Jurisdiction snapshot

Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?

Ahead.

Are any changes to existing data protection legislation proposed or expected in the near future?

The European General Data Protection Regulation came into force on May 24 2016. It replaces EU Directive 95/46/EC, which forms the basis of the existing national data privacy laws. The European General Data Protection Regulation is more complex than the German Federal Data Protection Act. The rights and duties stated in the EU General Data Protection Regulation will become effective in all EU member states on May 25 2018. This will significantly affect Germany’s data privacy practice – even more so as the EU General Data Protection Regulation stipulates that the parliaments of each member state should adopt more detailed regulations with respect to certain data privacy matters and, in doing so, are given some leeway to provide for local particularities. As such, German companies would be well advised to acquaint themselves with the EU General Data Protection Regulation and the subsequent national regulations and reassess their existing data privacy work in light of the new data privacy regime.

Legal framework

Legislation
What legislation governs the collection, storage and use of personal data?

The collection, processing and use of personal data are governed mainly by the Federal Data Protection Act. In addition, in certain areas (eg, internet-related activities or the monitoring of emails), more specific and thus overriding legislation (eg, the Telecommunications Act or the Telemedia Act) may apply, depending on the facts of the individual case.

Scope and jurisdiction
Who falls within the scope of the legislation?

The Federal Data Protection Act applies to public bodies, and to private entities that collect, process or use personal data by means of data processing systems or in or from non-automated filing systems, unless the data is collected, processed or used solely for personal or domestic activities.

What kind of data falls within the scope of the legislation?

The Federal Data Protection Act applies to personal data – that is, any information concerning the personal or material circumstances of an identified or identifiable natural person (ie, the data subject).

Are data owners required to register with the relevant authority before processing data?

Before carrying out any automated processing operations, private data processing entities must notify the competent supervisory authority, while postal and telecoms companies must notify the federal commissioner for data protection and freedom of information. The obligation to notify does not apply if the data processing entity has appointed a data protection official.

Is information regarding registered data owners publicly available?

The supervisory authority keeps a register of the automated processing operations that are subject to the aforementioned notification obligation. Anyone can inspect the register. 

Is there a requirement to appoint a data protection officer?

Private entities that process personal data by automated means must appoint a data protection official in writing within one month of commencing their activities, unless no more than nine persons are permanently employed in the automated processing of personal data.

Enforcement
Which body is responsible for enforcing data protection legislation and what are its powers?

There is a local supervisory authority in each federal state. The authorities monitor the implementation of the Federal Data Protection Act and other data protection provisions governing the automated processing of personal data. They advise and support data protection officials and data processing entities with due regard to their typical duties. On request, they will provide administrative assistance to the supervisory authorities of other EU member states. If a supervisory authority finds that any of the data protection provisions have been violated, it can:

  • notify the data subjects;
  • report the violation to the bodies responsible for prosecution or punishment; and
  • in case of serious violations, notify the trade supervisory authority in order to initiate measures under trade law. 

The bodies that are subject to monitoring and the persons responsible for their management must provide the supervisory authority with the information necessary to perform its duties on request and without delay. Persons appointed by the supervisory authority to conduct monitoring will be authorised to enter the property and premises of the body during business hours and carry out checks and inspections there, where necessary. To ensure compliance with the Federal Data Protection Act and other data protection provisions, the supervisory authority may order measures to remedy violations identified in the collection, processing or use of personal data or technical or organisational problems. In case of serious violations or problems – especially those relating to a special threat to privacy – the supervisory authority may prohibit the collection, processing or use of data, or the use of particular procedures, if the violations or problems are not remedied within a reasonable period despite corresponding orders and the imposition of fines. The supervisory authority may also demand the removal of a data protection official from office if he or she does not have the necessary specialised knowledge and reliability to perform his or her duties.

Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

The collection, processing and use of personal data will be permissible only if permitted or ordered by the Federal Data Protection Act or another law, or if the data subject has provided consent.

For instance, pursuant to Section 32 of the Federal Data Protection Act, an employee’s personal data may be collected, processed or used for employment-related purposes where necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract.

Pursuant to Section 28 of the Federal Data Protection Act, personal data may be collected, processed or used, among other things, if necessary to create, perform or terminate a legal obligation with the data subject (or as far as is necessary to safeguard the legitimate interests of the data processing entity), and where there is no reason to assume that the data subject has an overriding legitimate interest in preventing the possibility of processing or use.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

As a rule, personal data must be deleted once its further storage is no longer permissible or, if it is processed for private purposes, as soon as it is no longer needed to carry out the purpose for which it was stored. Certain other statutes (eg, tax laws or trade laws) provide for retention obligations of six or 10 years in relation to business documents.

Do individuals have a right to access personal information about them that is held by an organisation?

The data processing entity must provide information to data subjects on request concerning stored data relating to them, including information relating to:

  • the source of the data;
  • the recipients or categories of recipient to which the data is transferred; and
  • the purpose of storing the data.

Do individuals have a right to request deletion of their data?

