§ 1 Purpose and Scope of Application
(1) The purpose of this Act is to protect individuals against infringements of their right to privacy as a result of the handling of their personal information.
(2) This Act applies to the collection, processing and use of personal data for commercial purposes.
(3) In so far as other legal provisions of the Federation are applicable to personal data, including their publication, such provisions shall take precedence over the provisions of this Act. This shall not affect the duty to observe the legal obligation of maintaining secrecy, or professional or special official confidentiality not based on legal provisions.
(4) This Act shall not apply to data processors based in another EU member state or in a signatory state to the EEA Treaty and collecting, processing and using data in Germany unless these activities are carried out by a branch of the company that is based in Germany. This Act shall apply to data processors not based in an EU member state or in a signatory state to the EEA Treaty who collect process and use data in Germany. Where, within the scope of this Act, the data processor must be named, information regarding his representatives in Germany must also be disclosed. The 2nd and 3rd sentences above shall not apply to data processed in Germany solely for transit purposes. This shall not affect the disclosure requirements of the supervisory authority (see § 38 para. 1.1 of the Federal Data Protection Act).
§ 2 Definitions
(1) Personal data means any information concerning the personal circumstances of an identified individual or used alone or in conjunction with other information can cause the individual to be identified.
(2) Sensitive data means any information, alone or in conjunction with other information, regarding the sex-life, racial and ethnic background, political opinions, religious or philosophical beliefs, trade-union membership and health of the data subject.
(3) Collection means the preparation or acquisition of data on the data subject.
(4) Processing means the storage, modification, communication, blocking and erasure of personal data. In particular cases, irrespective of the procedures, media or forms of representation used:
a. storage means the entry, recording or preservation of personal data on a storage medium so that they can be processed or used again,
b. modification means the alteration of the substance of stored personal data,
c. communication means the disclosure to a third party of personal data stored or obtained by means of data processing either
aa. through transmission of the data to the third party by the controller of the data file or
bb. through the recipient inspecting or retrieving data held ready by the controller of the data file for inspection or retrieval,
d. blocking means labelling stored personal data so as to restrict their further processing or use,
e. erasure means the deletion of stored personal data.
(5) Use means any utilisation of personal data other than processing.
(6) Recipient means persons or bodies who obtain personal data.
(7) Controller of the data file means any person or body storing personal data on his or its own behalf or commissioning others to store them.
(8) Third party means any person or body other than the controller of the data file or an affiliated body (see § 15 AktG / German Stock Companies Act) or the data subject or any persons or bodies collecting, processing or using personal data to order in Germany, an EU member state or in a signatory state to the EEA Treaty.
(9) Geodata means all personal information directly or indirectly related to a particular place or geographical area.
§ 3 Data Protection Provisions
(1) Data processors who collect, process or use personal information for the purposes of creating, developing or amending a contractual relationship or through the operation of a telecommunications as set out under the provisions of § 1 para. 1 of the German Telemedia Act, are required to draw up and adhere to transparent data protection provisions.
(2)The data protection provisions must inform the data subjects in a generally understandable (transparent) manner about:
1. the means and scope of personal information that will be collected, processed and used,
2. the purpose of the collection, processing and use of the information as well as an explanation of why this information is required in this regard,
3. the communication of this information to third parties,
4. the right of the data processor to process and use the personal information provided by the data subject above and beyond the term of the contract or the period of use of the telecommunications medium,
5. the setting-up, processing and use of movement profiles based on geodata,
6. the collection, processing and use of information in order to assess the behaviour of the data subject (user profiles) with the intention of tailoring advertising to the interests of the user,
7. the technical and organisational measures taken by the data processor in order to protect the data against unauthorised access or damage by third parties including the process used to encrypt and anonymise the data (data security),
8. the means by which data subjects can obtain information regarding the data that has been collected, processed and used in order to ensure that errors are corrected, including the means by which data subjects can obtain access to the information and correct it themselves,
9. the processing of personal information in states outside the area of application of Guideline 95/46/EG of the European Parliament and of the Council of 24 October 1995 protecting individuals with regard to the processing of personal data and on the free movement of such data (OJl. EU No. L 281 S. 31);
10. the rights of the data subject to object to the collection, processing and use of information in part or in whole,
11. the data protection officer as set out in section 9, or other person appointed by the data processor to receive, process and respond to complaints from data subjects regarding the collection, processing and use of personal data, giving direct contact details,
12. the rights reserved by the data processor to change the circumstances of the collection, processing and use of personal data as defined under letters a to k above.
(3) Where the data processor expects that his clients or users will often be minors, he is required to word the data protection provisions such that they can be easily understood by minors.
(4) The data processor is required to provide a written version of the data protection provisions to his clients at all times, as set out under § 126 b of the German Civil Code (BGB). In the case of telemedia, users must be able to download the data protection provisions at all times.
(5) The data processor is required to update the data protection regulations on a regular basis. Where the collection, processing and use of personal data is carried out within the scope of a contractual relationship, the data processor is required to inform the client of all major changes to the data protection provisions. The data subject is entitled to reject changes in the collection, processing and use of personal data as set out under section 1 insofar as the interests of the data subject regarding the changes outweigh those of the data processor. The data processor is required to inform the data subject of his right of recourse as set out in the 2nd sentence above with regard to any changes to the data protection provisions as in the 1st sentence above.
