Berlin Data Protection Act. Law to Protect of Personal Data in the Berlin Administration. (Berlin Data Protection Act - BlnDSG)


Berlin Data Protection Act

Law to Protect of Personal Data in the Berlin Administration (Berlin Data Protection Act - BlnDSG)

as of 17 December 1990 (GVBl pp. 16, 54), last amended by Act of 16 May 2012 (GVBl. p. 137)

Part One General provisions

Section 1 Purpose and Object of Data Protection

(1) The purpose of this Act is to regulate the processing of personal data by public authorities and other public agencies in order to
1. protect the right of each individual to self-determine the disclosure and use of his or her data, unless any restrictions are permitted by this Act or by other legislation (informational self-determination),
2. to protect the constitutional order based on the principle of the separation of powers against any risk caused by automated data processing.

(2) This law protects personal data collected, stored, modified, transferred, blocked, deleted or otherwise used by public authorities or other public bodies.

Section 2 Scope of Application

(1) All authorities and other public bodies (particularly institutions without legal capacity, hospital companies, municipal utilities and courts) of the State of Berlin and the state bodies, institutions and foundations under public law (section 28 of the General Jurisdiction Act) have the obligation to protect personal data under this Act. This shall also apply to natural and legal persons, companies and other associations of persons under private law, who fulfil any tasks of public administration.

(2) Where data processing is related to earlier, existing or future legal service or employment relationships, section 28 paragraph 2 number 2, sections 31 to 35, 39 and section 43 of the Federal Data Protection Act shall apply instead of sections 9 to 17 of this Act, unless regulated otherwise. This shall also apply to processing in files.

(3) For public bodies who participate in competition the provisions of sections 3, 6, 6a, 9 to 17 and 30 of this Act shall not apply. These bodies shall be subject to sections 11, 27 paragraph 2, sections 28 to 35, 39, 40, 42a and 43 of the Federal Data Protection Act.

(4) To the extent personal data are processed within the scope of the law on the procedure of the Berlin administration, the provisions of the Berlin Data Protection Act shall apply.

(5) This law comprehensively regulates the protection of personal data for authorities and other public bodies. Other state laws may provide individual necessary deviations from this act for certain authorities and other public bodies; in all other respects data protection shall be subject to the provisions of this Act in those cases as well.

Section 3 Processing of Personal Data on behalf of Others

(1) The provisions of this Act shall also apply to the authorities and other public bodies to the extent that personal data are processed on their behalf by other persons or entities. In those cases the processor shall be chosen with care, taking especially under consideration the appropriateness of the technical and organizational measures taken by him (section 5 paragraph 1). The order must be placed in writing and shall particularly state the following:
1. the subject and duration of the order,
2. the extent, nature and purpose of the proposed collection, processing or use of data, the type of data and the scope of persons affected,
3. the technical and organizational measures to be taken under section 5,
4. the correction, deletion and blocking of data,
5. the checks to be carried out by the processor,
6. any entitlement to establish subcontract relationships
7. the control rights of the client and the corresponding toleration and cooperation obligations of the processor,
8. required reporting of any breach by the processor or persons employed by him of any regulations adopted to protect personal data or against the provisions made,
9. the scope of ordering powers, the client reserves versus the processor,
10. the obligation to return the data media provided to the processor and to delete the stored data after completion of the job.
The client shall check compliance with the requirements specified in Clause 3 above.

(2) Sections 9 and 17 of this Act shall not apply to the authorities and other public bodies to the extent they process personal data on behalf of others. In such cases the processing of personal data shall be allowed only as directed by the controller. Any instructions directed towards any data processing in violation of this Act or any other data protection legislation must not be executed. The controller and his supervisory authority shall be informed immediately. The same applies if data are to be processed which in the opinion of the processor were acquired in violation of law.

(3) For legal persons, companies and other associations of persons under private law, where the State of Berlin or a state body, institution or foundation under public law holds the majority of shares or is entitled to the majority of the votes, the provisions of the Part Four shall apply accordingly, provided that in the cases of paragraph 1 sentence 1 they become active by order. With regard to the powers granted under section 28 paragraph 1 the fundamental right of inviolability of the home (Article 13 of the Basic Law, Article 19 paragraph 2 sentence 1 of the Berlin Constitution) shall be restricted to operating and business hours.

(4) Where the provisions of this Act do not apply to the processor, the controller shall be under the obligation to ensure by contract that the processor complies with the provisions of this Act and, to the extent data processing is carried out within the scope of application of this law, submits himself to the control by the Berlin Commissioner for Data Protection and Freedom of Information. If the data are processed in another federal state or in a member state of the European Union, it must be ensured that the processor is subject to data protection control by the responsible institution. The controller shall inform the Berlin Commissioner for Data Protection and Freedom of Information about the engagement.

Section 3a Maintenance

(1) Data processing systems shall be designed in such a way that access to personal data is not possible during their maintenance. If this is not ensured, the controller shall take technical and organizational measures to ensure that access is possible only to those personal data that are absolutely necessary for maintenance. In particular, the following requirements shall be met: It shall be ensured that
1. only authorized staff performs the maintenance,
2. any maintenance operation can be performed only, if the storing institution is aware of the maintenance and wants it to be done.
3. any personal data are prevented from being removed or transferred without authorization in the course of maintenance,
4. all maintenance operations may be checked while being performed.
5. all maintenance operations may be traced later.
6. during maintenance any program not required for maintenance is prevented from being started.
7. during maintenance no data processing programs may be changed without authorization and
8. maintenance is organized and conceived in such a way that it meets the particular requirements of data protection.

(2) Any maintenance by other institutions beyond the requirements specified in paragraph 1 shall require written agreements. Such agreements shall include the following regulations:
1. nature and extent of maintenance,
2. definition of rights and duties between controller and processor,
3. a controller's obligation to log all operations and the processor's obligation to comply with the customer's instructions for handling the data and to abide by his instructions,
4. data shall be used exclusively for the purpose of maintenance
5. it shall be ensured that the processor does not transmit any data to other bodies,
6. deletion of data after completion of maintenance work,
7. the technical connection must be established by the controller; where this is not possible, a mandatory recall procedure shall be established,
8. as far as possible, presence of the system administrator shall be ensured.
9. encryption of personal data during transfer shall comply with the current state of the art and
10. in the event that a processor operates outside the Member States of the European Union, the relevant provisions of section 14 regarding the transfer of personal data to foreign and international bodies shall apply.
All people entrusted with maintenance works shall be bound to data confidentiality.

