From the general right of privacy, which was derived from the Basic Law, the right to informational self-determination has been developed. The specific right to informational self-determination and the increased sensitivity in Germany because of the historical events on this subject resulted in a radical amendment of the Federal Data Protection Act (hereinafter called “BDSG” = “FDPA”). While in other European countries personal data were particularly protected and always publicly accessible, there was a rising demand in Germany to protect personal data from unauthorized access. In the first place, the data should be safeguarded completely against unauthorized access by the state. A milestone was the judgement of 1983 by the Federal Constitutional Court concerning the census, in which the basic principles of data protection were laid down and which led to a revised version of the Federal Data Protection Act.
Apart from the Federal Data Protection Act, there are numerous other laws which regulate data protection. These include, for instance, the German Telecommunications Act, the Telemedia Act, the EU Directive on data protection or the Data Protection Act of the countries.
Only private persons are protected by the FDPA. Enterprise data are not covered by the FDPA. The data of private persons are protected from access by the State on the one hand and by enterprises on the other. Personal data are deemed to be individual data that concern the personal and material circumstances of a specific or identifiable natural person (e.g. name, maiden name, address, date of birth, place of birth, telephone number, e-mail address and IP address).
The Federal Data Protection Act applies to public and private bodies that process data in whatever form. According to the Federal Data Protection Act, private bodies are any natural and legal persons, companies and other associations of individuals under private law. The processing of data has been defined in wide terms. It covers collecting and analysing data (storing, amending, processing, deleting) and the use of data.
A fundamental principle in the Federal Data Protection Act is the "prohibition reserving the right of permission". This means that collecting, storing and processing personal data is inadmissible for private enterprises, and that this inadmissibility can only be lifted with the consent of the person concerned or by an exceptional provision.
A further principle of data protection is the principle of data avoidance and minimization, i.e. keeping the personal data processed to the absolute minimum, § 3 a Federal Data Protection Act, with the aim of collecting, processing or using no personal data or as little personal data as possible. In addition, the data must be used in anonymized or pseudonymized form. Apart from these principles, any undertaking collecting, processing and using personal data must follow specific legal regulations. In this connection the appointment of a data protection officer has to be mentioned, § 4 Federal Data Protection Act. However, this need not necessarily be an employee.
Furthermore, any undertaking which collects, processes or uses personal data may be required to maintain a directory of procedures. A distinction is made between the internal and the external directory of procedures.
This requirement results from the fact that based on the appointment of a data protection officer, the data controller is exempted from reporting requirements, § 4 d Federal Data Protection Act.
If no data protection officer has been appointed, the head of the private body, i.e. the general manager or the owner of a company, has the duty to ensure that the data protection officer’s functions are fulfilled in a different way, § 4 section 2a Federal Data Protection Act.
Pursuant to the above-mentioned prohibition reserving the right of permission, the responsible body must make sure that the processing is legally permissible or that the person concerned has given consent. This also applies to the transmission of data between linked companies, because the Federal Data Protection Act does not provide for an intra-group exemption.
An exception to the consent requirement applies if data are forwarded on the basis of commissioned data processing. It is essential, however, to conclude a so-called separate data processing agreement in the sense of § 11 Federal Data Protection Act. Especially regarding the use of analysis tools on internet pages (for example Google Analytics), external software programs in which personal data are processed or stored, the outsourcing of accountancy, or a personal file, the conclusion of such an agreement is absolutely necessary.
Aside from the Federal Data Protection Act, additional laws in the field of data protection are applicable. Within this context particular reference is made to the Telemedia Act, which imposes certain obligations on the operators of online services. § 13 Telemedia Act sets out the obligation to keep a Privacy Code available on the internet page.
The team of NACHTWEY IP advises on the creation of Privacy Codes for websites. We provide comprehensive advice to companies in respect of the data protection requirements to be observed. Furthermore, we are happy to draft data processing agreements of every description.