Prohibition with reservation of permission (data protection)

The prohibition with reservation of permission (or also the principle of prohibition with reservation of permission ) is a legal rule of German and European data protection law . It concerns the question of the legality of data collection , data processing and data usage.

Content of the legal rule

The prohibition with reservation of permission contains two regulations.

Question of legality

First of all, it regulates the question of when data collection , data use and data processing ( storage , modification, transmission, blocking and deletion of personal data ) is lawful. Here, the legal rule assumes that all data-related measures are fundamentally illegal, unless a legally standardized reason for permission justifies them. It can be spoken of an indicated illegality.

This principle applies not only in the relationship between government agencies and non-government agencies, but also in the relationship between two government agencies. In this context, one speaks of an informational separation of powers or the requirement of isolation .

Shifting the burden of proof

In addition, a reversal of the burden of proof can be inferred from this. Because with the prohibition with reservation of permission according to h. M. defines a rule-exception principle, according to which any collection, processing and / or use of personal data is prohibited (rule) unless justified by law or the consent of the person concerned (exception). If one now takes into account the civil procedural principle, according to which the burden of proof is always reversed where an exception to the statutory rule is asserted, it is easy to see that if the responsible body wants to assert that an exception (namely the admissibility of the survey , Processing and / or use) intervenes, it must also explain and prove the requirements for the existence of this exception. From this follows the reversal of the burden of proof.

A consequent reversal of the burden of proof has been assumed by case law and legal literature, for example in relation to the question of who has the predominant disclosure interest i. S. v. § 28 Paragraph 1 No. 1 BDSG must present and prove.

Independent meaning

The term prohibition with reservation of permission is also used in other administrative law, among other things in connection with the so-called control permit . Nevertheless, this principle has an independent meaning in data protection .

First of all, the control permit regulates that a certain issue (e.g. building project ) is generally prohibited unless the administration allows it (e.g. building permit ). The aim here is for the administration to retain control over certain issues. In the case of a prohibition with reservation of permission in data protection law, the legality of a per se "forbidden" issue (e.g. data processing of personal data) does not result from action by the authorities, but rather by virtue of the law , namely through intervention of a reason for permission. The aim here is not to ensure that the administration retains control over certain facts (e.g. data processing), but rather that behavior, regardless of whether it comes from the administration or from a citizen, is only justified if the legislature allows it . The main difference between the control permission in administrative law and the prohibition with reservation of permission in data protection law is that the control permission is about control by the administration and the ban with permission is about control by the legislature.

An independent meaning of the prohibition with reservation of permission in data protection law arises from the fact that the Federal Data Protection Act and Directive 95/46 / EC (data protection directive) not only concern questions of public administrative law , i.e. the relationship between citizen and state, but also in accordance with Section 27 BDSG also affect private law , i.e. the relationship between citizens. In terms of private law, the prohibition principle under data protection law, subject to permission, means a partial departure from the principle of private autonomy that applies there . While the principle that every citizen may do what is not forbidden applies throughout private law, the special feature of private data protection law is that every citizen may only do what is allowed.

European law background

The prohibition with reservation of permission originally goes back to German data protection law. Since 1995 it has been codified for the entire legal area of the European Union by Article 7 of Directive 95/46 / EC (Data Protection Directive) . Article 7 reads:

Member States provide that personal data may only be processed if one of the following conditions is met:

a) The person concerned has given their consent without any doubt;

b) the processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures that are carried out at the request of the data subject;

c) the processing is necessary for the fulfillment of a legal obligation to which the controller is subject;

d) the processing is necessary to safeguard the vital interests of the data subject;

e) the processing is necessary for the performance of a task which is in the public interest or which is carried out in the exercise of official authority and which has been assigned to the controller or the third party to whom the data is transmitted;

f) The processing is necessary for the realization of the legitimate interest that is exercised by the person responsible for the processing or by the third party or third parties to whom the data is transmitted, unless the interest or the fundamental rights and freedoms of the data subject, which pursuant to Article 1 paragraph 1 are protected.

The indicated illegality results in particular from the wording of Article 7; and here from the word "merely".

Legal situation in Germany

The prohibition with reservation of permission is laid down in § 4 paragraph 1 BDSG , which reads:

The collection, processing and use of personal data are only permitted insofar as this law or another legal provision permits or orders this or the person concerned has consented.

The indicated illegality results from the formulation of § 4 paragraph 1 BDSG, and here from the word "only".

Legal situation in Austria

In Austria, the data protection law also applies subject to permission. It follows from the formulation of § 7 Paragraph 1, §§ 8, 9 DSG .