(3) Where access to data during maintenance works is possible only in encrypted, pseudonymized and anonymized form, thus ensuring that the institution entrusted with maintenance cannot re-identify the persons affected, only the measures set out in paragraph 2, sentences 1 and 3 are required. Any access to data must be linked to a clearly defined purpose.
(4) For the purposes of this Act,
a) Maintenance shall mean the totality of measures taken to ensure the availability and integrity of the hardware and software of data processing systems, including the installation, maintenance, inspection and correction of software and the verification and repair or replacement of hardware,
b) Remote maintenance shall mean the maintenance of the hardware and software of data processing equipment by means of data transfer systems from a location outside the place where the personal data are processed, and
c) Encryption shall mean the replacement of plaintext words or characters with others in a way that the plaintext can be made readable again only with a disproportionate amount of time, money and manpower.

Section 4 Definitions

(1) For the purposes of this Act, personal data shall mean details about personal or material circumstances of an identified or identifiable natural person (data subject). The same applies to data on deceased persons, unless the legitimate concerns of the data subject can no more be affected.

(2) Data processing shall mean the processing, collection, storage, modification, transfer, blocking, deletion and use of personal data. For the purposes of the following provisions
1. data collection shall mean the acquisition of data about the data subject
2. data storage shall mean capturing, recording or storing data on a data storage medium,
3. modification shall mean changing the contents of stored data, regardless of the method used to do so,
4. transfer shall mean the disclosure to third parties of data stored or obtained by processing of obtained data in such a way that the controller submits the data to such third party or that the third party retrieves the data prepared for retrieval,
5. Blocking shall mean preventing further processing of stored data,
6. Deletion shall mean to eliminate stored data,
7. Use shall mean any other use of personal data.

(3) For the purposes of this Act,
1. controller shall mean any authority or other public body that processes data for use by itself or has data processed by others; where it fulfils different legal duties, the one organizational unit to which the task has been assigned shall be deemed to be the controller,
2. Receiver shall mean any person or body who receives the data,
3. Third party shall mean any person or body outside the controller, except the data subject or those persons and bodies who in the cases covered by number 1 process data by order of others under the jurisdiction of the legislation for the protection of personal data of the Member States of the European Union
4. automated data processing shall mean any data processing performed automatically using a controlled technical process,
5. data file shall mean a collection of data that can be analysed by automated procedures (automated file), or a similarly structured collection of data that can be sorted and analysed according to certain characteristics (non-automated file)
6. file shall mean any other document for official purposes, to the extent it is not a data file as contemplated by number 5, including images and audio recordings but not preliminary drafts and notes not supposed to become part of a process,
7. Anonymization shall mean the modification of personal data in such a way that the details about personal or material circumstances can no longer or only with a disproportionate amount of time, cost and effort be assigned to an identified or identifiable natural person,
8. Pseudonymization shall mean replacing the name and other identifying characteristics with a mark in order to prevent or considerably complicate the identification of the data subject.
9. a mobile personal data processing and storage medium shall mean a data storage medium
a) handed over to the data subject,
b) on which beyond storage personal data may be automatically processed by the issuing institution or by another institution and
c) where the data subject may influence such processing only by using the medium.

Section 5 Technical and Organizational Measures

(1) The implementation of the provisions of this Act and other regulations concerning data protection shall be ensured by technical and organizational measures. The type of such measures shall be appropriate for the intended purpose of protection and shall depend on the current state of the art.

(2) If personal data are processed automatically, appropriate measures shall be taken to ensure that
1. only authorized persons may take notice of the data (confidentiality)
2. personal data remain intact, complete and up to date during processing (integrity),
3. personal data are available on time and may be processed properly (availability),
4. personal data may be related to their origin any time (authenticity),
5. it can be found out, who processed which personal data in what way at what time (auditability), and
6. the procedures governing the processing of personal data are complete, up to date and documented in such a manner that they can be understood in a reasonable time (transparency).

(3) Before making a decision about the use or a significant change in automated data processing, the technical and organizational measures to be taken shall be determined on the basis of a risk analysis and a security concept. In procedures where data are processed that are subject to professional or special official secrecy or have been collected for the prosecution of crimes and administrative offences this shall include a prior analysis regarding any risks affecting the right of informational self-determination. According to technical development such analysis shall be repeated at appropriate intervals. Where despite feasible security measures there are still any remaining unacceptable risks that cannot be prevented by the measures referred to in paragraphs 1 and 2, or by any modification of automated data processing, the processing must not take place.

(4) Where personal data are not processed automatically, the provisions of paragraph 2 numbers 1 to 4 shall apply accordingly.

(5) Automated data processing shall be organized in such a way that it is possible to separate the data according to each intended purpose and according to the various data subjects already during processing, particularly during transfer, while taking notice in performing one's duties and during inspection.

Section 5a Data Minimization

Planning, design and selection of information technology products and processes shall be governed by the aim to process no or as few as possible personal data. In particular, the possibilities of anonymization and pseudonymization shall be used wherever possible and provided that costs are in a reasonable relation to the intended purpose of protection.

Part Two Conditions of Data Processing and Rights of Data Subjects

Section 6 Admissibility of Data Processing

(1) The processing of personal data is only permissible if
1. either this Act or
2. a special law permits it or
3. the data subject has consented.
Processing personal data is permitted under this Act, provided that the nature of the data, their obviousness or the nature of use does not affect the legitimate concerns of the data subject. Sentence 1, no. 2 shall apply only if the data protection ensured by the legal provision is comparable with this Act.

(2) Where personal data are processed because of a legal provision of the Federal government without processing being regulated in detail, sections 13 to 15 of the Federal Data Protection Act shall apply.

(3) Where data processing is based on the consent of the data subject, he shall be informed appropriately about the meaning of his consent, in particular about the intended use of the data. In case of intended transfers such duty to inform shall also include information regarding the recipient of the data and the purpose of transfer. The data subject shall be informed in detail about the legal consequences and the possibility to refuse to consent.

(4) Consent requires the written form, unless a different form is appropriate in special circumstances. If consent is to be given together with other statements in writing, this shall be especially pointed out to the data subject electronically or in writing.

(5) The person's consent is effective only if based on his free decision. Particularly it shall be ineffective if achieved under threat of unlawful disadvantages or due to lack of information. As far as special categories of personal data are processed according to section 6a paragraph 1, the consent shall relate expressly to those data.

(6) Consent may also be given electronically. It must be ensured that the requirements for establishing the authenticity of the consent are in line with those required for the underlying administrative action.

Section 6a Processing of Special Categories of Personal Data

(1) Personal data as defined in article 8 paragraph 1 of Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, P ) - EC Data Protection Directive - may be processed only if there are adequate safeguards to protect the right to informational self-determination and provided that a special legal provision which defines the purpose of processing allows such processing.

