Page 1

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Federal Data Protection Act (BDSG)
BDSG
Date of issue: 06/30/2017
Full quote:
"Federal Data Protection Act of 30 June 2017 (Federal Law Gazette I p. 2097), which is amended by Article 12 of the Act of 20
November 2019 (Federal Law Gazette I p. 1626) has been changed "
Was standing:Amended by Art. 12 G v. 11/20/2019 I 1626
Replaces G 204-3 v. December 20, 1990 I 2954, 2955 (BDSG 1990)
footnote
(+++ Proof of text from: 25.5.2018 +++)
(+++ For application cf. §§ 4 Paragraph 4, 12 Paragraph 3, 16 Paragraph 5, 26 Paragraph 3,
38 para. 2, 40 para. 3 and 5, 56 para. 4, 65 para. 7, 66 para. 6, 75 para. 3,
80 para. 3, 81 para. 3, 84, 85 para. 2 and 3 +++)

The G was used as Art. 1 of the G v. June 30, 2017 I 2097 decided by the Bundestag with the consent of the Bundesrat.
It came into force on May 25, 2018 in accordance with Article 8, Paragraph 1, Clause 1 of this G.
Contents overview
Part 1
Common provisions

Chapter 1
scope of application
and definitions
§1

Scope of the law

§2

Definitions

§3

Chapter 2
Legal basis of
Processing of personal data
Processing of personal data by public bodies

§4

Video surveillance of publicly accessible rooms

Chapter 3
Data protection officers of public bodies
§5

designation

§6

position

§7

tasks

§ 8th

Chapter 4
The or the
Federal Commissioner for
data protection and freedom of information
Establishment

- Page 1 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 2

§9

Jurisdiction

§ 10

independence

§ 11

Appointment and term of office

§ 12

Office relationship

§ 13

Rights and obligations

§ 14

tasks

§ 15

Activity report

§ 16

Powers

§ 17

Chapter 5
Representation in
European Data Protection Board,
central point of contact, cooperation of
Federal and state supervisory authorities
in matters of the European Union
Representation in the European Data Protection Board, central contact point

§ 18

Procedure for cooperation between federal and state supervisory authorities

§ 19

Responsibilities

Chapter 6
Remedies
§ 20

Judicial legal protection

§ 21

Request from the supervisory authority for a judicial decision in the event of assumed illegality
a decision of the European Commission

Part 2
Implementing Regulations
for processing for purposes
according to Article 2 of Regulation (EU) 2016/679

Chapter 1
Legal basis of
Processing of personal data

Part 1
Processing special
Categories of personal
Data and processing for other purposes
§ 22

Processing of special categories of personal data

§ 23

Processing for other purposes by public bodies

§ 24

Processing for other purposes by non-public bodies

§ 25

Data transfers by public bodies

Section 2
Special processing situations
§ 26

Data processing for the purposes of the employment relationship

- Page 2 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 3

§ 27

Data processing for scientific or historical research purposes and to
statistical purposes

§ 28

Data processing for archiving purposes in the public interest

§ 29

Rights of the data subject and regulatory powers in the case of
Confidentiality obligations

§ 30

Consumer credit

§ 31

Protection of business transactions with scoring and credit reports

§ 32

Chapter 2
Rights of the data subject
Duty to provide information when collecting personal data from the data subject

Section 33

Duty to provide information if the personal data has not been collected from the data subject
were

§ 34

Right of the data subject to be informed

§ 35

Right to cancellation

§ 36

Right to object

§ 37

Automated decisions in individual cases including profiling

Chapter 3
Obligations of
§ 38

Controller and processor
Data protection officers of non-public bodies

§ 39

Accreditation

§ 40

Chapter 4
Supervisory authority
for data processing
by non-public bodies
Supervisory authorities of the federal states

§ 41

Chapter 5
Sanctions
Application of the rules on administrative fines and criminal proceedings

§ 42

Criminal regulations

§ 43

Fine regulations

§ 44

Chapter 6
Remedies
Lawsuits against the controller or processor

part 3
Provisions for
Processing for purposes
in accordance with Article 1 (1) of Directive (EU) 2016/680

Chapter 1

- Page 3 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 4

§ 45

Scope of application,
Definitions
and general principles for the
Processing of personal data
scope of application

Section 46

Definitions

Section 47

General principles for the processing of personal data

Section 48

Chapter 2
Legal basis of
Processing of personal data
Processing of special categories of personal data

Section 49

Processing for other purposes

Section 50

Processing for archival, scientific and statistical purposes

Section 51

consent

Section 52

Processing on the instructions of the person responsible

Section 53

Data secrecy

Section 54

Automated individual decision

§ 55

Chapter 3
Rights of the data subject
General information on data processing

Section 56

Notification of data subjects

Section 57

right of providing information

§ 58

Right to correction and deletion as well as restriction of processing

§ 59

Procedure for exercising the rights of the data subject

Section 60

Appeal to the Federal Commissioner

Section 61

Legal protection against decisions by or by the Federal Commissioner or by theirs
its inaction

Chapter 4
Obligations of
§ 62

Controller and processor
Order processing

Section 63

Jointly responsible

Section 64

Data processing security requirements

Section 65

Reporting violations of the protection of personal data to the or the
Federal Commissioner

Section 66

Notification of data subjects in the event of personal data breaches

Section 67

Carrying out a data protection impact assessment

Section 68

Cooperation with the Federal Commissioner

Section 69

Hearing of the Federal Commissioner

Section 70

Directory of processing activities

§ 71

Data protection through technology design and data protection-friendly default settings

§ 72

Differentiation between different categories of data subjects

- Page 4 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 5

Section 73

Differentiate between facts and personal assessments

Section 74

Procedure for transfers

Section 75

Correction and deletion of personal data and restriction of processing

Section 76

Logging

Section 77

Confidential reporting of violations

Chapter 5
Data transfers
to third countries and to
international organizations
§ 78

general requirements

Section 79

Data transfer with suitable guarantees

§ 80

Data transmission without suitable guarantees

§ 81

Other data transfer to recipients in third countries

§ 82

Chapter 6
Cooperation between the supervisory authorities
Mutual administrative assistance

Chapter 7
Liability and penalties
§ 83

Damages and Compensation

Section 84

Criminal regulations

Part 4
Special provisions for
Processing in the context of not in the
Areas of application of Regulation (EU) 2016/679
and the activities covered by Directive (EU) 2016/680
§ 85

Processing of personal data in the context of not in the scope of the
Regulation (EU) 2016/679 and Directive (EU) 2016/680 covered activities

Section 86

Processing of personal data for the purposes of government awards and honors

Part 1
Common provisions
Chapter 1
Scope and definitions
§ 1 Scope of the Act
(1) This law applies to the processing of personal data by
1. public authorities of the federal government,
2. Public authorities of the states, insofar as data protection is not regulated by state law and insofar as they are
a) execute federal law or
b) act as organs of the administration of justice and they are not administrative matters.
For non-public bodies, this law applies to fully or partially automated processing
personal data as well as the non-automated processing of personal data, which in a

- Page 5 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 6

File system are or should be saved, unless processing by natural
People are used to exercise exclusively personal or family activities.
(2) Other federal legislation on data protection takes precedence over the provisions of this Act.
If they do not regulate a situation to which this law applies, or not conclusively, see the regulations
application of this law. The obligation to comply with statutory confidentiality obligations or of
Professional or special official secrets that are not based on statutory provisions remain unaffected.
(3) The provisions of this Act take precedence over those of the Administrative Procedure Act, insofar as the
Determination of the facts personal data are processed.
(4) This Act applies to public bodies. It applies to non-public bodies,
provided
1. the controller or processor processes personal data domestically,
2. the processing of personal data in the context of the activities of a domestic branch
of the person responsible or processor takes place or
3. the controller or processor does not have an establishment in a member state of the
European Union or in another signatory state to the Agreement on the European
Economic area, but it falls within the scope of Regulation (EU) 2016/679 of the European
Parliament and the Council of April 27, 2016 on the protection of natural persons with regard to processing
personal data, the free movement of data and the repeal of Directive 95/46 / EC
(General Data Protection Regulation) (OJ L 119 of 4.5.2016, p. 1; L 314 of 22.11.2016, p. 72; L 127 of
23.5.2018, p. 2) in the currently applicable version.
If this law does not apply in accordance with sentence 2, for the person responsible or
Processors only §§ 8 to 21, 39 to 44.
(5) The provisions of this Act do not apply insofar as the law of the European Union, im
In particular, Regulation (EU) 2016/679 in the currently applicable version applies directly.
(6) In the case of processing for purposes in accordance with Article 2 of Regulation (EU) 2016/679, the contracting states are responsible
of the Agreement on the European Economic Area equal to the member states of the European Union.
In this respect, other countries are considered third countries.
(7) In the case of processing for the purposes of Article 1 (1) of Directive (EU) 2016/680 of the European
Parliament and the Council of April 27, 2016 on the protection of natural persons with regard to processing
personal data by the competent authorities for the purpose of prevention, investigation, detection
or prosecution of criminal offenses or the execution of sentences as well as for the free movement of data and for annulment
of Framework Decision 2008/977 / JHA of the Council (OJ L 119, 4.5.2016, p. 89), the implementation,
Application and development of the Schengen acquis member states of the associated states
European Union same. In this respect, other countries are considered third countries.
(8) For the processing of personal data by public bodies in the context of not in the
Areas of application of Regulation (EU) 2016/679 and Directive (EU) 2016/680
Regulation (EU) 2016/679 and Parts 1 and 2 of this Act apply accordingly, insofar as
not otherwise regulated in this law or any other law.
§ 2 Definitions
(1) Public authorities of the federal government are the authorities, the organs of the administration of justice and other public
Legally organized federal institutions, federal corporations, institutions and
Public law foundations and their associations regardless of their legal form.
(2) Public bodies of the federal states are the authorities, the organs of the administration of justice and others under public law
organized institutions of a state, a municipality, a municipality association or other supervisory bodies
legal persons under public law subordinate to the country and their associations regardless
their legal form.
(3) Associations under private law of public bodies of the Federation and the Länder, the tasks of
perform public administration are considered public regardless of the involvement of non-public bodies
Federal bodies if

- Page 6 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 7

1. they operate beyond the area of ​a country or
2. the federal government has the absolute majority of the shares or the absolute majority of the votes.
Otherwise they are considered to be public authorities of the federal states.
(4) Non-public bodies are natural and legal persons, companies and others
Associations of persons under private law, insofar as they do not fall under paragraphs 1 to 3. Take one
If a non-public body carries out sovereign tasks of the public administration, it is a public body in this respect
within the meaning of this law.
(5) Federal public bodies are non-public bodies within the meaning of this Act insofar as they are
public companies take part in the competition. As non-public bodies within the meaning of this
Law also apply to public bodies in the federal states, insofar as they are public companies on
Participate in the competition, implement federal law and data protection is not regulated by state law.

Chapter 2
Legal basis for processing personal data
§ 3 Processing of personal data by public bodies
The processing of personal data by a public body is permitted if it is necessary for the fulfillment of the
in the responsibility of the person responsible or in the exercise of official authority, which the
Responsible person is required.
§ 4 Video surveillance of publicly accessible rooms
(1) The observation of publicly accessible rooms with optical-electronic devices
(Video surveillance) is only permitted insofar as it
1. to fulfill the tasks of public bodies,
2. to exercise house rights or
3. to safeguard legitimate interests for specifically defined purposes
is required and there are no indications that the data subjects' interests are worthy of protection
predominate. When video surveillance of
1. publicly accessible large-scale facilities, such as in particular sports, assembly and
Amusement places, shopping malls or parking lots, or
2. Vehicles and publicly accessible large-scale facilities of the public rail, ship
and bus transport
The protection of life, health or freedom of people staying there is considered to be particularly important
Interest.
(2) The circumstance of observation and the name and contact details of the person responsible are through
to make suitable measures recognizable at the earliest possible point in time.
(3) The storage or use of data collected in accordance with paragraph 1 is permitted if it is necessary to achieve
is necessary for the intended purpose and there are no indications that legitimate interests of
affected people predominate. Paragraph 1 sentence 2 applies accordingly. For any other purpose they are only allowed to
are processed further to the extent that this is to avert threats to state and public safety
as well as for the prosecution of criminal offenses.
(4) If data collected by video surveillance is assigned to a specific person, it exists
the obligation to inform the data subject about the processing in accordance with Articles 13 and 14 of the
Regulation (EU) 2016/679. Section 32 applies accordingly.
(5) The data must be deleted immediately if they are no longer required to achieve the purpose
or legitimate interests of the data subjects oppose further storage.

Chapter 3
Data protection officers of public bodies

- Page 7 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 8

§ 5 Designation
(1) Public bodies appoint a data protection officer. this applies
also for public bodies according to § 2 paragraph 5 that take part in the competition.
(2) For several public bodies, taking into account their organizational structure and size, a
joint data protection officer or a joint data protection officer can be appointed.
(3) The data protection officer is based on his or her professional qualifications and
in particular named her or his specialist knowledge that she or he has in the field of data protection law
and who has data protection practice, as well as on the basis of his or her ability to fulfill the requirements set out in Section 7
mentioned tasks.
(4) The data protection officer may be an employee of the public body or
perform his or her duties on the basis of a service contract.
(5) The public body publishes the contact details of the data protection officer and shares them
Data from the Federal Commissioner for Data Protection and Freedom of Information.
§ 6 Position
(1) The public body ensures that the data protection officer is properly and promptly in
all questions related to the protection of personal data are included.
(2) The public body supports the data protection officer in the
Fulfill her or his tasks according to § 7 by doing the things necessary for the performance of these tasks
Resources and access to personal data and processing operations as well as those for preservation
provides his or her expertise with the necessary resources.
(3) The public body ensures that the data protection officer in fulfilling their
or his duties are not instructed to perform those duties. The or the
The data protection officer reports directly to the highest management level of the public body. The or the
Data protection officers are not allowed to work by the public body because of the performance of his or her duties
recalled or disadvantaged.
(4) The dismissal of the data protection officer is only possible in the corresponding application of §
626 of the Civil Code. The termination of the employment relationship is inadmissible, either
because that there are facts which the public body to terminate for an important reason without
Authorize compliance with a notice period. After the end of the activity as a data protection officer or
As a data protection officer, termination of the employment relationship within one year is not permitted
unless the public body to terminate for an important reason without observing a notice period
is justified.
(5) Affected persons can contact the data protection officer or the data protection officer with the
Processing your personal data and exercising your rights under the Regulation
(EU) 2016/679, this law as well as other legal provisions related to data protection
consult any questions. The data protection officer is responsible for secrecy about the
Identity of the person concerned as well as circumstances that allow conclusions to be drawn about the person concerned,
obliged, insofar as he or she is not exempted from this by the person concerned.
(6) If the data protection officer becomes aware of data during his or her work,
for the management or a person employed by the public body for professional reasons
If the right to refuse to testify is entitled, this right is also available to the data protection officer and
to his or her subordinate employees. The person who decides to exercise this right
who has the right to refuse to testify for professional reasons, unless this decision
cannot be brought about in the foreseeable future. As far as the right to refuse to testify of the or
of the data protection officer suffices, his or her files and other documents are subject to a
Confiscation prohibition.
footnote
(+++ § 6 Paragraph 4, 5 Clause 2 and Paragraph 6: for application see § 38 Paragraph 2 +++)

- Page 8 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 9

§ 7 tasks
(1) The data protection officer is responsible in addition to those mentioned in Regulation (EU) 2016/679
Tasks at least the following tasks:
1.Informing and advising the public body and the employees who carry out processing,
with regard to their obligations under this Act and other data protection regulations,
including the legislation enacted to implement Directive (EU) 2016/680;
2. Monitoring compliance with this Act and other data protection regulations,
including the legal provisions enacted to implement Directive (EU) 2016/680, as well as the
Public body strategies for the protection of personal data, including assignment
of responsibilities, awareness-raising and training of those involved in the processing operations
Employees and the related reviews;
3. Advice in connection with the data protection impact assessment and monitoring of their
Implementation in accordance with Section 67 of this Act;
4. Cooperation with the supervisory authority;
5. Acting as a contact point for the supervisory authority in questions related to processing,
including prior consultation in accordance with Section 69 of this Act, and, if necessary, advice on
all other questions.
In the case of a data protection officer appointed by a court, these tasks relate
does not affect the actions of the court in the course of its judicial activity.
(2) The data protection officer can perform other tasks and duties. The public body
ensures that such tasks and obligations do not lead to a conflict of interest.
(3) The data protection officer is responsible for carrying out his or her duties with the
Processing operations, due account being taken of the nature, extent, and nature of the processing operations
Circumstances and the purposes of the processing taken into account.

