Alternative Draft Data Protection – Legislative Decree, August 2012 Version

§ 1 Purpose and Aims

(1) This decree protects individuals against infringements of their right to privacy and their right to informational self-determination as a result of the handling of their personal information during the collection, processing and use of personal data.

(2) The facilitation of the free flow of personal data within the European Union is a further, equally important aim of this decree.

§ 2 Material Scope

(1) This decree applies to the partly- or wholly-automated and non-automated processing of personal data that is saved in a file or is intended to be saved in a file.

(2) This decree does not apply to the collection, processing, transfer or use of personal data by the public authorities of the European Union and its member states.

(3) Insofar as other legislation regarding personal data including the publication thereof applies, this will have precedence. Freedom of expression, freedom of information and freedom of the press are not affected.

(4) Legal, professional and other official obligations of confidentiality that are not based in legislation also remain unaffected.

§ 3 Territorial Scope

– not defined –

§ 4 Definitions

(1) Personal data means any information that can be applied to a natural person and that – used alone or in conjunction with other information – contains statements regarding that person.

(2) Sensitive data is any information that – alone or in conjunction with other information – contains statements regarding the sex-life of the person.

(3) Collection means the preparation or acquisition of information about a person.

(4) Processing means the storage, modification, blocking and erasure of personal data.

Specifically, irrespective of the procedures, media or forms of representation used:

a. storage means the entry, recording or preservation of personal data on a storage medium so that they can be processed or used again,

b. modification means the alteration of the substance of stored personal data,

c. blocking means labelling stored personal data so as to restrict their further processing or use,

d. erasure means the anonymising of stored personal data.

(5) Communication means the disclosure to a third party of personal data either

a. through passing the data on to the third party or

b. through the third party inspecting or retrieving data held ready for inspection or retrieval,

Third party means any person or body other than the data processor or an affiliated body (see § 15 AktG / German Stock Companies Act) or the affected person or any persons or bodies collecting, processing, transmitting or using personal data, to order in Germany, an EU member state or in a signatory state to the EEA Treaty.

(6) Use means any utilisation of personal data other than collecting, processing or transmitting.

(7) Recipient means every person or body who obtains personal data.

(8) Data processor means any natural or legal person who collects, processes, transmits or uses personal data.

(9) A file is any structured collection of personal information that can be accessed according to certain criteria, regardless of whether this collection is organised centrally, decentrally or according to functional or geographical aspects.

(10) Geodata means all information directly or indirectly related to a particular place or geographical area.

§ 5 General Data Processing Provisions

(1) Data processors are required to respect the personal rights of the individual concerned in the course of collecting, processing, transmitting and using personal information (requirement of consideration).

(2) It is permitted to collect personal information. Where the information relates to details that contain statements about the individual’s personal or sex life, and – alone or in conjunction with other details – can make a meaningful picture of that individual, the person concerned must be informed of the collection of this data as long as the third party’s own prevailing interests are not thereby compromised. The person concerned is entitled to object to the processing, transmission and use of this information if the protection of the rights of the individual concerned could be damaged by the processing, transmission or use. If the individual concerned makes use of this right of objection, the third party is forbidden to collect, transmit or use this information.

(3) Personal information not obtained by the data processor may be processed, transmitted and used as long as the data processor has obtained the information by legal means or in the event that the legitimate interests of the data processor in processing, transmitting and using the information outweigh those of the person concerned.

§ 6 Particular Obligations where Data is Processed by Entrepreneurs

(1) The collection, processing, transmission and use of personal data by an entrepreneur as defined under § 14 of the German Civil Code (BGB) must be carried out in good faith and for clearly defined purposes. Entrepreneurs are particularly bound by the obligations arising out of §§ 6 to 11 of this decree.

(2) §§ 6 to 8 of this decree are intended to regulate market conduct in the interests of participants. Adherence to §§ 9 and 10 and 13 and 14 of this decree will be supervised by the Data Protection Supervisory Authorities.