(2) Processing of those data is also permissible if the data subject has expressly consented or if processing is required in order to protect the vital interests of the data subject or a third party and provided that for legal or factual reasons the data subject is not in a position to give his consent.

(3) The provisions of paragraphs 1 and 2 shall not apply if
1. data are processed on the basis of section 2 paragraph 2 and section 30 of this Act or
2. data processing is required for the purpose of preventive health measures, medical diagnosis, care or treatment or the management of health services and provided that those data are processed by medical staff or other persons subject to appropriate confidentiality obligations.

Section 7 Rights of Data Subjects

Everyone has a right under this Act to
1. information, notification and inspection (section 16),
2. rectification, blocking, erasure and objection (section 17);
3. indemnification and injunctive relief (section 18),
4. access to descriptions and registers (section 19a),
5. appeal to the Berlin Commissioner for Data Protection and Freedom of Information (section 27).
The data subject may not effectively waive those rights.

Section 8 Data Confidentiality

(1) The personnel of authorities and other public bodies who process data for these bodies or on behalf of others, is not allowed to process any personal data without authorization. For the staff of private contractors of public bodies who have official access to personal data that requirement shall be ensured by contract.

(2) The personnel shall be subjected to the requirements of paragraph 1 upon starting their job. Their obligations shall persist after the termination of their job.

Section 9 Necessity

(1) Under the following provisions processing of personal data shall be allowed only if necessary for legitimate fulfilment of the tasks assigned to the data-processing body by law and for the purpose associated to each case.

(2) Where personal data are connected in files in such a way that separation of necessary and non-necessary data is impossible even by copying and obliteration or if such separation is possible only with unreasonable effort, taking notice, forwarding within the controlling body and transfer of data that are not necessary to fulfil the corresponding task shall be permitted beyond paragraph 1. To that extent any use of those data shall be prohibited.

Section 10 Data Collection

(1) As a rule, personal data shall be collected only from and with the knowledge of the data subject under the conditions of section 6 paragraph 1 and section 6a paragraphs 1 and 2.

(2) Where data are collected from and with the knowledge of the data subject, he shall be given appropriate information regarding the purpose of such data collection. Where data are intended to be transmitted, the duty of information also shall include disclosure of the recipient of the data. Where data are collected from the data subject on the basis of any obligation to provide information based on a legal provision, he shall be informed about such legal basis. In all other cases the data subject shall be informed that he may refuse to respond. Where information is required in order to grant any public benefits, the data subject shall be informed about the possible consequences of non-response.

(3) In individual cases public authorities and other public bodies may collect data without knowledge of the data subject only, if
1. allowed by a legal provision,
2. the data subject has consented to this form of data collection or
3. timely information of the data subject is not possible and provided that there is no evidence that the legitimate concerns of the data subject could be affected.

(4) Data may be collected from the data subject or from third parties outside the public sector without his knowledge only if provided by a legal regulation.

(5) If data are collected without the knowledge of the data subject, he shall be notified as soon as the legitimate performance of the tasks is no longer at risk by doing so. Such notification shall include the legal basis and the information provided for in paragraph 2, sentences 1 and 2.

Section 11 Use for Defined Purposes

(1) As a rule, personal data may be processed only for the purpose for which they had been collected or stored. Personal data which an authority or public body has received without collecting them may only be used for purposes for which they had been stored first.

(2) If personal data are to be processed for purposes they had not been acquired or stored for, processing is permissible only if
1. one of the requirements defined under section 6 paragraph 1 or section 6a paragraphs 1 or 2 apply,
2. this is required to avoid serious disadvantages for the common welfare or any other imminent threat to public security or to avert a serious impairment of the rights of another person or
3. any legitimate evidence for criminal or administrative offences is found while fulfilling legal tasks and information of the responsible law enforcement authorities is deemed necessary.
Where the personal data are subject to professional or special official secrecy and provided that the person sworn to secrecy transmitted them to the controller in exercising its professional or official duties, sentence 1 no. 2 and 3 do not apply.

(3) Where personal data are connected in files in such a way that separation by different purposes is impossible even by copying and obliteration or if such separation is possible only with unreasonable effort, separation shall be replaced by the prohibition of use as contemplated in paragraph 2 for those data which do not serve the purpose of the corresponding processing.

(4) Data are not deemed to be processed for other purposes, if processed in exercising powers of supervision and control, internal auditing, financial auditing or in carrying out investigations. Access to personal data is permitted only to the extent it is indispensable for the exercise of those powers. Personal data may be used for education and further education purposes only, if this is indispensable and provided that it does not conflict with any legitimate concerns of the data subject; personal data must not be used for testing and verification purposes.

(5) Personal data stored exclusively for purposes of monitoring data protection, data security or to ensure the proper operation of a data processing system must not be used for other purposes.

Section 12 Data Transfer within the Public Sector

(1) The transfer of personal data to authorities and other public bodies is permissible, if one of the prerequisites of section 11 paragraph 2 sentence 1 no. 1 to 3 is met. If the data are required by an authority or another public body for the same purpose for which the data had been collected, the transfer of personal data to authorities and other public bodies is also permissible, if required for the lawful fulfilment of the task assigned by law to the transferring body or authority or the receiving public body.

(2) The transfer of personal data to institutions of religious communities incorporated under public law shall be permissible subject to the rules governing the transfer of data to authorities and other public bodies and provided that it is ensured that the third party takes adequate data protection measures.

(3) The decision of whether or not a data transfer is permissible shall be taken by the transferring institution.

Section 13 Transfer of Data to Institutions outside the Public Sector

The transfer of personal data to persons and other entities outside the public sector as well to state bodies incorporated under public law that participate in competition shall be permissible, if allowed by a legal provision or if the data subject has agreed.

Section 14 Data Transfer to Government Bodies outside the Scope of the Basic Law

(1) For the transfer of personal data to authorities or other public bodies within the scope of application of the laws to protect personal data of the Member States of the European Union, section 12 paragraph 1 shall apply accordingly.

(2) The transfer of personal data to authorities or other public bodies outside the scope of application of the legal regulations to protect personal data of the Member States of the European Union is permissible only to the extent such transfer is expressly regulated by a law, a legal act of the European Community or an international agreement and provided that an adequate level of data protection is ensured. The adequacy of the level of data protection shall be assessed by the transferring institution, taking into account all the circumstances of the intended data transfer, especially the type of data, their purpose, the duration of intended processing, the countries of origin and of final destination, the legal standards, professional rules and security measures the recipient is subject to.

