Germany: Data Protection & Cyber Security


This country-specific Q&A provides an overview to data protection and cyber security laws and regulations that may occur in Germany.

This Q&A is part of the global guide to Data Protection & Cyber Security. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/data-protection-cyber-security/

  1. Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the laws)?

    In Germany, the legal framework is formed mainly by the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (FDPA). The GDPR regulates the handling of personal data in the European Union and the EEA with the aim of establishing a uniform set of rules. In addition to the FDPA, several federal state laws and federal laws regulate data protection in particular contexts (e.g. the Telecommunications Act (TKG), the Money Laundering Act (GwG) and the Social Security Code (SGB)).

    The GDPR contains about 70 opening clauses that allow national legislation to implement its purposes, and it thereby creates the European legal framework. It covers all processing of personal data wholly or partly by automatic means. The GDPR does not differentiate between public and private institutions. Hence, it applies to all public authorities, companies and other entities that process personal data of EU citizens.

    The main purpose is to strengthen the rights of the individuals affected by infringements of privacy. When assessing the lawfulness of data processing, Art. 6 GDPR is therefore the centre of the legal review, since it establishes whether the processing is covered by a legal basis, whether that is consent, a contract, a balancing of interests or another ground.

    The reinforcement of the rights of the individuals affected can also be found in the third chapter. Possibly the most important right of data subjects is the right to information.

    The GDPR is enforced by independent data protection authorities. Art. 51(1) GDPR requires each member state to establish one or more independent supervisory authorities. Supervisory authorities may also impose sanctions. For certain legal infringements, fines of up to 4% of a company's annual turnover or 20 million EUR, whichever is higher, may be imposed.

    The FDPA is supplementary and applies to all sectors, provided there are mandatory or optional opening clauses within the EU regulation (GDPR). The FDPA contains special rules about employee data protection, scoring and credit reports, data profiling and internal data protection officers (DPOs).

    Whereas the FDPA differentiates between the public and non-public sectors in § 1, most substantive rules within the FDPA actually apply to both the public sector and enterprises (e.g. in the case of video surveillance). The distinction is mainly important for determining the competent data protection authority and for self-regulation.

    Federal state law only applies if a regional body or other public organization of a county processes personal data and only applies in addition to the regulations of the GDPR.

  2. Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?

    Entities are required to publish the contact details of the data protection officer and communicate them to the supervisory authority. Of course, this applies only to entities which are obliged to appoint a DPO according to Art. 37 GDPR (§ 38 FDPA).

    According to Art. 42 GDPR a data protection certification mechanism particularly at Union level is encouraged and further efforts will be made to gain accreditations by the official certifying organizations. These certifications are intended to demonstrate compliance with data protection laws. Likewise, controllers and processors who do not fall into the scope of the GDPR can prove suitable guarantees thereby. However, for the time being there are no certifications under Art. 42 GDPR in place.

  3. How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?

    ‘Personal data’ is the European equivalent of PII, but the term does not quite match the PII definition used in the United States. Basically, PII is more narrowly defined than the definition of personal data in the GDPR. For example, the IP address belongs to personal data under the GDPR, but conversely, does not fall under the term PII. Nevertheless, most people also classify personal data as PII.

    In the European sense, ‘personal data’ constitutes any information relating to an identified or identifiable natural person (‘data subject’). Amongst other key definitions Art. 4 GDPR provides a wide margin of interpretation for the term. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    The concept of sensitive data is covered under the term ‘special categories of personal data’ in Art. 9 GDPR. The article defines these special categories as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. While Art. 9 GDPR stipulates several exceptions, the general rule is that the processing of such data shall be prohibited.

    Further definitions for the terms ‘genetic data’, ‘biometric data’ and ‘data concerning health’ used in Art. 9 GDPR can - again - be found in Art. 4 GDPR. As the central section for definitions Art. 4 GDPR is well worth a look. Some other examples of key definitions therein include ‘processing’, ‘cross border processing’, ‘consent’, ‘pseudonymisation’, ‘controller’, ‘processor’ and ‘recipient’.

