Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
The collection, processing and use of personal data will be permissible only if permitted or ordered by the Federal Data Protection Act or another law, or if the data subject has provided consent.
For instance, pursuant to Section 32 of the Federal Data Protection Act, an employee’s personal data may be collected, processed or used for employment-related purposes where necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract.
Pursuant to Section 28 of the Federal Data Protection Act, personal data may be collected, processed or used, among other things, if necessary to create, perform or terminate a legal obligation with the data subject, or as far as is necessary to safeguard the legitimate interests of the data processing entity, provided that there is no reason to assume that the data subject has an overriding legitimate interest in preventing the possibility of processing or use.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
As a rule, personal data must be deleted once its further storage is no longer permissible or, if it is processed for own purposes, as soon as it is no longer needed to carry out the purpose for which it was stored. Certain other statutes (eg, tax laws or trade laws) provide for retention obligations of six or 10 years in relation to business documents.
Do individuals have a right to access personal information about them that is held by an organisation?
The data processing entity must provide information to data subjects on request concerning stored data relating to them, including information relating to:
- the source of the data;
- the recipients or categories of recipient to which the data is transferred; and
- the purpose of storing the data.
Do individuals have a right to request deletion of their data?
Yes, under certain circumstances.
Is consent required before processing personal data?
The collection, processing and use of personal data are permissible only if permitted or ordered by the Federal Data Protection Act or another law, or if the data subject has consented. Hence, prior consent is required only if there is no other legal basis (eg, a statutory provision or a works council agreement) that justifies the data processing.
If consent is not provided, are there other circumstances in which data processing is permitted?
Yes, if permitted or ordered by the Federal Data Protection Act or another law, including a works council agreement.
What information must be provided to individuals when personal data is collected?
If personal data is stored for own purposes for the first time without the data subject’s knowledge, he or she must be notified of:
- the storage;
- the type of data;
- the purpose of collection;
- the data’s processing or use; and
- the identity of the data processing entity.
If personal data is commercially stored for the purpose of transfer without the data subject’s knowledge, he or she must be notified of the initial transfer and the type of data being transferred. In these cases, the data subject must also be notified of the categories of recipient where, given the circumstances of the individual case, he or she need not expect that his or her data will be transferred to such recipients.