(3) Where in the cases contemplated under paragraph 2 an adequate level of data protection is not ensured, transfer of personal data shall be permissible, if
1. the data subject has agreed,
2. the transfer is required in order to safeguard an important public interest or to assert, exercise or defend legal claims in court,
3. the transfer is necessary in order to safeguard the vital interests of the data subject
4. the transfer is made from a register which is intended to inform the public or is open for inspection to any person who can demonstrate a legitimate interest, as far as the legal requirements are met in each case or
5. sufficient guarantees regarding the protection of personal rights and the exercise of related rights are ensured for the transfer or a category of transfers, particularly by way of a contractual agreement.

The institution to which the data are transferred shall be informed that under section 11 paragraph 1 the transferred data may only be used for a certain purpose.

(4) The Department of Home Affairs of the Berlin Senate, the Berlin Commissioner for Data Protection and Freedom of Information and the Data Protection Officer must be informed in good time of any scheduled data transfer in accordance with paragraphs 2 and 3. According to section 19 paragraph 2 it shall be mentioned in the data file description.

(5) Paragraphs 2 to 4 shall not apply to the extent personal data are transferred in the course of international mutual legal assistance which are not processed automatically and are not stored or intended to be stored in data files. In such case a transfer of personal data to authorities or other public bodies outside the scope of application of the legal regulations to protect personal data of the Member States of the European Union is permissible if
1. the transfer is expressly regulated in a law, a legal act of the European Communities or an international agreement or
2. the recipient is subject to equivalent data protection regulations and in case of transfer to a public body the requirements of sections 9 and 11 are met.

Section 15 Automated Retrieval Procedure

(1) An automated method to retrieve personal data by third parties may be established by authorities or other public bodies only, if expressly permitted by a law. The rules governing the permissibility of each retrieval shall remain unaffected.

(2) The Senate shall by ordinance determine the details of the implementation of automated retrieval procedures. Such ordinance shall identify the data recipient, the type of data and the purpose of retrieval. It shall include measures to secure and control the data which shall be reasonably proportionate to the intended level of protection.

(3) Personal data must not be made available for automated retrieval by institutions outside the public sector; this shall not apply to retrieval by the data subject.

(4) The provisions of paragraphs 1 and 3 shall not apply to databases that are openly available for use by everyone without or after special permission or publication of which would be permissible.

(5) The provisions of paragraphs 1, 2 and 4 shall be applied accordingly to the approval of regular automated data transfers.

Section 15a Prohibition of Automated Individual Decisions

Decisions which have any legal consequences for or will significantly affect the data subject must not be based solely on automated processing of personal data used to evaluate certain personal aspects. A decision under sentence 1 may be permitted by law, provided that it ensures the safeguarding of the legitimate interests of the data subject.

13 Section 16 Information, Notification and Inspection (1) Where personal data are stored in an automated process or in a data file, the controller shall, upon request, inform the data subject free of charge about 1. the personal data stored about him, 2. the purpose and legal basis for data processing, 3. the origin of the data and the recipients of data transfers within the last two years, 4. the logical structure of automatic processing of the data relating to him. (2) Where personal data are processed automatically, the data subject shall be notified of this fact in writing or electronically. Such notification shall include a reference to the data description according to section 19 paragraph 2. The notification may be combined with data collection. (3) The provisions of paragraphs 1 and 2 shall not apply to personal data that are exclusively stored for the purpose of data backup. (4) If personal data are stored in files, the data subject may apply to the controller asking for inspection of the files. If the files are held under the name of the data subject he shall identify them. If the files are not held under the name of the data subject, he shall provide information to enable the retrieval of personal data stored about him with reasonable effort. Inspection shall not be allowed if the data of the data subject are connected with data of third parties or confidential non-personal data in such a way that their separation according to different purposes is not possible even by duplication and obliteration, or only with disproportionate effort, in which case, the data subject shall be informed pursuant to paragraph 1. If the data subject agrees, he may also be given information about his personal data, rather than allowing him to inspect the files. 
(5) The provisions of paragraphs 1, 2 and 4 shall not apply if it is found after consideration that for compelling reasons the rights of the data subject are less important than the public interest in maintaining secrecy, or a predominant third-party interest in confidentiality, and the data subject shall be informed about the main reasons. The decision rests with the head of the controlling institution or his deputy. Where information or access is not authorized, the data subject shall be advised that he may appeal to the Berlin Commissioner for Data Protection and Freedom of Information. The controlling institution shall explain to the Berlin Commissioner for Data Protection and Freedom of Information the reasons for refusing information or access. Section 17 Correction, Blocking and Erasure of Data, Right to Object (1) Personal data shall be corrected, if inaccurate. The data subject shall be heard before correction. (2) Personal data shall be blocked, if the data subject disputes their accuracy and as long as it cannot be determined whether they are accurate or inaccurate. They shall also be blocked when the controller no longer needs to know them in order to fulfil the tasks it is responsible for. Blocked data shall be provided with a corresponding note; they may no longer be processed, in particular they must not be transferred or used otherwise, except that their use is inevitable for scientific purposes or to remedy a lack of evidence and provided that the data subject has agreed to such use. (3) Personal data shall be erased, if the controller no longer needs to know them in order to legally fulfil the tasks it is responsible for and provided that there is no reason to assume that such erasure will affect the legitimate interests of the data subject. They shall be erased, if their storage was unlawful or if the data subject so requires in the cases contemplated in paragraph 2, sentence 2. In the cases described in sentence 2, 1st alternative the data subject shall be heard before erasure. The same applies if the data were collected without the involvement of the data subject and if there had been no notification pursuant to section 10 paragraph 5. (4) In cases of paragraph 2, sentence 2 and paragraph 3 sentences 1 and 2, the controller may hand over the data to an archive that is subject to public law, rather than blocking or erasing them as contemplated in those paragraphs. In the case of paragraph 3, sentence 2 this shall require the data subject's consent. (5) The correction under paragraph 1, the blocking under paragraph 2 and erasure under paragraph 3 shall be reported in due course to the entities to which the data had been transferred in the course of regular data transfer. (6) If personal data are stored in files and cannot be blocked by copying and obliteration, they shall only be blocked in accordance with paragraph 2 sentence 1, if the whole file regarding the data subject is no longer required to fulfil the tasks specified there. In such case the data subject may not claim erasure according to paragraph 3 sentence 1.
(7) If the data subject objects to data processing in writing giving reasons which show that lawful processing of his data conflicts with a legitimate special personal interest, data processing shall be permissible only if in that particular case the public interest in processing the data outweighs the personal interest of the data subject, and the data subject shall be informed about the result of such consideration in writing. Section 18 Indemnification and Injunctive Relief (1) If the data subject's legitimate interests have been affected by any data processing that is unlawful under this Act or under any other data protection legislation, the authority or other public body which processed or had processed the data according to section 3 paragraph 1 shall compensate the financial losses incurred. If there are more infringements of the law to be apprehended, the data subject may claim an injunction. In severe cases the data subject may also claim reasonable pecuniary compensation for immaterial damage. (2) Where several institutions are involved in automated processing and the institution which stored the data cannot be identified, each of those institutions shall be liable. (3) Claims for indemnification and injunctive relief on the basis of other regulations shall remain unaffected.

