Data Protection in Germany. Axel Freiherr von dem Bussche, Markus Stamm




Data Protection in Germany. Axel Freiherr von dem Bussche, Markus Stamm. Verlag C. H. Beck, München 2013

Preface

"What is the data privacy law in Europe?" is perhaps one of the most frequently asked questions that lawyers face when supporting data privacy clients in an international context. Through the implementation of its Directive 95/46/EC, the European Union has at least attempted to ensure the harmonisation of the data privacy frameworks of its member states, a harmonisation which, even today, is far from having been achieved. The question, as it relates to Germany, must therefore, at least for now and for the foreseeable future, continue to be "What is the data privacy law in Germany?".

Due to the principle of territoriality in European data protection law, even companies or other entities not based in Germany are faced with Germany's implementation of the EU data protection framework. Companies that are not based within the European Union (EU) or the European Economic Area (EEA) have to adhere to German data protection law if they intend to collect, process or use personal data in Germany. The same applies to companies within the EU or the EEA if they intend to carry out a specific data processing operation through a subsidiary based in Germany. In addition, cross-border data transfer is becoming more and more important; the requirements that apply to such operations are relevant to many types of outsourcing, centralisation across legal entities, functional transfers, and all off-shoring activities. While these kinds of activities are most commonly associated with international groups of companies, any small or mid-sized business could face the same compliance requirements. Compliance with these requirements cannot be achieved unless those entities, or rather the persons entrusted with data protection and secrecy within them, are familiar with the complex legal framework of German data protection.

This, however, poses difficulties even for German experts, especially because of the fragmented and dense set of rules and regulations in the German Federal Data Protection Act (BDSG), the German Telecommunications Act (TKG), the German Telemedia Act (TMG), the respective state laws and further sector-specific regulations, and because of the fine distinctions and demarcations between them.

Germany is Europe's economic engine. This is also, and especially, recognised outside Europe. In this regard, data protection law is becoming an ever more important locational factor. Consequently, inquiries for legal advice and counsel in the field of German data protection have increased noticeably in recent years. These inquiries come not only from large groups of companies with subsidiaries in Germany or from IT outsourcing providers abroad, but also from foreign lawyers, auditors and universities. What these stakeholders commonly share is that they do not readily speak German, and if they do, they find it difficult to command the vocabulary necessary to understand and implement advice and counsel given in German. Therefore even the most elementary questions may fail merely because of the language barrier.

When the authors of this book joined forces to conduct a workshop on German privacy law for the benefit of foreign experts at the European Data Protection Day 2011, it was a clearly appreciated advantage that they were able to present the matter to their audience in English. This book strives to share the authors' knowledge in a language the reader will feel comfortable with. It is intended as an introduction to German data protection law in the English language, addressing the fundamentals as well as the issues that typically occur in practice with regard to German data protection law. The book has been conceived as a companion handbook, not as a scientific textbook or commentary, and thus corresponds with the expectations of the Anglo-American legal sphere in particular. The book's ambition is to provide business- and practice-oriented solutions to common issues within the field of German data protection law.

The book primarily targets non-German-speaking persons entrusted with data protection tasks within companies or other entities who are nevertheless faced with German data protection provisions, due to the aforementioned principle of territoriality, in the course of their activities within their employers' businesses. Additionally it shall serve any other persons confronted with German data protection provisions in their professional practice, such as foreign lawyers, but also computer specialists, business managers, directors and entrepreneurs. German data protection law shall not act as a stumbling block for this audience on its way to the German market. This book shall furthermore illustrate how German data protection provisions can be effectively implemented in one's own business models as a business enabler and thus utilised to one's own advantage.