  4. Are there any restrictions on, or principles related to, the general processing of PII – for example, must a covered entity establish a legal basis for processing PII in your jurisdiction or must PII only be kept for a certain period? Please outline any such restrictions or “fair information practice principles” in detail?

    The GDPR is based on 7 principles for the legally compliant storage and processing of personal data. These principles are laid down in Art. 5 GDPR:

    1. lawfulness, fairness and transparency
    2. purpose limitation
    3. data minimization
    4. accuracy
    5. storage limitation
    6. integrity and confidentiality
    7. accountability

    In the light of these principles, any processing of data must be based on a legal basis. Therefore, processing of personal data shall be lawful only if one of the following conditions is met (Art. 6 GDPR):

    a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes;

    b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

    c) processing is necessary for compliance with a legal obligation to which the controller is subject;

    d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

    e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

    f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

    Furthermore, the principle of data minimization (Art. 5(1)(c) GDPR) is applicable, according to which the processing must be limited to the necessary extent required for the purpose of the data processing. Generally, this means that personal data must be deleted if their processing has fulfilled the purposes for which they were originally gathered. As soon as the purpose of the storage expires, the legitimation ends as well. Moreover, Art. 17 GDPR grants the data subject a right to erasure and imposes requirements for the deletion of data on the controller. While the data subject can require the deletion of personal data concerning him at any time, the controller will have to delete personal data without undue delay on any of the following grounds, even without a respective claim by the data subject (Art. 17 (1) GDPR):

    a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

    b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

    c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

    d) the personal data have been unlawfully processed;

    e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

    f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

  5. Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there are rules relating to the form, content and administration of such consent?

    Consent creates a legal basis for the processing of personal data according to Art. 6 (1) 1 a) GDPR. Typical cases where a consent is used are newsletter mailings, customer profiling, use of location data, use of employee images for the employer’s website and the processing of data concerning health.

    In most cases a data subject’s consent will be sought as a legal basis for the processing of personal data only where other grounds cannot be applied. This is because an effective consent has to meet very high requirements. Consent is defined in Art. 4 (11) GDPR as a ‘freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.

    In order to obtain freely given consent, it must be given on a voluntary basis. The element ‘free’ implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid. Additionally, the conclusion of a contract must not be made dependent on the data subject’s consent to the processing of personal data if that data is not necessary for the fulfilment of the contract. This kind of coupling of services or products with data processing consents is prohibited.

    To meet the requirements of a specific and informed indication, certain information has to be disclosed to the data subject prior to the affirmative action expressing consent. This is the controller’s identity, the kind of data that will be processed, how it will be used and the purpose of the processing operations. The purposes of the processing operations must be sufficiently specified. Also, the data subject must be informed about his or her right to withdraw a given consent at any time.

    For the consent to be unambiguous it needs to be made in the form of a statement by the data subject or a clear affirmative action. The consent cannot be merely implied and any room for misinterpretation will be at the controller’s expense. However, there is no particular form required. The most widespread form of consent in an online setting is certainly the opt-in. To further illustrate the requirement of unambiguity: an opt-out function would not be considered an affirmative action and thus no effective consent.

    Controllers must document the given consent. Consumers should be offered a clear mechanism for opting out again and it should be as easy to withdraw as to give consent.

  6. What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?

    Art. 9 GDPR prohibits the processing of special categories of personal data unless certain requirements are met. According to paragraphs 2 and 3, if the data subject has given explicit consent to the processing or if the processing is necessary for an overriding interest, the processing is legitimate. Such an interest is for example given when processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity. The same applies if processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law or if processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.

    These exceptions are then again restricted by European Union or member state law.

    Special categories of personal data encompass personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

    Considering the aforementioned exceptions, there is no category of personal data that is completely and strictly exempt from processing under the governance of the GDPR or the FDPA.

  7. How do the laws in your jurisdiction address children’s PII?

    Art. 8 GDPR specifies the conditions to a child’s consent in relation to information society services, which are defined as ‘any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service’. Such services are especially online shops, streaming services and communication networks.

