September 2009. They change 18 paragraphs in the BDSG. Content includes changes to the list privilege for address trading, new regulations for market and opinion research, opt-in, coupling ban, employee data protection, order data processing, new powers for the supervisory authorities and new or greatly expanded fines, information obligations in the event of data breaches, and dismissal protection for data protection officers. On June 11, 2010, "Novelle III", a small sub-item within the law implementing the EU Consumer Credit Directive, changed § 29 BDSG by two paragraphs.
(§ 4b II sentence 2 BDSG). The adequacy of protection shall be assessed by taking into account all the circumstances that are of importance for the data transmission (§ 4b III BDSG). These include the type of data, the purpose, the duration of processing, professional rules and security measures. In the opinion of the European Commission,
protection of personal rights and must be approved in advance by the competent authority (§ 4c II sentence 1 BDSG). For international companies, it is advisable to obtain approval for standard contractual clauses. Even self-regulation in corporate policies can enable the data flow within multinational corporations. The
For other third countries, it is hardly possible to determine the appropriate level of protection because of the complex criteria. For this reason certain exceptions (in § 4c I and II BDSG) under which a data transmission is allowed to third countries, even if an adequate level of data protection is
Transfers to third countries must comply with the requirements of the Federal Privacy Act (§ 4b II sentence 1 BDSG). The transmission must cease if the person has a legitimate interest in the prevention of transmission, especially if adequate data protection in the third country is not guaranteed
The BDSG was amended in 2009 and 2010 with three amendments: On April 1, 2010, "Novelle I" brought into force a new regulation of the activities of credit bureaus and their counterparties (especially credit institutions) and of scoring. The long and heavily debated "Novelle II" came into force on 1
Public authorities of the federal states, the authorities and the institutions of justice and other public-law institutions of a federal state, community, a community association and other legal persons of public law, which are subordinated to the supervision of the federal state of public law and
passed the first national data protection law, which was also the first data protection law in the world. In 1971, the first draft bill was submitted for a federal data protection act. Finally, on 1 January 1978, the first federal data protection act came into force. In the following years, as the
Agreement. Through the Safe Harbor Agreement (invalidated 6 October 2015 by Maximillian Schrems v. Data Protection Commissioner, and its successor, Privacy Shield, invalidated on 16 July 2020), the recipient in the United States commits itself to comply with certain data protection principles by
on October 24, 1995, that had to be transposed into internal law of the Member States by the end of 1998 (Directive 95/46/EC of the European Parliament and Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data). All member states have
In the early 1960s, consideration for comprehensive data protection began in the United States and further developed with advancements in computer technology and its privacy risks. So a regulatory framework was needed to counteract the impairment of privacy in the processing of personal data.
In all other cases, the "subject to approval" solution (§ 4c II BDSG) allows the manufacturing site to transfer data to recipient countries where an adequate level of data protection is ensured. The contractual clauses or "binding corporate rules" must offer adequate guarantees regarding the
Through the implementation of the EU Data Protection Directive, a uniform level of data protection has emerged in EU member countries. A company domiciled in Germany is therefore entitled to transfer personal data in Europe under the same rules as if it were to transfer data within Germany.
Public authorities are the Federal Authorities, the administration of justice and other public-law institutions of the Federation, the Federal Authorities, establishments, and foundations under public law and their associations, irrespective of their legal form (§ 2 I BDSG).
means of statements to the relevant U.S. authorities. No transfer framework currently applies, and transfers to and from the U.S., as with all third countries, require another approved mechanism under the GDPR (e.g. binding corporate rules, standard contractual clauses).
). The verdict confirmed that personal data are constitutionally protected in Germany. This means that individuals have the power to decide when and to what extent personal information is published.
not guaranteed, are important. § 4c I BDSG allows cross-border data transfer with the person's consent and subject to the fulfillment of a contract between the person and the responsible party.
data (where the person's name is replaced with a pseudonym) is protected by the BDSG, because the data relates to a person whose identity is discernible. The BDSG does not protect the data of
The creation of standards restricts the fundamental rights of the affected person. Therefore, these laws and procedures must be appropriate and necessary. A balancing of interests must occur.
If data is permitted to be collected for a particular purpose, use of the data is restricted to this purpose. A new consent or law is required if the data will be used for another purpose.
In 2009, there were three amendments to the BDSG as a result of criticism from consumer advocates and numerous privacy scandals in business. The amendments addressed the following items:
Through the use of data anonymization or pseudonymization, every data processing system should aim to use no (or as little as possible) personally identifiable data.
Non-public agencies are natural and legal persons, companies, and other associations of persons in private law that do not fall under the paragraphs of § 2 I-III BDSG (§ 2 IV BDSG).
BDSG was taking shape in practice, a technical development took place in data processing as the computer became increasingly important both at work and in the private sector.
If personal data is collected, the responsible entity must inform the affected person of its identity and the purposes of the collection, processing or use (§ 4 III BDSG).
The personal data has to be collected directly from the person concerned. An exception to this principle is a legal permission or a disproportionate effort (§ 4 III BDSG).
The collection, processing and use of personal data is strictly prohibited, unless it is permitted by the law or the person concerned gives consent (§ 4 I BDSG).
For companies based in Germany, the Federal Data Protection Act regulates the transfer of data differently to another EU member country and to a third country.
Transitional arrangements for market and opinion researchers, as well as for promotional use of stored data recorded before September 1, 2009 (§ 47 BDSG)
, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life. These data are subject to special protection.
