Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?
German data protection laws are ahead of the curve.
Are any changes to existing data protection legislation proposed or expected in the near future?
The federal government and all federal states have already adapted their respective data protection laws to conform to the requirements of the General Data Protection Regulation. On a European level, the EU ePrivacy Regulation is expected to be approved soon. The ePrivacy Regulation will replace the current ePrivacy Directive and is expected to align closely with the General Data Protection Regulation. Further, in September 2018, EU institutions started negotiations to reach a final agreement on the EU Cybersecurity Act, which is also expected to come into force in the near future. The proposed EU regulation should lay down the objectives, tasks and organisational aspects of ENISA – the EU Cybersecurity Agency – and should likewise create a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity in the European Union with regard to products that will store, retrieve, transmit or receive information electronically in a digital form.
What legislation governs the collection, storage and use of personal data?
The collection, processing and use of personal data are governed mainly by the General Data Protection Regulation and the Federal Data Protection Act. In addition, in certain areas (eg, internet-related activities or the monitoring of emails), more specific and thus overriding legislation (eg, the Telecommunications Act or the Telemedia Act) may apply, depending on the facts of the individual case.
Scope and jurisdiction
Who falls within the scope of the legislation?
The General Data Protection Regulation and the Federal Data Protection Act apply to public bodies and private entities that collect data for use in data processing systems and those that use such systems to process, use or collect data in or from non-automated filing systems, unless the data is collected, processed or used solely for personal or domestic activities.
What kind of data falls within the scope of the legislation?
The General Data Protection Regulation and the Federal Data Protection Act apply to personal data – that is, any information concerning the personal or material circumstances of an identified or identifiable natural person (ie, the data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Are data owners required to register with the relevant authority before processing data?
The data owner must register its data protection officer, if any, with the local data protection supervisory authority. Some authorities provide a registration form online.
Is information regarding registered data owners publicly available?
Not concerning private entities.
Is there a requirement to appoint a data protection officer?
Pursuant to the General Data Protection Regulation, private controllers and processors will designate a data protection officer in any case where the core activities of the controller or processor consist of:
- processing operations which, by virtue of their nature, scope and purpose, require regular and systematic monitoring of data subjects on a large scale; or
- processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10 of the General Data Protection Regulation.
In addition, pursuant to the Federal Data Protection Act, private controllers and processors should designate a data protection officer if, as a rule, they continually employ at least 10 persons dealing with the automated processing of personal data. If the controller or processor undertakes processing subject to a data protection impact assessment pursuant to Article 35 of the General Data Protection Regulation, or if they commercially process personal data for the purpose of transfer, of anonymised transfer or for purposes of market or opinion research, they should designate a data protection officer regardless of the number of persons employed in processing.
Which body is responsible for enforcing data protection legislation and what are its powers?
There is a local supervisory authority in each federal state. The authorities monitor the implementation of the General Data Protection Regulation, the Federal Data Protection Act and other data protection provisions governing the processing of personal data. They advise and support data protection officials and data processing entities with due regard to their typical duties. The supervisory authority may also demand the removal of a data protection official from office if he or she does not have the necessary specialised knowledge and reliability to perform his or her duties. On request, they will provide administrative assistance to the supervisory authorities of other EU member states. If a supervisory authority finds that any of the data protection provisions have been violated, it can:
- notify the data subjects;
- report the violation to the bodies responsible for prosecution or punishment; and
- in case of serious violations, notify the trade supervisory authority in order to initiate measures under trade law.
Moreover, the competent authority has the power, among other things, to:
- order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information that it requires for the performance of its tasks;
- carry out investigations in the form of data protection audits;
- notify the controller or processor of an alleged infringement of data protection laws;
- obtain from the controller and processor access to all personal data and all information necessary for the performance of its tasks;
- obtain access to any premises of the controller and processor, including to any data processing equipment and means, in accordance with EU or member state procedural law;
- issue warnings to a controller or processor that intended processing operations are likely to infringe data protection law;
- issue reprimands to a controller or processor where processing operations have infringed data protection law;
- order the controller or processor to comply with the data subject's requests to exercise his or her rights;
- order the controller or processor to bring processing operations into compliance with the data protection law, where appropriate, in a specified manner and within a specified period;
- order the controller to communicate a personal data breach to the data subject;
- impose a temporary or definitive limitation including a ban on processing;
- order the rectification or erasure of personal data or restriction of processing and the notification of such actions to recipients to whom the personal data has been disclosed;
- impose an administrative fine; and
- order the suspension of data flows to a recipient in a third country or an international organisation.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Pursuant to the General Data Protection Regulation, processing is lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
In addition, the Federal Data Protection Act contains more specific provisions with respect to employment relationships.
Personal data of employees may be processed for employment-related purposes where necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract or to exercise or satisfy the rights and obligations of employees’ representation laid down by law or collective agreements or by other agreements between the employer and staff council. Employees’ personal data may be processed to detect crimes only if there is a documented reason to believe that the employee has committed a crime while employed, the processing of such data is necessary to investigate the crime and is not outweighed by the employee’s legitimate interest in not processing the data, and in particular the type and extent are not disproportionate to the reason.