Yes, under certain circumstances.

Consent obligations
Is consent required before processing personal data?

The collection, processing and use of personal data are permissible only if permitted or ordered by the Federal Data Protection Act or another law, or if the data subject has consented. Hence, prior consent is required only if there is no other legal basis (eg, a statutory provision or a works council agreement) that justifies the data processing.

If consent is not provided, are there other circumstances in which data processing is permitted?

Yes, if permitted or ordered by the Federal Data Protection Act or another law, including a works council agreement.

What information must be provided to individuals when personal data is collected?

If personal data is stored for non-commercial purposes for the first time without the data subject’s knowledge, he or she must be notified of:

  • the storage;
  • the type of data;
  • the purpose of collection;
  • the data’s processing or use; and
  • the identity of the data processing entity.

If personal data is commercially stored for the purpose of transfer without the data subject’s knowledge, he or she must be notified of the initial transfer and the type of data being transferred. In these cases, the data subject must also be notified of the categories of recipient where, given the circumstances of the individual case, he or she need not expect that his or her data will be transferred to such recipients.

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Yes – in particular, measures suited to the types of personal data or categories of data being protected must be taken in order to:

  • prevent unauthorised persons from physically accessing data processing systems used to process or use personal data (physical access control);
  • prevent data processing systems from being used without authorisation (system access control);
  • ensure that persons authorised to use a data processing system have access only to that data which they are authorised to access, and that personal data cannot be read, copied, altered or removed without authorisation during processing and use and after storage (data access control);
  • ensure that personal data cannot be read, copied, altered or removed without authorisation during electronic transfer or transport or while being stored on data storage media, and that it is possible to ascertain and verify which bodies are transferring personal data using data transmission facilities (disclosure control);
  • ensure that it is possible after the fact to verify and ascertain whether personal data has been accessed, altered or removed from data processing systems and, if so, by whom (input control);
  • ensure that personal data processed on behalf of others is processed strictly in compliance with the data controller’s instructions (job control);
  • ensure that personal data is protected against accidental destruction or loss (availability control); and
  • ensure that data collected for different purposes can be processed separately.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

A company must immediately notify data subjects if any of the following information has been stored, transferred or disclosed to third parties illegally and threatens to cause serious harm to the rights or legitimate interests of the data subjects:

  • sensitive data;
  • personal data that is subject to professional secrecy;
  • personal data referring to criminal or administrative offences or to suspected criminal or administrative offences; or
  • personal data concerning bank or credit card accounts.

Data subjects must be informed as soon as appropriate measures have been taken to safeguard the data and notification would no longer endanger criminal prosecution. The notification must describe the nature of the illegal disclosure and recommend measures to minimise possible harm. Where notifying the data subjects would require a disproportionate effort – in particular due to the large number of persons affected – it may be replaced by public ads of at least half a page in at least two national daily newspapers or by another equally effective measure.

Are data owners/processors required to notify the regulator in the event of a breach?

A company must immediately notify the competent supervisory authority if any of the following information has been stored, transferred or disclosed to third parties illegally and threatens to cause serious harm to the rights or legitimate interests of data subjects:

  • sensitive data;
  • personal data that is subject to professional secrecy;
  • personal data referring to criminal or administrative offences or to suspected criminal or administrative offences; or
  • personal data concerning bank or credit card accounts.

The notification must describe all possible harmful consequences of the illegal disclosure and the measures taken by the body as a result.

Electronic marketing and internet use

Electronic marketing
Are there rules specifically governing unsolicited electronic marketing (spam)?

Yes. In principle, promotional emails are permitted only if the intended recipient agrees beforehand to receive such emails (Section 7 of the Act against Unfair Competition). This applies to both entrepreneurs and consumers. Exceptions are limited to narrow circumstances (see Section 7(3) Nos 1-4 of the Act against Unfair Competition).

If the recipient has not given his or her express consent to receive promotional emails, he or she can request the sender to desist pursuant to Sections 823(1) and 1004(1) of the Civil Code. Moreover, competitors of the sender may request that the sender desist pursuant to Section 8(1) of the Act against Unfair Competition.

Cookies
Are there rules governing the use of cookies?

Yes – the Telemedia Act entered into force on March 1 2007. However, the EU Cookie Directive (2009/136/EC) has not yet been formally implemented into German law. The government maintains that the existing legislation is sufficient to comply with the directive – in particular, Sections 13(1) and 15(3) of the Telemedia Act.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

As a rule, personal data may be transferred to recipients in other EU member states or states that are parties to the EEA Agreement, because these countries have a level of data protection which is similar to that in Germany, provided that there is a justification for the data transfer. Moreover, according to European Commission decisions, a few other countries are deemed safe as regards their level of data protection.

If the recipient is located in a country where none of the aforementioned requirements are met and the recipient therefore does not ensure an adequate level of protection, data may be transferred if, among other things, the data subject has given his or her consent. Moreover, it is possible to establish an adequate level of data protection with the recipient; recognised ways of doing this are to conclude standard contractual clauses approved by the European Commission or implement so-called ‘binding corporate rules’. 

