Data protection law

Data protection law is the branch of law concerned with data protection.

The task of data protection law is to ensure informational self-determination and legally protected secrets - in particular telecommunications secrecy - and to create a balance between the data protection of the individual and the legitimate interests of the general public and state and private data processors.

Data protection law in the broadest sense therefore includes all laws, agreements, orders and court decisions that serve to protect privacy, shape the right to informational self-determination or regulate the handling of secrets and personal data.

International and supranational data protection law

United Nations

The Universal Declaration of Human Rights, promulgated by the General Assembly of the United Nations on December 10, 1948, attached importance to people's privacy. Article 12 of the Declaration of Human Rights states:

“Nobody may be exposed to arbitrary interference in their private life, their family, their home or their correspondence [...]. Everyone has the right to legal protection against such interference or interference.”

Although the declaration was not and is not legally binding and the rights set out in it are exclusively of a declaratory nature, it can still be counted among the forerunners or even basic pillars of supranational data protection law.

In September 2005 the 27th International Conference of Commissioners for Data Protection and the Protection of Privacy called on the United Nations to further develop the content of the rights to privacy and data protection as human rights.

Council of Europe

Not least with regard to the UN Declaration of Human Rights that had just been announced, the European Convention on Human Rights of the Council of Europe, which was signed in 1950 and entered into force in 1953, also contained a provision on data protection, even if the term was not yet in use at the time. According to Article 8, Paragraph 1 of the European Convention on Human Rights, “everyone [...] has the right to respect for his private and family life, his home and his correspondence”. This sentence, which is to be understood as declaratory and programmatic, is still valid today; in Germany it has the same rank as a federal law.

After electronic data processing and thus data protection became more and more important in the 1970s, the Council of Europe prepared its own convention on data protection, which was agreed in 1981 as the Convention for the protection of people with regard to the automatic processing of personal data. The European Data Protection Convention, as the convention was called colloquially, came into force in 1985. Through the convention, the states that have acceded to it undertake to observe certain elementary data protection principles in automated data processing and to enforce them against third parties in their own sovereign territory.


OECD

In 1980, the Organization for Economic Cooperation and Development (OECD) formulated guidelines for the protection of personal privacy and the cross-border movement of personal data. The guidelines are particularly intended to facilitate the cross-border exchange of data. However, they are only non-binding recommendations and can now be considered obsolete in terms of content. The OECD recommendations are of no practical relevance.

European Union

Until the year 2000, the data protection law of the European Union was primarily based on the idea of creating and strengthening the common European internal market. Different national data protection laws were seen as possible trade barriers. With the adoption of the Charter of Fundamental Rights of the European Union, data protection was recognized as a fundamental right.

The EU's data protection standards are based on Convention No. 108 of the Council of Europe, on EU instruments such as the General Data Protection Regulation and the Data Protection Directive for Police and Criminal Justice, as well as the relevant case law of the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (ECJ). Since May 2018, the competent advisory body has been the European Data Protection Board (EDPB); the supervisory body is the European Data Protection Supervisor.

Charter of Fundamental Rights

In 2000, the heads of state and government of the EU member states proclaimed the Charter of Fundamental Rights of the European Union. Article 7 of the Charter guarantees everyone “the right to respect for their private and family life, their home and their communications”. Art. 8 of the Charter also states a right to the protection of personal data. Data protection was thus expressly recognized as a fundamental right at the level of the European Union. The Treaty of Lisbon made the Charter of Fundamental Rights binding for the EU and its member states.

Article 16 (1) of the Treaty on the Functioning of the European Union stipulates that every person has the right to the protection of personal data concerning them.


The Council of the European Union and the European Parliament therefore passed Directive 95/46/EC in 1995 on the protection of natural persons with regard to the processing of personal data and the free movement of data (Data Protection Directive), which was intended to harmonize the level of data protection within the European Economic Area. The German federal legislature was in no great hurry to implement this directive: it was not until 2001, six years after the Data Protection Directive came into force, that the Federal Data Protection Act was adapted to the requirements of the directive.

