Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

The collection, processing and use of personal data will be permissible only if permitted or ordered by the Federal Data Protection Act or another law, or if the data subject has provided consent.

For instance, pursuant to Section 32 of the Federal Data Protection Act, an employee’s personal data may be collected, processed or used for employment-related purposes where necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract.

Pursuant to Section 28 of the Federal Data Protection Act, personal data may be collected, processed or used, among other things, if necessary to create, perform or terminate a legal obligation with the data subject (or as far as is necessary to safeguard the legitimate interests of the data processing entity), and where there is no reason to assume that the data subject has an overriding legitimate interest in preventing the possibility of processing or use.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

As a rule, personal data must be deleted once its further storage is no longer permissible or, if it is processed for private purposes, as soon as it is no longer needed to carry out the purpose for which it was stored. Certain other statutes (eg, tax laws or trade laws) provide for retention obligations of six or 10 years in relation to business documents.

Do individuals have a right to access personal information about them that is held by an organisation?

The data processing entity must provide information to data subjects on request concerning stored data relating to them, including information relating to:

  • the source of the data;
  • the recipients or categories of recipient to which the data is transferred; and
  • the purpose of storing the data.

Do individuals have a right to request deletion of their data?

Yes, under certain circumstances.

Consent obligations
Is consent required before processing personal data?

The collection, processing and use of personal data are permissible only if permitted or ordered by the Federal Data Protection Act or another law, or if the data subject has consented. Hence, prior consent is required only if there is no other legal basis (eg, a statutory provision or a works council agreement) that justifies the data processing.

If consent is not provided, are there other circumstances in which data processing is permitted?

Yes, if permitted or ordered by the Federal Data Protection Act or another law, including a works council agreement.

What information must be provided to individuals when personal data is collected?

If personal data is stored for non-commercial purposes for the first time without the data subject’s knowledge, he or she must be notified of:

  • the storage;
  • the type of data;
  • the purpose of collection;
  • the data’s processing or use; and
  • the identity of the data processing entity.

If personal data is commercially stored for the purpose of transfer without the data subject’s knowledge, he or she must be notified of the initial transfer and the type of data being transferred. In these cases, the data subject must also be notified of the categories of recipient where, given the circumstances of the individual case, he or she need not expect that his or her data will be transferred to such recipients.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

As a rule, personal data may be transferred to recipients in other EU member states or states that are parties to the EEA Agreement, because these countries have a level of data protection which is similar to that in Germany, provided that there is a justification for the data transfer. Moreover, according to European Commission decisions, a few other countries are deemed safe as regards their level of data protection.

If the recipient is located in a country where none of the aforementioned requirements are met and the recipient therefore does not ensure an adequate level of protection, data may be transferred if, among other things, the data subject has given his or her consent. Moreover, it is possible to establish an adequate level of data protection with the recipient; recognised ways of doing this are to conclude standard contractual clauses approved by the European Commission or implement so-called ‘binding corporate rules’. 

Are there restrictions on the geographic transfer of data?

Yes. Countries outside the European Union and European Economic Area are generally considered to be unsafe. A data transfer to recipients in such countries may take place only in exceptional cases or where an adequate level of data protection has been established at the recipient (eg, by means of standard contractual clauses approved by the European Commission or the implementation of binding corporate rules).

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

The data processor must be chosen carefully, with special attention paid to the suitability of the technical and organisational measures applied by the processor. The work to be carried out by the processor must be specified in writing, including the following:

  • the subject and duration of the work to be carried out;
  • the extent, type and purpose of the intended collection, processing or use of data;
  • the types of data and categories of data subject;
  • the technical and organisational measures to be taken;
  • the rectification, deletion and blocking of data;
  • the data processor’s obligations – in particular, monitoring;
  • any right to issue subcontracts;
  • the data controller’s rights to monitor and the data processor’s corresponding obligations to cooperate;
  • violations by the data processor or its employees of provisions to protect personal data or of the terms specified by the data processing entity which are subject to the obligation to notify;
  • the extent of the data controller’s authority to issue instructions to the data processor; and
  • the return of data storage media and the deletion of data stored by the data processor after the work has been carried out.

Click here to view the full article.