Hessian Data Protection Act

from Wikipedia, the free encyclopedia
Basic data
Title: Hessian Data Protection Act
Previous title: Data Protection Act
Abbreviation: HDSG
Type: State Law
Scope: Hesse
Legal matter: Data protection law, administrative law
References: GVBl. I 2016, 121 (GVBl. II 300-28)
Original version from: October 7, 1970 (GVBl. I p. 625)
Entry into force on: October 13, 1970
New announcement from: 7 January 1999 (GVBl. I p. 98)
Last revision from: November 11, 1986 (GVBl. I p. 309)
Entry into force of the new version on: January 1, 1987
Last change by: Art. 1 G of May 20, 2011 (GVBl. I p. 208)
Effective date of the last change: July 1, 2011 (Art. 3 G of May 20, 2011)
Expiry: January 1, 2019 (§ 44 sentence 2 HDSG)

The Hessian Data Protection Act is the data protection act for the public administration of the State of Hesse. It came into force in 1970, making it the first and oldest formal data protection law in the world.

Purpose of the law

The law regulates when the public administration of the State of Hesse may process personal data and which requirements it must observe. This regulation of data processing is intended to ensure that the right to informational self-determination of the persons whose data are processed is not violated (§ 1 Paragraph 1 No. 1).

In addition, the law is intended to protect “the constitutional structure of the state, which is based on the principle of separation of powers […] from being endangered by automated data processing” (Section 1 (1) No. 2). This goal, which is unusual for a data protection law, is to be achieved through regulations that level out the information gap between the legislature and the executive.

Scope

According to Section 3 (1), this law applies to authorities and other public bodies in the State of Hesse and to the Hessian municipal administration. It also applies to other legal entities under public law that are subject to the supervision of the State of Hesse, e.g. the Johann Wolfgang Goethe University Frankfurt am Main, and to their associations. Companies in the private sector are only bound by the Hessian Data Protection Act if and to the extent that they perform sovereign tasks under the supervision of the Hessian authorities, e.g. chimney sweeps, or if they process data on behalf of government agencies (§ 4).

Under Section 3 Paragraphs 5 and 6, only certain parts of the law apply to Hessischer Rundfunk and to public-law enterprises that participate in competition; the same is true of the Hessian State Parliament (Section 39).

Content

The Hessian Data Protection Act is divided into five parts:

  • First part: General data protection (§§ 1–20)
  • Second part: Hessian data protection officer (§§ 21–31)
  • Third part: special data protection (§§ 32–37)
  • Fourth part: Rights of the state parliament and the municipal representative bodies (§§ 38, 39)
  • Fifth part: final provisions (§§ 40–44)

First part: General data protection

The first part of the Hessian Data Protection Act is divided into three sections. The first section (§§ 1 to 10) contains basic regulations.

The purpose of the law is specified in Section 1.

Section 2 defines basic terms of the law, including “personal data”, “data processing agency”, “third party”, “recipient”, “data file” (Datei) and “file” (Akte). Section 2 (2) clarifies what is meant by “data processing”, namely “any use of stored personal data or data intended for storage”. The definition of data processing in the HDSG also includes the initial collection of personal data. This differs from data processing within the meaning of the Federal Data Protection Act, which does not include the process of data collection.

Section 3 defines the scope of application.

§ 4 regulates data processing carried out on behalf of an agency by a contractor (commissioned data processing). If the contractor is a body that does not fall within the scope of the HDSG, it must be contractually ensured that the contractor follows the provisions of the HDSG and is subject to control by the Hessian data protection officer. This is to prevent data protection from being undermined by relocating data processing.

§ 5 stipulates that every data processing agency has to appoint a data protection officer and determines his area of responsibility. The obligation to keep procedural registers is specified in Section 6. Section 7 (1) regulates the cases in which data may be processed at all, namely if the Hessian Data Protection Act or a legal provision that takes precedence over it provides for, permits or mandates this, or if the person concerned has consented. Section 7 (2) contains details on the requirements for effective consent. § 8 lists the rights of the persons whose data are processed. Data secrecy is laid down in § 9. Section 10 obliges the data processing agencies to take certain organizational and technical measures to ensure data protection and data security.