Legal situation in Switzerland

According to Swiss data protection law, in contrast to European law, there is no prohibition with reservation of permission, but on the contrary a permission with reservation of prohibition. According to Art. 12 of the Swiss Data Protection Act, data processing is generally permitted, provided that the data protection processing principles (Art. 4, Art. 5 and Art. 7) are observed. Only if these principles are violated (e.g. in the case of data collection, the purpose or purpose of which is not recognizable to the person concerned), the data processing needs to be justified, with the consent of the person concerned, a legal permission or a predominantly public or private interest come into consideration (Art. 13).

literature

Stephan Gärtner: Hard negative features put to the test of data protection law. A legal comparison between German, English and Austrian law . Publishing house Dr. Kovac, Hamburg 2011, ISBN 978-3-8300-5418-4 .

Individual evidence

↑ Introduction to data protection law (data protection and freedom of information from a European perspective) by Marie-Theres Tinnefeld, Eugen Ehmann, Rainer W. Gerling, 4th completely revised and expanded edition, 2005, R. Oldenbourg Verlag, Munich / Vienna, p. 315 .
↑ BDSG Federal Data Protection Act, commentary by Peter Gola and Rudolf Schomerus with the assistance of Christoph Klug, 9th revised and supplemented edition, Verlag CH Beck, Munich 2007, § 4, marginal no. 3
↑ BVerfGE 65, 1, so-called census judgment
↑ BVerfG NJW 1988, 959-961 (red. Guiding principle and reasons)
↑ cf. Spindler / Nink in Spindler / Schuster, Law of Electronic Media, 1st edition 2008, § 4 BDSG, Rn. 4)
↑ BGHZ 87, 393, 399 f. = NJW 1983, 2499; BGH DB 1990, 1081, 1082; see. also Foerste in Musielak, ZPO, 7th edition. 2009, § 286, Rn. 36)
^ Evidence of case law : BGH NJW 1984, NJW year 1984 p. 436; OLG Frankfurt / M. NJW-RR 2008, NJW-RR year 2008 p. 1228; Documentation references : Schimansky / Bunte / Lwowski, Bankrechts-Handbuch, 3rd edition 2007, § 41, margin no. 15th
↑ On the question of the applicability of the BDSG to non-public bodies : cf. BDSG Federal Data Protection Act, commentary by Peter Gola and Rudolf Schomerus with the collaboration of Christoph Klug, 9th revised and expanded edition, Verlag CH Beck Munich 2007, § 27, Rn. 1 ff.
↑ EU data protection guideline: short comment / by Eugen Ehmann, Marcus Helfrich. - Cologne: O. Schmidt, 1999, Article 7, Rn. 6th
^ BDSG Federal Data Protection Act, commentary by Peter Gola and Rudolf Schomerus with the assistance of Christoph Klug, 9th revised and supplemented edition, Verlag CH Beck Munich 2007, § 4, marginal no. 3
↑ Stephan Gärtner: Hard negative features on the test bench of data protection law. A legal comparison between German, English and Austrian law , Verlag Dr. Kovac, Hamburg, 2011, p. 330

[1] Introduction to data protection law (data protection and freedom of information from a European perspective) by Marie-Theres Tinnefeld, Eugen Ehmann, Rainer W. Gerling, 4th completely revised and expanded edition, 2005, R. Oldenbourg Verlag, Munich / Vienna, p. 315 .

[2] BDSG Federal Data Protection Act, commentary by Peter Gola and Rudolf Schomerus with the assistance of Christoph Klug, 9th revised and supplemented edition, Verlag CH Beck, Munich 2007, § 4, marginal no. 3

[3] BVerfGE 65, 1, so-called census judgment

[4] BVerfG NJW 1988, 959-961 (red. Guiding principle and reasons)

[5] . Spindler / Nink in Spindler / Schuster, Law of Electronic Media, 1st edition 2008, § 4 BDSG, Rn. 4)

[6] BGHZ 87, 393, 399 f. = NJW 1983, 2499; BGH DB 1990, 1081, 1082; see. also Foerste in Musielak, ZPO, 7th edition. 2009, § 286, Rn. 36)

[7] Evidence of case law : BGH NJW 1984, NJW year 1984 p. 436; OLG Frankfurt / M. NJW-RR 2008, NJW-RR year 2008 p. 1228; Documentation references : Schimansky / Bunte / Lwowski, Bankrechts-Handbuch, 3rd edition 2007, § 41, margin no. 15th

[8] On the question of the applicability of the BDSG to non-public bodies : cf. BDSG Federal Data Protection Act, commentary by Peter Gola and Rudolf Schomerus with the collaboration of Christoph Klug, 9th revised and expanded edition, Verlag CH Beck Munich 2007, § 27, Rn. 1 ff.

[9] EU data protection guideline: short comment / by Eugen Ehmann, Marcus Helfrich. - Cologne: O. Schmidt, 1999, Article 7, Rn. 6th

[10] BDSG Federal Data Protection Act, commentary by Peter Gola and Rudolf Schomerus with the assistance of Christoph Klug, 9th revised and supplemented edition, Verlag CH Beck Munich 2007, § 4, marginal no. 3

[11] Stephan Gärtner: Hard negative features on the test bench of data protection law. A legal comparison between German, English and Austrian law , Verlag Dr. Kovac, Hamburg, 2011, p. 330