Section 18a Security Breach Notification (1) If a controller becomes aware that any personal data stored by him have been unlawfully transferred or otherwise unlawfully disclosed to any third party and provided that this may seriously affect the rights or legitimate interests of the data subjects, he shall inform the data subject and the Berlin Commissioner for Data Protection and Freedom of Information without delay. (2) Information of the data subject pursuant to paragraph 1 may be deferred only as long as the controller first has to take appropriate measures to safeguard the data. If he does not take such action immediately, notification of the data subject shall not be delayed. Sentence 1 shall apply accordingly, where immediate information of the data subject would endanger prosecution. The data subjects shall be informed about the nature of illegal obtainment of knowledge and the measures taken to mitigate any negative consequences. Where notification of the data subjects would require a disproportionate effort, it shall be replaced by reasonable information of the public. Section 19 Implementation of Data Protection and Data File Description (1) The controllers which in the cases of section 4 paragraph 3 no. 1, clause 2 shall include the respective authorities or other public bodies and the supervision authorities shall ensure the implementation of this Act and any other legal regulations on data protection for their area of accountability. They shall in particular ensure the proper application of data processing programs used to process personal data. (2) As regards automated data processing, the controller shall specify electronically or in writing: 1. name and address of the controller, 2. purpose and legal basis of data processing, 3. description of group of data subjects and the related data or data categories 4. recipients or categories of recipients to whom the data are disclosed, 5. origin of regularly received data, 6. authorized persons or groups of people, 7. time limits for blocking and erasure of the data 8. scheduled transfer of personal data to authorities or other public bodies outside the scope of application of the legal regulations to protect personal data of the Member States of the European Union, 9. mode of procedure, type of equipment, sites where the equipment is located and the methods used to transfer, block, erase data and to provide information, 10. description of measures taken to ensure the security of data processing (section 5 paragraph 3 sentence 1), 11. results of preliminary checks (section 19a paragraph 1 sentence 3 No. 1). (3) Paragraph 2 shall not apply to data files that in case of automated processing are held temporarily and exclusively for processing purposes. Section 19a Data Protection Officer (1) The authorities and other public bodies shall appoint in writing data protection officers (of the authority) and one deputy each. Several authorities or other public bodies may appoint a joint data protection officer. The Data Protection Officers shall in particular 1. in the cases of data processing involving special risks for the rights and freedoms of data subjects, check the effectiveness of technical and organizational measures according to section 5 before processing (preliminary check), 2. monitor the proper use of data processing programs used to process personal data, 3. take appropriate measures in order to make the staff processing personal data familiar with the provisions of this Act and other regulations concerning data protection, in regard of the particular conditions in this area of accountability and the resulting special data protection requirements and 4. support the authority or other public body in ensuring data protection, they shall also support the staff representatives in ensuring data protection, to the extent they process personal data. The Data Protection Officer shall maintain the descriptions and lists according to section 19. Those lists may be inspected by any person free of charge. This shall not include the information required by section 19 paragraph 2 no. 9 to 11, as far as it affects the security of the technical process.
This shall not apply to descriptions of tasks of the Office for the Protection of the Constitution, the preservation of public order and security, prosecution and law enforcement and tax administration, to the extent the controller in particular cases declares such inspection to be incompatible with the performance of its duties, nor does it apply to public bodies participating in competition. (2) Only such person may be appointed as Data Protection Officer who possesses the required expertise and trustworthiness to fulfil his tasks and whose appointment does not result in a conflict of interests with other official duties. He must be in a service or employment relationship with an authority or other public body of the State of Berlin or a state body, institution or foundation under public law. His appointment may not be revoked against his will, unless for good cause in appropriately applying section 626 of the German Civil Code. The termination of employment of the Data Protection Officer appointed according to paragraph 1 shall not be permissible, unless there are facts which entitle the authorities and other public bodies to termination without notice for good cause. After cancellation of the appointment as Data Protection Officer termination of employment shall not be permissible within one year after cancellation of appointment, unless the authorities and other public bodies are entitled to termination without notice for good cause. In matters of data protection the Data Protection Officer may apply directly to the head of the appropriate authority or other public body and he shall not be subject to any directions on data protection matters. He must not be discriminated against because of the performance of his duties. He shall be obliged not to disclose the identity of data subjects and any circumstances which would allow drawing conclusions on data subjects, unless the data subject approves such disclosure. (3) The Data Protection Officer is authorized to process personal data to the extent necessary to fulfil his tasks. The respective authority or public body shall assist the Data Protection Officer in performing his duties and in particular make available office space, facilities, equipment and resources for him as far as required in order to fulfil his tasks. He shall be informed in good time about projects of automated data processing. (4) The Data Protection Officer may at any time contact the Berlin Commissioner for Data Protection and Freedom of Information. In cases of doubt regarding preliminary checks the Berlin Commissioner for Data Protection and Freedom of Information shall be consulted. (5) In order to acquire and maintain the expertise required to perform his duties the authorities and other public bodies shall enable the Data Protection Officer to participate in professional training and further education courses and pay the related costs. Part Three Data for the Berlin Parliament and Borough Assemblies Section 20 (1) The authorities and other public bodies shall provide the Berlin Parliament, its constitutional institutions and the parliamentary groups of the Berlin Parliament with the information on data requested in order to fulfil their tasks. Personal data may be disclosed to those institutions in order to fulfil their tasks, provided that the requirements set out in section 28 paragraph 1 sentence 1 number 2 or 3 of the Federal Data Protection Act are met. (2) The same obligation exists with regard to the borough assemblies, their constitutional institutions and their parliamentary groups to the extent they request information on data within their scope of responsibility.
(3) Draft bills shall include information about the data required in order to implement the law with data processing systems, and the way in which data are intended to be processed.