Are there restrictions on the geographic transfer of data?

Yes. Countries outside the European Union and European Economic Area are generally considered to be unsafe. A data transfer to recipients in such countries may take place only in exceptional cases or where an adequate level of data protection has been established at the recipient (eg, by means of standard contractual clauses approved by the European Commission or the implementation of binding corporate rules).

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

The data processor must be chosen carefully, with special attention paid to the suitability of the technical and organisational measures applied by the processor. The work to be carried out by the processor must be specified in writing, including the following:

  • the subject and duration of the work to be carried out;
  • the extent, type and purpose of the intended collection, processing or use of data;
  • the types of data and categories of data subject;
  • the technical and organisational measures to be taken;
  • the rectification, deletion and blocking of data;
  • the data processor’s obligations – in particular, monitoring;
  • any right to issue subcontracts;
  • the data controller’s rights to monitor and the data processor’s corresponding obligations to cooperate;
  • violations by the data processor or its employees of provisions to protect personal data or of the terms specified by the data processing entity which are subject to the obligation to notify;
  • the extent of the data controller’s authority to issue instructions to the data processor; and
  • the return of data storage media and the deletion of data stored by the data processor after the work has been carried out.

Penalties and compensation

Penalties
What are the potential penalties for non-compliance with data protection provisions?

The Federal Data Protection Act provides for fines in case of administrative offences, or even imprisonment in case of criminal offences. Fines may amount to up to €300,000 per case. Fines must exceed the financial benefit that the perpetrator derived from the administrative offence; if the aforementioned maximum is insufficient to achieve this, it may be increased. In case of a criminal offence, imprisonment for up to two years is possible.

Compensation
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Yes.

Cybersecurity

Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

Yes. On July 25 2015 the IT Security Act entered into force. The act is a response to more frequent and complex attacks against information infrastructure in Germany in recent years. The act applies to private and public infrastructure operators in Germany and requires operators of critical infrastructure to implement minimum security measures and report security incidents to the Federal Office for Information Security.

Pursuant to Section 10 of the act, ‘critical infrastructure’ is defined as facilities and installations (or parts thereof) in sectors whose interruption could seriously affect public utility or safety. The relevant sectors include energy, IT, telecommunications, transportation, traffic, healthcare, water, food, finance and insurance.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

The Communication on a Cybersecurity Strategy of the European Union and the European Agenda on Security for 2015-2020 provide the overall strategic framework for the EU initiatives on cybersecurity and cybercrime.

In 2013, the European Commission proposed a directive concerning measures to ensure a high common level of network and information security across the European Union. On December 7 2015 the European Parliament and the Council agreed on the text of the Network and Information Security Directive. The directive provides legal measures to boost the overall level of cybersecurity by, among other things, enhancing cooperation on cybersecurity among member states.

Which cyber activities are criminalised in your jurisdiction?

The relevant legal provisions of the Criminal Code penalise:

  • data espionage (Section 202a);
  • phishing (Section 202b);
  • preparatory acts to data espionage and phishing (Section 202c);
  • violations of postal and telecoms secrets (Section 206);
  • computer fraud (Section 263a);
  • data tampering (Section 303a);
  • computer sabotage (Section 303b); and
  • disruption of telecoms facilities (Section 317).

Which authorities are responsible for enforcing cybersecurity rules?

The competent law enforcement agencies include, but are not limited to, state and federal police.

Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Yes – many insurers offer insurance for cybersecurity breaches. 

Are companies required to keep records of cybercrime threats, attacks and breaches?

The IT Security Act does not specifically require operators of critical infrastructure to keep records of cybercrime threats, attacks or breaches. However, pursuant to Section 8b(2) of the act, the Federal Office for Information Security must collect information relating to possible cybersecurity attacks.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

Pursuant to Section 8b(3) of the IT Security Act, operators of critical infrastructure must report significant security incidents without delay to the Federal Office for Information Security. Pursuant to Section 44b of the Atomic Energy Act, operators of nuclear power plants must report cybersecurity incidents that could constitute serious nuclear safety risks. 

Are companies required to report cybercrime threats, attacks and breaches publicly?

No – not under the Act on the Federal Office for Information Security. However, pursuant to Section 8d of the IT Security Act, the Federal Office for Information Security can, in limited circumstances and on request, provide third parties with information on reported cybersecurity incidents.

Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?

It depends on the applicable criminal rule. In principle, anyone who commits a criminal offence could be liable to imprisonment or a fine.

What penalties may be imposed for failure to comply with cybersecurity regulations?

An operator of critical infrastructure that fails to report cybersecurity incidents properly to the Federal Office for Information Security could be liable to a fine of up to €50,000, depending on the circumstances of the case (Section 14(2) of the IT Security Act). Other issues – for example, failure to implement organisational rules and technical preventative measures to protect critical IT systems (Section 8a(1) of the IT Security Act) – could lead to a fine of up to €100,000.