Since 1 September 2009, pursuant to amendments to the German Data Protection Act, German companies that experience data security breaches affecting specific categories of personal data have been required to inform both the data protection authority and the data subjects affected.

Obligation to inform

The new duty to notify applies where personal data falling under one of the following categories is affected by a security breach:

  • "special categories of personal data" within the meaning of Article 2 of the EU Data Protection Directive 95/46/EC (i.e. data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life);
  • personal data relating to bank account or credit card information;
  • personal data subject to professional secrecy (e.g. personal data collected and stored by insurance companies, auditing and tax consulting firms); or
  • personal data which refers to criminal offences or misdemeanours or to the suspicion of criminal offences or misdemeanours.

The notification duty is triggered when personal data in one of these categories has been unlawfully disclosed or otherwise made available to any third party, and there is a risk that the protected rights and interests of the data subjects are seriously impaired by such disclosure.

Scope and content of the obligation to inform

While the competent data protection authority needs to be notified immediately, notifying data subjects may be deferred until "reasonable measures to secure the data" have been taken (or until such point in time when they could have been taken) or until notification would no longer jeopardise criminal investigations against the alleged suspects.

Legal consequences of a violation of the obligation to inform

If a company either fails to make the required notification or makes it incorrectly, incompletely or with delay, it may be liable to administrative fines of up to €300,000.

Developments at the EU level

The German changes are in harmony with recent amendments to the E-Privacy Directive. Under Article 4, providers of public communication services will have to notify data security breaches that result in personal data being lost or compromised to the relevant national authority as well as any user(s) concerned.