From Wikipedia, the free encyclopedia
Jump to: navigation, search

The German Bundesdatenschutzgesetz (BDSG), a Federal Data Protection Act, regularizes together with the Data Protection Acts of the German federal states and other area specific regulations the exposure to personal data which are manually processed or processed in IT systems.

Historical development[edit]


In the early 1960s the experience in Germany grew by the realization of the United States through the progressive use of information technology. So a regulatory framework needed to be created to counteract the impairment of legitimate interests of the aggrieved person in the processing of personal data.


In the year 1970 the federal state of Hesse passed the first national data protection law, which was also the first data protection law in the world. In 1971 the first draft bill was submitted for a federal data protection act. Eight years later, on 1.1.1979, the first federal data protection act came into force.[1] In the following years in which the BDSG was taking shape in practice, a technical development took place in the data processing as the computer both at work and in the private sector became increasingly important.[2]

Even in the legal field there were significant changes. With the Volkszählungsurteil[3] (census verdict) of December 15, 1983, the Constitutional Court developed the right to informational self-determination (Article 1 I Constitution in conjunction with Article 2 I Constitution). It follows that personal data in Germany are constitutionally protected. This means that individuals have the power to even be allowed to decide when and to what extent personal information is published.[4]

From 1990[edit]

In 1990 the legislature adopted a new data protection law based on the decision of the German Constitutional Court.

The legal amendment[edit]

In 2009 there were three amendments to the BDSG due to criticism from consumer advocates and numerous privacy scandals in business. These contained the following points:[5]

Amendments I and III[edit]

  • Strict earmarking in the enforcement of data protection rights (§ 6 III BDSG)
  • Permissibility and transparency in automated individual decisions (§ 6a BDSG)
  • Transmission of data to commercial agencies (§ 28a BDSG)
  • Admissibility in scoring procedures (§ 28b BDSG)
  • Claims for credit rejection information for cross-border credit inquiry within the EU/EEA(§ 29 VI and VII BDSG)
  • Information on claims against responsible agencies, especially in the case of scoring and commercial agencies (§ 34 BDSG)
  • New penalty offenses (§ 43 I No. 4a, 8b, 8c BDSG)

Amendment II[edit]

  • Introducing a legal definition for the term “Beschäftigte” (employees) (§ 3 XI BDSG)
  • Extension of the target data economy and data avoidance (§ 3a BDSG)
  • Strengthening the position of internal data protection officer by training and explicit job protection law (§ 4f III sentence 5-7 BDSG)
  • Extension of the requirement for the written content to be fixed in order data processing and control of the contractor (§ 11 II BDSG)
  • New eligibility requirements and transparency in the use of personal data as part of the trade of addresses and promotional purposes (§ 28 III BDSG)
  • Tightening the consent requirements of non-written consent (§ 28 IIIa BDSG)
  • Introduction of a prohibition of a coupling in connection with the consent (§ 28 IIIb BDSG)
  • Relief for market- and opinion research companies (§ 30a BDSG)
  • Rule on the admissibility of the processing of employment data (§ 32 BDSG)
  • Expansion of disclosure requirements for moderate transmission list (§ 34 Ia BDSG)
  • Extension of the arrangement powers of supervisory authorities on processing data protection and uses (§ 38 V BDSG)
  • A duty to self-disclosure to the supervisory authority and the affected person for unlawfully obtaining knowledge of data (§ 42a BDSG)
  • Introduction of new fines (§ 43 I No. 2a, 2b, 3a, 8a and II No. 5a-7 BDSG)
  • Increasing the fine frame at 50.000 to 300.000 Euro (§ 43 III BDSG)
  • Transitional arrangements for market and opinion researchers, as well as for promotional use of stored data recorded before September 1, 2009 (§ 47 BDSG)
  • Emphasis on the use of encryption (Annex of § 9 sentence 1 BDSG)

Overview of the BDSG[edit]

  • First section (§ § 1-11): General and common rules
  • Second section (§ § 12-26): Data processing by public bodies
  • Third section (§ § 27-38a): Data processing by non-public bodies and public competitor companies
  • Fourth section (§ § 39-42): Special provisions
  • Fifth section (§ § 43-44): Criminal and civil penalty provisions
  • Sixth section (§ § 45-46): Transitional provisions

Purpose and scope[edit]


The law should protect individuals from being affected by handling their personal information in their personal rights (§ 1 I BDSG).


According to § 1 II BDSG the law applies to the collection, processing and use of personal data by:

  • Public bodies of the Federal
  • Public authorities of the federal states
  • Non-public agencies


The Central Register of Foreign Nationals (Germany) is according to § 22 and § 37 of the law establishing the central register excluded from certain sections of the Bundesdatenschutzgesetz. [6]

Public bodies of the Federation[edit]

Public authorities are the Federal Authorities, the administration of justice and other public-law institutions of the Federation, the Federal Authorities, establishments, and foundations under public law and their associations irrespective of their legal form (§ 2 I BDSG).

Public authorities of the federal states[edit]

Public authorities of the federal states, the authorities and the institutions of justice and other public-law institutions of a federal state, community, a community association and other legal persons of public law which are subordinated to the supervision of the federal state of public law and their associations irrespective of their legal form (§ 2 II BDSG).

Non-public agencies[edit]

Non-public agencies are natural and legal persons, companies and other associations of persons in private law as they do not fall under the paragraphs of § 2 I-III BDSG (§ 2 IV BDSG).