Chapter 4
The Federal Commissioner for Data Protection and Freedom of Information
§ 8 Establishment
(1) The Federal Commissioner for Data Protection and Freedom of Information (Federal Commissioner) is
a supreme federal authority. The office is in Bonn.
(2) The civil servants of the Federal Commissioner are civil servants of the federal government.
(3) The Federal Commissioner can assign personnel administration and human resources management tasks to others
Confederation agencies are transferred to the extent that this does not result in the independence of the Federal Commissioner
is impaired. Personal data of the employees may be transmitted to these bodies,
as far as their knowledge is necessary to fulfill the assigned tasks.
§ 9 jurisdiction
(1) The federal commissioner is responsible for the supervision of the public authorities of the federal government, too
insofar as they take part in the competition as a public company, as well as through companies, insofar
these for the commercial provision of telecommunication services data from natural
or legal persons and the jurisdiction is not already based on Section 115 (4) of the
Telecommunications Act results. The provisions of this chapter also apply to processors, insofar as
they are non-public bodies in which the federal government owns the majority of the shares or the majority of the
Votes and the client is a public body of the federal government.
(2) The Federal Commissioner is not responsible for the supervision of the Federal Courts im
Processing carried out in the context of their judicial activity.
§ 10 Independence

- Page 9 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 10

(1) The Federal Commissioner acts in the fulfillment of his or her tasks and in the
Exercise his or her powers completely independently. He or she is subject neither directly nor indirectly
External influence and neither asks for instructions nor does she or he accept instructions.
(2) The Federal Commissioner is subject to the audit of the accounts by the Federal Audit Office, insofar as
this does not affect his or her independence.
footnote
(+++ § 10 Paragraph 1: for application see § 12 Paragraph 3 +++)
§ 11 Appointment and term of office
(1) The German Bundestag elects the Federal Commissioner on the proposal of the Federal Government without debate
or the Federal Commissioner with more than half the legal number of its members. The or
the person elected is to be appointed by the Federal President. The or the
Federal Commissioner must have reached the age of 35 when he or she is elected. He or she has to
about what is necessary for the performance of his or her duties and the exercise of his or her powers
Qualifications, experience and expertise, especially in the area of ​personal data protection
feature. In particular, the Federal Commissioner must have relevant professional experience
have acquired knowledge of data protection law and the qualification for judicial office or higher
Have administrative service.
(2) The Federal Commissioner shall do the following before the Federal President
Oath: "I swear that I will devote my energies to the well-being of the German people, to increase their benefits,
Avoid damage from him, uphold and defend the Basic Law and federal laws, mine
Will conscientiously perform duties and do justice to everyone. So help me God. " The
The oath can also be taken without a religious affirmation.
(3) The term of office of the Federal Commissioner is five years. One-time re-election is permitted.
§ 12 Office Relationship
(1) In accordance with this Federal Act, the Federal Commissioner is in a public
legal office relationship.
(2) The official relationship begins with the delivery of the certificate of appointment. It ends with the expiration of the
Term of office or with resignation. On the proposal of the Federal President, the Federal President shall remove the
President of the Bundestag the federal commissioner of his or her federal commissioner
his or her office if the Federal Commissioner has committed grave misconduct or the
Requirements for the performance of his or her duties are no longer met. In the event of termination
of the official relationship or the removal from office, the Federal Commissioner receives one from the
Certificate executed by the Federal President. Impeachment is carried out with the
Delivery of the certificate effective. If the office relationship ends at the end of the term of office, the
At the request of the President of the Bundestag, federal commissioners are obliged to issue the
Transactions up to the appointment of a successor for a maximum period of six
Months.
(3) The senior civil servant shall exercise the rights of the federal commissioner,
if the Federal Commissioner is prevented from exercising his or her office or if you or
his or her office ends and he or she is not obliged to continue business. § 10 paragraph 1 is
apply accordingly.
(4) The Federal Commissioner receives from the beginning of the calendar month in which the official relationship
begins until the end of the calendar month in which the office relationship ends, in the case of paragraph
2 sentence 6 until the end of the month in which the management ends, official remuneration in the amount of
Salary group B 11 as well as the family allowance according to Annex V of the Federal Salary Act.
The Federal Travel Expenses Act and the Federal Moving Costs Act are to be applied accordingly. Furthermore
are § 12 paragraph 6 as well as §§ 13 to 20 and 21a paragraph 5 of the Federal Ministers Act with the stipulations
apply that in place of the four-year term in Section 15 (1) of the Federal Ministers Act, a
Term of five years occurs. Notwithstanding sentence 3 in connection with §§ 15 to 17 and 21a paragraph 5 of the

- Page 10 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 11

Federal Minister Act, the pension of the Federal Commissioner is calculated by adding it
the term of office as a pensionable period of service in the corresponding application of the Civil Service Pension Act,
if this is more favorable and the Federal Commissioner immediately before his or her election for or
to the Federal Commissioner as a civil servant or as a judge at least in the last
usually found the office to be passed before reaching grade B11.
§ 13 Rights and Obligations
(1) The Federal Commissioner does not look to anybody with the tasks of his or her office
and do not engage in any other with his or her during his or her term of office
Offices not to be agreed paid or unpaid activity. In particular, the
Federal Commissioner has no other paid office besides his or her office, no trade and none
Exercise profession and neither the management nor the supervisory board or board of directors of a profit-oriented one
Corporation or federal or state government or legislative body
belong. He or she may not submit out-of-court opinions for a fee.
(2) The Federal Commissioner shall notify the President of the Bundestag
about giving gifts he or she receives in relation to the office. The President of the
The Bundestag decides on the use of the gifts. He or she can issue rules of procedure.
(3) The Federal Commissioner is entitled to discuss persons who are his or her in his or her
Capacity as federal commissioner or federal commissioner have entrusted facts, as well as about them
To refuse to testify to facts themselves. This also applies to the employees of the
Federal Commissioner with the proviso that the Federal Commissioner is responsible for exercising this right
decides. As far as the right of the Federal Commissioner to refuse to testify is sufficient, the submission may
or delivery of files or other documents are not required of him or her.
(4) The Federal Commissioner is obliged, even after the termination of his or her office,
to maintain secrecy about matters officially known to him or her. this applies
not for communications in business dealings or about facts that are obvious or their significance
do not require any confidentiality. The Federal Commissioner decides in accordance with the duty
Discretion as to whether and to what extent he or she testifies about such matters in or out of court
or makes statements; if she or he is no longer in office, approval is given by the incumbent
Federal Commissioner required. The legally established obligation to report criminal offenses remains unaffected
and to stand up for its preservation if the free democratic basic order is at risk.
For the Federal Commissioner and his or her employees
§§ 93, 97 and 105 paragraph 1, § 111 paragraph 5 in conjunction with § 105 paragraph 1 and § 116 paragraph apply
1 of the tax code is not. Sentence 5 does not apply if the tax authorities have the knowledge for
the implementation of a procedure for a tax offense as well as a related one
Need tax proceedings, in the pursuit of which there is an overriding public interest, or insofar as there is
deliberately false information from the party responsible for providing information or the persons working for him or her
acts. If the Federal Commissioner detects a data protection violation, he or she is authorized to do so
and to inform the person concerned about this.
(5) The Federal Commissioner may testify as a witness, unless the testimony would be
1. cause disadvantages for the well-being of the federal government or a state, in particular disadvantages for the security of the
Federal Republic of Germany or its relations with other states, or
2. Violate fundamental rights.
If the statement relates to ongoing or completed processes, which are the core area executive
Are or could be attributable to the federal government, the
or the Federal Commissioner can only testify in consultation with the Federal Government. § 28 des
The Federal Constitutional Court Act remains unaffected.
(6) Paragraphs 3 and 4, sentences 5 to 7 apply accordingly to the public bodies responsible for the control of the
Compliance with data protection regulations in the countries responsible.
footnote
(+++ Section 13, Paragraph 4, Clauses 4 to 7: for application, see Section 40, Paragraph 3 +++)

- Page 11 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 12

§ 14 Tasks
(1) In addition to the tasks specified in Regulation (EU) 2016/679, the Federal Commissioner shall also:
Tasks,
1.

the application of this Act and other data protection regulations, including
to monitor and monitor the legal provisions enacted to implement Directive (EU) 2016/680
enforce

2.

the public for the risks, regulations, guarantees and rights associated with the
Processing of personal data to raise awareness and educate them about it, being specific
Special attention is paid to measures for children,

3.

the German Bundestag and the Bundesrat, the Federal Government and other institutions and
Bodies on legislative and administrative measures to protect rights and freedoms

to advise natural persons on the processing of personal data,
4th

the persons responsible and the processors for them from this law and others
Data protection rules, including those implementing Directive (EU) 2016/680
enacted legal provisions to sensitize emerging obligations,

5.

upon request of any data subject, information about the exercise of their rights based on this
Law and other regulations on data protection, including those to implement the
Directive (EU) 2016/680, to make available and, if necessary, to
to cooperate with the supervisory authorities in other Member States for this purpose,

6th

deal with complaints from a data subject or complaints from a body or organization
or an association in accordance with Article 55 of Directive (EU) 2016/680 to refer the matter
to investigate the complaint to an appropriate extent and to inform the complainant within
to inform within a reasonable period of the progress and the result of the investigation,
especially if there is further investigation or coordination with another supervisory authority
necessary is,

7th

Cooperate with other supervisory authorities, including through information exchange, and them
To provide administrative assistance to ensure the uniform application and enforcement of this Act and others
Data protection rules, including those implementing Directive (EU) 2016/680
enacted legal provisions to ensure

8th.

Investigations into the application of this Act and other provisions on data protection,
including the legal provisions enacted to implement Directive (EU) 2016/680,
to be carried out, also on the basis of information from another supervisory authority or a
other authority,

9.

to follow significant developments insofar as they relate to the protection of personal data
impact, in particular the development of information and communication technology and the
Business practices,

10. To provide advice in relation to the processing operations referred to in Section 69 and
11. Contribute to the work of the European Data Protection Board.
In the area of ​application of Directive (EU) 2016/680, the Federal Commissioner also takes on the task
true according to § 60.
(2) In order to fulfill the task mentioned in paragraph 1 sentence 1 number 3, the Federal Commissioner
on all questions related to the protection of personal data
from or upon request, statements to the German Bundestag or one of its committees, the
To the Federal Council, the Federal Government, other institutions and bodies as well as to the public. On
At the request of the German Bundestag, one of its committees or the federal government, the or the
Federal Commissioner also provides information on data protection matters and processes in the public sector
Post the federal government.
(3) The Federal Commissioner facilitates the submission of the items mentioned in paragraph 1 sentence 1 number 6
Complaints through measures such as the provision of a complaint form, which is also electronic
can be completed without excluding other means of communication.

- Page 12 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 13

(4) The fulfillment of the tasks of the Federal Commissioner is free of charge for the person concerned. At
Obviously unfounded or, especially in the case of frequent repetition, excessive inquiries
the Federal Commissioner shall demand a reasonable fee based on the administrative costs
or refuse to act on the request. In this case, the Federal Commissioner bears the
Burden of proof for the manifestly unfounded or excessive nature of the request.
§ 15 Activity report
The Federal Commissioner prepares an annual report on his or her activities, which includes a list of
Types of violations reported and the types of actions taken, including those imposed
Sanctions and the measures under Article 58 (2) of Regulation (EU) 2016/679.
The Federal Commissioner forwards the report to the German Bundestag, the Bundesrat and the
Federal Government and makes it public, the European Commission and the European
Data protection committee accessible.
Section 16 Powers
(1) The Federal Commissioner shall take the powers within the scope of Regulation (EU) 2016/679
according to Article 58 of Regulation (EU) 2016/679 true. If the Federal Commissioner comes to the conclusion,
that violations of data protection regulations or other deficiencies in processing
personal data is available, he or she notifies the responsible legal or technical supervisory authority
with and gives this before exercising the powers of Article 58 paragraph 2 letters b to g, i and j of
Regulation (EU) 2016/679 to give the person responsible the opportunity to comment within a
reasonable time. The opportunity to comment can be waived if
an immediate decision appears necessary because of imminent danger or in the public interest, or
it is opposed to a compelling public interest. The opinion should also provide a representation of the
Contain measures that have been taken on the basis of notification by the Federal Commissioner.
(2) Provides the Federal Commissioner with data processing by public authorities of the federal government
Purposes outside the scope of Regulation (EU) 2016/679 violations of the regulations
this Act or against other regulations on data protection or other deficiencies in the
Processing or use of personal data, he or she will complain to the
competent supreme federal authority and asks it to comment within one of her or him
deadline to be determined. The Federal Commissioner can refrain from making a complaint or
refrain from commenting, especially if it is insignificant or has since been eliminated
Defects. The opinion should also contain a description of the measures that have been taken due to the
Complaints have been made by the Federal Commissioner. The Federal Commissioner can
also warn the person responsible that intended processing operations are likely to violate in
contained in this law and other provisions applicable to the respective data processing on the
Violate data protection.
(3) The powers of the Federal Commissioner also extend to
1. Personal data obtained from its or its supervisory bodies on the content and
the detailed circumstances of the letter, post and telecommunications traffic and
2. Personal data that are subject to special official secrecy, in particular tax secrecy
Section 30 of the Tax Code.
The basic right to the secrecy of letters, post and telecommunications under Article 10 of the Basic Law shall apply in this respect
limited.
(4) The public authorities of the Federation are obliged to inform the Federal Commissioner and their or
his agent
1. Access to the property and service rooms at any time, including all data processing systems
and devices, as well as all personal data and information necessary for the fulfillment of his or her
Tasks are necessary to grant and
2. to provide all information that is necessary for the performance of his or her tasks.
For non-public bodies, the obligation of sentence 1 number 1 only applies during normal operating
and business hours.