If personal data of employees is processed on the basis of consent, then the employee’s level of dependence in the employment relationship and the circumstances under which consent was given will be taken into account in assessing whether such consent was freely given. Consent may be freely given in particular if it is associated with a legal or economic advantage for the employee, or if the employer and employee are pursuing the same interests. Consent will be given in written form, unless a different form is appropriate because of special circumstances. The employer will inform the employee in text form of the purpose of data processing and of the employee’s right to withdraw consent.
By derogation from Article 9(1) of the General Data Protection Regulation, the processing of special categories of personal data as referred to in Article 9(1) for employment-related purposes will be permitted if it is necessary to exercise rights or comply with legal obligations derived from labour law, social security and social protection law, and there is no reason to believe that the employee has an overriding legitimate interest in not processing the data. If special categories of personal data are processed based on consent, such consent must explicitly refer to these data.
The processing of personal data, including special categories of personal data of employees for employment-related purposes, is also permissible based on collective agreements (eg, collective bargaining agreements or works council agreements). However, the collective agreements may not fall short of the data protection standards established by the General Data Protection Regulation.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
As a rule, personal data must be deleted once its further storage is no longer permissible or, if it is processed for own purposes, as soon as it is no longer needed to carry out the purpose for which it was stored. Certain other statutes (eg, tax laws or trade laws) provide for retention obligations of six or 10 years in relation to business documents.
Do individuals have a right to access personal information about them that is held by an organisation?
The data subject has the right to obtain confirmation from the controller as to whether personal data concerning him or her is being processed and, where that is the case, to access the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data is not collected from the data subject, any available information as to its source; and
- the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
Where personal data is transferred to a third country or an international organisation, the data subject will have the right to be informed of the appropriate safeguards relating to the transfer.
Further, the controller should provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information will be provided in a commonly used electronic form.
Do individuals have a right to request deletion of their data?
Yes, under certain circumstances.
Is consent required before processing personal data?
Not necessarily. Consent is one among various legal justifications for the collection, processing and use of personal data. In some cases where there is no statutory justification for the processing available, consent may be the only option.
If consent is not provided, are there other circumstances in which data processing is permitted?
Yes, if processing is necessary for:
- the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
- compliance with a legal obligation to which the controller is subject;
- protecting the vital interests of the data subject or of another natural person;
- the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
What information must be provided to individuals when personal data is collected?
That depends on whether the personal data is collected directly from the data subject or from another source, but generally speaking at the time when personal data is obtained the data subject must be notified of:
- the identity and the contact details of the controller and, where applicable, of the controller's representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data is intended as well as the legal basis for the processing;
- the legitimate interests pursued by the controller or by a third party where the processing is based on such legitimate interests;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the European Commission, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy or where they have been made available;
- the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; and
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Data security and breach notification
Are there specific security obligations that must be complied with?
Yes. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor should implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In assessing the appropriate level of security, account will be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Are data owners/processors required to notify individuals in the event of a breach?
Yes. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller should communicate the personal data breach to the data subject without undue delay.
Are data owners/processors required to notify the regulator in the event of a breach?
Yes. In the case of a personal data breach, the controller should without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
Yes. In principle, promotional emails are permitted only if the intended recipient agrees beforehand to receive such emails (Section 7 of the Act against Unfair Competition). This applies to both entrepreneurs and consumers. Exceptions are limited to narrow circumstances (see Section 7(3), 1-4 of the Act against Unfair Competition).
If the recipient has not given his or her express consent to receive promotional emails, he or she can request the sender to desist pursuant to Sections 823(1) and 1004(1) of the Civil Code. Moreover, competitors of the sender may request that the sender desist pursuant to Section 8(1) of the Act against Unfair Competition.
Further, the General Data Protection Regulation applies to the unsolicited use of email addresses as well. Email addresses that relate to an individual person are personal data if that individual can be identified from the email address. The use of an email address to send marketing emails is a processing of personal data, which will have to be justified under Article 6 of the General Data Protection Regulation, most likely through consent.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
As a rule, personal data may be transferred to recipients in other EU member states or states that are parties to the EEA Agreement, because these countries have a level of data protection which is similar to that in Germany, provided that there is a justification for the data transfer. Moreover, according to European Commission decisions, a few other countries are deemed safe as regards their level of data protection.
If the recipient is located in a country where none of the aforementioned requirements are met and the recipient therefore does not ensure an adequate level of protection, data may be transferred if, among other things, the data subject has given his or her consent. Moreover, it is possible to establish an adequate level of data protection with the recipient; recognised ways of doing this are to conclude standard contractual clauses approved by the European Commission or implement so-called ‘binding corporate rules’.
Are there restrictions on the geographic transfer of data?
Yes. Countries outside the European Union and European Economic Area are generally considered to be unsafe. A data transfer to recipients in such countries may take place only in exceptional cases or where an adequate level of data protection has been established at the recipient (eg, by means of standard contractual clauses approved by the European Commission or the implementation of binding corporate rules).