Part Four Berlin Commissioner for Data Protection and Freedom of Information Section 21 Appointment and Dismissal (1) The Berlin Commissioner for Data Protection and Freedom of Information is elected by the Berlin Parliament by a vote of a majority of its members and appointed by the Speaker of the Berlin Parliament. He also assumes the duties of the Commissioner for the Inspection of Files in accordance with section 18 paragraph 1 of the Berlin Freedom of Information Act of 15 October 1999 (GVBl. p. 561), as amended by Article XXII of the Act of 16 July 2001 (GVBl. p. 260) and shall carry the official title "Berlin Commissioner for Data Protection and Freedom of Information" in its masculine or feminine form. (2) The Berlin Commissioner for Data Protection and Freedom of Information shall take the following oath before the Speaker of the Berlin Parliament: "I swear to perform my duties fairly and impartially, in keeping with the Basic Law, the Constitution and the laws of Berlin and to put all my efforts into this office, so help me God." The oath may also be taken without religious affirmation. (3) The official term of the Berlin Commissioner for Data Protection and Freedom of Information shall be five years; after the end of the term he shall remain in office upon request of the Presiding Committee of the Berlin Parliament until a successor is appointed. Re-election shall be permissible. Before the expiry of his term the Berlin Commissioner for Data Protection and Freedom of Information may be dismissed against his will only if there are reasons that would justify the dismissal of a judge for life. Section 22 Legal Status (1) According to this Act the Berlin Commissioner for Data Protection and Freedom of Information is a public office. (2) The Berlin Commissioner for Data Protection and Freedom of Information shall be established as supreme state authority; he shall be independent in performing his duties and shall only be subject to law.
He shall be under the supervision of the Speaker of the Berlin Parliament to the extent his independence is not compromised. (3) The Berlin Commissioner for Data Protection and Freedom of Information must not exercise any other salaried office or trade in addition to his duties and must belong neither to the management or the supervisory board or board of directors of any profit-oriented company nor to a government or legislative body of the Federal government or a state. He must not issue out-of-court expert opinions for a consideration. In all other aspects his status shall be determined by contract.

(4) The Berlin Commissioner for Data Protection and Freedom of Information is entitled and may be requested by the majority of the Berlin Parliament or any of its committees to appear and make statements before Parliament or the relevant committee. Section 23 Duty of Confidentiality The Berlin Commissioner for Data Protection and Freedom of Information shall be bound to confidentiality with regard to the matters he gets to know officially, even after the end of his term in office. This does not apply to information received in official communication or relating to facts that are obvious or not sufficiently important to warrant confidential treatment. The Berlin Commissioner for Data Protection and Freedom of Information must not make any statements or declarations about such matters, neither in court nor out of court, even when he is no longer in office, unless with the permission of the Speaker of the Berlin Parliament. Section 24 Functions and Powers (1) The Berlin Commissioner for Data Protection and Freedom of Information shall monitor compliance with the provisions of this Act and other regulations concerning data protection by the authorities and other public bodies. To this end, he may make recommendations to improve data protection, in particular he may advise the Berlin government (Senate) and individual members of the Senate as well as the other authorities and public bodies in matters of data protection. He must be heard before adopting laws, regulations and administrative provisions, if they refer to the processing of personal data. The Berlin Commissioner for Data Protection and Freedom of Information must be involved in the preliminary checks contemplated in section 5 paragraph 3, if they refer to the intended use of cross-administrative procedures. He shall also have the powers international or European law has assigned to supervisory authorities and control bodies responsible for data protection.
(2) Courts shall be exempt from paragraph 1 as far as they are not taking action in administrative matters. Where courts are using automated data processing systems in order to fulfil their statutory duties, the regularity and legality of the methods shall be, without prejudice to judicial independence, controlled by the Berlin Commissioner for Data Protection and Freedom of Information. (3) The Berlin Commissioner for Data Protection and Freedom of Information shall monitor the effects of automated data processing on the working methods and decision-making powers of the authorities and other public bodies to see whether they lead to a restriction of control by the Berlin Parliament or the borough assemblies. He may suggest protective action against such effects. The Berlin Commissioner for Data Protection and Freedom of Information shall be informed, when new automation projects and any significant changes in automated data processing are introduced in the authorities and other public bodies. (4) The Berlin Commissioner for Data Protection and Freedom of Information shall work together with the authorities and other public bodies responsible for monitoring


More information

TABLE OF CONTENTS. Maintaining the Quality and Integrity of Information. Notification of an Information Security Incident

TABLE OF CONTENTS. Maintaining the Quality and Integrity of Information. Notification of an Information Security Incident AGREEMENT BETWEEN THE UNITED STATES OF AMERICA AND THE EUROPEAN UNION ON THE PROTECTION OF PERSONAL INFORMATION RELATING TO THE PREVENTION, INVESTIGATION, DETECTION, AND PROSECUTION OF CRIMINAL OFFENSES

More information

HERTSMERE BOROUGH COUNCIL

HERTSMERE BOROUGH COUNCIL HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act

More information

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in

More information

Summary of Data Protection Requirements When transferring Data Outside the UK End Users

Summary of Data Protection Requirements When transferring Data Outside the UK End Users Summary of Data Protection Requirements When transferring Data Outside the UK End Users 14 May 2010 Background to transfers of the Data outside the UK Data can be transferred in a couple of ways in relation

More information

Access to Information by Succeeding Auditors

Access to Information by Succeeding Auditors AA Access to Information by Succeeding Auditors September 2011 The Institute of Certified Public Accountants in Ireland Disclaimer This document has been developed by the Consultative Committee of Accountancy

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994 BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994 Ref: BR/14/2009 OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994 INTRODUCTION

More information

Electronic Documents Law

Electronic Documents Law Disclaimer: The English language text below is provided by the Translation and Terminology Centre for information only; it confers no rights and imposes no obligations separate from those conferred or

More information

Little Marlow Parish Council Registration Number for ICO Z3112320

Little Marlow Parish Council Registration Number for ICO Z3112320 Data Protection Policy Little Marlow Parish Council Registration Number for ICO Z3112320 Adopted 2012 Reviewed 23 rd February 2016 Introduction The Parish Council is fully committed to compliance with

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

Data Protection Standard

Data Protection Standard Data Protection Standard Processing and Transfer of Personal Data in Aker Solutions (Binding Corporate Rules) Aker Solutions www.akersolutions.com Table of contents 1 Introduction... 3 1.1 Scope... 3 1.2

More information

Terms & Conditions of HYPE Softwaretechnik GmbH ( HYPE ) for HYPE Enterprise Express (Version October 2015) 1 Scope

Terms & Conditions of HYPE Softwaretechnik GmbH ( HYPE ) for HYPE Enterprise Express (Version October 2015) 1 Scope 1 Scope 1 (1) These terms and conditions (the T&C HYPE Enterprise Express ) together with the description of the Software Services provided by HYPE accepted by Customer by completing the HYPE Enterprise

More information

ELECTRONIC COMMERCE AND ELECTRONIC SIGNATURE ACT (ZEPEP-UPB1) (Official consolidated text)

ELECTRONIC COMMERCE AND ELECTRONIC SIGNATURE ACT (ZEPEP-UPB1) (Official consolidated text) ELECTRONIC COMMERCE AND ELECTRONIC SIGNATURE ACT (ZEPEP-UPB1) (Official consolidated text) On basis of article 153 of the National Assembly of Slovenia Rules of Procedure the National Assembly of the Republic