    The processing of the personal data of a child according to Art. 8 GDPR shall generally be lawful when the child is at least 16 years old. If the data subject is younger than 16 years old, processing shall be lawful only if consent is given or authorized by the holder of parental responsibility over the child.

    The member states may lower the age by national law if the age is no lower than 13 years. Consequently, the minimum age can differ between member states. Germany did not enact a law that changes the minimum age so that from the age of 16 the child’s own consent is assumed to suffice.

    The controller shall make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility over the child. Controllers must take available technology into consideration.

    A proven method to verify consent is a double opt-in process, where both the child and one parent must opt in. The company’s effort in checking consent must be increased where sensitive data is processed.

  8. Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.

    All companies employing 250 employees or more must keep a record of processing activities (Art. 5(2), 30(1), (2) GDPR). Nonetheless, this obligation also applies to smaller enterprises if

    • the processing is likely to result in a risk to the rights and freedoms of data subjects,
    • the processing is not occasional,
    • the processing includes special categories of data as referred to in Art. 9(1) GDPR (e.g. ethnic origin, biometric data, data related to political or philosophical beliefs), or
    • the processing includes personal data relating to criminal convictions and offences referred to in Art. 10 GDPR.

    Therefore, many small and medium size enterprises are also obligated to keep the records.

    In accordance with Art. 30 GDPR the record shall contain all the following information:

    • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
    • the purposes of the processing;
    • a description of the categories of data subjects and of the categories of personal data;
    • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
    • where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization;
    • where possible, the envisaged time limits for erasure of the different categories of data;
    • where possible, a general description of the technical and organizational security measures referred to in Art. 32(1) GDPR.

    All the records of processing activities shall be in writing, including in electronic form.

    Since these obligations are rather extensive and can be quite complex depending on many factors like the number of controllers and possible processors, the purposes for which data is processed, which security measures are in place, etc., there is no particular means to the fulfillment of these obligations used by a majority of the obligated enterprises. Due to the high requirements, it is difficult for companies to fulfil the obligations. Processes and security measures are often not or not sufficiently documented. However, since the GDPR came into effect in May 2018 awareness has risen exceptionally and is expected to rise even more after information on actually imposed fines under the GDPR is released. We would highly recommend an enterprise affected by these obligations to consult with a data privacy/security specialist who can facilitate an assessment of the data processing activities and get the expected documentation in place.

  9. Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?

    According to Art. 35 GDPR, the supervisory authority should be consulted if a data protection impact assessment (DPIA) shows that the processing involves a high risk and the measures taken by the controller have not been effective in minimizing that risk.

    The consultation as such does not constitute an authorization procedure for the processing operations and failing to do so does not lead to the unlawfulness of the data processing. However, the violation of this provision may be punished with fines of up to 10 million EUR or up to 2% of the worldwide annual turnover (see Art. 83(4)(a) GDPR). In view of these high possible fines, the consultation obligation is likely to have the effect of a de facto authorization procedure.

  10. Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?

    According to Art. 35 GDPR, a data protection impact assessment (DPIA) must be performed if a type of data processing is likely to present a high risk to the rights and freedoms of the data subjects, given their nature, scope, circumstances and purposes.

    Art. 35 (3) GDPR lists three situations that require a DPIA: In the case of systematic and extensive evaluation of personal aspects giving evidence about the personality and the capabilities of that person (e.g. profiling); in the case of processing certain personal data like data referred to in Article 9(1) (e.g. health data or about religious beliefs), or of personal data relating to criminal convictions and offences referred to in Article 10; in case of systematic monitoring of a publicly accessible area on a large scale.

    In accordance with Art. 35(4), (5) GDPR, each national supervisory authority issues so-called ‘blacklists’ and ‘whitelists’, which list processing activities that require, or explicitly do not require, a data protection impact assessment. These lists can be published, a practice followed for example by the German authorities. The blacklist published by the German authorities includes, for example, the processing of certain categories of personal data (e.g. biometric data, under further requirements), cases of extensive processing and certain circumstances of processing (e.g. extensive aggregation and processing of data from different sources).