Overview of the first principles[edit]

The BDSG contains seven first principles of data protection law:[1]

1. Prohibition of conditional permission:

The collection, processing and use of personal data is strictly prohibited, unless it is permitted by the law or the person concerned gives consent (§ 4 I BDSG).

2. Principle of immediacy:

The personal data has to be collected directly from the person concerned. An exception of this principle is a legal permission or a disproportionate effort (§ 4 III BDSG).

3. Priority to special laws:

As far as other federal law to personal information including their publication are applicable, these are priority to the BDSG (§ 1 III BDSG).

4. Principle of proportionality:

The approve of standards restrict the fundamental rights of the affected person. Therefore, these laws and procedures must be appropriate and necessary. So a balancing of interests has to take place.

5. Principle of Data Avoidance and Data Economy:

  • Economy of data: Data that are not absolutely necessary to collect for the purpose of achievement may not be applicable
  • Data avoidance: If data must be collected, dealing with them must be limited to the necessary minimum

6. Principle of Transparency:

If personal data of the person concerned are collected, he/she has to be informed by the responsible entity of its identity and the purposes of the collection, processing or use (§ 4 III BDSG).

7. Principle of Earmarking:

If data can be collected for a particular purpose, dealing with them is bound to this purpose. A new purpose-setting requires a law or consent.

Types of personal data[edit]

Personal data means all data that give information about the personal and the factual of an identified or identifiable natural person. They include:

  • Personal relationships: name, address, occupation, e-mail
  • Factual circumstances: income, taxes, ownership
  • Special kind of personal data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life. These data are subject to special protection.

European law[edit]

The Council of Ministers and the European Parliament adopted a general data protection directive on October 24, 1995, that had to be implemented in the law of the Member States (Directive 95/46/EC of the European Parliament and Council on the protection of individuals with the processing of personal data and on the free movement of such data) by the end of 1998. Except for France and Ireland, all EU member states have transposed the directive.

The harmonization of data protection law in the European Union was already drafted by the "Convention for the Protection of Individuals with regard to automatic processing of personal data". Once the Convention are signed the signatories are obliged to guarantee to treat the principles laid down as a common data protection law to at least a minimum. An obligation on Member States to the sales in domestic law was not connected.

Such an obligation has been incurred only with the general Data Protection Directive.

Cross-border data transmission[edit]

The following rules apply in accordance with the requirements of the European Commission's Data Protection Directive to companies domiciled in Germany and for companies based abroad.

Companies domiciled in Germany[edit]

For companies based in Germany, the Federal Data Protection Act regulates the transfer of data differently in another EU member country and to a third country.

Transmission from Germany to another EU member country[edit]

Through the implementation of the EU Data Protection Directive in the member countries in the EU area a uniform level of data protection has emerged. A company domiciled in Germany is therefore entitled to transfer personal data in Europe, if that right in accordance to § 28 BDSG exists.[7]

Transmission from Germany to a third country[edit]

Transfers to third countries must comply with the requirements of the Federal Privacy Act (§ 4b II sentence 1 BDSG). The transmission must cease if the person has a legitimate interest in the prevention of transmission, especially if an adequate data protection in the third country is not guaranteed (§ 4b II sentence 2 BDSG). The adequacy of protection shall be assessed by taking all the circumstances into account that are of importance for data transmission (§ 4b III BDSG). These include the type of data, the purpose, duration of processing, professional rules and security measures. In the opinion of the European Commission, Switzerland and Canada have an adequate level of protection. A further decision by the European Commission has taken to data transmission into the United States. According to the decision the U.S. Department of Commerce assured a reasonable level of data protection by the negotiated Safe Harbor Agreement. Through the Safe Harbor Agreement, the recipient in the United States commits by statements to the relevant U.S. authorities to comply with certain data protection principles. For other third countries, it is hardly possible to determine the appropriate level of protection because of the complex criteria. For this reason certain exceptions (in § 4c I and II BDSG) under which a data transmission is allowed in third countries, even if an adequate level of data protection is not guaranteed, are important.

§ 4c I BDSG allows the person's consent and submission to the fulfillment of a contract between the parties and the responsible party to cross-border data transfer.

In all other cases the "subject to approval contract solution" (§ 4c II BDSG) allows the manufacturing site to transfer data in recipient countries where an adequate level of data protection is ensured. The contractual clauses or "binding corporate rules" must offer adequate guarantees regarding the protection of personal rights and must be approved in advance by the Competent Authority (§ 4c BDSG II set 1). For international companies it is advisable to resort approval procedures for standard contractual clauses of the European Commission. Even self-regulation in corporate policies can enable the data flow within multinational corporations. The codes of conduct must also give victims legal rights guaranteed positions, as is the case in contract solutions.[8]


  1. ^ Gola/Schomerus, BDSG Kommentar, page 47, München 2010, ISBN 978-3-406-59834-0
  2. ^ Gola/Schomerus, BDSG Kommentar, page 47, München 2010, ISBN 978-3-406-59834-0
  3. ^ BVerfGE 65, page 1 ff.
  4. ^ BVerfGE 65, 1 (41 ff.)
  5. ^ Gola/Schomerus, BDSG Kommentar, page 54, München 2010, ISBN 978-3-406-59834-0
  6. ^ http://www.gesetze-im-internet.de/azrg/BJNR226500994.html#BJNR226500994BJNG000200000
  7. ^ Gola/Schomerus, BDSG Kommentar, page 140 f., München 2010, ISBN 978-3-406-59834-0
  8. ^ Gola/Schomerus, BDSG Kommentar, page 151, München 2010, ISBN 978-3-406-59834-0

External links[edit]