Abbreviations

AG: Aktiengesellschaft (Public Company)
BCR: Binding Corporate Rules
BDSG: Bundesdatenschutzgesetz (German Federal Data Protection Act)
BetrVG: Betriebsverfassungsgesetz (Works Constitution Act)
BGB: Bürgerliches Gesetzbuch (German Civil Code)
BITKOM: Arbeitskreis Datenschutz des Bundesverbands Informationswirtschaft, Telekommunikation und neue Medien e.V. (Working Group Data Protection of the Registered Federal Association Informational Economy, Telecommunications and New Media)
BVerfG: Bundesverfassungsgericht (Federal Constitutional Court)
CEO: Chief Executive Officer
CR: Computer und Recht
DPO: Datenschutzbeauftragter (Data Protection Officer)
DuD: Datenschutz und Datensicherheit
e.g.: exempli gratia/zum Beispiel (for example)
et seq.: et sequentes/und Folgende (and the following)
etc.: et cetera/und so weiter (and so forth)
EC/EG: European Community/Europäische Gemeinschaft
EEA: Europäischer Wirtschaftsraum (European Economic Area)
EU: Europäische Union (European Union)
EUCR: Europäische Menschenrechtskonvention (European Convention of Human Rights)
ff.: und die folgenden Seiten (and the following pages)
GG: Grundgesetz (German Constitution)
HR: Human Resources
ID: Identitätsdokument (Identity Document)
i.e.: id est/das heißt (that is)
IFG: Informationsfreiheitsgesetz (German Freedom of Information Act)
IP: Internet Protocol
IT: Informationstechnologie (Information Technology)
ITRB: Der IT-Rechtsberater
JuS: Juristische Schulung
K&R: Kommunikation & Recht
LDSG: Landesdatenschutzgesetz (State Data Protection Act)
MDStV: Mediendienstestaatsvertrag (State Treaty on Media Services)
MMR: Multimedia und Recht
NGO: Nichtstaatliche Organisation (Non-Governmental Organisation)
no./pl. nos.: Nummer(n) (number(s))
OECD: Organisation für wirtschaftliche Zusammenarbeit und Entwicklung (Organisation for Economic Co-operation and Development)
p./pl. pp.: Seite(n) (page(s))
para.: Absatz (paragraph)
Sec./pl. Secs.: Paragraph(en) (Section(s))
SMS: Short Message Service
TDG: Teledienstegesetz (German Teleservices Act)
TDDSG: Teledienstedatenschutzgesetz (German Data Security for Telecommunication Services Act)
TKG: Telekommunikationsgesetz (German Telecommunications Act)
TMG: Telemediengesetz (German Telemedia Act)
ULD: Unabhängiges Landeszentrum für Datenschutz (Independent State Centre for Data Protection)
UWG: Gesetz gegen den unlauteren Wettbewerb (Law Against Unfair Competition)
ZD: Zeitschrift für Datenschutz

Table of Contents

A. The Concept of Data Privacy and Protection in Germany
  I. Key Legislation: The structure and function of the Federal Data Protection Act
    1. The short history of Data Protection Law
    2. The European General Data Protection Regulation: The Future of Data Protection?
    3. The legal structure of German Data Protection Law
  II. The underlying principles of the German Data Protection Concept
    1. General Principles
      a. Personal data
      b. Scope of the BDSG: automated and non-automated collection, processing and use of personal data
      c. Collection, processing and use of personal data
      d. Legal permission
      e. Consent
        aa. Free decision of the data subject
        bb. Informing the data subject
        cc. Consent for sensitive data
        dd. Formal requirements
        ee. Revocation of the consent
      f. Further requirements of lawful data processing
        aa. Collection from the data subject
        bb. Principle of data reduction and data economy
      g. The controller
    2. When does German data protection law apply?
  III. Rights of the Data Subject and Legal Consequences of Breach of Law

B. The Regulatory Framework: Supervisory Authorities and Compliance
  I. The Role and Position of the Supervisory Authorities
    1. The Federal and State Structure of the Supervisory Authorities
    2. The Separation between Public and Private Entity Supervision
    3. Scrutiny of the Supervisory Authorities' Roles and Dependencies
    4. Changes to the Judicial Review Process
    5. Headcount Ramp-up in the Supervisory Authorities
    6. The Role of the Düsseldorf Circle
  II. Notification Duties: Not necessary in Germany!
    1. Obligation to notify
    2. Exceptions from the notification duty
  III. The Data Protection Officer and how to integrate him into your Compliance Organisation
    1. Obligation to appoint a Data Protection Officer
    2. The German DPO: a unique Function in the EU
    3. Dispensing with Notification Requirements
    4. The Duties of the DPO in General
    5. Does the DPO need to be a Lawyer?
    6. Beware of the Placeholder DPO
    7. The DPO and its Interface to the Supervisory Authority
    8. Avoiding Conflicts of Interest
    9. The external DPO as an alternative
    10. The Future of the DPO on an EU Level