    The GDPR provides minimum requirements regarding the scope of the data protection impact assessment which include:

    • a systematic description of the envisaged processing operations and purposes of the processing, including where appropriate the legitimate interests pursued by the controller;
    • an assessment of the necessity and proportionality of the processing operations in relation to their purpose(s);
    • an assessment of the risks to the rights and freedoms of the data subjects; and
    • the corrective measures envisaged to address the risks.

    Depending on the scope of the DPIA, there are different approaches to assessment and documentation, ranging from workshops, task forces, audit and the like. It is always important to cover all eventualities in order to achieve a reliable and comprehensible risk assessment.

  11. Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?

    All public authorities that process personally identifiable information must appoint a data protection officer (DPO) (Art. 37 (1) GDPR, § 5 FDPA). Organizations that are not public, on the other hand, are only required to appoint a DPO under specific conditions (Art. 37 in conjunction with Artt. 9, 10 GDPR). The controller and the processor shall designate a data protection officer in any case where

    • the core activities of the organization consist of processing operations which, by virtue of their nature or their purposes, require regular and systematic monitoring of data subjects on a large scale, or
    • the core activities of the organization consist of processing on a large scale of special categories of data,

    ‘core activities’ being understood as the organization’s principal activity and its most important work processes.

    These provisions are further extended by § 38 FDPA. According to the FDPA a non-public organization is required to implement a DPO if

    • they normally keep at least ten persons permanently engaged in the automated processing of personal data,
    • they carry out processing operations subject to a data protection impact assessment in accordance with Article 35 of Regulation (EU) 2016/679, or
    • they process personal data commercially for the purpose of transmission, anonymous transmission or for purposes of market or opinion research.

    The data protection officer may be a staff member of the controller or processor or fulfil the tasks on the basis of a service contract.

    The GDPR states several legal responsibilities the data protection officer must bear.

    These include for example:

    • informing and advising the controller or the processor and employees about their data privacy management obligations,
    • monitoring compliance, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations,
    • providing advice where requested,
    • cooperating with the supervisory authority and acting as the contact point for the supervisory authority on issues relating to processing.

  12. Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).

    The principles of good faith and transparency require that the data subject will be informed of the processing operation and of its purposes prior to processing. The controller must provide information on the processing including

    • information on the identity of the controller;
    • information on the purposes of data processing;
    • any other relevant information for data subjects to obtain their right of access;
    • information and education on the risks, rules, safeguards and rights related to the processing of personal data and how to assert their rights

    The rights to information are further substantiated by the provisions of Artt. 13, 14 GDPR. Regarding the requirements of Art. 13 GDPR, the controller must provide all information to the person concerned as set out in the catalogue of Art. 13 GDPR. Concerning the requirements of Art. 14 GDPR, the controller must provide all information to the person concerned such as contact information of the controller and the data protection officer, the purpose of the data processing and the legal basis, the recipients as well as information about whether the data is transferred to third countries.

    According to Art. 13 GDPR the controller is obliged to inform the data subject at the time when personal data are obtained. Depending on the specific situation, there are different possibilities how to inform the data subjects. If for example, the data processing happens on websites, the person concerned can be informed via a link to the information on a privacy policy subsite. In case of concluding contracts, the information can be provided in the T&Cs or elsewhere, such as separate instructions. If employees are concerned, they must be notified with info sheets.

  13. Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?

    The GDPR applies to the processing of personal data by a controller or a processor in the EU, regardless of whether the processing itself takes place in the EU or not. So effectively the GDPR directly applies to service providers processing personal data in the EU.

    Certain contractual requirements are obligatory in data processing agreements between a controller and a processor processing personal data on behalf and subject to the instructions of the controller. In case the processor uses another subcontractor, the level of data protection cannot be lower than the level outlined in the primary data processing agreement according to Art. 28 (4) GDPR. Thus, such contracts usually contain flow-down provisions.

  14. Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?

