of data that leads to business opportunities is also in some cases not permitted due to data protection. For example, banks do not evaluate their customers' payment transactions to determine whether they have business connections with competitors and then submit product offers to them.

Of even greater importance are economic costs that arise from the fact that in the absence of perfect information there is a significant deviation from the assumptions of a perfect market. Data protection, which (otherwise it would be empty of content) reduces the flow of information, automatically reduces economic efficiency (on this and on further references cf. Maennig 2006). In extreme cases, the hiding of information with reference to data protection is interpreted as an attempt to misrepresent yourself or your company to the detriment of others or society, for example by suppressing unpleasant information. A typical example is laws that protect financial information. These make it possible, for example, for people and companies with an insolvency history to present themselves just as positively as other people and companies. If they then receive loans, credit cards, etc., there is a risk that the number of future defaults and thus the credit risk will increase - with the consequence of higher risk margins for everyone, including the innocent.

Due to the economic costs associated with data protection, the economic answer to the question of data protection is not yes or no; rather, the search is on for an optimal amount and structure of data protection.

The following contribute, for example, to cost savings:

  • Smaller amounts of data due to the principle of data economy
  • More efficient IT systems due to more systematic IT organization and documentation

The cost aspect has been an issue since the beginning of data protection. A study from 1985 showed the following data protection-induced costs for the period from 1977 to 1985:

  • up to 0.3 million marks for almost all small and some medium-sized companies,
  • 0.3 to 0.6 million marks in the majority of medium-sized companies and
  • 1 to 3 million marks in most large companies.

A few large companies had costs of more than 20 million marks. Due to ever more stringent data protection regulations, the costs are now many times higher.

A lack of data protection also causes costs, sometimes considerable, for the organizations. Direct costs here include, for example, fines for non-compliance with data protection regulations. Violations of data protection are potentially capable of damaging the image of the organization and thus damaging the business.

Data protection and the fight against crime

The conflict between data protection and the fight against crime is widely discussed in public. Extensive access by the law enforcement authorities to personal data (including that of innocent people) makes their work easier. However, data protection is particularly important here, as a surveillance state is incompatible with the rule of law. The protection of the basic rights of the residents requires the legal regulation of the access and storage options of the law enforcement authorities with regard to personal data. The extent of these possibilities and the related relationship between benefit (security) and harm (interference with civil liberties and civil rights) is highly controversial politically. While some invoke the image of a surveillance state even for minor interventions, a blanket catchphrase from the other side is "data protection is protection of perpetrators".

In order to weigh up the interests of data protection and the fight against crime, the specific measure must be considered. Starting points for an assessment are:

  • Severity of the interference with data protection
  • Degree of suitability of the measure for improving the fight against crime

The topics on which the discussion about data protection and the fight against crime is based have changed over time. In the 1970s the raster search, and from the 1990s onward video surveillance, were discussed intensively. Today the discussion concerns, for example, DNA series examinations, the introduction of biometric data (fingerprint, face measurements, in the future possibly iris scan) and RFID chips in the passport (biometric passport).

On February 24, 2012, the Federal Constitutional Court in Karlsruhe ruled that the police and intelligence services are not allowed to access passwords and PIN codes during their investigations.

At the moment, Passenger Name Records are transmitted for air travel under an agreement between the EU and the USA: personal data of the passenger is transmitted to the USA before departure and stored there for at least 15 years. A similar agreement was overturned by the ECJ in 2006, but it was reinstated shortly afterwards with little change.

Data protection and science

Scientific data collections are also subject to data protection. This can lead to a conflict between freedom of research and data protection. From a data protection point of view, the use of pseudonymized or even anonymized data is unproblematic. In science, however, personal data is also often used. In these cases, consistent application of data protection regulations would sometimes prohibit scientific research. To avoid this, there are special regulations for scientific research. At the international level there is the Council of Europe recommendation for the protection of personal data for the purposes of scientific research and statistics (No. R [83] 10); at the national level there are exceptions in the BDSG for scientific research. These apply, for example, to the consent of the data subjects (Section 4a (2)), data collection (Section 13 (2) Item 8), data storage, modification and use (Section 14 (2) Item 9 or (5) Section 2) or deletion and blocking (Section 20 (7) Section 1).

Nevertheless, in many research projects, compliance with data protection is a cost factor and a restriction on the collection and use of data.

Data protection and medicine

In medicine, there is a special degree of confidentiality (see medical confidentiality). According to Art. 9 Paragraph 1 of the General Data Protection Regulation (GDPR), health data are "special categories of personal data". It is debatable whether the data protection regulations offer sufficient protection.

The areas of conflict here are the exchange of data between doctors, health insurance companies, hospitals and other service providers in the healthcare sector. Effective and inexpensive treatment (e.g. avoiding duplicate examinations) requires knowledge of previous illnesses, previous diagnoses and treatments, and drug use. For the critical discussion in this regard, see: Electronic health card.


As personal genetic analyses that produce so-called genetic fingerprints become ever more advanced, easier and more refined, the protection of "genetic privacy" is becoming more and more important.


Above all through global networking, especially through the Internet, the dangers to the protection of personal data are constantly increasing ("The Internet does not forget."). The relocation (e.g. outsourcing, offshoring) of IT tasks to regions in which German and European laws are not enforceable, and in which foreign governments seek access to data not intended for them, often makes data protection ineffective. Data protection advocates therefore increasingly have to deal not only with the fundamental questions of technical data protection (data security), but especially with the effective enforceability of data protection if they want to be successful.

See also

  • EU data protection reform to standardize the existing European and national data protection regulations
  • INDECT - controversial EU project for the "detection of suspicious behavior" in public space by linking automated evaluation of surveillance camera images with a variety of information sources, including from social networks such as Facebook