New eligibility requirements and transparency in the use of personal data as part of the trade of addresses and promotional purposes (§ 28 III BDSG)
The law should protect individuals' personal rights from being injured through the handling of their personal information (§ 1 I BDSG).
Strengthening the position of the internal data protection officer by training and explicit job protection law (§ 4f III sentence 5-7 BDSG)
A duty of self-disclosure to the supervisory authority and the affected person in the event of unlawfully obtained knowledge of data (§ 42a BDSG)
Extension of the requirement for the written content to be fixed in order data processing and control of the contractor (§ 11 II BDSG)
and other area-specific regulations, governs the exposure of personal data, which are manually processed or stored in IT systems.
A further decision by the European Commission affects data transmission into the United States. According to the decision, the
Information on claims against responsible agencies, especially in the case of scoring and commercial agencies (§ 34 BDSG)
developed the right to self-determination of information (Article 1(1) in conjunction with Article 2(1) of the
In 1990, the legislature adopted a new data protection law based on the decision of the German Constitutional Court.
The BDSG supersedes any other federal law that relates to personal information and its publication (§ 1 III BDSG).
Extension of the arrangement powers of supervisory authorities on processing data protection and uses (§ 38 V BDSG)
means all data that provide information about personal relationships or facts about an identified or identifiable
Claims for credit rejection information for cross-border credit inquiry within the EU/EEA (§ 29 VI and VII BDSG)
, according to § 22 and § 37 of the law, is excluded from certain sections of the Bundesdatenschutzgesetz.
Protected personal data does not include anonymized data, where the person's identity is not discernible.
According to § 1 II BDSG the law applies to the collection, processing, and use of personal data by:
Third section (§§ 27-38a): Data processing by non-public bodies and public competitor companies
Introduction of a prohibition on coupling in connection with consent (§ 28 IIIb BDSG)
must also give victims legal rights and certain guarantees, as is the case in contracts.
, such as corporations, although some courts have extended protection to legal persons.
Expansion of disclosure requirements for moderate transmission list (§ 34 Ia BDSG)
Permissibility and transparency in automated individual decisions (§ 6a BDSG)
Tightening the consent requirements for non-written consent (§ 28 IIIa BDSG)
Introduction of new fines (§ 43 I No. 2a, 2b, 3a, 8a and II No. 5a-7 BDSG)
Rule on the admissibility of the processing of employment data (§ 32 BDSG)
assured a reasonable level of data protection through the negotiated
The following rules apply in accordance with the requirements of the
their associations, irrespective of their legal form (§ 2 II BDSG).
: name, address, occupation, e-mail, IP address, or personal number
to companies domiciled in Germany and for companies based abroad.
The Council of Ministers and the European Parliament adopted the
The BDSG contains seven first principles of data protection law:
There were also significant changes in the legal field. With the
Fifth section (§§ 43-44): Criminal and civil penalty provisions
Increasing the fine frame at €50,000 to €300,000 (§ 43 III BDSG)
act, that together with the data protection acts of the German
On 25 January 2012, the European Commission unveiled a draft
Relief for market and opinion research companies (§ 30a BDSG)
Second section (§§ 12-26): Data processing by public bodies
in the enforcement of data protection rights (§ 6 III BDSG)
Transmission of data to commercial agencies (§ 28a BDSG)
Transmission from Germany to another EU member country
that will supersede the Data Protection Directive.
Sixth section (§§ 45-46): Transitional provisions
First section (§§ 1-11): General and common rules
New penalty offenses (§ 43 I No. 4a, 8b, 8c BDSG)
5. Principle of data avoidance and data economy:
Admissibility in scoring procedures (§ 28b BDSG)
German law regarding data protection and privacy
enacted their own data protection legislation.
1. Prohibition with reservation of permission:
Fourth section (§§ 39-42): Special provisions
Introducing a legal definition for the term “
Transmission from Germany to a third country
(census verdict) of December 15, 1983, the
Public authorities of the federal states
Public authorities of the federal states
In the year 1970, the federal state of
have an adequate level of protection.
Central Register of Foreign Nationals
General Data Protection Regulation
4. Principle of proportionality:
Overview of the first principles
Public bodies of the Federation
Public bodies of the Federation
Companies domiciled in Germany
Cross-border data transmission
(Annex of § 9 sentence 1 BDSG)
Interaction with European law
Special kind of personal data
6. Principle of transparency:
3. Priority to special laws:
Federal Constitutional Court
U.S. Department of Commerce
7. Principle of earmarking:
” (employees) (§ 3 XI BDSG)
: income, taxes, ownership
2. Principle of immediacy:
Data Protection Directive
Data Protection Directive
Extension of the target
Emphasis on the use of
Bundesdatenschutzgesetz
Bundesdatenschutzgesetz
Personal relationships
Types of personal data
Historical development
Factual circumstances
Overview of the BDSG
Amendments I and III
Volkszählungsurteil
European Commission
Non-public agencies
Non-public agencies
The legal amendment
Volkszählungsurteil
Purpose and scope
codes of conduct
They include:
German Basic Law
federated states
data protection
) is a federal
natural person
data avoidance
legal persons
Pseudonymized
ethnic origin
Personal data
: racial or
data economy
Beschäftigte
Amendment II
Safe Harbor
Switzerland
(§ 3a BDSG)
The German
Exclusions
encryption
earmarking
From 1990
1970–1990
1960–1970
See also
Purpose
Strict
Germany
Canada
Scope
Hesse
and
The
and
BDSG
's
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.