§ 7 Transparency

(1) If an entrepreneur collects, processes or uses personal information for the purposes of creating, developing or amending a contractual relationship or through the operation of a telecommunications entrepreneur is required to draw up and adhere to transparent (i.e. clear and comprehensible) data protection provisions. If the data protection provisions of the entrepreneur are not transparent, the entrepreneur may not rely on them.

(2) The entrepreneur is required to provide a written version of the data protection provisions to his clients at all times. In the case of telemedia, users must be able to download the data protection provisions at all times.

(3) Where the data processor expects that his clients or users will often be minors, he is required to word the data protection provisions such that they can be easily understood by minors. The regulations governing the protection of minors remain unaffected.

(4) The data protection provisions must inform the person concerned in a clear and generally understandable (transparent) manner about

a. the manner and scope of the personal data that has been collected, processed, transmitted and used,

b. the purpose of the collection, processing and use of personal information as well as the reason why this information is required for this purpose,

c. the transmission of personal information to third parties,

d. the rights reserved by the entrepreneur to process and use the personal information of the person concerned throughout the course of the contract or use of the telemedium,

e. the setting-up, processing, transmission and use of movement profiles obtained through Geodata,

f. the collection, processing, transmission and use of personal information to assess the behaviour of the data subject (user profiles) with the intention of tailoring advertising to the interests of the user,

g. the technical and organisational measures taken by the data processor in order to protect the data against unauthorised access or damage by third parties including the process used to encrypt and anonymise the data (data security),

h. the means by which data subjects can obtain information regarding the data that has been collected, processed, transmitted and used in order to ensure that errors are corrected, including the means by which data subjects can obtain access to the information and correct it themselves,

i. the rights of the data subject to object to the collection, processing, transmission and use of information in part or in whole,

j. the data protection officer as set out in § 10, or other person appointed by the entrepreneur to receive, process and respond to complaints from data subjects regarding the collection, processing and use of personal data, giving direct contact details,

k. the codes of practice and other rules of conduct by which the entrepreneur is bound,

l. the rights reserved by the entrepreneur to change the circumstances of the collection, processing, transmission and use of personal data as defined under letters a to k above.

(5) Where the collection, processing and use of personal data is carried out within the scope of a contractual relationship, the data processor is required to inform the client of all major changes to the data protection provisions (Revision Rights). These revision rights do not apply to the transmission of personal information to third parties.

(6) If the entrepreneur makes use of these revision rights, he is required to inform the person concerned of all significant changes to the data protection provisions. The data subject is entitled to reject changes in the collection, processing and use of personal data as set out under section 1 insofar as the legitimate interests of the data subject regarding the changes outweigh those of the data processor. The data processor is required to inform the data subject of his right of recourse as set out in the 2nd sentence above with regard to any changes to the data protection provisions as in the 1st sentence above.

(7) If an entrepreneur collects, processes or uses personal information for the purposes as set out under 4b above, he is entitled to collect, process and use this personal information insofar as this is permitted within the scope of the data protection provisions set out in 1 to 6 above. Collecting, processing and using personal data in such a way as to be at variance with the data protection provisions is forbidden.

(8) An entrepreneur may only transmit personal information to third parties if this is permitted within the scope of the data protection provisions or if the person concerned has given his or her consent thereto.

§ 8 Consent

(1) The data processor is only permitted to collect, process, transmit and use sensitive information with the prior agreement (consent) of the data subject or in line with a legal provision.

(2) The consent must be in the form of a separate declaration by the user and is valid only if made voluntarily by the data subject.

(3) Consent can be given electronically on condition that the data processor ensures that

a. the user has knowingly and explicitly given his consent,

b. the consent is recorded,

c. the user can download the content of the consent at any time and

d. the user can withdraw his consent at any time with regard to future use.

(4) The data processor must inform the user, prior to his giving consent, of his rights as set out under (3) d. § 7 para. 2 2nd sentence applies equally.

(5) The evaluation of the user’s behaviour, particularly through the use of movement or user profiles (see § 7 para. 4 e and f), requires the consent of the data subject if the evaluation could contain details of his sex-life. (2) to (4) above also apply accordingly.

