Bundesdatenschutzgesetz


The German Bundesdatenschutzgesetz (BDSG) is a federal data protection act which, together with the data protection acts of the German federated states and other area-specific regulations, governs the exposure of personal data that are processed manually or stored in IT systems.

Historical development

1960–1970

In the early 1960s, consideration of comprehensive data protection began in the United States and developed further with advances in computer technology and the privacy risks they brought. A regulatory framework was therefore needed to counteract the impairment of privacy in the processing of personal data.

1970–1990

In 1970, the federal state of Hesse passed the first national data protection law, which was also the first data protection law in the world. In 1971, the first draft bill for a federal data protection act was submitted. Finally, on 1 January 1978, the first federal data protection act came into force.[1] In the following years, as the BDSG took shape in practice, data processing underwent a technical development as the computer became increasingly important both at work and in the private sector.[2]

There were also significant changes in the legal field. With the Volkszählungsurteil[3] (census verdict) of December 15, 1983, the Federal Constitutional Court developed the right to informational self-determination (Article 1(1) in conjunction with Article 2(1) of the German Basic Law). The verdict confirmed that personal data are constitutionally protected in Germany. This means that individuals have the power to decide when and to what extent personal information is published.[4]

From 1990

In 1990, the legislature adopted a new data protection law based on the decision of the German Constitutional Court.

The BDSG was amended in 2009 and 2010 by three amendments. "Novelle I", which came into force on April 1, 2010, brought a new regulation of the activities of credit bureaus and their counterparties (especially credit institutions) and of scoring. The long and heavily debated "Novelle II" came into force on 1 September 2009 and changed 18 sections of the BDSG. Its content includes changes to the list privilege for address trading, new regulations for market and opinion research, opt-in, a coupling ban, employee data protection, commissioned data processing, new powers for the supervisory authorities, new or greatly expanded fines, information obligations in the event of data breaches, and dismissal protection for data protection officers. On June 11, 2010, "Novelle III"[4], a small sub-item within the law implementing the EU Consumer Credit Directive, changed § 29 BDSG by two paragraphs.

In 2009, there were three amendments to the BDSG as a result of criticism from consumer advocates and numerous privacy scandals in business. The amendments addressed the following items:[5]

Amendments I and III

Amendment II

Overview of the BDSG

Purpose and scope

Purpose

The law is intended to protect individuals' personal rights from being injured through the handling of their personal information (§ 1 I BDSG).

Scope

According to § 1 II BDSG the law applies to the collection, processing, and use of personal data by:

Exclusions

The Central Register of Foreign Nationals is, according to § 22 and § 37 of the law governing it, excluded from certain sections of the Bundesdatenschutzgesetz.[6]

Public bodies of the Federation

Public bodies of the Federation are the authorities, the organs of the administration of justice and other public-law institutions of the Federation, of the federal corporations, establishments and foundations under public law, and their associations, irrespective of their legal form (§ 2 I BDSG).

Public authorities of the federal states

Public authorities of the federal states are the authorities, the organs of the administration of justice and other public-law institutions of a federal state, a municipality, an association of municipalities and other legal persons under public law subject to the supervision of a federal state, and their associations, irrespective of their legal form (§ 2 II BDSG).

Non-public agencies

Non-public agencies are natural and legal persons, companies, and other associations of persons under private law that do not fall under § 2 I–III BDSG (§ 2 IV BDSG).

Overview of the first principles

The BDSG contains seven basic principles of data protection law:[7]

1. Prohibition with reservation of permission:

The collection, processing and use of personal data is prohibited unless it is permitted by law or the person concerned gives consent (§ 4 I BDSG).

2. Principle of immediacy:

Personal data must be collected directly from the person concerned. Exceptions to this principle are a legal permission or a disproportionate effort (§ 4 III BDSG).

3. Priority to special laws:

The BDSG supersedes any other federal law that relates to personal information and its publication (§ 1 III BDSG).

4. Principle of proportionality:

The standards created restrict the fundamental rights of the affected person. Therefore, these laws and procedures must be appropriate and necessary, and a balancing of interests must take place.

5. Principle of data avoidance and data economy:

Through the use of anonymization or pseudonymization, every data processing system should aim to use no personally identifiable data, or as little as possible.

6. Principle of transparency:

If personal data is collected, the responsible entity must inform the affected person of its identity and the purposes of the collection, processing or use (§ 4 III BDSG).

