European Data Protection Rules

GERMANY

 

The Federal Commissioner for Data Protection and Freedom of Information website: http://www.bfdi.bund.de/cln_134/EN/Home/homepage_node.html

 

Federal Data Protection Act (Bundesdatenschutzgesetz) as of 1 September 2009: http://www.bfdi.bund.de/cae/servlet/contentblob/1086936/publicationFile/87545/BDSG_idFv01092009.pdf

 

(The changes effective as of 1 April 2010 and 11 June 2010 are printed in Italics)

 

What needs to be done prior to collection?

 

NOTIFY THE COMPETENT SUPERVISORY AUTHORITY OR THE FEDERAL COMMISSIONER

 

Section 4d - Obligation to Notify

 

(1)     Before carrying out any automated processing operations, private controllers shall notify the competent supervisory authority, while federal controllers and controllers of postal and telecommunications companies shall notify the Federal Commissioner for Data Protection and Freedom of Information in accordance with Section 4e.

 

(2)     The obligation to notify shall not apply if the controller has appointed a data protection official.

 

 

(3)     Further, the obligation to notify shall not apply if the controller collects, processes or uses personal data for its own purposes and no more than nine employees are employed in collecting, processing or using personal data, and either the data subject has given his/her consent or the collection, processing or use is intended to create, carry out or terminate a legal obligation or a quasi-legal obligation with the data subject.

 

(4)     Subsections 2 and 3 above shall not apply in cases of automated processing in which the controller commercially records personal data

a.       For the purpose of transfer,

b.       For the purpose of transfer in anonymous form, or

c.        For the purposes of market or opinion research.

 

(5)     Where automated processing operations present special risks to the rights and freedoms of data subjects, these operations shall be examined before the start of processing (prior checking). Such prior checks shall be carried out in particular:

a.       If special categories of personal data (Section 3 (9)) are to be processed, or

b.       If the processing of personal data is intended to assess the data subject's personality, including his/her abilities, performance or behaviour,

unless a statutory obligation applies, the data subject's consent has been given, or the collection, processing or use is needed to create, carry out or terminate a legal obligation or quasi-legal obligation with the data subject.

 

(6)     The data protection official shall be responsible for conducting prior checks. The data protection official shall carry out prior checks following receipt of the overview in accordance with Section 4g (2) first sentence. In case of doubt, the data protection official shall consult the supervisory authority or, in the case of postal and telecommunications companies, the Federal Commissioner for Data Protection and Freedom of Information.

 

Section 4e – Contents of Notification

 

Where automated processing operations are subject to the obligation to notify, the notification shall include the following information:

 

  1. Name or company of the controller
  2. Owners, management boards, managing directors or other managers appointed in accordance with the law or company regulations, and the persons in charge of data processing
  3. The controller's address
  4. The purposes of the data collection, processing or use
  5. A description of the category or categories of data subject and of the data or categories of data relating to them
  6. The recipients or categories of recipient to whom the data might be disclosed
  7. Standard data retention periods
  8. Plans to transfer data to third countries
  9. A general description allowing a preliminary assessment to be made of the appropriateness of the measures taken pursuant to Section 9 to ensure security of processing

 

CONTACT THE DATA SUBJECT

 

Section 33 – Notification of the Data Subject

 

(1)     If personal data are recorded for own purposes for the first time without the data subject's knowledge, the data subject shall be notified of such recording, the type of data, the purpose of collection, processing or use and the identity of the controller. If personal data are commercially recorded for the purpose of transfer without the data subject's knowledge, the data subject shall be notified of their initial transfer and of the type of data transferred. In the cases covered by the first and second sentences above, the data subject shall also be notified of the categories of recipients where, given the circumstances of the individual case, the data subject need not expect that his/her data will be transferred to such recipients.