More information

THE REGULATION OF INTERCEPTION OF COMMUNICATIONS BILL, 2007 ARRANGEMENT OF CLAUSES. PART I - PRELIMINARY

THE REGULATION OF INTERCEPTION OF COMMUNICATIONS BILL, 2007 ARRANGEMENT OF CLAUSES. PART I - PRELIMINARY THE REGULATION OF INTERCEPTION OF COMMUNICATIONS BILL, 2007 ARRANGEMENT OF CLAUSES. PART I - PRELIMINARY Clause. 1. Interpretation. PART II - CONTROL OF INTERCEPTION AND ESTABLISHMENT OF A MONITORING CENTRE

More information

GSK Public policy positions

GSK Public policy positions Safeguarding Personally Identifiable Information A Summary of GSK s Binding Corporate Rules The Issue The processing of Personally Identifiable Information (PII) 1 and Sensitive Personally Identifiable

More information

According to section 53 of the Insurance Act the insurance intermediary is only empowered with respect to the transaction in which it takes part to:

According to section 53 of the Insurance Act the insurance intermediary is only empowered with respect to the transaction in which it takes part to: Argentina MANZANO, LÓPEZ SAAVEDRA & RAMIREZ CALVO Martin Manzano and Ignacio Shaw mmanzano@mlsrc.com.ar; ishaw@mlsrc.com.ar 1. Insurance intermediation activities 1.1 Is the distribution of insurance products

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

Act CLXV of 2013. on Complaints and Public Interest Disclosures. 1. Complaint and public interest disclosure

Act CLXV of 2013. on Complaints and Public Interest Disclosures. 1. Complaint and public interest disclosure Act CLXV of 2013 on Complaints and Public Interest Disclosures The National Assembly, committed to increasing public confidence in the functioning of public bodies, recognising the importance of complaints

More information

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person.

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person. PART I: INTRODUCTION AND BACKGROUND Purpose This Data Protection Binding Corporate Rules Policy ( Policy ) establishes the approach of Fluor to compliance with European data protection law and specifically

More information

ON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS

ON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS Mr. Ryutaro Hatanaka Commissioner Financial Services Agency Government of Japan 3-2-1 Kasumigaseki Chiyoda-ku, Tokyo Japan 100-8967 Dr. Kunio Chiyoda Chairman Certified Public Accountants and Auditing

More information

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY Page 1 of 16 Contents Policy Information 3 Introduction 4 Responsibilities 7 Confidentiality 9 Data recording and storage 11 Subject Access 12 Transparency

More information

on Electronic Signature and change to some other laws (Electronic Signature Act) The Parliament has hereby agreed on this Act of the Czech Republic:

on Electronic Signature and change to some other laws (Electronic Signature Act) The Parliament has hereby agreed on this Act of the Czech Republic: 227/2000 Coll. ACT of 29 th June 2000 on Electronic Signature and change to some other laws (Electronic Signature Act) Amendment: 226/2002 Coll. Amendment: 517/2002 Coll. Amendment :440/2004 Coll. Amendment:

More information

No. of 2006. Freedom of Saint Christopher Information Bill and Nevis. ARRANGEMENT OF SECTIONS

No. of 2006. Freedom of Saint Christopher Information Bill and Nevis. ARRANGEMENT OF SECTIONS No. of 2006. Freedom of Saint Christopher Information Bill and Nevis. ARRANGEMENT OF SECTIONS SECTION PART 1 PRELIMINARY 1. Short title and commencement 2. Interpretation 3. Application PART 2 THE RIGHT

More information

DIRECTIVE 2009/38/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

DIRECTIVE 2009/38/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL L 122/28 Official Journal of the European Union 16.5.2009 DIRECTIVE 2009/38/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 May 2009 on the establishment of a European Works Council or a procedure

More information

Pursuant to Article 95, item 3 of the Constitution of Montenegro I hereby pass the ENACTMENT PROCLAIMING THE LAW ON BANKS

Pursuant to Article 95, item 3 of the Constitution of Montenegro I hereby pass the ENACTMENT PROCLAIMING THE LAW ON BANKS Pursuant to Article 95, item 3 of the Constitution of Montenegro I hereby pass the ENACTMENT PROCLAIMING THE LAW ON BANKS I hereby proclaim the Law on Banks, adopted by the Parliament of Montenegro at

More information

STANDARDS OF PRACTICE (2013)

STANDARDS OF PRACTICE (2013) STANDARDS OF PRACTICE (2013) COLLEGE OF ALBERTA PSYCHOLOGISTS STANDARDS OF PRACTICE (2013) 1. INTRODUCTION The Health Professions Act (HPA) authorizes and requires the College of Alberta Psychologists

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Document Ref: DPA20100608-001 Version: 1.3 Classification: UNCLASSIFIED (IL 0) Status: ISSUED Prepared By: Ian Mason Effective From: 4 th January 2011 Contact: Governance Team ICT

More information

Data Protection Act, 2012

Data Protection Act, 2012 Data Protection Act, 2012 Data Protection Act, 2012 Section ARRANGEMENT OF SECTIONS Data Protection Commission 1. Establishment of Data Protection Commission 2. Object of the Commission 3. Functions of

More information

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS HSHS BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement, ( Agreement ) is entered into on the date(s) set forth below by and between Hospital Sisters Health System on its own behalf and

More information

LAW no. 455 on July 18, 2001 on electronic signature

LAW no. 455 on July 18, 2001 on electronic signature LAW no. 455 on July 18, 2001 on electronic signature The Parliament of Romania adopts this law. CHAPTER I: General Provisions SECTION 1: General Principles Art. 1. This law regulates the legal status of

More information

Comments and proposals on the Chapter IV of the General Data Protection Regulation

Comments and proposals on the Chapter IV of the General Data Protection Regulation Comments and proposals on the Chapter IV of the General Data Protection Regulation Ahead of the trialogue negotiations later this month, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International

More information

DATA PROTECTION [CH.324A 1 CHAPTER 324A DATA PROTECTION ARRANGEMENT OF SECTIONS

DATA PROTECTION [CH.324A 1 CHAPTER 324A DATA PROTECTION ARRANGEMENT OF SECTIONS [CH.324A 1 CHAPTER 324A LIST OF AUTHORISED PAGES 1-29 SECTION ARRANGEMENT OF SECTIONS PART I - PRELIMINARY 1. Short title. 2. Interpretation. 3. Crown to be bound. 4. Application of Act. 5. Exclusions

More information

Personal Data Protection LAWS OF MALAYSIA. Act 709 PERSONAL DATA PROTECTION ACT 2010

Personal Data Protection LAWS OF MALAYSIA. Act 709 PERSONAL DATA PROTECTION ACT 2010 1 LAWS OF MALAYSIA Act 709 PERSONAL DATA PROTECTION ACT 2010 2 Laws of Malaysia ACT 709 Date of Royal Assent...... 2 June 2010 Date of publication in the Gazette......... 10 June 2010 Publisher s Copyright

More information

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011 STATUTORY INSTRUMENTS. S.I. No. 336 of 2011 EUROPEAN COMMUNITIES (ELECTRONIC COMMUNICATIONS NETWORKS AND SERVICES) (PRIVACY AND ELECTRONIC COMMUNICATIONS) REGULATIONS 2011 (Prn. A11/1165) 2 [336] S.I.