- Page 13 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 14

(5) The Federal Commissioner acts on the cooperation with the public authorities responsible for the
Control of compliance with the rules on data protection in the countries responsible, as well as with the
Supervisory authorities according to § 40. Section 40 (3) sentence 1 second half-sentence applies accordingly.
footnote
(+++ § 16 Paragraph 4: for application see § 40 Paragraph 5 and § 85 Paragraph 2 +++)

Chapter 5
Representation in the European Data Protection Board, central contact point,
Cooperation between the federal and state supervisory authorities in
European Union affairs
§ 17 Representation in the European Data Protection Committee, central contact point
(1) The joint representative in the European Data Protection Board and central contact point is the
Federal Commissioner (joint representative). As a representative of the joint representative
the Federal Council elects a head of the supervisory authority of a state (deputy). The optional
takes place for five years. With the departure from office as head of the supervisory authority of a
Landes ends at the same time the function as deputy. Re-election is permitted.
(2) The joint representative delegates in matters relating to the performance of a task for
which the countries alone have the right to legislate, or which the institution or the procedure
concern of state authorities, the deputy at his request the conduct of negotiations and the
Right to vote in the European Data Protection Board.
Section 18 Procedure for cooperation between the federal and state supervisory authorities
(1) The federal commissioner and the supervisory authorities of the federal states (federal supervisory authorities and
of the federal states) work in matters of the European Union with the aim of uniform application
Regulation (EU) 2016/679 and Directive (EU) 2016/680 together. Before submitting a
common position to the supervisory authorities of the other member states, the European Commission
or the European Data Protection Committee are the supervisory authorities of the federal and state governments
early opportunity to comment. For this purpose, they exchange among themselves all that are useful
Information from. The supervisory authorities of the Federation and the Länder involve the authorities referred to in Article 85
and 91 of Regulation (EU) 2016/679 established specific supervisory authorities, provided that they are supported by the
Matter are affected.
(2) Insofar as the supervisory authorities of the Federation and the Länder do not agree on the joint
Achieving a position shall be laid down by the lead authority or, in the absence of such, the joint authority
The representative and his alternate submit a proposal for a common position. Agree the
joint representative and his alternate not responding to a proposal for a common position,
lays down in matters that concern the performance of tasks for which the federal states alone have the right
the legislation, or which concern the establishment or the procedure of state authorities,
the alternate adopts the proposal for a common position. Missing in the remaining cases
By mutual agreement according to sentence 2, the joint representative determines the position. According to sentences 1 to 3
Proposed position is to be used as a basis for negotiations, if not the supervisory authorities of
The federal and state governments decide on a different point of view with a simple majority. The federal government and every country
each have one vote. Abstentions are not counted.
(3) The common representative and his / her deputy are to take part in the common position according to the
Paragraphs 1 and 2 and, taking into account this point of view, amicably set the respective
Negotiation firmly. Should an agreement not be reached, the decision in § 18 paragraph
2 sentence 2 mentioned matters of the deputy on the further conduct of negotiations. In the rest
In cases, the joint representative has the casting vote.
§ 19 Responsibilities
(1) Lead supervisory authority of a country in the procedure of cooperation and coherence according to
Chapter VII of Regulation (EU) 2016/679 is the supervisory authority of the country in which the person responsible
or the processor has its main place of business within the meaning of Article 4 number 16 of the Regulation

- Page 14 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 15

(EU) 2016/679 or its only establishment in the European Union within the meaning of Article 56 (1)
of Regulation (EU) 2016/679. In the area of ​responsibility of the Federal Commissioner, Article 56 applies
Paragraph 1 in conjunction with Article 4 Number 16 of Regulation (EU) 2016/679 accordingly. Consists of the
Leadership does not agree, the procedure for determining the lead supervisory authority is found
of § 18 paragraph 2 corresponding application.
(2) The supervisory authority to which a data subject has lodged a complaint shall file the complaint
to the lead supervisory authority according to paragraph 1, in the absence of such to the supervisory authority
of a country in which the controller or the processor has a branch. Will be a
If a complaint is submitted to a supervisory authority that is not competent, it will give in if a submission is made
Sentence 1 does not come into consideration, the complaint to the supervisory authority at the place of residence of the complainant
from. The receiving supervisory authority is deemed to be the supervisory authority in accordance with Chapter VII of the
Regulation (EU) 2016/679, to which the complaint was submitted, and meets the obligations
Article 60 paragraph 7 to 9 and Article 65 paragraph 6 of Regulation (EU) 2016/679. In the area of ​responsibility
the federal commissioner gives the supervisory authority to which a complaint was lodged,
this, if a charge according to paragraph 1 is not possible, to the Federal Commissioner or the
Federal Commissioner.

Chapter 6
Remedies
§ 20 Judicial legal protection
(1) For disputes between a natural or legal person and a supervisory authority of
Federal government or a state on rights according to Article 78 paragraph 1 and 2 of Regulation (EU) 2016/679 as well as §
61 the administrative legal process is given. Sentence 1 does not apply to fine proceedings.
(2) The administrative court rules shall apply in accordance with paragraphs 3 to 7.
(3) The administrative court in whose district the
Supervisory authority has its seat.
(4) The supervisory authority is able to participate in proceedings according to Paragraph 1 Clause 1.
(5) are involved in a procedure according to paragraph 1 sentence 1
1. the natural or legal person as the claimant or applicant and
2. the supervisory authority as the defendant or the respondent.
Section 63 numbers 3 and 4 of the Administrative Court Regulations remain unaffected.
(6) There will be no preliminary proceedings.
(7) The supervisory authority may not impose immediate enforcement against an authority or its legal entity
order in accordance with Section 80 (2) sentence 1 number 4 of the Administrative Court Regulations.
§ 21 Application by the supervisory authority for a judicial decision if accepted
Illegality of a decision of the European Commission
(1) If a supervisory authority holds an adequacy decision by the European Commission, a resolution
about the recognition of standard protection clauses or about the general validity of approved ones
Rules of conduct, the validity of which is important for a decision by the supervisory authority, for
unlawful, the supervisory authority has to suspend its proceedings and submit an application for judicial
Decision to make.
(2) Administrative legal channels are available for proceedings under paragraph 1. The administrative court code is
to be used in accordance with paragraphs 3 to 6.
(3) In the first and last instance, the shall decide on an application from the supervisory authority in accordance with paragraph 1
Federal Administrative Court.
(4) The supervisory authority is able to participate in proceedings under paragraph 1. In a procedure according to paragraph 1 is
the supervisory authority is involved as the applicant; Section 63 numbers 3 and 4 of the Administrative Court Rules remain

- Page 15 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 16

untouched. The Federal Administrative Court can give the European Commission the opportunity to make a statement
give a deadline to be determined.
(5) Is a procedure for checking the validity of a decision of the European Commission under paragraph
1 pending before the Court of Justice of the European Union, the Federal Administrative Court may order that
the hearing is to be suspended until the proceedings before the Court of Justice of the European Union have been settled.
(6) In proceedings according to Paragraph 1, Section 47 Paragraph 5 Clause 1 and Paragraph 6 of the Administrative Court Code apply
apply accordingly. If the Federal Administrative Court comes to the conclusion that the decision
of the European Commission under paragraph 1 is valid, it shall state this in its decision. Otherwise
it raised the question of the validity of the decision under Article 267 of the Treaty on the Functioning of the
European Union to the Court of Justice of the European Union for a decision.

Part 2
Implementing rules for processing for the purposes of Article 2 of the
Regulation (EU) 2016/679
Chapter 1
Legal basis for processing personal data
Part 1
Processing of special categories of personal data and processing
for other purposes
§ 22 Processing of special categories of personal data
(1) Notwithstanding Article 9 (1) of Regulation (EU) 2016/679, the processing is special categories
personal data within the meaning of Article 9 (1) of Regulation (EU) 2016/679
1. by public and non-public bodies, if they
a) is necessary to meet those arising from social security and social protection law
To exercise rights and to comply with related obligations,
b) for the purpose of preventive health care, for assessing the employee's ability to work, for
medical diagnostics, care or treatment in the health or social sector
or for the administration of systems and services in the health and social sector or due to
of a contract between the data subject and a healthcare professional
and this data is provided by medical staff or by other persons who have a corresponding
Are subject to confidentiality obligations or are processed under their responsibility,
c) for reasons of public interest in the area of ​public health, such as protection
against serious cross-border health threats or as a guarantee
high quality and safety standards in healthcare and pharmaceuticals
and medical devices is required; in addition to the measures mentioned in paragraph 2
are in particular the professional and criminal law requirements for safeguarding the
To maintain professional secrecy, or
d) is absolutely necessary for reasons of considerable public interest,
2. by public bodies if they
a) is necessary to avert a significant threat to public safety,
b) to avert significant disadvantages for the common good or to safeguard significant interests of the
The common good is imperative or
c) for imperative reasons of defense or the fulfillment of supranational or intergovernmental
Obligations of a public agency of the federal government in the field of crisis management or
Conflict prevention or humanitarian action is necessary
and as far as the interests of the person responsible in the data processing in the cases of number 1 letter
d and number 2 outweigh the interests of the data subject.
(2) In the cases of paragraph 1, appropriate and specific measures to safeguard the interests of
data subject to be provided. Taking into account the state of the art, the implementation costs

- Page 16 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 17

and the type, scope, circumstances and purposes of processing, as well as the different
The likelihood of occurrence and severity of the risks associated with the processing for the rights and
Freedoms of natural persons can include in particular:
1.

technical organizational measures to ensure that the processing is carried out in accordance with the
Regulation (EU) 2016/679 takes place,

2.

Measures to ensure that it can be subsequently checked and determined whether and from
to whom personal data has been entered, changed or removed,

3.

Raising the awareness of those involved in processing operations,

4th

Appointment of a data protection officer,

5.

Restriction of access to personal data within the responsible body and
from contract processors,

6th

Pseudonymization of personal data,

7th

Encryption of personal data,

8th.

Ensuring the ability, confidentiality, integrity, availability and resilience of the systems
and services related to the processing of personal data, including the
Ability to have availability and access quickly in the event of a physical or technical incident
restore,

9.

to ensure the security of the processing the establishment of a procedure for regular
Review, assessment and evaluation of the effectiveness of the technical and organizational
Measures or

10. Specific procedural rules that apply in the event of a transfer or processing for other purposes
ensure compliance with the requirements of this Act and Regulation (EU) 2016/679.
footnote
(+++ § 22 Paragraph 2: for application see § 26 Paragraph 3 +++)
§ 23 Processing for other purposes by public bodies
(1) The processing of personal data for a purpose other than that for which the data was sent
were collected by public bodies in the context of their task performance is permissible if
1. It is obvious that it is in the interests of the data subject and not a reason to believe
there is that she would refuse her consent knowing the other purpose,
2. Information from the data subject must be checked because there are actual indications for their
Inaccuracy exist,
3. to avert significant disadvantages for the common good or a danger to public safety,
defense or national security, for the protection of significant interests of the common good or for
It is necessary to secure the tax and customs revenue,
4. They are used for the prosecution of criminal offenses or administrative offenses, for enforcement or for enforcement
of penalties or measures within the meaning of Section 11 Paragraph 1 Number 8 of the Criminal Code or of
Educational measures or breeding materials within the meaning of the Juvenile Court Act or for the enforcement of
Fines are required,
5. it is necessary to avert a serious impairment of the rights of another person
or
6. they exercise supervisory and control powers, audit or
Conducting organizational investigations by the person in charge; this also applies to the
Processing for training and examination purposes by the person responsible, as far as worthy of protection
This does not conflict with the interests of the data subject.
(2) The processing of special categories of personal data within the meaning of Article 9 paragraph 1 of
Regulation (EU) 2016/679 is for a different purpose than that for which the data was collected
permissible if the requirements of paragraph 1 and an exception under Article 9 paragraph 2 of
Regulation (EU) 2016/679 or § 22 are available.

- Page 17 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 18

§ 24 Processing for other purposes by non-public bodies
(1) The processing of personal data for a purpose other than that for which the data was sent
collected by non-public bodies is permitted if
1. They are used to avert threats to state or public security or to pursue
Criminal offense is required or
2. it is necessary to assert, exercise or defend claims under civil law,
unless the interests of the data subject in the exclusion of processing outweigh this.
(2) The processing of special categories of personal data within the meaning of Article 9 paragraph 1 of
Regulation (EU) 2016/679 is for a different purpose than that for which the data was collected
permissible if the requirements of paragraph 1 and an exception under Article 9 paragraph 2 of
Regulation (EU) 2016/679 or § 22 are available.
§ 25 data transfers by public bodies
(1) The transmission of personal data by public bodies to public bodies is permitted,
if they are for the fulfillment of the responsibility of the transmitting body or of the third party to whom the
Data are transmitted, lying tasks are required and the prerequisites are met
Would allow processing according to § 23. The third party to whom the data is transmitted may only use it for the
Process the purpose for the fulfillment of which they are transmitted to him. Processing for other purposes is
permissible under the conditions of § 23.
(2) The transmission of personal data by public bodies to non-public bodies is permitted,
if
1. it is necessary for the fulfillment of the tasks which are the responsibility of the transmitting body and
the prerequisites exist that would allow processing according to Section 23,
2. the third party to whom the data is transmitted has a legitimate interest in knowing the to
transmitted data credibly and the data subject has no legitimate interest in the
Exclusion of the transmission has or
3. it is necessary to assert, exercise or defend legal claims
and the third party has undertaken to the transmitting public body to only use the data for the
To process the purpose for the fulfillment of which they are transmitted to him. Processing for other purposes is
permissible if a transmission according to sentence 1 would be permissible and the transmitting body has consented.
(3) The transmission of special categories of personal data within the meaning of Article 9 paragraph
1 of Regulation (EU) 2016/679 is permissible if the requirements of paragraph 1 or 2 and a
Exception according to Article 9 Paragraph 2 of Regulation (EU) 2016/679 or Article 22 exist.