The Data Protection Directive was supplemented in 1997 by Directive 97/66/EC on the processing of personal data and the protection of privacy in the telecommunications sector (Telecommunications Data Protection Directive). The ISDN Directive, as Directive 97/66/EC was called colloquially, did not have a long lifespan. The overwhelming technical developments in telecommunications, in particular the proliferation of cell phones and Internet access as well as the increasing use of e-mail, soon made it necessary to completely revise the directive.

Therefore, in 2002 the European Parliament and the Council adopted Directive 2002/58/EC on the processing of personal data and the protection of privacy in electronic communications, which replaced the Telecommunications Data Protection Directive.

Directive 2006/24/EC on data retention, which came into force in 2006, does not belong to data protection law in the strict sense of the word. This directive obliges the EU member states to have data that is generated or processed in the provision of publicly accessible electronic communication services stored. It can therefore be viewed more as data processing law.

Other legal acts

In 2000, Regulation (EC) No. 45/2001 was passed. It regulates data protection when processing personal data by the institutions and bodies of the European Union.

Framework Decision 2008/977/JHA of 2008 relates to the protection of personal data processed in the framework of police and judicial cooperation in criminal matters. It had to be implemented into national law by November 27, 2010.

As part of a general data protection reform, the General Data Protection Regulation was adopted on April 27, 2016; under it, the Data Protection Directive of 1995 ceases to apply.

The Safe Harbor Agreement concluded between the European Union and the United States was of practical significance. It allowed the transfer of personal data from the territory of the EU to that of the USA, provided that the data recipient met certain data protection criteria. Microsoft and made use of this option. On October 6, 2015, however, the European Court of Justice declared the Safe Harbor Agreement to be invalid. The agreement thus no longer provided a legal basis for data transfers to the USA. On July 12, 2016, however, the EU Commission decided to regard the EU-US Privacy Shield as corresponding to the data protection level of the European Union.

National data protection law


Germany

German data protection law is largely determined by the census ruling of the Federal Constitutional Court of 1983. The basic right to informational self-determination recognized for the first time in the census ruling and the detailed requirements that the Federal Constitutional Court has imposed on the legislature with regard to the restrictions on this basic right have been reflected in all legal regulations on data protection.

The Basic Law for the Federal Republic of Germany from 1949 (GG) contains important data protection regulations with the basic right to maintain the secrecy of letters, post and telecommunications. However, it does not make any statements on legislative competence, i.e. on the question of whether the federal government or the states are responsible for data protection law. In the absence of an allocation of competences, the Länder therefore have legislative competence in principle (Article 70, Paragraph 1 of the Basic Law). The Federal Constitutional Court has ruled, however, that the federal government may issue data protection regulations whenever it “cannot reasonably regulate a matter assigned to it for legislation without regulating the data protection provisions”. This is a case of so-called legislative competence by virtue of factual context.

Laws expressly regulating the protection of personal data in data processing were only enacted in the 1970s. The state of Hesse passed the world's first data protection law in 1970.

Probably the best known German set of rules on data protection is the Federal Data Protection Act, which came into force in 1978. It applies to federal authorities and the private sector. The sixteen German federal states have their own state data protection laws that apply to the respective state authorities and the municipalities.

Both the Federal Data Protection Act and the state data protection laws only apply if no specific data protection law exists for the specific matter. For example, Internet providers must observe the special data protection regulations of the Telemedia Act when processing their customers' personal data. If, on the other hand, the Internet providers process the personal data of their own employees, the general Federal Data Protection Act applies, since there is no employee data protection law in Germany. (See also: Employee data protection.) The Postal Services Data Protection Regulation applies to postal service providers.

The provisions anchored in social law on the protection of social secrecy are of considerable practical importance. In addition to the general regulations on social data protection, which are laid down in the second chapter of Book 10 of the Social Code (SGB X), there are also detailed data protection regulations in all other books of the Social Code.

For the public broadcasting corporations, special regulations apply to both substantive law and control due to their distance from the state (Art. 5 GG). Due to the distance from the state and the constitutionally prescribed guarantee and structure of public broadcasting, broadcasters cannot be controlled by a “state” data protection officer, but have to appoint their own data protection officer by way of autonomous control. This officer is the control body within the meaning of Art. 28 Paragraph 1 of Data Protection Directive 95/46/EC of October 24, 1995.