7. Principle of earmarking:

If data may be collected for a particular purpose, its use is restricted to that purpose. A new consent or a new legal permission is required if the data is to be used for another purpose.

Types of personal data

Personal data means all data that provide information about the personal circumstances or facts of an identified or identifiable natural person. They include:

Protected personal data does not include anonymized data, where the person's identity is not discernible. Pseudonymized data (where the person's name is replaced with a pseudonym) is protected by the BDSG, because the data relates to a person whose identity is discernible. The BDSG does not protect the data of legal persons, such as corporations, although some courts have extended protection to legal persons.

Interaction with European law

The Council of Ministers and the European Parliament adopted the Data Protection Directive on October 24, 1995; it had to be transposed into the internal law of the Member States by the end of 1998 (Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data). All member states have enacted their own data protection legislation.[8]

On 25 January 2012, the European Commission unveiled a draft General Data Protection Regulation that would supersede the Data Protection Directive.

Cross-border data transmission

The following rules apply, in accordance with the requirements of the European Commission's Data Protection Directive, to companies domiciled in Germany and to companies based abroad.

Companies domiciled in Germany

For companies based in Germany, the Federal Data Protection Act regulates data transfers to another EU member country and to a third country differently.

Transmission from Germany to another EU member country

Through the implementation of the EU Data Protection Directive, a uniform level of data protection has emerged in EU member countries. A company domiciled in Germany is therefore entitled to transfer personal data in Europe under the same rules as if it were to transfer data within Germany.

Transmission from Germany to a third country

Transfers to third countries must comply with the requirements of the Federal Data Protection Act (§ 4b II sentence 1 BDSG). The transfer must not take place if the person concerned has a legitimate interest in preventing it, especially if an adequate level of data protection is not guaranteed in the third country (§ 4b II sentence 2 BDSG). The adequacy of protection is assessed by taking into account all the circumstances that are of importance for the data transfer (§ 4b III BDSG). These include the type of data, the purpose and duration of processing, professional rules and security measures. In the opinion of the European Commission, Switzerland and Canada have an adequate level of protection.

A further decision by the European Commission affects data transfers to the United States. According to that decision, the U.S. Department of Commerce assured a reasonable level of data protection through the negotiated Safe Harbor Agreement. Under the Safe Harbor Agreement (invalidated on 6 October 2015 by Maximillian Schrems v. Data Protection Commissioner; its successor, Privacy Shield, was invalidated on 16 July 2020), the recipient in the United States committed itself to comply with certain data protection principles by means of statements to the relevant U.S. authorities. No transfer framework currently applies, and transfers to and from the U.S., as with all third countries, require another approved mechanism under the GDPR (e.g. binding corporate rules or standard contractual clauses).

For other third countries, it is hardly possible to determine the appropriate level of protection because of the complex criteria. For this reason, certain exceptions (§ 4c I and II BDSG) under which data may be transferred to third countries even if an adequate level of data protection is not guaranteed are important. § 4c I BDSG allows cross-border data transfer with the person's consent and for the fulfillment of a contract between the person and the responsible party.

In all other cases, the "subject to approval" solution (§ 4c II BDSG) allows the transferring body to transfer data to recipient countries provided an adequate level of data protection is ensured. The contractual clauses or "binding corporate rules" must offer adequate guarantees regarding the protection of personal rights and must be approved in advance by the competent authority (§ 4c II sentence 1 BDSG). For international companies, it is advisable to obtain approval for standard contractual clauses. Self-regulation in corporate policies can also enable the data flow within multinational corporations. Such codes of conduct must also give the persons concerned legal rights and certain guarantees, as is the case with contracts.[9]

References

  1. Gola/Schomerus, BDSG Kommentar, page 47, München 2010, ISBN 978-3-406-59834-0
  2. Gola/Schomerus, BDSG Kommentar, page 47, München 2010, ISBN 978-3-406-59834-0
  3. BVerfGE 65, page 1 ff.
  4. BVerfGE 65, 1 (41 ff.)
  5. Gola/Schomerus, BDSG Kommentar, page 54, München 2010, ISBN 978-3-406-59834-0
  6. "AZRG – Gesetz über das Ausländerzentralregister".
  7. "Begriff und Geschichte des Datenschutzes". 28 May 2014.
  8. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L, 1995-11-23, retrieved 2020-11-22
  9. Gola/Schomerus, BDSG Kommentar, page 151, München 2010, ISBN 978-3-406-59834-0