Section 2
Special processing situations
Section 26 Data processing for the purposes of the employment relationship
(1) Personal data of employees may be processed for the purposes of the employment relationship
if this is necessary for the decision on the establishment of an employment relationship or after
Establishment of the employment relationship for its implementation or termination or for exercise
or fulfillment of a law or a collective agreement, a company or service agreement
(Collective agreement) resulting rights and obligations of the employee representatives are required
is. Personal data of employees may only then be processed in order to detect criminal offenses
if factual indications to be documented give rise to the suspicion that the person concerned
Person in the employment relationship has committed a criminal offense, the processing is necessary for detection
and the legitimate interest of the employee in the exclusion of the processing is not
predominates, in particular the type and extent are not disproportionate to the occasion.
(2) If the processing of personal data of employees takes place on the basis of consent,
so for the assessment of the voluntary nature of the consent in particular those in the employment relationship
existing dependency of the employed person as well as the circumstances under which the consent is given

- Page 18 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 19

has been taken into account. In particular, voluntariness can exist if a
legal or economic advantage is achieved or employer and employed person are the same
Pursue interests. Consent must be given in writing or electronically, unless due to
under special circumstances another form is appropriate. The employer has the employed person over the
Purpose of data processing and your right of withdrawal according to Article 7 Paragraph 3 of Regulation (EU) 2016/679
to be clarified in text form.
(3) Notwithstanding Article 9 (1) of Regulation (EU) 2016/679, the processing is special categories
personal data within the meaning of Article 9 (1) of Regulation (EU) 2016/679 for the purposes of
Employment relationship permitted if it is used to exercise rights or to fulfill legal obligations
from labor law, social security law and social protection law is required and not a reason
to the assumption that the legitimate interest of the data subject in the exclusion of the
Processing predominates. Paragraph 2 also applies to consent to the processing of special categories
personal data; the consent must explicitly refer to this data. § 22 paragraph
2 applies accordingly.
(4) The processing of personal data, including special categories of personal data
Data from employees for the purposes of the employment relationship is based on
Collective agreements permitted. The negotiating partners have Article 88 (2) of the Regulation (EU)
2016/679 to be observed.
(5) The person responsible must take suitable measures to ensure that in particular the in
Principles for the processing of personal data set out in Article 5 of Regulation (EU) 2016/679
be respected.
(6) The participation rights of the employee representatives remain unaffected.
(7) Paragraphs 1 to 6 also apply if personal data, including special ones
Categories of personal data that are processed by employees without being in a
File system are or are to be saved.
(8) Employees within the meaning of this Act are:
1. Employees, including temporary workers in
Relationship with the borrower,
2. Employees for their vocational training,
3. Participants in services for participation in working life as well as in clarifications of the
professional suitability or work trials (rehabilitation candidates),
4. employees in recognized workshops for disabled people,
5. Volunteers who do a service according to the Youth Voluntary Service Act or the
Perform the Federal Voluntary Service Act,
6. Persons who are to be regarded as similar to employees because of their economic independence
are; These also include those who work from home and their equals,
7. Federal civil servants, federal judges, soldiers
as well as community service providers.
Applicants for an employment relationship as well as persons whose employment relationship
is considered to be employees.
§ 27 Data processing for scientific or historical research purposes and for
statistical purposes
(1) Notwithstanding Article 9 (1) of Regulation (EU) 2016/679, the processing is special
Categories of personal data within the meaning of Article 9 (1) of Regulation (EU) 2016/679 even without
Consent is permitted for scientific or historical research purposes or for statistical purposes,
if the processing is necessary for these purposes and the interests of the person responsible in the
Processing outweighs the interests of the data subject in excluding processing.
The person responsible sees appropriate and specific measures to safeguard the interests of those affected
Person according to § 22 paragraph 2 sentence 2.

- Page 19 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 20

(2) The rights of the data subjects provided for in Articles 15, 16, 18 and 21 of Regulation (EU) 2016/679
Person are limited to the extent that these rights are likely to facilitate the realization of the research or
Making statistical purposes impossible or seriously affecting them and restricting the fulfillment of the
Research or statistical purposes is necessary. The right of access under Article 15 of the Regulation
(EU) 2016/679 does not exist if the data are used for scientific research purposes
are necessary and the provision of information would require a disproportionate effort.
(3) In addition to the measures mentioned in Section 22 (2), there are also scientific or historical measures
Special categories of personal data processed for research purposes or for statistical purposes
To anonymize data within the meaning of Article 9 (1) of Regulation (EU) 2016/679 as soon as this is done after
Research or statistical purposes are possible, unless there are legitimate interests of the data subject
against that. Until then, the characteristics are to be saved separately with which individual information about personal
or factual circumstances can be assigned to a specific or identifiable person. they may
are only merged with the individual information if the research or statistical purpose requires this.
(4) The person responsible may only publish personal data if the person concerned
has consented or this for the presentation of research results on events in contemporary history
is essential.
§ 28 Data processing for archiving purposes in the public interest
(1) Notwithstanding Article 9 (1) of Regulation (EU) 2016/679, the processing is special categories
personal data within the meaning of Article 9 (1) of Regulation (EU) 2016/679 permitted if they
is required for archiving purposes in the public interest. The person responsible sees appropriate and
take specific measures to safeguard the interests of the data subject in accordance with Section 22 (2) sentence 2.
(2) The data subject has the right to information in accordance with Article 15 of Regulation (EU) 2016/679
not if the archive material has not been identified by the person's name or if no information has been given
that enable the archive material in question to be found with a reasonable administrative effort.
(3) The data subject has the right to rectification in accordance with Article 16 of Regulation (EU) 2016/679
not if the personal data are processed for archival purposes in the public interest.
If the data subject disputes the accuracy of the personal data, they have the option of one
Granting a reply. The responsible archive is obliged to provide a reply to the documents
to add.
(4) The provisions in Article 18 (1) (a), (b) and (d), Articles 20 and 21 of Regulation (EU) 2016/679
provided rights do not exist insofar as these rights are likely to result in the realization of the public
Make archiving purposes of interest impossible or seriously impair them and the exceptions for the
Fulfill these purposes are necessary.
§ 29 rights of the data subject and supervisory authority in the case of
Confidentiality obligations
(1) The obligation to inform the data subject in accordance with Article 14 (1) to (4) of Regulation (EU)
2016/679 is in addition to the exceptions mentioned in Article 14 (5) of Regulation (EU) 2016/679
not, insofar as their fulfillment reveals information that is essentially due to its nature
the overriding legitimate interests of a third party must be kept secret. The right to
Information from the data subject in accordance with Article 15 of Regulation (EU) 2016/679 does not exist if the
Disclosure Information would be disclosed according to a legal provision or its nature, in particular
because of the overriding legitimate interests of a third party, must be kept secret. The duty
for notification in accordance with Article 34 of Regulation (EU) 2016/679, in addition to that in Article
34 (3) of Regulation (EU) 2016/679 does not apply to the extent that the notification
Information would be disclosed according to a legal regulation or its nature, in particular because of
the overriding legitimate interests of a third party must be kept secret. Different
from the exception under sentence 3, the person concerned is entitled to under Article 34 of Regulation (EU) 2016/679
notify if the interests of the data subject, especially taking into account threatening
Damage outweighs the interest in secrecy.
(2) If data from third parties are transferred to a person in the course of admission or as part of a mandate
The transferring agency is obliged to inform the

- Page 20 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 21

data subject according to Article 13 (3) of Regulation (EU) 2016/679 not, unless the interest
the data subject predominates in the provision of information.
(3) Towards the persons named in Section 203 (1), (2a) and (3) of the Criminal Code or their
Processors have the powers of investigation of the supervisory authorities in accordance with Article 58 (1)
Letters e and f of Regulation (EU) 2016/679 not, insofar as the use of the powers for a
Breach of the confidentiality obligations of these persons. Obtained a regulatory authority
In the course of an investigation, knowledge of data that is subject to a duty of confidentiality within the meaning of sentence 1
the duty of confidentiality also applies to the supervisory authority.
Section 30 Consumer Credit
(1) A body that collects personal data on a business basis that is used to assess the creditworthiness of
May be used by consumers, collects, stores or changes for the purpose of transmission
Requests for information from lenders from other member states of the European Union are also accepted
treat like requests for information from domestic lenders.
(2) Anyone who concludes a consumer loan contract or a contract for a fee
Refuses financial aid with a consumer as a result of information from a body within the meaning of paragraph 1,
must inform the consumer immediately about this and about the information received. The briefing
does not take place if this would jeopardize public safety or order. Section 37 remains unaffected.
§ 31 Protection of commercial transactions with scoring and credit reports
(1) The use of a probability value about certain future behavior of a
natural person for the purpose of deciding on the establishment, implementation or termination of a
Contractual relationship with this person (scoring) is only permitted if
1. the provisions of data protection law have been complied with,
2. the data used to calculate the probability value based on a
scientifically recognized mathematical-statistical procedure verifiable for the calculation of the
Probability of certain behavior are significant,
3. Address data was not used exclusively for calculating the probability value and
4. in the case of the use of address data, the data subject before the calculation of the
Probability value has been informed about the intended use of this data; the
Information is to be documented.
(2) The use of a probability value determined by credit agencies about the solvency and
A natural person's willingness to pay is only in the case of the inclusion of information about claims
permissible as long as the requirements according to paragraph 1 are met and only those claims over an owed
Services that have not been provided despite the due date are taken into account,
1. which have been determined by a final judgment or judgment that has been declared provisionally enforceable or
for which there is a debt instrument pursuant to Section 794 of the Code of Civil Procedure,
2. those determined in accordance with Section 178 of the Insolvency Code and not disputed by the debtor in the examination date
have been,
3. which the debtor has expressly recognized,
4. at those
a) the debtor has been reminded in writing at least twice after the due date of the claim
has been,
b) the first reminder was at least four weeks ago,
c) the debtor beforehand, but at the earliest with the first reminder, about a possible consideration
has been informed by a credit agency and
d) the debtor has not disputed the claim or
5. whose underlying contractual relationship is terminated without notice due to payment arrears
can and where the debtor previously has a possible consideration by a credit agency
has been taught.

- Page 21 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 22

The permissibility of the processing, including the determination of probability values, by others
Data relevant to creditworthiness according to general data protection law remains unaffected.

Chapter 2
Rights of the data subject
Section 32 Duty to provide information when collecting personal data from the data subject
(1) The obligation to inform the data subject in accordance with Article 13 (3) of Regulation (EU) 2016/679
does not exist in addition to the exception mentioned in Article 13 (4) of Regulation (EU) 2016/679,
if the provision of information about the intended further processing
1. concerns the further processing of data stored in the same way, in which the person responsible through the
Further processing applies directly to the person concerned, the purpose with the original
The purpose of the survey in accordance with Regulation (EU) 2016/679 is compatible with the communication with the
data subject does not take place in digital form and the interest of the data subject in the
Provision of information according to the circumstances of the individual case, in particular with a view to the context,
in which the data was collected is to be regarded as low,
2. in the case of a public body, the proper fulfillment of the obligations under the jurisdiction of
Responsible tasks within the meaning of Article 23 paragraph 1 letters a to e of the Regulation
(EU) 2016/679 and the interests of the person responsible in not issuing the
Information outweigh the interests of the data subject,
3. endanger public safety or order or otherwise the well-being of the federal government or a state
Would cause disadvantages and the interests of the person responsible in the non-disclosure of the information
The interests of the data subject prevail,
4. would impair the establishment, exercise or defense of legal claims and the
Interests of the person responsible in not providing the information, the interests of those concerned
Person outweigh or
5. would jeopardize the confidential transmission of data to public bodies.
(2) If the data subject is not informed in accordance with paragraph 1, the shall take action
Those responsible take appropriate measures to protect the legitimate interests of the data subject,
including the provision of those mentioned in Article 13 (1) and (2) of Regulation (EU) 2016/679
Information for the public in a precise, transparent, understandable and easily accessible form
in clear and simple language. The person responsible sets out in writing the reasons for which he is from
has sought information. Sentences 1 and 2 do not apply in the cases of paragraph 1 numbers 4 and 5
Application.
(3) If the notification is omitted in the cases of paragraph 1 because of a temporary one
Obstacle, comes the person responsible for the information obligation taking into account the specific
Circumstances of processing within a reasonable period after the reason for the hindrance no longer applies,
however, within two weeks at the latest.
footnote
(+++ § 32: for the application see § 4 paragraph 4 +++)
(+++ § 32 Paragraph 2: for application see § 85 Paragraph 3 +++)
Section 33 Duty to provide information if the personal data is not with the data subject
were collected
(1) The obligation to inform the data subject in accordance with Article 14 (1), (2) and (4) of Regulation (EU)
2016/679 is in addition to those in Article 14 Paragraph 5 of Regulation (EU) 2016/679 and in Section 29 Paragraph
1 sentence 1 does not apply if the information is provided
1. in the case of a public body
a) the proper fulfillment of the tasks within the responsibility of the person responsible
Would endanger the meaning of Article 23 paragraph 1 letters a to e of Regulation (EU) 2016/679 or
b) endanger public safety or order or otherwise the well-being of the federal government or one of them
Disadvantages for the country

- Page 22 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 23

and therefore the interest of the data subject in the provision of information must be withdrawn,
2. in the case of a non-public body
a) impair the assertion, exercise or defense of claims under civil law
or the processing involves data from civil law contracts and the prevention of
Damage caused by criminal offenses serves, unless the legitimate interest of the person concerned in the
The provision of information predominates, or
b) the responsible public body has established to the person responsible that the
If the data becomes known, they endanger public safety or order or otherwise endanger the welfare
would be disadvantageous to the federal government or a state; in the case of data processing for purposes
criminal prosecution does not require a determination according to the first half-sentence.

(2) If the data subject is not informed in accordance with paragraph 1, the shall take action
Those responsible take appropriate measures to protect the legitimate interests of the data subject,
including the provision of those referred to in Article 14 (1) and (2) of Regulation (EU) 2016/679
Information for the public in a precise, transparent, understandable and easily accessible form in
clear and simple language. The person responsible sets out in writing the reasons for which he is asked by a
Information.
(3) Refers to the provision of information on the transmission of personal data by public
Positions at the constitution protection authorities, the Federal Intelligence Service, the military counterintelligence service and,
as far as the security of the federal government is affected, other authorities of the Federal Ministry of Defense
they are only permitted with the consent of these bodies.
footnote
(+++ Section 33 Paragraph 2: for application see Section 85 Paragraph 3 +++)
Section 34 Right of the data subject to obtain information
(1) The data subject has the right to information in accordance with Article 15 of Regulation (EU) 2016/679
in addition to the exceptions mentioned in Section 27 (2), Section 28 (2) and Section 29 (1) sentence 2, not if
1. the person concerned is not to be informed in accordance with Section 33 (1) number 1, 2 letter b or paragraph 3,
or
2. the data
a) are only stored because they are due to legal or statutory
Retention regulations may not be deleted, or
b) are used exclusively for data backup or data protection purposes
and the provision of information would require a disproportionate effort and processing
for other purposes is excluded through appropriate technical and organizational measures.