In 2008 the Federal Constitutional Court developed the fundamental right to guarantee the confidentiality and integrity of information technology systems. This basic right serves primarily to protect personal data that is stored or processed in information technology systems. This right is not specifically mentioned in the Basic Law. It was formulated as a special expression of the general right of personality by the Federal Constitutional Court.

The data protection audit law planned for 2009 was not passed by the Bundestag.

The Genetic Diagnostics Act came into force in February 2010. It regulates the handling of genetic data.


Austria

The core data protection law in Austria is regulated by the Data Protection Act 2000 (DSG 2000). This law implements the EU Data Protection Directive. The genesis of the 2000 law is similar to that in the other EU countries. Initially, the legislature planned to limit itself to amending the old data protection act. But then the realization prevailed that the EU Data Protection Directive brings a multitude of innovations, so that a simple amendment could not be in conformity with the directive. So a new law had become necessary. Section 1 DSG 2000 guarantees a basic right to data protection. The confidentiality of personal data is factually protected if there is an interest worthy of protection, in particular with regard to Art. 8 ECHR. The fundamental right is therefore also seen as a supplement to Art. 8 ECHR. In personal terms, natural and legal persons are protected. The basic right is not unlimited. Interventions can be justified by the consent of the person concerned or an overriding interest in data processing. The core of Austrian data protection law is the principle of prohibition with reservation of permission. This results from Section 7 (1) DSG 2000 in conjunction with Sections 8 and 9 DSG 2000. According to this, data processing is fundamentally illegal, unless there is a justification.

But data protection is also anchored in Austrian general civil law. In Austrian civil law, personal rights have a high priority. Section 16 ABGB is part of the original state of modern Austrian private law. This general clause is a gateway for civil rights protection of personal rights and thus also data protection.


Switzerland

In Switzerland, data protection is regulated both at the federal level and in the cantons. If data is processed by federal authorities or private individuals, the Federal Data Protection Act applies. If, on the other hand, cantonal authorities process personal data, data protection law is based on the cantonal provisions.

Due to the federal structures of Switzerland and the constitutional distribution of competences between the federal government and the cantons, the cantons are autonomous in the area of data protection and are not subject to any overarching control by the federal government. Thus there are 27 data protection laws and just as many data protection authorities in Switzerland.

Canon Law

Within the Roman Catholic Church, the confessional secret has been a generally recognized data protection rule that is also respected by the state since the 13th century. The confessional secret only obliges the pastor. In 1983, the Codex Iuris Canonici included the prohibition against violating the “right of any person to the protection of one's own privacy”. This rule applies to all members of the Catholic faith.

In addition to these more general rules, there is a detailed set of rules for all Roman Catholic institutions in Germany, the order on ecclesiastical data protection. The content of the order is based on the Federal Data Protection Act. In the North Rhine-Westphalian dioceses, data protection supervision is carried out by the Catholic Data Protection Center.

The EKD Data Protection Act applies to institutions of the Evangelical Church. Just like the ordinance on church data protection, the EKD Data Protection Act also shows parallels to the Federal Data Protection Act.

Criticism of data protection law

The current data protection law can only partially fulfill its purpose today. Its basic structures are based on the data protection concept of the 1970s, which in turn is based on the electronic data processing of the time. This was characterized by central data storage on mainframes, limited storage capacities and a relatively small group of data processors, most of them state bodies.

State data protection law has only partially taken into account the technical development of the last 30 years and with a considerable delay. Technical innovations that can impair data protection (for example the Internet, video surveillance, biometrics, RFID) are not or only insufficiently regulated by law. Numerous legislative amendments have not been able to change that.

In addition, German data protection law in particular is considered to be "overregulated, fragmented, confusing and contradicting" (Alexander Roßnagel). Today, even experts can no longer survey data protection law in its entirety. In addition, there is a "massive enforcement deficit in data protection" (Johann Bizer): violations of data protection regulations usually have no consequences because the persons concerned are generally not aware of abusive data processing and the state data protection authorities do not have the necessary human resources to control the data processors effectively.