C. Customer and Supplier Data Protection: Proving a Web Trust to your Partners
  I. General requirements
  II. Use of customer data for own commercial purpose (Sec. 28 para. 1 BDSG)
  III. Use of customer data for marketing purposes (Sec. 28 para. 3 BDSG)
    1. The use of personal data for marketing purposes without consent
      a. Use of personal data for advertising purposes
      b. Transferring for advertising purposes and address trading
    2. The use of personal data for marketing purposes with consent
      a. Formal requirements
      b. Use of standard consent forms
      c. Consent under the TMG
    3. Restrictions of unfair competition law (UWG)
      a. Distinction between marketing measures
      b. Declaration of consent (Double Opt-In)
    4. Commercial data collection and recording for the purpose of market or opinion research
  IV. Data protection in regard to website publishers
    1. Privacy Policy
    2. Online marketing and corresponding consent
    3. Use of cookies, tracking and analytic tools
      a. Use of cookies
      b. Use of web tracking and analytic tools
  V. Video surveillance & Street View
    1. Video surveillance
    2. Google Street View
  VI. Disclosure of Data: Consequences of breaching applicable data protection rules
  VII. Annex: Useful Toolkit for companies for compliance with data protection law

D. Employee Data Protection: Using Employee Data in Globally Operating Organisations
  I. Centralised Functions and the Use of Personal Data
    1. General Concepts of Centralised Functions
    2. The Legal Employer and its Key Position
    3. The Absence of Group Regulations and its Effects
    4. The Position of the Düsseldorf Circle
    5. Practical Implementation of Düsseldorf Circle Guidance
    6. The N+x Approach
    7. Self-Generated and Perceived Needs to Know
    8. The Issue of Consent in Employee Relationships
    9. Anticipated Development on the EU Level
  II. The Role of the German Works Council: Co-Determination and Information Obligations
    1. Works Council and Works Agreement
    2. Matching Works Councils and DPOs
      a. Limits to the Works Council Co-Determination Rights
      b. The DPO as Expert for the Works Council
      c. Supervision of Works Councils by the DPO
      d. Cases of Conflict between Works Council and DPO
  III. Social Media and Social Networks
    1. Use of Social Media and Social Networks as Sources of Information
    2. Use of Social Media and Social Networks as Means of Publication
  IV. Compliance Requirements vs. Data Protection Requirements
  V. Mergers & Acquisitions and personal data in due diligence procedures

E. International Transfer of Personal Data
  I. Legal requirements according to Sec. 4b BDSG
    1. International data transfer within the EU or EEA area
    2. International data transfer to countries outside of the EU or EEA area
  II. Safeguarding data transfers to the US: Safe Harbor Principles
  III. Derogations according to Sec. 4c para. 1 BDSG
  IV. Derogations according to Sec. 4c para. 2 BDSG
    1. Standard Contractual Clauses
    2. Binding Corporate Rules
      a. Misconceptions as to the BCR
      b. Drawbacks in the implementation
      c. Future Development of BCR
      d. BCR: Still the method of choice?

F. Commissioned Data Processing in- and outside of the EU/EEA
  I. System and legal requirements for commissioned data processing
    1. Commissioned data processing in Germany, within the EU and the area of the EEA
      a. General Principles
      b. Agreement on commissioned data processing
    2. No privilege for commissioned data processing outside the area of the European Union and the EEA
      a. Is Sec. 11 BDSG applicable to commissioned data processing outside of the EU or EEA?
      b. Deviation from European regulations
  II. Central Processing and End-to-End Transfer of Personal Data within Groups of Companies
    1. A Viable Model
    2. Use of Central Platform Resources by the Controllers
    3. End-to-End Transfer of Personal Data between Controllers
  III. Data Protection in the Cloud

Annex: Federal Data Protection Act (bilingual German-English)
Index