(2) The reasons for the refusal to provide information must be documented. The refusal to provide information
is to be justified to the person concerned, unless by the communication of the actual and
Legal reasons on which the decision is based, the purpose pursued with the refusal to provide information
would be endangered. For the purpose of providing information to the data subject and for their preparation
Stored data may only be processed for this purpose and for data protection control purposes
become; for other purposes, the processing is in accordance with Article 18 of Regulation (EU) 2016/679
to restrict.
(3) If the data subject is not provided with any information by a public agency of the federal government, it is
to issue the Federal Commissioner at their request, unless the relevant supreme authority
Federal authority determines in individual cases that this endangers the security of the federal government or a state
would. The notification of the Federal Commissioner to the person concerned about the result of the
The data protection check must not allow any conclusions to be drawn about the level of knowledge of the person responsible,
unless they consent to further information.
(4) The right of the data subject to information about personal data obtained by a public
Place neither processed automatically nor processed automatically and in a file system

- Page 23 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 24

only exists if the data subject provides information that enables the data to be found
enable, and the effort required to provide the information is not disproportionate to that of the
data subject asserted interest in information.
§ 35 right to erasure
(1) Is a deletion in the case of non-automated data processing due to the special type of storage
not possible or only possible with disproportionately high effort and is in the interest of the person concerned
to be regarded as minor in terms of deletion, the data subject has the right to and the duty of
Responsible for the deletion of personal data according to Article 17 paragraph 1 of the Regulation (EU)
2016/679 in addition to the exceptions mentioned in Article 17 (3) of Regulation (EU) 2016/679.
In this case, instead of deletion, processing is restricted in accordance with Article 18 of the
Regulation (EU) 2016/679. Sentences 1 and 2 do not apply if the personal data
have been processed unlawfully.
(2) In addition to Article 18 paragraph 1 letters b and c of Regulation (EU) 2016/679, paragraph 1 sentence 1 and applies
2 accordingly in the case of Article 17 paragraph 1 letters a and d of Regulation (EU) 2016/679, as long as and
insofar as the person responsible has reason to believe that deletion will result in interests worthy of protection
the data subject would be affected. The person responsible informs the data subject about
the restriction of processing, unless the information proves to be impossible or one
would require disproportionate effort.
(3) In addition to Article 17 paragraph 3 letter b of Regulation (EU) 2016/679, paragraph 1 applies accordingly in
Case of Article 17 Paragraph 1 Letter a of Regulation (EU) 2016/679, if a deletion is in accordance with the statutes
or contractual retention periods conflict.
Section 36 Right to Object
The right to object under Article 21 (1) of Regulation (EU) 2016/679 to a
public body does not exist if there is an overriding public interest in the processing that
the interests of the data subject prevail, or a legal provision obliges processing.
Section 37 Automated decisions in individual cases including profiling
(1) The right under Article 22 (1) of Regulation (EU) 2016/679, none exclusively on one
To be subject to automated processing-based decision is based on the in Article
22 (2) letters a and c of Regulation (EU) 2016/679 do not apply if the
Decision is made in the context of the provision of services under an insurance contract and
1. the request of the person concerned has been granted or
2. the decision is based on the application of binding fee regulations for medical treatment and
the person responsible in the event that the application is not granted in full, appropriate
Takes measures to safeguard the legitimate interests of the data subject, including at least that
Right to obtain the intervention of a person on the part of the person responsible, to have one's own statement
Standpoint and to contest the decision counts; the person responsible informs the person concerned
Person about these rights at the latest at the time of notification from which it follows that the application
the person concerned is not granted in full.
(2) Decisions under paragraph 1 may be based on the processing of health data within the meaning of Article 4
Number 15 of Regulation (EU) 2016/679. The person in charge sees appropriate and specific
Measures to safeguard the interests of the data subject in accordance with Section 22 (2) sentence 2.

Chapter 3
Obligations of the controllers and processors
§ 38 data protection officers of non-public bodies
(1) In addition to Article 37 paragraph 1 letters b and c of Regulation (EU) 2016/679, the
The person responsible and the processor is a data protection officer or a data protection officer,
insofar as they usually have at least 20 people constantly using automated processing
deal with personal data. Take the controller or the processor
Processing operations that require a data protection impact assessment in accordance with Article 35 of Regulation (EU) 2016/679

- Page 24 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 25

are subject to, or do they process personal data commercially for the purpose of transmission,
the anonymized transmission or for purposes of market or opinion research, they have independent
a data protection officer or a
Appoint data protection officer.
(2) Section 6 (4), 5 (2) and (6) apply, but Section 6 (4) only applies if a
or a data protection officer is mandatory.
Section 39 Accreditation
The granting of the authority to act as a certification body in accordance with Article 43 Paragraph 1 Clause 1 of the Regulation (EU)
To become active in 2016/679 is carried out by the certification body responsible for data protection supervision
competent supervisory authority of the federal or state governments on the basis of an accreditation
the German accreditation body. Section 2 (3) sentence 2, Section 4 (3) and Section 10 (1) sentence 1 number 3
of the Accreditation Bodies Act apply with the proviso that data protection as a
Scope of application of Section 1, Paragraph 2, Clause 2 applies.

Chapter 4
Supervisory authority for data processing by non-public bodies
§ 40 supervisory authorities of the federal states
(1) The authorities responsible under state law monitor within the scope of the Regulation (EU)
2016/679 the application of the data protection regulations for the non-public bodies.
(2) If the controller or processor has several domestic branches, finds for
the determination of the competent supervisory authority Article 4 number 16 of Regulation (EU) 2016/679
appropriate application. If several authorities consider themselves responsible or not responsible or
if the jurisdiction is doubtful for other reasons, the supervisory authorities make the decision
takes place jointly in accordance with Section 18 (2). Section 3 (3) and (4) of the Administrative Procedure Act
appropriate application.
(3) The supervisory authority may only process the data it has saved for the purposes of supervision; here
it may transmit data to other supervisory authorities. Processing for another purpose is over
Article 6 (4) of Regulation (EU) 2016/679 permissible if
1. It is obvious that it is in the interests of the data subject and not a reason to believe
there is that she would refuse her consent knowing the other purpose,
2. They are used to avert significant disadvantages for the common good or a danger to public safety
or is necessary to safeguard significant interests of the common good or
3. They are used for the prosecution of criminal offenses or administrative offenses, for enforcement or for enforcement
of penalties or measures within the meaning of Section 11 Paragraph 1 Number 8 of the Criminal Code or of
Educational measures or breeding materials within the meaning of the Juvenile Court Act or for the enforcement of
Fines is required.
If the supervisory authority detects a violation of the data protection regulations, it is authorized to
to inform the persons concerned about the violation to others for prosecution or punishment
notify the competent authorities and, in the event of serious violations, the trade supervisory authority
To instruct the implementation of commercial law measures. Section 13 (4) sentences 4 to 7 apply accordingly.
(4) The bodies subject to supervision as well as the persons entrusted with their management have one
To provide the supervisory authority with the information necessary for the performance of its tasks upon request. The
The person responsible for providing information can refuse to answer such questions, which he himself or
one of the relatives of the danger named in Section 383 (1) numbers 1 to 3 of the Code of Civil Procedure
expose to criminal prosecution or to proceedings under the Administrative Offenses Act
would. The party responsible for providing information is to be made aware of this.
(5) A supervisory authority responsible for monitoring compliance with data protection regulations
Commissioned persons are authorized to assign property and business premises to the position in order to fulfill their tasks
and get access to all data processing systems and devices. The position is so far to
Duldung obligated. Section 16 (4) applies accordingly.

- Page 25 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 26

(6) The supervisory authorities advise and support the data protection officers with regard to theirs
typical needs. You can request the dismissal of the data protection officer if you
or he does not have the necessary specialist knowledge to fulfill his or her tasks or in the case of the
Article 38 (6) of Regulation (EU) 2016/679 there is a serious conflict of interest.
(7) The application of the trade regulations remains unaffected.
footnote
(+++ Section 40 (3) sentence 1: for application see Section 16 (5) +++)

Chapter 5
Sanctions
Section 41 Application of the regulations on administrative fines and criminal proceedings
(1) For violations according to Article 83 Paragraph 4 to 6 of Regulation (EU) 2016/679, unless this Act does not apply
otherwise determined, the provisions of the law on administrative offenses correspondingly. Sections 17, 35 and 36
of the law on administrative offenses do not apply. Section 68 of the Administrative Offenses Act
applies with the proviso that the district court decides if the fine is the
Exceeds one hundred thousand euros.
(2) For proceedings due to a violation under Article 83 paragraphs 4 to 6 of Regulation (EU) 2016/679,
Unless this Act provides otherwise, the provisions of the Act on Administrative Offenses
and the general laws on criminal proceedings, namely the Code of Criminal Procedure and the
Courts Constitution Act, accordingly. Sections 56 to 58, 87, 88, 99 and 100 of the Act on
Administrative offenses do not apply. Section 69 (4) sentence 2 of the Administrative Offenses Act
applies with the proviso that the public prosecutor's office only opens the procedure with the consent of the
The supervisory authority that issued the fine.
Section 42 Penal Provisions
(1) Anyone who does not knowingly is generally punished with imprisonment of up to three years or with a fine
accessible personal data of a large number of people without being authorized to do so,
1. transmitted to a third party or
2. makes it accessible in other ways
and acts on a commercial basis.
(2) Anyone who provides personal data is punished with imprisonment of up to two years or a fine
are not generally accessible,
1. without being authorized to do so, processed or
2. Surreptitiously through incorrect information
and acts in return for payment or with the intention of enriching himself or another person or another
to harm.
(3) The offense will only be prosecuted upon request. The person concerned, the person responsible, who
or the federal commissioner and the supervisory authority.
(4) A notification in accordance with Article 33 of Regulation (EU) 2016/679 or a notification in accordance with Article
34 Paragraph 1 of Regulation (EU) 2016/679 may be used in criminal proceedings against the person obliged to report or
The notifying person or his or her relatives designated in Section 52 (1) of the Code of Criminal Procedure are only included
Consent of the notifying party or notifying party may be used.
footnote
(+++ § 42: for application see § 84 +++)
(+++ § 42 Paragraph 4: for application see § 65 Paragraph 7 and § 66 Paragraph 6 +++)

- Page 26 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 27

Section 43 Administrative fines
(1) An administrative offense is committed by anyone who willfully or negligently
1. contrary to Section 30 (1), incorrectly handling a request for information or
2. contrary to Section 30 (2) sentence 1, not, not correctly, not completely or not in time a consumer
informed.
(2) The regulatory offense can be punished with a fine of up to fifty thousand euros.
(3) There are no fines against authorities and other public bodies within the meaning of Section 2 (1)
imposed.
(4) A notification in accordance with Article 33 of Regulation (EU) 2016/679 or a notification in accordance with Article 34
Paragraph 1 of Regulation (EU) 2016/679 may be used in proceedings under the Administrative Offenses Act
against the notifying party or notifying party or his / her in Section 52 (1) of the Code of Criminal Procedure
designated relatives are only used with the consent of the notifying party or the notifying party
become.

Chapter 6
Remedies
Section 44 Lawsuits against the controller or processor
(1) Legal actions by the data subject against a controller or a processor because of a
Violation of data protection regulations within the scope of Regulation (EU) 2016/679
or the rights of the data subject contained therein can be raised at the court of the place,
where a branch of the controller or processor is located. Actions under sentence 1
can also be raised at the court of the place where the person concerned has their ordinary
Has whereabouts.
(2) Paragraph 1 does not apply to actions against authorities that have acted in the exercise of their sovereign powers
are.
(3) Does the controller or processor have a representative in accordance with Article 27 (1) of the Regulation
(EU) 2016/679, the latter is also considered to be authorized to process deliveries in civil court proceedings
To receive paragraph 1. Section 184 of the Code of Civil Procedure remains unaffected.

part 3
Provisions for processing for purposes in accordance with Article 1 paragraph 1 of the
Directive (EU) 2016/680
Chapter 1
Scope, definitions and general principles for the
Processing of personal data
Section 45 Scope
The provisions of this part apply to the processing of personal data by those responsible for the prevention,
Investigation, detection, prosecution or punishment of criminal offenses or administrative offenses
public bodies, insofar as they process data for the purpose of fulfilling these tasks. The public
Positions are considered to be responsible. The prevention of criminal offenses within the meaning of sentence 1 includes the
Protection against and averting threats to public safety. Sentences 1 and 2 also find
Application to those public bodies responsible for the execution of penalties, of measures im
Within the meaning of Section 11 Paragraph 1 Number 8 of the Criminal Code, of educational measures or breeding materials in
Meaning of the Juvenile Court Act and fines are responsible. As far as this part regulations for
Contains contract processors, it also applies to them.
Section 46 Definitions
The terms:

- Page 27 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 28

1.

"Personal data" means any information that relates to an identified or identifiable
refer to natural person (data subject); a natural person is regarded as identifiable,
directly or indirectly, in particular by means of assignment to an identifier such as a name, to a
Identification number, location data, an online ID or one or more special ones
Traits expressing the physical, physiological, genetic, psychological, economic,
cultural or social identity of that person can be identified;

2.

“Processing” means any operation or process carried out with or without the aid of automated processes
such series of processes in connection with personal data such as the collection, recording,
the organization, the ordering, the storage, the adaptation, the change, the reading out, that
Query, use, disclosure by transmission, dissemination or any other form of the
Provision, comparison, linking, restriction, deletion or destruction;

3.

"Restriction of processing" the marking of stored personal data with the aim of
limit their future processing;

4th

"Profiling" any type of automated processing of personal data in which this data
used to refer to certain personal aspects that relate to a natural person
evaluate, in particular aspects of job performance, economic situation, health, the
personal preferences, interests, reliability, behavior, whereabouts or
Analyze or predict a change of location of this natural person;

5.

"Pseudonymization" is the processing of personal data in a way in which the data can be accessed without
Access to additional information is no longer assigned to a specific data subject
provided that this additional information is kept separate and technical
and organizational measures to ensure that the data is not affected
Can be assigned to a person;

6th

"File system" any structured collection of personal data that is based on certain criteria
are accessible regardless of whether this collection is centralized, decentralized or according to functional or
is organized according to geographical criteria;

7th

"Responsible" the natural or legal person, authority, institution or other body that
alone or together with others about the purposes and means of processing personal data
Data decides;

8th.