(6) The entrepreneur is not permitted to collect, process, transmit or use sensitive information if the person concerned has not given effective consent.

§ 9 Designing of Procedures

(1) The entrepreneur must ensure at each stage of the development, design, amendment and expansion of procedures used or intended to be used, that the following guidelines are adhered to insofar as this is possible with regard to the purpose and the effort required is in reasonable proportion to the desired purpose of protection.

(2) Procedures are to be designed such that personal information is deleted automatically as soon as it is no longer required for the original purpose and as long as there is no legal requirement for this information to be stored. Archiving and use exclusively for the purpose of proof is permitted.

(3) Security measures are to be of the highest technical standard. In particular, personal information must be protected against unlawful or access by third parties as far as current technology allows.

(4) Information that contains details of the private or sex-life of the person concerned and could – on its own or in conjunction with other information – make it possible to identify the individual concerned must be afforded a higher degree of protection. This must be a particular consideration in the context of the design of administrator and viewing rights.

(5) The data protection provisions (§ 7) or consent forms (§ 8) as well as other notices regarding the collection, processing or use of personal data must be formulated in line with generally prevailing standards and in a form familiar to users.

(6) All personal data that is collected and transferred must be traceable. This also applies to all versions of the data protection laws (see § 7).

(7) Where movement or user profiles are created (see § 7 para. 4 e and f), the procedures must be designed such that the person concerned is provided with the technical means to prevent the creation of such profiles, either permanently or temporarily.

(8) The data subject must be provided with appropriate technical means with which to detect and correct incorrect personal data. Sensitive information must be afforded the highest level of protection.

§ 10 Individual Privacy Protection Officer

Companies that process personal information and regularly employ at least 20 people are required to appoint an Individual Privacy Protection Officer. Companies whose main business activity is data processing, and therefore the processing of personal information, must appoint an individual privacy protection officer regardless of size. The individual privacy protection officer is responsible for receiving and responding to complaints from persons concerned regarding the collection, processing or use of personal data. He or she may, at the same time, be the data protection officer.

§ 11 Compensation

(1) If a data processor harms a person concerned through collection, processing, transmission or use of his or her personal information, they shall be obligated to compensate the data subject for damage suffered. The obligation to pay compensation shall be waived if the company can prove that they acted in compliance with the data protection laws (see § 9 para. 1 2nd sentence).

(2) If a company commits a breach of the prohibition as set out under § 8 para. 6 then § 97 para. 2 2nd sentence and 3 of the German Copyright Law shall govern the calculation of the amount of compensation applicable.

(3) The data subject is also entitled to claim monetary compensation for non-monetary damage if and insofar as this is fair. This is generally the case if an illegal breach of privacy has been committed or if privacy rights have been breached within the scope of disclosure (see § 13).

(4) If the person concerned can prove that his or her privacy has been breached, he or she is entitled to demand that the company state whether or not the infringement has been documented according to § 14. If the infringement has not been recorded, it will be assumed that illegal activity has taken place.

§ 12 Notification, Correction and Deletion

– not defined –

§ 13 Disclosure

(1) In the event that a company processes sensitive information or significant amounts of other information in an illegal manner or a third party obtains illegal access to this information, they are required to inform the persons concerned individually and immediately upon discovery. This applies particularly in the case of the illegal use of information e.g. in order to compile profiles and where significant breaches of security have occurred. A significant breach of security is one that can lead to information being accessed illegally.

(2) In addition to the persons concerned, the appropriate authorities must also be informed. The persons concerned are to be informed of their rights under this law, particularly of § 11.

§ 14 Documentation

(1) The entrepreneur is required to document the design of all processes as set out under § 9. Business processes, typical processing steps, the purpose of the processing, the types of information collected and their provenance as well as the recipient and all related technical and organisational security processes must be documented insofar as this does not compromise security.

(2) Procedures for identifying illegal activity and breaches of security as defined under § 13 must also be documented.

(3) This documentation is to be organised such that it can be inspected without breaching the rights of third parties and without compromising the security or the legitimate interests of the company.