The German Data Protection Authorities of Berlin and North Rhine-Westphalia have issued a paper containing Frequently Asked Questions about the German statutory data breach notification requirement that went into effect on September 1, 2009. The paper provides detailed information on key questions concerning the procedure for notification as required by Section 42a of the German Federal Data Protection Act.
Pursuant to the notification obligation, private organizations (and public entities that compete in the free market) must notify without undue delay both the competent DPA and affected individuals of any unlawful transfer or other disclosure of certain types of personal data to third parties under certain circumstances. Relevant circumstantial requirements include the type(s) of data involved and whether there is a threat of serious effects on the rights or protected interests of the data subjects resulting from the transfer or disclosure.
The German data breach notification requirements are similar to the security breach notification scheme introduced in the revised EU e-Privacy Directive 2002/58/EC, albeit with a much broader scope. The German notification obligation applies to all companies subject to the German Federal Data Protection Act as well as to companies subject to the German Telecommunications Act (Telekommunikationsgesetz) (e.g., telecommunications providers), and the German Telemedia Act (Telemediengesetz) (e.g., website providers). The EU notification scheme applies only to the telecom and ISP industries.
The paper includes practical guidelines for organizations to help them (1) identify the circumstances requiring notification, and (2) act to comply with their notification obligations.
Specifically, Part A of the paper provides guidance on the following questions:
- Who is subject to the notification obligation?
- Are data processors also required to provide notification?
- Which types of data fall under the obligation?
- Under what circumstances should an organization presume that an unlawful disclosure of personal data has occurred?
- Under what circumstances would the rights or legitimate interests of data subjects be threatened?
Part B of the paper provides details regarding:
- The timing for providing notification to the DPA and affected individuals
- The content requirements for notification to the DPA
- The content and form requirements for notification to affected individuals
- The consequences of not providing notification, including those affecting an entity’s internal organization
German DPAs may impose a fine of up to €300,000 for failure to provide notification of a data breach, or for failing to provide notification correctly, completely, or in a timely manner.