“Processor” means a natural or legal person, authority, agency or other body that
processes personal data on behalf of the controller;

9.

“Recipient” a natural or legal person, authority, agency or other body that
personal data is disclosed, regardless of whether it is a third party
act or not; Authorities who, within the scope of a specific investigation, according to the
Union law or other legal provisions received personal data, but are not considered
Receiver; the processing of this data by the named authorities is carried out in accordance with the
applicable data protection regulations according to the purposes of the processing;

10. "Personal data breach" means a security breach leading to
unintentional or unlawful destruction, loss, alteration or unauthorized use
Disclosure of or unauthorized access to personal data that has been processed
were;
11. "genetic data" personal data relating to the inherited or acquired genetic
Characteristics of a natural person who have unique information about the physiology or the
Provide health of this person, especially those obtained from the analysis of a biological sample of the
Person were won;
12. "Biometric data" acquired personal data using special technical processes
the physical, physiological or behavioral characteristics of a natural person who
enable or confirm the unique identification of this natural person, in particular
Facial images or dactyloscopic data;
13. "Health data" personal data relating to the physical or mental health of a
natural person, including the provision of health services
which provide information about their state of health;
14. "special categories of personal data"

- Page 28 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 29

a) Data showing the racial or ethnic origin, political opinions, religious or
ideological convictions or trade union membership emerge,
b) genetic data,
c) biometric data for the unique identification of a natural person,
d) health data and
e) data on sex life or sexual orientation;
15. "Supervisory authority" means one of a Member State in accordance with Article 41 of Directive (EU) 2016/680
established independent government agency;
16. “international organization” an organization under international law and its subordinate bodies as well as
any other body established by an agreement or by two or more states
the basis for such an agreement was created;
17. “Consent” each voluntarily for the specific case, in an informed manner and unambiguously
Declaration of intent given in the form of a declaration or other unequivocal confirmatory
Action by which the data subject indicates that they are processing them
I agree to the personal data concerned.
Section 47 General principles for the processing of personal data
Personal data must
1. processed in a lawful manner and in good faith,
2. collected for specified, explicit and legitimate purposes and not in conjunction with these purposes
processed in a manner to be agreed,
3. correspond to the processing purpose, be necessary for the achievement of the processing purpose and
their processing is not disproportionate to this purpose,
4. be factually correct and, if necessary, up to date; all of them are reasonable
Measures to be taken so that personal data are processed with a view to the purposes of their processing
are incorrect, deleted or corrected immediately,
5. Not stored in a form longer than is necessary for the purposes for which they are processed
which enables the identification of the data subjects, and
6. processed in a way that ensures adequate security of personal data
guaranteed; this also includes appropriate technical and organizational measures
guaranteeing protection against unauthorized or unlawful processing, accidental loss,
accidental destruction or damage.

Chapter 2
Legal basis for processing personal data
Section 48 Processing of special categories of personal data
(1) The processing of special categories of personal data is only permitted if it is used for
Task fulfillment is absolutely necessary.
(2) If special categories of personal data are processed, suitable guarantees are required for the
Provide legal interests for the data subjects. Suitable guarantees can be in particular
1.specific requirements for data security or data protection control,
2. the definition of special removal test periods,
3. raising the awareness of those involved in processing operations,
4. the restriction of access to personal data within the responsible body,
5. processing that is separate from other data,
6. the pseudonymization of personal data,
7. the encryption of personal data or

- Page 29 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 30

8. Specific procedural rules that apply in the event of a transfer or processing for other purposes
Ensure lawfulness of processing.
Section 49 Processing for other purposes
Processing of personal data for a purpose other than that for which it was collected
is permitted if the other purpose is one of the purposes mentioned in § 45,
the controller is authorized to process data for this purpose and the processing for this purpose
is necessary and proportionate. The processing of personal data to another, in § 45 not
mentioned purpose is permissible if it is provided for in a legal regulation.
Section 50 Processing for archival, scientific and statistical purposes
Personal data may be used within the scope of the purposes mentioned in § 45 in archival, scientific
or in statistical form if there is a public interest and appropriate
Guarantees are provided for the legal interests of the data subjects. Such guarantees can be included in a
anonymization of personal data as soon as possible, in precautions against
their unauthorized knowledge by third parties or in terms of their location and organization by others
Specialized tasks consist of separate processing.
Section 51 Consent
(1) As far as the processing of personal data according to a legal regulation on the basis of a
Consent can be given, the person responsible must prove the consent of the person concerned
can.
(2) If the data subject gives his / her consent by means of a written declaration, the other
As far as facts are concerned, the request for consent must be in an understandable and easily accessible form in a
clear and simple language in such a way that it can be clearly distinguished from the other issues.
(3) The person concerned has the right to withdraw their consent at any time. By revoking the
Consent does not affect the legality of the processing carried out on the basis of the consent up to the point of revocation
touched. The person concerned must be informed of this before giving their consent.
(4) The consent is only effective if it is based on the free decision of the person concerned. At
When assessing whether the consent was given voluntarily, the circumstances of the grant must be taken into account
become. The data subject must be informed of the intended purpose of the processing. Is this after the
Circumstances of the individual case required or if the person concerned requests this, they are also aware of the consequences of the
Refusal of consent to instruct.
(5) If special categories of personal data are processed, consent must be obtained
expressly refer to this data.
Section 52 Processing on the instructions of the person responsible
Any person reporting to a controller or processor who has access to
has personal data, this data may only be processed on the instructions of the person responsible,
unless it is obliged to process according to a legal regulation.
Section 53 data secrecy
Persons involved in data processing may not process personal data without authorization
(Data secrecy). They are to be committed to data secrecy when they begin their work. The
Data secrecy persists even after the termination of your activity.
Section 54 Automated Individual Decision-Making
(1) A decision based solely on automatic processing that involves a disadvantageous
Legal consequence for the data subject is connected or significantly affects them, is only permissible if they are in
a legal provision is provided.

- Page 30 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 31

(2) Decisions under paragraph 1 may not be based on special categories of personal data,
unless appropriate measures are taken to protect legal interests and the legitimate interests of
affected persons were hit.
(3) Profiling, which results in data subjects based on special categories
discriminating against personal data is prohibited.

Chapter 3
Rights of the data subject
§ 55 General information on data processing
The person responsible has information available in a general form and accessible to everyone
put about
1. the purposes of the processing carried out by him,
2. the rights of those affected with regard to the processing of their personal data
Persons for information, correction, deletion and restriction of processing,
3. the name and contact details of the person responsible and the data protection officer,
4. the right to call the Federal Commissioner, and
5. the availability of the Federal Commissioner.
Section 56 Notification of Data Subjects
(1) Is the notification of data subjects about the processing of personal data concerning them
Data provided or arranged in special legal provisions, in particular in the case of covert measures,
this notification must contain at least the following information:
1. the information specified in Section 55,
2. the legal basis for processing,
3. the storage period applicable to the data or, if this is not possible, the criteria for determining it
this duration,
4. where applicable, the categories of recipients of the personal data and
5. If necessary, further information, in particular if the personal data is unknowingly
were collected from the data subject.
(2) In the cases referred to in paragraph 1, the person responsible may notify us to this extent and for as long
postpone, restrict or refrain from doing otherwise
1. the fulfillment of the tasks mentioned in § 45,
2. public safety or
3. Legal interests of third parties
would be endangered if the interest in avoiding these dangers the information interest of the
affected person predominates.
(3) If the notification relates to the transmission of personal data
Constitutional Protection Authorities, the Federal Intelligence Service, the Military Counter-Intelligence Service and, as far as the
Federal security is affected, other authorities of the Federal Ministry of Defense, it is only with
Approval from these bodies is permitted.
(4) In the case of the restriction under Paragraph 2, Section 57 Paragraph 7 applies accordingly.
Section 57 Right to Information
(1) Upon request, the person responsible shall provide data subjects with information on whether they are concerned
Data processed. Data subjects also have the right to receive information about

- Page 31 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 32

1. the personal data that are the subject of processing and the category to which they belong
belong,
2. the information available on the origin of the data,
3. the purposes of the processing and their legal basis,
4. the recipients or the categories of recipients to whom the data has been disclosed,
in particular for recipients in third countries or international organizations,
5. the storage period applicable to the data or, if this is not possible, the criteria for determining it
this duration,
6. the existence of a right to correct, delete or restrict the processing of the data
by the person responsible,
7. the right according to § 60 to call the Federal Commissioner or the Federal Commissioner, as well as
8. Information on the availability of the Federal Commissioner.
(2) Paragraph 1 does not apply to personal data that are only processed because they are due to
statutory retention requirements may not be deleted or for the sole purpose of
Data backup or data protection control are used if the provision of information is disproportionate
Would require effort and processing for other purposes by suitable technical and
organizational measures are excluded.
(3) The provision of information is to be refrained from if the person concerned does not provide any information that would
Make it possible to find the data, and therefore the effort required to provide the information except
Is in relation to the interest in information asserted by the data subject.
(4) Under the conditions of Section 56 (2), the person responsible can use the information pursuant to (1) sentence
1 or partially or completely restrict the provision of information in accordance with paragraph 1 sentence 2.
(5) Does the provision of information relate to the transmission of personal data
Constitutional Protection Authorities, the Federal Intelligence Service, the Military Counter-Intelligence Service and, as far as the
Federal security is affected, other authorities of the Federal Ministry of Defense, it is only with
Approval from these bodies is permitted.
(6) The person responsible has the data subject to refrain from or restrict information
to be informed immediately in writing. This does not apply if the provision of this information is already a
Would pose a risk within the meaning of Section 56 (2). The notification according to sentence 1 must be justified,
unless the communication of the reasons is related to the refusal or restriction of the information
would endanger the purpose pursued.
(7) If the data subject has refrained from or restricted the information in accordance with paragraph 6
informed, she can also exercise her right to information via the Federal Commissioner or the Federal Commissioner
exercise. The person responsible has to inform the person concerned about this possibility as well as about
that they call the Federal Commissioner or the Federal Commissioner in accordance with Section 60 or take legal action
Can seek legal protection. If the person concerned makes use of his or her right under sentence 1, the
To provide information to the Federal Commissioner at your request, unless the responsible supreme authority
Federal authority determines in individual cases that this endangers the security of the federal government or a state
would. The Federal Commissioner must at least inform the person concerned that
all necessary tests have been carried out or a review has been carried out by them. This message
can contain the information whether violations of data protection law have been found. The communication of the
or the Federal Commissioner to the person concerned may not draw any conclusions about the level of knowledge of the
Allow the person responsible, unless they agree to any further information. The person in charge may
refuse consent only insofar and as long as he refrains from providing information in accordance with paragraph 4 or
could limit them. The Federal Commissioner also has the data subject's right to
to inform judicial protection.
(8) The person responsible must document the factual or legal reasons for the decision.
footnote
(+++ Section 57 Paragraph 7: for application see Section 56 Paragraph 4 and Section 58 Paragraph 7 +++)

- Page 32 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 33

(+++ Section 57 Paragraph 8: for application see Section 58 Paragraph 7 +++)
§ 58 Right to correction and deletion as well as restriction of processing
(1) The data subject has the right to have the person responsible rectify them without delay
to request incorrect data in question. In particular, in the case of statements or assessments, the
The question of correctness is not the content of the statement or assessment. If the correctness or incorrectness of the
If the data cannot be determined, the rectification is replaced by a restriction on processing.
In this case, the person responsible has to inform the data subject before applying the restriction again
cancels. The data subject can also have incomplete personal data completed
request if this is appropriate taking into account the purposes of the processing.
(2) The data subject has the right to request the data controller to delete the data relating to them without delay
To request data if its processing is inadmissible, knowledge of which is not necessary for the performance of the task
more is required or they have to be deleted to fulfill a legal obligation.
(3) Instead of deleting the personal data, the person responsible can process them
restrict if
1. There is reason to believe that deletion would be legitimate interests of a data subject
would affect
2. The data must be kept for evidence purposes in proceedings that serve the purposes of Section 45
or
3. No deletion due to the special type of storage or only with a disproportionate amount
Effort is possible.
Restricted data in accordance with sentence 1 may only be processed for the purpose of theirs
Deletion opposed.
(4) In the case of automated file systems, it must be technically ensured that processing is restricted
is clearly recognizable and processing for other purposes is not possible without further examination.
(5) If the person responsible has made a correction, he has a body that gives him the personal
Data has previously transmitted to notify the correction. In cases of correction, deletion or
The person responsible has the restriction of processing according to paragraphs 1 to 3 recipients to whom the
Data have been transmitted to notify these measures. The recipient has to correct the data, too
delete or restrict their processing.
(6) The person responsible has the data subject refrain from rectification or deletion
personal data or about the processing restriction taking their place in writing
teaching. This does not apply if the provision of this information already poses a risk within the meaning of Section 56
Paragraph 2 would involve. The notification according to sentence 1 must be justified, unless the notification
the reasons would jeopardize the purpose pursued by refraining from providing information.
(7) Section 57 (7) and (8) apply accordingly.
footnote
(+++ Section 58 Paragraphs 3 to 5: for application see Section 75 Paragraph 3 +++)
Section 59 Procedure for exercising the rights of the data subject
(1) The person responsible has to deal with data subjects using clear and simple language
Communicate in a precise, understandable and easily accessible form. Notwithstanding special
When answering applications, he should always use the form chosen for the application
use.
(2) In the case of applications, the person responsible must inform the data subject, without prejudice to Section 57 (6) and Section 58
To inform paragraph 6 immediately in writing of how the procedure was carried out.
(3) The provision of information according to Section 55, the notifications according to Sections 56 and 66 and the
Processing of applications according to Sections 57 and 58 is free of charge. In the case of manifestly unfounded or
Excessive applications according to Sections 57 and 58, the person responsible can either charge a reasonable fee

- Page 33 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 34

request on the basis of administrative costs or refuse to act on the request. In
In this case, the controller must identify the manifestly unfounded or excessive nature of the request
can prove.
(4) If the person responsible has justified doubts about the identity of a data subject who has submitted an application
the §§ 57 or 58 has provided, he can request additional information from her to confirm her
Identity are required.
Section 60 Appeal to the Federal Commissioner
(1) Without prejudice to other legal remedies, any data subject may lodge a complaint with the
Federal Commissioners or the Federal Commissioner contact, if they are of the opinion, during the processing
Your personal data by public bodies for the purposes mentioned in § 45 in your rights
to have been hurt. This does not apply to the processing of personal data by courts,
insofar as they have processed the data in the course of their judicial activity. The Federal Commissioner
has to inform the person concerned about the status and the result of the complaint and to do so
to point out the possibility of judicial protection according to § 61.
(2) The Federal Commissioner has lodged a complaint with him or her about processing,
which falls under the responsibility of a supervisory authority in another member state of the European Union,
immediately forward to the competent supervisory authority of the other country. She or he has in
In this case, to inform the person concerned about the forwarding and, upon request, to inform them further
To provide support.
Section 61 Legal protection against decisions by the Federal Commissioner or by theirs
its inaction
(1) Without prejudice to other legal remedies, any natural or legal person can take legal action against a
binding decision of the Federal Commissioner.
(2) Paragraph 1 applies accordingly in favor of the persons concerned if the Federal Commissioner agrees
a complaint according to § 60 is not dealt with or the person concerned does not respond within three months
Filing the complaint has informed about the status or the result of the complaint.