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
The controller will use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the General Data Protection Regulation and ensure the protection of the rights of the data subject. Processing by a processor will be governed by a contract or other legal act under EU or member state law, that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act should stipulate, in particular, that the processor:
- processes the personal data only on documented instructions from the controller;
- ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- takes all necessary technical and organisational measures;
- respects the conditions for engaging sub-processors;
- taking into account the nature of the processing, assists the controller for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights;
- assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation;
- at the request of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless EU or member state law requires storage of the personal data; and
- makes available to the controller all information necessary to demonstrate compliance with the aforementioned obligations and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Penalties and compensation
What are the potential penalties for non-compliance with data protection provisions?
The General Data Protection Regulation provides for fines up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is the higher. In addition, the Federal Data Protection Act provides for up to three years’ imprisonment in case of a criminal offence.
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
Yes. On 25 July 2015 the IT Security Act entered into force. The act, which, among other things, amended the Act on the Federal Office for Information Security, was a response to more frequent and complex attacks against information infrastructure in Germany in recent years. The Act on the Federal Office for Information Security applies to private and public infrastructure operators in Germany and requires operators of critical infrastructure to implement minimum security measures and report security incidents to the Federal Office for Information Security.
Based on Section 10 of the Act on the Federal Office for Information Security, the Federal Office for Information Security issued an ordinance which, in principle, identifies the energy, IT, telecoms, water, food, health, finance and insurance, and transport and traffic industry sectors as those containing critical infrastructures.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
The Communication on a Cybersecurity Strategy of the European Union and the European Agenda on Security for 2015 to 2020 provide the overall strategic framework for the EU initiatives on cybersecurity and cybercrime.
In August 2016, the EU Directive on Security of Network and Information Systems entered into force. The directive provides legal measures to boost the overall level of cybersecurity by, among other things, enhancing cooperation on cybersecurity among member states. In 2017 the directive was implemented into German law by, among other things, amending the Act on the Federal Office for Information Security and the Telecommunications Act.
Since then, the EU Council has presented a proposal for a regulation on the EU Cybersecurity Agency and on Information and Communication Technology. The proposal forms part of a wider plan by the European Commission to boost cybersecurity resilience within the European Union.
Which cyber activities are criminalised in your jurisdiction?
The relevant legal provisions of the Criminal Code penalise:
- data espionage (Section 202a);
- phishing (Section 202b);
- preparatory acts to data espionage and phishing (Section 202c);
- violations of postal and telecoms secrets (Section 206);
- computer fraud (Section 263a);
- suppression of legally relevant electronic data (Section 274);
- data tampering (Section 303a);
- computer sabotage (Section 303b); and
- disruption of telecoms facilities (Section 317).
Which authorities are responsible for enforcing cybersecurity rules?
The competent law enforcement agencies include, but are not limited to, state and federal police.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
Yes – many insurers offer insurance for cybersecurity breaches.
Are companies required to keep records of cybercrime threats, attacks and breaches?
The Act on the Federal Office for Information Security does not specifically require operators of critical infrastructure to keep records of cybercrime threats, attacks or breaches. However, pursuant to Section 8b(2) of the Act on the Federal Office for Information Security, the Federal Office for Information Security must collect information relating to possible cybersecurity attacks.
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
Pursuant to Section 8b(3) of the Act on the Federal Office for Information Security, operators of critical infrastructure must report significant security incidents without delay to the Federal Office for Information Security. Further, pursuant to Section 44b of the Atomic Energy Act, operators of nuclear power plants must report cybersecurity incidents that could constitute serious nuclear safety risks. Further, pursuant to Article 33 of the General Data Protection Regulation, in the case of a personal data breach, the controller should without undue delay notify the personal data breach to the competent supervisory authority.
Are companies required to report cybercrime threats, attacks and breaches publicly?
No – not under the Act on the Federal Office for Information Security. However, pursuant to Section 8d of the act, the Federal Office for Information Security can, in limited circumstances and on request, provide third parties with information on reported cybersecurity incidents.
Further, pursuant to Article 34 of the General Data Protection Regulation, when a personal data breach is likely to result in a high risk to an individual’s rights or freedoms, the controller should communicate the personal data breach to the data subject. However, if the personal communication would involve disproportionate effort, there can instead be a public communication.
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
It depends on the applicable criminal rule. In principle, anyone who commits a criminal offence could be liable to imprisonment or a fine.
What penalties may be imposed for failure to comply with cybersecurity regulations?
An operator of critical infrastructure that fails to report cybersecurity incidents to the Federal Office for Information Security properly could be liable to a fine of up to €50,000, depending on the circumstances of the case (Section 14(2) of the Act on the Federal Office for Information Security). Other issues – for example, failure to implement organisational rules and technical preventative measures to protect critical IT systems (Section 8a(1) of the Act on the Federal Office for Information Security) – could lead to a fine of up to €100,000.
Further, pursuant to Article 83(4) of the General Data Protection Regulation, the infringement of technical and organisational security measures will be subject to administrative fines up to €10 million or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is the higher.