§ 4 Consent
(1) The data processor is only permitted to collect, process and use sensitive information with the prior agreement (consent) of the data subject or in line with a legal provision.
(2) The consent must be in the form of a separate declaration by the user and is valid only if made voluntarily by the data subject. The data subject must be informed of the purpose of the collection, processing and use of this data.
(3) Consent can be given electronically on condition that the data processor ensures that
a. the user has knowingly and explicitly given his consent,
b. the consent is recorded,
c. the user can download the content of the consent at any time and
d. the user can withdraw his consent at any time with regard to future use.
(4) The data processor informed the user prior to his giving consent of his rights as set out under (3) d. § 3 para. 4 2nd sentence applies equally.
(5) The evaluation of the user’s behaviour, particularly through the use of movement or user profiles (see § 3 para. 2 e and f), requires the consent of the data subject if the evaluation could contain details of his sex-life. (2) to (4) above also apply accordingly.
§ 5 Transfer of Information
Information collected, processed or used in order to create, develop or amend a contractual relationship or through telecommunication as set out under § 1 para. 1 of the German Telemedia Act (TMG) may only be transferred to third parties if the data processor has included this in the data protection provisions or if the data subject has consented to the transfer. § 4 remains unaffected.
§ 6 Prohibitions
(1) A data processor collecting, processing or using personal data fort he purposes as set out under § 3 para. 2 may collect, process or use this personal data as long as the data protection provisions inform the data subject of this collection, processing or use. All collection, processing or use above and beyond the data protection provisions is forbidden.
(2) The collection, processing or use of sensitive information is forbidden if the data subject has not given his binding consent hereto (see § 4 para. 2 to 4). The same applies to the use of movement or user profiles if the evaluation could contain information regarding the sex-life of the data subject (see § 4 para. 5).
(3) Third parties may collect personal data. Should this information, however, contain references to the private or sex-life of the data subject and – on its own or in conjunction with other information – make it possible to identify the individual concerned, then the data subject must be notified of the collection, as long as this would not adversely affect the overriding interests of the third party. The data subject is entitled to object to the processing and use of the data. If the data subject makes use of his right of to object then the third party is prohibited from processing or using the data.
(4) Third parties are not entitled to process or use personal data that they have not collected themselves if the data was acquired illegally – particularly if in breach of § 5.
(5) Personal data may not be transferred if the conditions under § 5 have not been fulfilled.
(6) Article 5 of the German Constitution (GG) remains unaffected.
§ 7 Compensation
(1) If a data processor harms a data subject through collection, processing or use of his or her personal data which is unlawful or improper under this Act or other data protection provisions, they shall be obligated to compensate the data subject for damage suffered. The obligation to pay compensation shall be waived if the controller exercised due care if the processor can prove that he acted in compliance with the data protection laws (see § 8 para. 1 2nd sentence).
(2) If a data processor commits a breach of the prohibition as set out under § 6 para. 2 then § 97 para. 2 2nd sentence and 3 of the German Copyright Law shall govern the calculation of the amount of compensation applicable.
(3) The data subject is also entitled to claim monetary compensation for non-monetary damage if and insofar as this is fair.
§ 8 Designing of Procedures
(1) Data processors must ensure, at each stage of the development, design, amendment and expansion procedures used or intended to be used, that the privacy rights of the individual are not at risk when personal data is collected, processed or used. The data processor is therefore obligated to comply with the following guidelines insofar as this is possible with regard to the purpose and the effort required is in reasonable proportion to the desired purpose of protection.
(2) Procedures are to be so designed as to collect, process or use as little personal data as possible. Personal data must be rendered anonymous or encrypted.
(3) Procedures must be designed such that personal data is deleted automatically as soon as they are no longer needed.
(4) Personal data must be protected against unlawful or access or misuse by third parties as far as current technology allows.
(5) Information that contains details of the private or sex-life of the data subject and could – on its own or in conjunction with other information – make it possible to identify the individual concerned must be afforded a higher degree of protection. Sensitive information must be afforded the highest level of protection. This must be a particular consideration in the context of the design of administrator and viewing rights.
(6) The data protection provisions (§ 3) or content forms (§ 4) as well as other notices regarding the collection, processing or use of personal data must be formulated in line with generally prevailing standards and in a form familiar to users.
(7) Personal data that is transferred and used must be traceable.
(8) Where movement or user profiles are created (see§ 3 para. 2 e and f), the procedures must be designed such that the data subject is provided with the technical means to prevent the creation of such profiles, either permanently or temporarily.
(9) The data subject must be provided with appropriate technical means with which to detect and correct incorrect personal data.
§ 9 Complaints Officer
Companies that process personal data and regularly employ at least 20 people are required to appoint a complaints officer. The complaints officer is responsible for receiving and responding to complaints from data subjects regarding the collection, processing or use of personal data. He or she may, at the same time, be the data protection officer (§ 4 f Federal Data Protection Act).