More information

PRACTICE DIRECTION AMENDMENTS

PRACTICE DIRECTION AMENDMENTS PRACTICE DIRECTION AMENDMENTS The new Practice Direction Case Management Pilot supplementing the Court of Protection Rules 2007 is made by the President of the Court of Protection under the powers delegated

More information

CORK INSTITUTE OF TECHNOLOGY

CORK INSTITUTE OF TECHNOLOGY CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of

More information

Federal Act Governing Access to Information held by the Federal Government (Freedom of Information Act)

Federal Act Governing Access to Information held by the Federal Government (Freedom of Information Act) Übersetzung durch den Sprachendienst des Bundesministeriums des Innern. Translations provided by the Language Service of the Federal Ministry of the Interior. Stand: Die Übersetzung berücksichtigt die

More information

Standard conditions of the Electricity Distribution Licence

Standard conditions of the Electricity Distribution Licence Gas and Electricity Markets Authority ELECTRICITY ACT 1989 Standard conditions of the Electricity Distribution Licence Statutory Consultation: 29 April 2008 SECTION A: STANDARD CONDITIONS FOR ALL ELECTRICITY

More information

COMPUTER MISUSE AND CYBERSECURITY ACT (CHAPTER 50A)

COMPUTER MISUSE AND CYBERSECURITY ACT (CHAPTER 50A) COMPUTER MISUSE AND CYBERSECURITY ACT (CHAPTER 50A) (Original Enactment: Act 19 of 1993) REVISED EDITION 2007 (31st July 2007) An Act to make provision for securing computer material against unauthorised

More information

The Mortgage Brokerages and Mortgage Administrators Act

The Mortgage Brokerages and Mortgage Administrators Act MORTGAGE BROKERAGES AND 1 The Mortgage Brokerages and Mortgage Administrators Act being Chapter M-20.1* of The Statutes of Saskatchewan, 2007 (effective October 1, 2010), as amended by the Statutes of

More information

General Terms and Conditions for the Purchase and Maintenance of Hardware

General Terms and Conditions for the Purchase and Maintenance of Hardware General Terms and Conditions for the Purchase and Maintenance of Hardware A COMMON INTRODUCTORY PROVISIONS 1 Object and validity 1.1 The present General Terms and Conditions (GTC) govern the conclusion,

More information

Statement of responsibilities of auditors and audited bodies: Local authorities, NHS bodies and small authorities.

Statement of responsibilities of auditors and audited bodies: Local authorities, NHS bodies and small authorities. Statement of responsibilities of auditors and audited bodies: Local authorities, NHS bodies and small authorities. 1. This statement serves as the formal terms of engagement between appointed auditors

More information

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen Supplementary data protection agreement to the license agreement for license ID: between...... represented by... Hereinafter referred to as the "Client"

More information

CHAPTER E12 - ENVIRONMENTAL IMPACT ASSESSMENT ACT

CHAPTER E12 - ENVIRONMENTAL IMPACT ASSESSMENT ACT CHAPTER E12 - ENVIRONMENTAL IMPACT ASSESSMENT ACT ARRANGEMENT OF SECTIONS PART I General principles of environmental impact assessment SECTION 1.Goals and objectives of environmental impact assessment.

More information

BLACKBERRY AUTHORIZED ONLINE RETAILER BLACKBERRY HANDHELD REPAIR SERVICE TERMS AND CONDITIONS

BLACKBERRY AUTHORIZED ONLINE RETAILER BLACKBERRY HANDHELD REPAIR SERVICE TERMS AND CONDITIONS BLACKBERRY AUTHORIZED ONLINE RETAILER BLACKBERRY HANDHELD REPAIR SERVICE TERMS AND CONDITIONS THESE BLACKBERRY AUTHORIZED ONLINE RETAILER BLACKBERRY HANDHELD REPAIR SERVICE TERMS AND CONDITIONS (THIS AGREEMENT

More information

General Terms of Public Procurement in Service Contracts JYSE 2014 SERVICES

General Terms of Public Procurement in Service Contracts JYSE 2014 SERVICES General Terms of Public Procurement in Service Contracts January 2015 Contents Introduction...3 Issues to be observed in applying...5 General Terms of Public Procurement in Service Contracts ()...9 1 Definitions...9

More information

SELF-REGULATION RULES OF THE ASSOCIATION ROMANDE DES INTERMÉDIAIRES FINANCIERS (ARIF)

SELF-REGULATION RULES OF THE ASSOCIATION ROMANDE DES INTERMÉDIAIRES FINANCIERS (ARIF) 1 SELF-REGULATION RULES OF THE ASSOCIATION ROMANDE DES INTERMÉDIAIRES FINANCIERS (ARIF) A. GENERALITIES Purpose of the Rules 1 The Self-Regulation Rules, enacted by the Association romande des intermédiaires

More information

Data Protection Acts 1988 and 2003: Informal Consolidation

Data Protection Acts 1988 and 2003: Informal Consolidation Page 1 of 55 Data Protection Acts 1988 and 2003: Informal Consolidation IMPORTANT NOTICE This document is an informal consolidation of the Data Protection Acts 1988 and 2003, prepared by the Office of

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

ACT on Payment Services 1 ) 2 ) of 19 August 2011. Part 1 General Provisions

ACT on Payment Services 1 ) 2 ) of 19 August 2011. Part 1 General Provisions ACT on Payment Services 1 ) 2 ) of 19 August 2011 Part 1 General Provisions Article 1. This Act sets out rules for the provision of payment services, including: 1) the conditions for provision of payment

More information

APPROVED JANUARY 8, 2002

APPROVED JANUARY 8, 2002 AN ACT AMENDING THE GENERAL BUSINESS LAW, TITLE 14 OF THE LIBERIAN CODE OF LAWS REVISED, BY ADDING THERETO CHAPTER 13 TO FACILITATE THE USE OF ELECTRONIC TRANSACTIONS FOR COMMERCIAL AND OTHER PURPOSES,

More information