Chapter 4
Obligations of the controllers and processors
§ 62 order processing
(1) Are personal data on behalf of a responsible person by other persons or bodies
processed, the person responsible for compliance with the provisions of this law and other regulations
to worry about data protection. The rights of the data subjects to information, correction, deletion,
Restriction of processing and damages are in this case towards the person responsible
to assert.
(2) A person responsible may only process data processors with the processing of personal data
instruct them to take appropriate technical and organizational measures to ensure that the
Processing is carried out in accordance with the legal requirements and the protection of the rights of the data subjects
People is guaranteed.
(3) Processors may not use any further without the prior written consent of the person responsible
Call in processors. Does the controller give the processor general approval
for the involvement of other processors, the processor has the controller over
to inform of any intended addition or replacement. In this case, the person responsible can use the
Prohibit addition or replacement.
(4) If a processor brings in another processor, he has the same for him
Impose obligations arising from his contract with the person responsible under paragraph 5, which also apply to him
apply insofar as these obligations for the further processor are not already due to other regulations
are binding. If another processor does not meet these obligations, he is liable
commissioning processors vis-à-vis the person responsible for compliance with the obligations of the
further processor.

- Page 34 of 45 -

Page 35

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

(5) The processing by a processor has been carried out on the basis of a contract or another
Legal instrument that binds the processor to the controller and the
or the subject matter, duration, type and purpose of processing, the nature of the personal data
Data that defines the categories of data subjects and the rights and obligations of the person responsible. The
Contract or other legal instrument must in particular provide that the processor
1. only acts on the documented instructions of the person responsible; the processor is of the opinion
He must inform the person responsible immediately that an instruction is unlawful;
2. ensures that the persons authorized to process the personal data are used
Confidentiality is required unless there is an appropriate statutory obligation of confidentiality
subject;
3. Supports those responsible with appropriate means in ensuring compliance with the provisions on the
Guarantee the rights of the data subject;
4. all personal data after completion of the processing services of your choice
of the person responsible returns or deletes and destroys existing copies, if not after one
There is a legal requirement to store the data;
5. all necessary information to the person responsible, in particular the protocols drawn up in accordance with Section 76,
provides evidence of compliance with his obligations;
6. Checks carried out by the person responsible or an auditor commissioned by him
be made possible and contribute to it;
7. the conditions listed in paragraphs 3 and 4 for the use of the services of another
The processor complies with;
8. takes all measures required according to § 64 and
9. taking into account the type of processing and the information available to it
Supports those responsible in complying with the obligations specified in Sections 64 to 67 and 69.
(6) The contract within the meaning of paragraph 5 must be drawn up in writing or electronically.
(7) A processor who uses the purposes and means of processing in violation of this provision
is deemed to be the controller with regard to this processing.
Section 63 Jointly Responsible
If two or more controllers jointly determine the purposes and means of processing, apply
them as jointly responsible. Jointly responsible persons have their respective tasks and
Define data protection responsibilities in a transparent form in an agreement, insofar as
these are not already set out in legislation. In particular, the agreement must show
who has to comply with which information obligations and how and to whom affected persons their
Can exercise rights. A corresponding agreement does not prevent the data subject from exercising their rights
to assert against each of the jointly responsible parties.
Section 64 Requirements for the security of data processing
(1) The controller and the processor, taking into account the state of the art,
the implementation costs, the type, scope, circumstances and purposes of the processing as well
the probability of occurrence and the severity of the risks associated with the processing for the
Legal interests of the data subjects to the necessary technical and organizational measures
take to ensure a level of protection appropriate to the risk when processing personal data
guarantee, in particular with regard to the processing of special categories of personal data.
The person responsible has the relevant technical guidelines and recommendations of the Federal Office
for security in information technology.
(2) The measures mentioned in paragraph 1 can include pseudonymisation and encryption
personal data, insofar as such means are possible in view of the processing purposes.
The measures in accordance with paragraph 1 are intended to result in:
1. the confidentiality, integrity, availability and resilience of the related systems and services
be ensured in the long term with the processing and

- Page 35 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 36

2. the availability of personal data and access to them in the case of a physical or
technical incident can be quickly recovered.
(3) In the case of automated processing, the controller and the processor have a
Risk assessment to take measures with the aim of:
1.

Denying access to processing equipment used to carry out the processing for
Unauthorized persons (access control),

2.

Prevention of unauthorized reading, copying, changing or deleting of data carriers
(Data carrier control),

3.

Prevention of unauthorized entry of personal data as well as unauthorized
Acknowledgment, modification and deletion of stored personal data
(Memory control),

4th

Prevention of the use of automated processing systems with the help of facilities for
Data transmission by unauthorized persons (user control),

5.

Ensuring that those authorized to use an automated processing system
Access only to the personal data included in your access authorization
have (access control),

6th

Ensuring that it can be checked and determined where personal data is received
were transmitted or made available with the help of data transmission facilities or
can be (transmission control),

7th

Ensuring that it can be subsequently checked and determined which personal
Data entered or changed in automated processing systems at what time and by whom
have been (input control),

8th.

Ensuring that when transferring personal data and when transporting
Data carriers the confidentiality and integrity of the data are protected (transport control),

9.

Guarantee that the systems in use can be restored in the event of a fault
(Recoverability),

10. Guarantee that all functions of the system are available and any malfunctions that occur
are reported (reliability),
11. Ensuring that stored personal data is not caused by system malfunctions
can be damaged (data integrity),
12. Guarantee that personal data that is processed in the order are only processed in accordance with
Instructions from the client can be processed (order control),
13. Guarantee that personal data are protected against destruction or loss
(Availability control),
14. Ensuring that personal data collected for different purposes is kept separate
can be processed (separability).
A purpose according to sentence 1 numbers 2 to 5 can in particular through the use of the state of the art
corresponding encryption method can be achieved.
§ 65 reporting of violations of the protection of personal data to the or the
Federal Commissioner
(1) The person responsible has a violation of the protection of personal data immediately and if possible
to the Federal Commissioner within 72 hours of becoming aware of it
report, unless the violation is unlikely to pose a threat to the legal interests of natural persons
brought with it. If the report is not made to the Federal Commissioner or the Federal Commissioner
reasons for the delay must be given within 72 hours.
(2) A processor has a violation of the protection of personal data immediately
Report the responsible person.
(3) The report according to paragraph 1 must contain at least the following information:

- Page 36 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 37

1. a description of the nature of the personal data breach which, as far as possible,
Information about the categories and the approximate number of persons concerned, about the persons concerned
Categories of personal data and the approximate number of personal data affected
Has to contain records,
2. the name and contact details of the data protection officer or another person or
Body that can provide further information,
3. a description of the likely consequences of the injury and
4. a description of the measures taken or proposed by the controller
Treatment of the injury and the measures taken to mitigate its possible adverse effects
Effects.
(4) If the information according to paragraph 3 cannot be transmitted together with the report, the
Responsible person to submit them immediately as soon as they are available to him.
(5) The person responsible must document violations of the protection of personal data. The
Documentation has all the facts related to the incidents, their effects and the
to include corrective action taken.
(6) As far as personal data is affected by a violation of the protection of personal data
by or to a responsible person in another member state of the European Union
have been transmitted, the information mentioned in paragraph 3 must be sent to the person responsible there immediately
to submit.
(7) Section 42 (4) applies accordingly.
(8) Further obligations of the person responsible for notifications of breaches of protection
personal data remain unaffected.
Section 66 Notification of data subjects in the event of violations of the protection of personal data
Data
(1) If a personal data breach is likely to pose a significant risk to
If legal interests of data subjects result, the person responsible has the data subjects immediately
to notify of the incident.
(2) The notification according to paragraph 1 shall state the nature of the breach of protection in clear and simple language
to describe personal data and at least those mentioned in Section 65 Paragraph 3 Numbers 2 to 4
To contain information and actions.
(3) The notification in accordance with paragraph 1 can be dispensed with if
1. the person responsible has taken suitable technical and organizational safety precautions and
these precautions apply to the data affected by the personal data breach
were applied; This applies in particular to precautions such as encryption, through which the data for
made inaccessible to unauthorized persons;
2. the person responsible has ensured through measures taken following the violation that
in all probability there is no longer any significant risk within the meaning of paragraph 1, or
3. this would involve a disproportionate effort; in this case has a
public notice or similar action to be taken by the data subjects
be informed in a similarly effective manner.
(4) If the person responsible informs the data subjects about a violation of the protection of personal data
Has not notified the data, the Federal Commissioner can formally state that his or her
in his opinion, the conditions mentioned in paragraph 3 are not met. Here she or he has the
Probability to take into account that the violation represents a significant risk within the meaning of paragraph 1
Consequence.
(5) The notification of the persons concerned according to paragraph 1 can be done under the ones mentioned in § 56 paragraph 2
Conditions are postponed, restricted or omitted, unless the interests of the

- Page 37 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 38

affected person due to the considerable risk arising from the violation within the meaning of paragraph 1
predominate.
(6) Section 42 (4) applies accordingly.
Section 67 Carrying out a data protection impact assessment
(1) Has a form of processing, especially when using new technologies, due to the type
the scope, circumstances and purposes of the processing are likely to pose a significant risk to the
Legal interests of data subjects, the person responsible has to assess the consequences of the
to carry out the processing operations provided for the data subjects.
(2) For the investigation of several similar processing operations with a similarly high risk potential
a joint data protection impact assessment can be carried out.
(3) The person responsible has the data protection officer in charge of the implementation
to participate in the impact assessment.
(4) The impact assessment must take into account the rights of the data subjects affected by the processing
and contain at least the following:
1. a systematic description of the planned processing operations and the purposes of the processing,
2. an assessment of the necessity and proportionality of the processing operations in relation to their
Purpose,
3. an assessment of the dangers to the legal interests of the persons concerned and
4. the measures with which existing dangers are to be remedied, including the guarantees,
the security measures and procedures by which the protection of personal data
ensured and compliance with the legal requirements is to be demonstrated.
(5) If necessary, the person responsible must carry out a check as to whether the processing is the
This is followed by the criteria that resulted from the impact assessment.
Section 68 Cooperation with the Federal Commissioner
The person responsible has to work with the Federal Commissioner in the performance of his or her duties
to work together.
Section 69 Hearing of the Federal Commissioner
(1) The person responsible must have the
To hear the federal commissioner or the federal commissioner, if
1. from a data protection impact assessment according to § 67 it emerges that the processing is a significant
Risk to the legal interests of the data subjects would result if the person responsible does not
Would take remedial action, or
2. the form of processing, especially when using new technologies, mechanisms or
Proceedings which result in a significant risk to the legal interests of the data subjects.
The Federal Commissioner can draw up a list of the processing operations that are subject to the obligation to
Hearing according to sentence 1 are subject.
(2) In the case of paragraph 1, the Federal Commissioner shall be presented with:
1. the data protection impact assessment carried out in accordance with Section 67,
2. If applicable, information on the respective responsibilities of the person responsible who jointly
Responsible persons and the processors involved in the processing,
3. Information on the purposes and means of the intended processing,
4. Information on the measures planned to protect the legal interests of the data subjects and
Guarantees and
5. Name and contact details of the data protection officer.

- Page 38 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 39

Upon request, he or she must also be provided with all other information that he or she
required to ensure the lawfulness of the processing and, in particular, that relating to the protection of the
personal data of the data subjects and the related guarantees
to be able to evaluate.
(3) If the Federal Commissioner is of the opinion that the planned processing violates legal requirements
Specifications would be violated, in particular because the person responsible does not sufficiently determine the risk
or has not taken adequate corrective action, he or she can contact the person responsible and
if necessary, to the processor within a period of six weeks after the initiation of the
Consultation, make written recommendations on what measures should still be taken. The
or the Federal Commissioner can extend this period by one month if the planned processing
is particularly complex. In this case, he or she shall have the. Within one month of the start of the hearing
To inform the person responsible and, if necessary, the processor about the extension of the deadline.
(4) Does the intended processing have considerable significance for the performance of the controller's tasks
and if it is therefore particularly urgent, he can start processing after the start of the hearing, but before
The expiry of the period specified in Paragraph 3 Clause 1 begins. In this case, the recommendations of the
Federal Commissioners to take into account in retrospect and the manner of processing thereupon
adapt if necessary.
Section 70 Directory of processing activities
(1) The person responsible must keep a list of all categories of processing activities that are included in his
Jurisdiction fall. This directory must contain the following information:
1. the name and contact details of the person responsible and, if applicable, jointly with him
Responsible person as well as the name and contact details of the data protection officer,
2. the purposes of the processing,
3. The categories of recipients to whom the personal data have been disclosed
or should be disclosed,
4. a description of the categories of data subjects and the categories of personal data,
5. if necessary, the use of profiling,
6. where applicable, the categories of transfers of personal data to bodies in a third country
or to an international organization,
7. information about the legal basis of the processing,
8. the deadlines provided for the deletion or the review of the necessity of storing the
different categories of personal data and
9. a general description of the technical and organizational measures in accordance with § 64.
(2) The processor must keep a list of all categories of processing that he has commissioned
carried out by a responsible person, which must contain the following:
1. the name and contact details of the processor, each person responsible, on whose behalf the
The processor is active, as well as the data protection officer, if applicable,
2. if necessary, transfers of personal data to bodies in a third country or to a
international organization, specifying the state or organization and
3. a general description of the technical and organizational measures according to § 64.
(3) The lists mentioned in Paragraphs 1 and 2 are to be kept in writing or electronically.
(4) Responsible persons and processors have their lists of the or the upon request
To make available to federal commissioners.
§ 71 Data protection through technology design and data protection-friendly default settings
(1) The person responsible has both at the time of determining the means for processing and
to take reasonable precautions at the time of processing that are suitable for the
Effectively implement data protection principles such as data economy and ensure that