 

(2)     Notification shall not be required if

1.       The data subject has become aware of the recording or transfer by other means,

2.       The data were recorded only because they may not be erased due to legal, statutory or contractual provisions on retention, or only for purposes of monitoring data protection or safeguarding data, and providing information would require a disproportionate effort,

3.       The data must be kept secret by law or due to the nature of the data, namely due to the overriding legitimate interests of a third party,

4.       Recording or transfer is expressly laid down by law,

5.       Recording or transfer is necessary for the purposes of scientific research and notification would require a disproportionate effort,

6.       The responsible public body has informed the controller that disclosure of the data would threaten public security or otherwise be detrimental to the Federation, or

7.       The data were recorded for own purposes and

         i.      Were acquired from generally accessible sources and notification would require a disproportionate effort due to the large number of cases concerned, or

         ii.     Notification would seriously endanger the commercial purposes of the controller, unless the interest in notification overrides this danger,

8.       The data were commercially recorded for the purpose of transfer, and

         i.      Were acquired from generally accessible sources, where they relate to the persons who published the data, or

         ii.     The data are compiled in lists or otherwise summarised,

         and notification would require a disproportionate effort due to the large number of cases concerned, or

9.       The data were acquired from generally accessible sources and recorded commercially for the purpose of market or opinion research, and notification would require a disproportionate effort due to the large number of cases concerned.

 

The controller shall stipulate in writing the conditions under which notification shall not be provided in accordance with nos. 2 through 7.

 

What needs to be done prior to transferring data abroad?

 

Section 4b – Transfer of personal data abroad and to supranational or international bodies

 

(1)     The transfer of personal data to bodies

a.       In other Member States of the European Union,

b.       In other states parties to the Agreement on the European Economic Area, or

c.        Institutions and bodies of the European Communities

shall be subject to Section 15 (1), Section 16 (1) and Sections 28 to 30 in accordance with the laws and agreements applicable to such transfer, in so far as the transfer is effected in connection with activities which fall in part or in their entirety within the scope of the law of the European Communities.

 

Section 4c – Derogations

 

(1)     In connection with activities which fall fully or partly within the scope of the law of the European Communities, the transfer of personal data to bodies other than those listed in Section 4b (1) above shall be lawful, even if they do not ensure an adequate level of data protection, if

1.       The data subject has given his/her consent,

2.       The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request,

3.       The transfer is necessary for the conclusion or performance of a contract which has been or is to be entered into in the interest of the data subject between the controller and a third party,

4.       The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims,

5.       The transfer is necessary in order to protect the vital interests of the data subject,

6.       The transfer is made from a register which is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the statutory conditions are fulfilled in the particular case.

The body to which the data are transferred shall be informed that the transferred data may be processed or used only for the purpose for which they are being transferred.

 

(2)     Without prejudice to subsection 1 first sentence, the competent supervisory authority may authorise individual transfers or certain categories of transfers of personal data to bodies other than those stated in Section 4b (1) above, where the controller adduces adequate safeguards with respect to the protection of privacy and the exercise of the corresponding rights; such safeguards may in particular result from contractual clauses or binding corporate rules. The Federal Commissioner for Data Protection and Freedom of Information shall be responsible in the case of postal and telecommunications companies. Where public bodies are to transfer personal data, they shall undertake the examination referred to in the first sentence themselves.

 

(3)     The Länder shall notify the Federation of the decisions made in accordance with subsection 2 above.

 

What are the Sanctions for non-compliance?

 

Section 7 – Compensation

 

If a controller harms a data subject through collection, processing or use of his or her personal data which is unlawful or improper under this Act or other data protection provisions, the controller or its supporting organisation shall be obligated to compensate the data subject for the damage suffered. The obligation to provide compensation shall be waived if the controller exercised due care in the case.

 

Section 43 – Administrative Offences

 

(1)     An administrative offence shall be deemed to have been committed by anyone who, whether intentionally or through negligence:

-          In violation of Section 4d (1), also in conjunction with Section 4e second sentence, fails to notify, fails to do so within the prescribed time limit or fails to provide complete information, or

-          In violation of Section 33 (1) fails to notify the data subject or fails to do so correctly or completely.

(2)     An administrative offence shall be deemed to have been committed by anyone who, whether intentionally or through negligence:

-          Collects or processes personal data which are not generally accessible without authorisation, or

-          Makes available personal data which are not generally accessible without authorisation.

 

(3)     The administrative offences above may be punished by a fine of up to EUR 50,000 in the case of subsection 1, and a fine of up to EUR 300,000 in the case of subsection 2. The fine should exceed the financial benefit the perpetrator derived from the administrative offence. If the amounts mentioned in the first sentence are not sufficient to do so, they may be increased.

 

Section 44 – Criminal Offences

 

Anyone who wilfully commits an offence described in Section 43 (2) in exchange for payment or with the intention of enriching him/herself or another person, or of harming another person, shall be liable to imprisonment for up to two years or a fine.

 

 

 

Please refer to the Federal Commissioner for Data Protection and Freedom of Information website for further details on the statute.

 