The second section of the first part (§§ 11–17) contains the legal basis for data processing. Pursuant to Section 11 (1) sentence 1, the processing of personal data is only permitted “if it is necessary for the lawful fulfillment of the tasks within the responsibility of the data processing agency and for the respective associated purpose”. How personal data is to be collected is regulated in Section 12. Section 13 fundamentally prohibits the use of data for purposes other than those originally intended (so-called purpose limitation). Sections 14, 16–17 regulate the transfer of data to other bodies and persons, Section 15 the admissibility of so-called joint procedures. These are automated procedures that enable several data processing bodies to jointly process personal data, in particular centralized databases.

The third section (§§ 18–20) specifies the rights of data subjects already mentioned in § 8 to information and notification (§ 18), data correction, blocking and deletion (§ 19) and to compensation (§ 20).

Second part: Hessian data protection officer

The second part of the law (§§ 21–31) regulates the legal status, tasks and powers as well as the duties of the Hessian data protection officer. According to § 22, the data protection officer is "independent in the exercise of his office and only subject to the law". He is elected by the state parliament in accordance with Section 21 (1).

The main task of the Hessian data protection officer is to monitor compliance with data protection at the data processing agencies in accordance with Section 24 (1) sentence 1. The focus is on advising these agencies. If the consultation does not lead to success, the Hessian data protection officer can, in accordance with Section 27, formally object to any data protection violations found, i.e. report them to the highest state authority or the responsible supervisory authority. The data protection officer presents serious data protection deficiencies in his annual report, which he must submit to the state parliament in accordance with Section 30 (1). The state government has to issue a statement on this (Section 30 (2)).

The Hessian data protection officer must be provided with the personnel and material equipment required for his work by the President of the State Parliament (Section 31 (1)). At his suggestion, the President of the State Parliament appoints the civil servants (Section 31, Paragraph 2, Clause 1), but their superior is the Hessian data protection officer, whose instructions they are exclusively bound by. This also applies to all other employees (Section 31, Paragraph 2, Clauses 2 and 3).

Third part: special data protection

The third part of the law (§§ 32–37) contains special provisions that take precedence over the provisions of the first part. Some of them (Sections 32, 33 and 35) allow certain data processing under simplified conditions, others (Sections 34 and 36) apply a higher standard for processing that is particularly critical to data protection.

Under simplified conditions, data may be processed for planning and scientific purposes (Sections 32, 33). The transmission of data to religious societies under public law is privileged by Section 35.

By contrast, stricter regulations apply to data protection in service and employment relationships (Section 34). These regulations only protect employees of the bodies named in Section 3 (1), i.e. in particular state employees. Section 36 stipulates that remote-controlled measurements and remote actions are only permitted with the consent of the person concerned.

§ 37 regulates the data processing of Hessischer Rundfunk for journalistic and editorial purposes and concerns, among other things, the handling of counterstatements.

Fourth part: rights of the state parliament and the municipal representative bodies

The fourth part consists of §§ 38 and 39. These are special regulations for the Hessian state parliament and certain municipal organs.

Section 38 (1) grants the Landtag, the President of the Landtag and the parliamentary groups represented in the Landtag comprehensive rights to information vis-à-vis state authorities and state or communal data centers, e.g. the Hessian Center for Data Processing. The right to information does not relate to individual personal data, but to information that is obtained by evaluating this data. This is intended to level a possible information gap between the Hessian authorities on the one hand and the Hessian legislature on the other. In order for the state parliament to be able to exercise its right to information in a meaningful way, it can demand that the state government inform it about the existing data processing procedures and databases (Section 38 (2)). Section 38 (3) extends the right to information to include Hessian municipal councils and district assemblies as well as the parliamentary groups represented there.