- Page 39 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 40

the legal requirements are complied with and the rights of the data subjects are protected.
He has the state of the art, the implementation costs and the type, scope and circumstances
and the purposes of the processing as well as the different probability of occurrence and severity of the
to take into account the dangers associated with processing for the legal interests of the data subjects.
In particular, the processing of personal data and the selection and design of
Align data processing systems with the goal of keeping as little personal data as possible
to process. Personal data must be anonymized or closed at the earliest possible point in time
pseudonymize, as far as this is possible according to the processing purpose.
(2) The person responsible must take suitable technical and organizational measures to ensure
that by default, only personal data can be processed,
the processing of which is necessary for the specific processing purpose in each case. This affects the
Amount of data collected, the scope of their processing, their storage period and their accessibility. The
Measures must in particular ensure that the data is not automated by default settings
can be made available to an indefinite number of people.
Section 72 Differentiation between different categories of data subjects
When processing personal data, the person responsible has as much as possible between
differentiate between the different categories of data subjects. This applies in particular to the following
Categories:
1. persons against whom there is reasonable suspicion that they have committed a criminal offense,
2. Persons against whom there is reasonable suspicion that they will commit a crime in the near future
become,
3. convicted offenders,
4. Victims of a crime or persons who have certain facts that suggest they are victims of a
Could be a criminal offense, and
5. other persons such as in particular witnesses, whistleblowers or persons with the persons listed in numbers 1 to
4 mentioned persons are in contact or connection.
Section 73 Differentiation between facts and personal assessments
When processing the data, the person responsible has to differentiate as much as possible according to whether
personal data are based on facts or on personal assessments. To this end it aims
he, as far as this is possible and appropriate in the context of the respective processing, assessments based on
are based on personal assessments and identify them as such. It must also be possible to determine which
Body maintains the documents on which the assessment based on a personal assessment is based.
Section 74 Procedure for transfers
(1) The person responsible must take appropriate measures to ensure that
personal data that are incorrect or no longer up-to-date, not transmitted or otherwise available
be asked. For this purpose, he has, as far as this is possible with reasonable effort, the quality of the
Verify data before it is transmitted or made available. Each time personal
In addition, as far as this is possible and appropriate, the data must be attached to information that is available to the recipient
allow the correctness, completeness and reliability of the data as well as their timeliness
judge.
(2) If special conditions apply to the processing of personal data, at
Data transmissions, the transmitting body informs the recipient of these conditions and the obligation to their
Attention. The notification requirement can be fulfilled by marking the data accordingly
become.
(3) The transmitting agency may refer to recipients in other member states of the European Union and to
Institutions and other bodies that are under Chapters 4 and 5 of Title V of Part Three of the Contract
established on the functioning of the European Union, do not apply conditions that are not also applicable to
corresponding national data transfers apply.
Section 75 Correction and deletion of personal data and restriction of processing

- Page 40 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 41

(1) The person responsible must correct personal data if they are incorrect.
(2) The person responsible must delete personal data immediately if they are being processed
is inadmissible, they have to be deleted in order to fulfill a legal obligation or their knowledge for
his task is no longer required.
(3) Section 58 (3) to (5) shall apply accordingly. Are incorrect personal data or
If personal data has been transmitted unlawfully, this must also be communicated to the recipient.
(4) Without prejudice to the maximum storage or deletion periods stipulated in legal provisions, the person responsible has
for the deletion of personal data or a regular review of the necessity of their
Provide storage for reasonable periods of time and ensure through procedural precautions,
that these deadlines are met.
Section 76 Logging
(1) In automated processing systems, those responsible and contract processors have at least the
to log the following processing operations:
1st survey,
2. change,
3. query,
4. Disclosure including transmission,
5. combination and
6. Deletion.
(2) The records of inquiries and disclosures must allow the justification, the date and
the time of these operations and, as far as possible, the identity of the person receiving the personal data
queried or disclosed, and to establish the identity of the recipient of the data.
(3) The logs may only be used to check the legality of the data processing
by the data protection officer or the data protection officer, the federal commissioner or the
Federal Commissioner and the person concerned as well as for self-monitoring, for ensuring the
Integrity and security of personal data and used for criminal proceedings.
(4) The log data are to be deleted at the end of the year following their generation.
(5) The person responsible and the processor have the minutes of the Federal Commissioner
Requirement to provide.
Section 77 Confidential reporting of violations
The person responsible has to enable confidential reports to be sent to him in his
Any breaches of data protection regulations occurring can be forwarded to the area of ​responsibility.

Chapter 5
Data transfers to third countries and international organizations
Section 78 General requirements
(1) The transfer of personal data to bodies in third countries or to international organizations
is permissible if the other conditions applicable to data transmission are met, if
1. the body or international organization is responsible for the purposes specified in Section 45 and
2. the European Commission in accordance with Article 36 (3) of Directive (EU) 2016/680 a
Has passed an adequacy decision.
(2) The transmission of personal data has to take place despite the existence of an adequacy decision
within the meaning of paragraph 1 number 2 and the public interest to be taken into account in the
To refrain from data transmission if in individual cases a data protection law is appropriate and the

- Page 41 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 42

Handling of the data by the recipient in accordance with basic human rights is not adequately secured
or otherwise overriding legitimate interests of a data subject conflict. At his
Assessment, the person responsible has to take into account whether the recipient has a
Appropriate protection of the transmitted data is guaranteed.
(3) If personal data is transferred from another member state of the European Union
or were made available, are to be transmitted in accordance with paragraph 1, this transmission must be carried out beforehand
approved by the competent authority in the other Member State. Submissions without prior notice
Approval are only permitted if the transmission is necessary to an immediate and
serious danger to the public security of a state or to the essential interests of a
Member State and the prior authorization cannot be obtained in time. In the case
of sentence 2 is the body of the other Member State that was responsible for issuing the permit
would be to inform immediately of the transmission.
(4) The person responsible who transmits data in accordance with paragraph 1 must take suitable measures to ensure that
that the recipient will only forward the transmitted data to other third countries or other international
Organizations forwarded if the controller has previously approved this transfer. In the
The responsible party has to take all relevant factors into account when deciding whether to grant the permit
take into account, in particular, the gravity of the offense, the purpose of the original transmission and the
in the third country or international organization to which or to which the data will be transmitted
should, existing level of protection for personal data. Approval may only be granted if
A direct transfer to the other third country or the other international organization is also permitted
would. The responsibility for issuing the permit can also be regulated differently.
Section 79 Data transmission with suitable guarantees
(1) If, contrary to Section 78 (1) number 2, there is no decision under Article 36 (3) of Directive (EU) 2016/680
transmission is also permitted if the other requirements of Section 78 are met if
1. Appropriate guarantees for the protection of personal data in a legally binding instrument
are provided or
2. The person responsible after assessing all the circumstances that play a role in the transmission to the
It has come to the conclusion that there are appropriate safeguards for the protection of personal data.
(2) The person responsible must document transmissions in accordance with paragraph 1 number 2. The documentation
has the time of transmission, the identity of the recipient, the reason for the transmission and the
to contain transmitted personal data. It is available to the Federal Commissioner on request
to provide.
(3) The person responsible has the Federal Commissioner or the Federal Commissioner at least annually
To notify transmissions that have been made on the basis of an assessment in accordance with paragraph 1 number 2. In the
Information, he can appropriately categorize the recipients and the purposes of transmission.
footnote
(+++ § 79 Paragraph 2: for application see § 80 Paragraph 3 and § 81 Paragraph 3 +++)
(+++ Section 79 Paragraph 3: for application see Section 81 Paragraph 3 +++)
§ 80 data transmission without suitable guarantees
(1) If, contrary to Section 78 (1) number 2, there is no decision under Article 36 (3) of Directive (EU) 2016/680
and if there are no suitable guarantees within the meaning of Section 79 (1), a transmission is included
The other prerequisites of Section 78 are also admissible if the transmission is necessary
1. to protect the vital interests of a natural person,
2. to safeguard the legitimate interests of the data subject,
3. to avert a current and significant threat to the public security of a state,
4. in individual cases for the purposes mentioned in § 45 or
5. in individual cases for the establishment, exercise or defense of legal claims in connection
with the purposes mentioned in § 45.

- Page 42 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 43

(2) The person responsible has to refrain from a transmission according to paragraph 1 if the fundamental rights of
data subject outweighs the public interest in the transmission.
(3) For transmissions according to paragraph 1, § 79 paragraph 2 applies accordingly.
§ 81 Other data transfers to recipients in third countries
(1) Responsible persons can apply for the data transfer to third countries if the others are available
Prerequisites in special individual cases personal data directly to not in § 78 paragraph 1
Number 1 named bodies in third countries, if the transmission is necessary for the fulfillment of their tasks
is absolutely necessary and
1. in the specific case no fundamental rights of the data subject the public interest in a transfer
predominate,
2. the transmission to the bodies named in Section 78 (1) number 1 would be ineffective or unsuitable,
especially because it cannot be carried out on time, and
3. the person responsible informs the recipient of the purposes of the processing and informs him that
the transmitted data may only be processed to the extent that they are processed for them
Purposes is required.
(2) In the case of Paragraph 1, the person responsible shall immediately have the bodies named in Section 78 Paragraph 1 Number 1
to inform about the transmission, unless this is ineffective or unsuitable.
(3) For transmissions according to paragraph 1, § 79 paragraphs 2 and 3 apply accordingly.
(4) In the case of transmissions in accordance with paragraph 1, the person responsible must oblige the recipient to accept the transmitted
to process personal data without his consent only for the purpose for which it was transmitted
have been.
(5) Agreement in the field of judicial cooperation in criminal matters and police cooperation
stay untouched.

Chapter 6
Cooperation between the supervisory authorities
Section 82 Mutual administrative assistance
(1) The Federal Commissioner has the data protection supervisory authorities in other member states of the
To transmit information to the European Union and to provide administrative assistance, as far as this is necessary for a uniform
Implementation and application of Directive (EU) 2016/680 is required. The administrative assistance concerns in particular
Requests for information and supervisory measures, such as requests for consultation or order
Carrying out reviews and investigations.
(2) The Federal Commissioner shall take all appropriate measures to respond to requests for administrative assistance
to be done immediately and at the latest within one month of receipt.
(3) The Federal Commissioner may only reject requests for administrative assistance if
1. she or he for the subject matter of the request or for the measures that she or he is to carry out,
is not responsible or
2. Responding to the request would violate the law.
(4) The Federal Commissioner has the requesting supervisory authority of the other state over the
To inform about the results or, if applicable, about the progress of the measures that have been taken to
to comply with the request for assistance. In the case of paragraph 3, he or she has the reasons for rejecting the
Request to explain.
(5) The Federal Commissioner has the information required by the supervisory authority of the
other state has been requested, usually electronically and in a standardized format.

- Page 43 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 44

(6) The Federal Commissioner shall deal with requests for administrative assistance free of charge, insofar as he or she is not in the
Has agreed on a case-by-case basis with the supervisory authority of the other state that expenses incurred will be reimbursed.
(7) A request for administrative assistance from the Federal Commissioner must contain all the necessary information;
this includes in particular the purpose and justification of the request. The ones submitted on request
Information may only be used for the purpose for which it was requested.

Chapter 7
Liability and penalties
Section 83 Damages and Compensation
(1) Has a person responsible for a data subject by processing personal data that
was unlawful under this Act or under other regulations applicable to their processing, a
If damage is caused, he or his legal entity is obliged to pay compensation to the person concerned. The
The obligation to pay compensation does not apply if, in the case of non-automated processing, the damage is not at fault
of the person responsible.
(2) For damage that is not pecuniary damage, the person concerned can claim a reasonable amount
Demand compensation in cash.
(3) In the case of automated processing of personal data, it cannot be determined which
has caused the damage by several responsible persons involved, each responsible person is liable
or its legal entity.
(4) If the person concerned was at fault in the occurrence of the damage, Section 254 of the
To apply accordingly to the Civil Code.
(5) The statute of limitations applies to the statute of limitations applicable to unlawful acts
Application in accordance with the Code.
Section 84 Penal Provisions
For the processing of personal data by public bodies in the context of activities according to § 45
Clause 1, 3 or 4 applies accordingly to Section 42.

Part 4
Special provisions for processing in the context of not in the
Scope of application of Regulation (EU) 2016/679 and Directive (EU)
2016/680 covered activities
§ 85 Processing of personal data in the context of not in the areas of application of
Regulation (EU) 2016/679 and Directive (EU) 2016/680 covered activities
(1) The transfer of personal data to a third country or to supranational or intergovernmental bodies
or international organizations in the context of not falling within the scope of the Regulation (EU)
2016/679 and Directive (EU) 2016/680 are covered by the activities already under Regulation (EU)
2016/679 permissible cases are also permissible if they are compulsory for the fulfillment of one's own tasks
Reasons of defense or to fulfill supranational or international obligations of a public
Federal agency in the field of crisis management or conflict prevention or for humanitarian issues
Action is required. The recipient is to be informed that the transmitted data is only for the
May be used for the purpose for which they were transmitted.
(2) For processing in the context of not falling within the scope of Regulation (EU) 2016/679 and the
Activities covered by Directive (EU) 2016/680 by departments within the scope of the Federal Ministry
§ 16 paragraph 4 does not apply to the defense if the Federal Ministry of Defense determines in individual cases
that the fulfillment of the obligations mentioned there would jeopardize the security of the federal government.
(3) For processing in the context of not falling within the scope of Regulation (EU) 2016/679
and the Directive (EU) 2016/680 covered activities by public authorities of the federal government
Duty to provide information in accordance with Article 13 (1) and (2) of Regulation (EU) 2016/679, if

- Page 44 of 45 -

A service of the Federal Ministry of Justice and Consumer Protection
as well as the Federal Office of Justice - www.gesetze-im-internet.de

Page 45

1. it concerns cases of § 32 paragraph 1 numbers 1 to 3 or
2. by its fulfillment, information would be revealed according to a legal regulation or its nature
after, in particular because of the overriding legitimate interests of a third party, kept secret
must be, and therefore the interest of the data subject in the disclosure of the information
must resign.
If the person concerned is not to be informed in the cases of sentence 1, there is also no right to information. §
32 Paragraph 2 and Section 33 Paragraph 2 do not apply.
Section 86 Processing of personal data for the purposes of state awards and honors
(1) For the preparation and implementation of state procedures for awards and honors
both the responsible and other public and non-public bodies provide the necessary information
personal data, including special categories of personal data within the meaning of
Article 9 (1) of Regulation (EU) 2016/679, even without the knowledge of the data subject. For
Non-public bodies, Section 1 Paragraph 8 applies accordingly. Processing of personal data
according to sentence 1 for other purposes is only permitted with the consent of the person concerned.
(2) Insofar as processing takes place exclusively for the purposes specified in paragraph 1 sentence 1, the articles are
13 to 16, 19 and 21 of Regulation (EU) 2016/679 do not apply.
(3) When processing special categories of personal data within the meaning of Article 9 paragraph 1 of
Regulation (EU) 2016/679, the person responsible sees appropriate and specific measures to maintain the
Rights of the data subject in accordance with Section 22 (2).

- Page 45 of 45 -