    Where a service provider processes personal data on behalf of the controller and is subject to the controller's instructions as to how it may process this data, the controller and the data processing service provider need to conclude a data processing agreement (DPA), Art. 28 GDPR. The DPA shall regulate the specifics of the data processing the processor conducts for the controller in accordance with Art. 28 (3) GDPR. The controller may only contract processors which guarantee a certain level of data protection. Besides, the controller needs to make sure that the processor adheres to certain standards when processing the personal data. Art. 28 (3) GDPR offers a catalogue of rules a DPA has to stipulate, amongst them the processor's commitment to the security measures required pursuant to Art. 32 GDPR, the commitment to delete or return all data after the end of the provision of services and to provide the controller with all information necessary to demonstrate compliance. Moreover, the controller is allowed to inspect all measures taken by the processor and to conduct audits.

    A similar contract needs to be concluded, if two controllers process personal data for joint purposes (Art. 26 GDPR) or shared means of processing.

  15. Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorization from a regulator?)

    According to European data protection law, there is no adequate level of data protection in countries outside the EU. In the opinion of the EU, the legal systems of these countries cannot adequately guarantee the protection of personal data. For this reason, Artt. 44 et seq. GDPR restrict international data transfers. Personal data may only be transferred to so-called "third countries" if

    1. an adequate level of data protection is ensured in the receiving state. The European Commission may take a decision determining that a given country, but also an economic sector or an area outside the EU, ensures a high and therefore "adequate level of data protection". At present, however, the list of countries for which the Commission has adopted adequacy decisions is manageable: Andorra, Argentina, Canada (private entities only), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand and Uruguay. For the USA, there is only a sector-specific adequacy decision by the Commission. Personal data may only be transferred without further restrictions to US companies certified under the EU-U.S. Privacy Shield program;

       or

    2. the data importer establishes an adequate level of data protection through appropriate safeguards. The main alternative means of transmission are
       - Standard contractual clauses: These are data protection contracts provided for by the Commission and concluded between the data receiving and transmitting entity.
       - Binding corporate rules: Companies can also set their own internal rules for the cross-border transfer of personal data within the group and have them approved by the competent supervisory authority.
       - Code of conduct: Business associations now have the opportunity to draw up data protection codes of conduct for their sectors, which will have to be approved by the respective supervisory authority.
       - Approved certifications: In the future, companies will also be able to prove compliance with the GDPR by means of an officially recognized "data protection certification".

    3. Additionally, the GDPR, like previous data protection law, allows exceptions for the transfer of personal data to companies in third countries for which there is neither an adequacy decision by the Commission nor one of the above-mentioned alternative instruments. The list of existing exceptions is broad, but their application is subject to strict conditions. However, such data transfers require the upfront approval of the respective supervisory authority.

  16. What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?

    Security obligations are imposed specifically by Artt. 5, 25 and 32 GDPR. Art. 5 GDPR establishes the principles of the GDPR, especially the protection of the right to informational self-determination. According to this principle, service providers, controllers and processors alike must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

    The concept of Privacy by Design set out in Art. 25 GDPR addresses the controller in particular. A controller is obliged to effectively implement technical and organizational measures to protect the rights of data subjects, taking into account the costs of implementation and the nature, scope, context and purposes of processing. Possible measures include purpose limitation, data minimization via privacy enhancing technologies, accuracy, storage limitation by setting up retention periods, as well as ensuring integrity and confidentiality, e.g. by making sure that no unauthorized third parties gain access to the data.

    Art. 32 GDPR provides technical and organizational measures for controllers and processors to ensure an appropriate level of security, e.g. pseudonymization and encryption of personal data as well as a data protection management.

  17. Does your jurisdiction impose requirements of data protection by design or default?

    The GDPR imposes requirements of privacy by design and by default explicitly in Art. 25 GDPR.

    Under privacy by design, controllers must implement appropriate technical and organizational measures to safeguard the processing of personal data. In doing so, the cost of implementation, the nature, scope, context and purposes of processing, and the risks for the rights and freedoms of natural persons must in particular be taken into account.

    Such a measure could be the pseudonymization of, in particular, the IP address or the name and address of a natural person where the data is used for statistical purposes only. Furthermore, it could mean splitting databases by purpose, e.g. one for order handling, which processes directly identifiable data, and one for marketing and statistical purposes, where only pseudonymized data is processed.