The Hessian Data Protection Act only partially applies to the Landtag in order to do justice to its special constitutional status: the Landtag administration is (apart from three provisions) bound by the HDSG (Section 39 Paragraph 1 Clause 1), whereas the Landtag, in its capacity as a constitutional body, gives itself a data protection regulation for the members of parliament, the parliamentary groups and their employees (Section 39 (1) sentences 2 and 3).

Fifth part: final provisions

The fifth part of the law (§§ 40–44) makes certain illegal data processing a criminal offense in § 40. Section 41 defines administrative offenses. Section 42 contains a transitional provision for old files that contain incorrect or unlawful data. The data only need to be corrected or deleted from the files if the "storing body determines the requirements for correction, deletion or blocking while performing its current tasks". This regulation makes it clear that the data processing agencies are not obliged to examine their old files for possible incorrect data.

Section 43 repealed three laws, namely the Hessian Data Protection Act of January 31, 1978 (GVBl. I p. 96), the Hessian Ordinance on the Publication of Information on Stored Personal Data of November 1, 1978 (GVBl. I p. 553) and the Hessian ordinance on the file registers to be kept by the Hessian data protection officer of December 8, 1978 (GVBl. I p. 682). Section 44 regulates the entry into force and expiry of the law.

History

The data protection law of the state of Hesse came into force on October 13, 1970, and was written by Spiros Simitis, who has since been referred to as the "father of data protection". The law was the first of its kind and set the standard for all later federal and state data protection laws. On the occasion of the passage of the law, Prime Minister Albert Osswald declared that Orwell's vision of the omniscient state would not become reality in Hesse. Characteristic of the Data Protection Act 1970 was the monitoring of data protection by an independent institution (the state data protection officer) and the definition of organizational, personal and technical data protection measures. The Hessian law was therefore a model for both the Federal Data Protection Act passed in 1977 and the data protection laws of the federal states.

On the other hand, the law of October 13, 1970 lacked provisions that, according to today's understanding, are indispensable for data protection. It allowed the processing of personal data without a legal basis and without the consent of the data subjects. Data were also allowed to be collected and processed if this was not absolutely necessary for the data processing agency to perform its tasks. In addition, the use of the data was not restricted to a specific purpose. This situation was not seen as problematic in 1970. It was not until 13 years after the Data Protection Act came into force that the Federal Constitutional Court found in the census judgment that the right to informational self-determination may only be encroached upon on a legal basis, that data must be protected against misuse and that only the data that is absolutely necessary for the legally permitted purpose may be collected and processed. The law of October 13, 1970 did not meet these constitutional requirements. So by today's standards it would probably be unconstitutional.

During the discussion about the Federal Data Protection Act, the Hessian legislature came to the conclusion that the Data Protection Act was in need of reform. The law of October 13, 1970 was therefore repealed and replaced by the Hessian Data Protection Act of January 31, 1978 (GVBl. I p. 96). A major innovation was to make the processing of personal data conditional on a statutory basis or on the consent of the person concerned.

The second amendment was made by the law of November 11, 1986 (GVBl. I p. 309), with effect from January 1, 1987. It was influenced by the census ruling and the associated need to reform the existing law. Hesse not only implemented the requirements of the Federal Constitutional Court to protect the right to informational self-determination, but was also the first federal state to adopt a regulation on employee data protection. The Hessian data protection officer at the time, Spiros Simitis, certified that the law “is considered to be the most important contribution to the further development of data protection well beyond the borders of the Federal Republic of Germany”.

In 1995 the European Community issued Directive 95/46/EC (Data Protection Directive). The EC member states were obliged to transpose the objectives of the directive into national law within three years. In Hesse, this was done through the Third Act amending the Hessian Data Protection Act of November 5, 1998 (GVBl. I p. 421). The amended version of the Hessian Data Protection Act was announced in January 1999. It is essentially still valid today.