    Privacy by default is along the same lines: the controller has to implement appropriate technical and organizational measures to ensure that only personal data which is actually necessary for the specific purpose is processed. This concerns in particular the amount of personal data collected and its retention period.

    For example, it could mean that a tracking technology automatically deletes the personal logs of each visit after a particular period of time and does not store the full IP address, because the full address is not actually necessary for this purpose. It could also mean honouring the Do Not Track option in the browser and not tracking the user if it is activated. In Germany, websites such as those of the public broadcasting services ARD and ZDF do not display Twitter and Facebook content by default, but only if the user consents.

  18. Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?

    A personal data breach or security breach is defined in paragraph 12 of Art. 4 GDPR and covers any breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that is processed.

  19. Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?

    For controllers, Art. 33 GDPR legally requires notification of the supervisory authority without undue delay, and at the latest within 72 hours of becoming aware of a data privacy incident. The notification must describe the nature of the breach as well as the categories or number of persons and data records affected. Moreover, it must state the likely consequences and the measures taken or planned by the controller. It must also name a contact person, e.g. the DPO.

    If the personal data incident causes a high risk to the rights and freedoms of a natural person, the controller must also notify the data subject immediately (Art. 34(1) GDPR). This notification must be made in clear and plain language. The controller, however, is not obliged to notify the person affected if the data concerned is secured and protected from unauthorized access by technical and organizational security measures, or if the notification would involve disproportionate effort (Art. 34(3) GDPR). In the latter case, a public communication or a similar measure can suffice (e.g. publication in a newspaper or on the internet).

    Processors shall notify the controller without undue delay about the data breach.

  20. Do the laws in your jurisdiction provide individual rights, such as the right to access and the right to deletion? If so, please provide a general description on what are the rights, how are they communicated, what exceptions exist and any other relevant details.

    The rights of the data subjects are governed by chapter 3 of the GDPR. These are the right of access by the data subject, the right to erasure, the right to restriction of data processing, the right to object and the right to data portability.

    Right of access: According to Art. 15 GDPR, the data subject may, upon request, obtain confirmation as to whether personal data relating to him or her is processed. If so, the personal data collected alongside the following information must be communicated to the data subject:

    • purpose of processing;
    • categories of data processed;
    • (intended) recipients of the data;
    • the planned period of retention or the criteria for determining it;
    • the existence of a right to rectification/deletion of the data and to limitation/opposition of the processing;
    • the origin of the data if they have not been collected from the data subject;
    • the existence of an automated decision-making procedure (including profiling) and its logic and purpose;
    • appropriate safeguards (e.g. certifications) if data are transferred to third countries or international organizations.

    Upon further request, the controller has to provide a copy of said data (e.g. in digital form).

    Right of rectification and erasure: The data subject may request that inaccurate data about him or her be corrected or supplemented accordingly (Art. 16 GDPR). According to Art. 17 GDPR, a data subject may at any time request the deletion of his or her data. Deletion means that the data must actually be destroyed. Even without such a request, the controller is obliged to delete personal data if one of the following conditions is met:

    • the data is no longer necessary for the processing purpose;
    • revocation of the data subject's consent to data processing (if there is no other legal basis for the processing);
    • objection by the data subject to the processing (see below) and absence of a legitimate and overriding reason for continuing the processing;
    • unlawful processing of data;
    • other erasure obligations under national or Union law.

    However, if the processing is necessary, the rules for deletion above do not apply. According to paragraph 3 of Art. 17 GDPR, the processing is considered necessary:

    • for exercising the right of freedom of expression and information;
    • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
    • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    • for the establishment, exercise or defense of legal claims.

    In addition, the right to be forgotten has been enshrined in law, which is particularly relevant in the case of published information and is intended to give data subjects the opportunity to leave the past behind them. If personal data has been made public, the controller must take the steps that are technologically possible and reasonable in view of the cost to inform other parties processing the data of a restriction, deletion or correction request by the data subject.

    Right of restriction of data processing: The data subject has the right to have the processing of his/her data restricted (Art. 18 GDPR). This right is also of interest if deletion is impossible or disproportionate. If the data subject demands the restriction, the data may, apart from being stored, only be processed with his or her consent, for the establishment, exercise or defense of legal claims, or for reasons of important public interest of the EU or a Member State.

    However, the restriction can only be demanded under one of the conditions set out in Art. 18(1) GDPR:

    • if the data subject disputes the accuracy of his/her data, for a period of time which enables the controller to verify the accuracy of the personal data;
    • in the case of unlawful data processing, if the data subject requests the restriction instead of deletion;
    • if the data controller no longer needs the data for his purposes, but the data subject needs them to enforce a claim; or
    • if the data subject objects to the processing by the data controller pursuant to Art. 21(1) GDPR, as long as it has not yet been determined whose interests are worthier of protection in the specific case.

    Right to data portability: Art. 20 GDPR also grants the data subject the right to receive all personal data concerning him or her in a structured and machine-readable format, provided that the processing is based on consent or a contract and is carried out by automated means. The data subject may also obtain the direct transfer of the data to another controller, unless the processing by the first controller is necessary for the performance of a task carried out in the public interest, or the direct transfer is not technically feasible for the controller.

    Right to object: Pursuant to Art. 21(1) GDPR, data subjects have the right to object at any time to data processing carried out for the performance of a public interest task or to safeguard the legitimate interests of the data controller. Pursuant to Art. 21(6) GDPR, this also applies if the processing is carried out for historical, scientific or statistical purposes (Art. 89(1)), unless it is necessary for the performance of a task in the public interest. In these cases, further processing is only permissible if the controller can demonstrate that considerable and irreversible disadvantages would arise without this processing (e.g. collection procedures).

  21. Are individual rights exercisable through the judicial system or enforced by a regulator or both? When exercisable through the judicial system, does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances? Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury of feelings sufficient?

    Every person who has suffered material or non-material damage because of an infringement of the GDPR has the right to receive compensation (Art. 82(1) GDPR). Any controller involved in the processing, and any processor who has not complied with the obligations of a processor, is liable for this damage according to Art. 82(2) GDPR. They can be exempt from liability if they are not responsible in any way for the damage (Art. 82(3) GDPR).

    With regard to non-material damage, a district court in Germany expressed considerable doubts in a 2018 decision as to whether a single unsolicited email sent without the consent of the data subject gives rise to a right to compensation. The court clarified that such a single infringement of the GDPR (the email) does not give the data subject this right if there is no damage amounting to a noticeable disadvantage, as opposed to a mere trifle without serious impairment.

    Besides this, each data subject has the right to an effective judicial remedy against the controller or the processor and the right to lodge a complaint with the supervisory authority in case of infringements of the GDPR (Art. 77, 79 GDPR).

  22. How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?

    Every member state of the EU must provide one or more independent public authorities (Art. 51 GDPR), which are responsible for monitoring the implementation of and compliance with the GDPR. They have investigative and corrective powers, including the sanction of administrative fines according to Art. 83 GDPR. Administrative fines are, however, not the only penalties for infringements: the corrective powers also include issuing warnings and reprimands.

    Every data subject has the right to lodge a complaint with such a supervisory authority according to Art. 77 GDPR. Furthermore, there is the right to an effective judicial remedy according to Art. 78 GDPR against a legally binding decision of the supervisory authority. The right to an effective judicial remedy against the controller or processor is provided in Art. 79 GDPR. Besides this, each natural or legal person always has the right to any other administrative or non-judicial remedy (Art. 78 GDPR et seq.).

    Each administrative fine for an infringement of the GDPR must be effective, proportionate and dissuasive (Art. 83(1) GDPR). The decision on a fine must therefore take into account in particular the nature, gravity and duration of the infringement. Administrative fines range up to 10 million EUR or 2% of the total worldwide annual turnover in the cases of Art. 83(4) GDPR, or even up to 20 million EUR or 4% in the cases of Art. 83(5) GDPR.

  23. Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.

    Art. 85 GDPR allows member states of the EU to provide in national law for exemptions from a number of the regulation's provisions for journalistic, scientific, artistic or literary purposes. This is intended to reconcile the right to the protection of personal data with the right to freedom of expression and information.

    For example, member states can grant media privileges so that broadcasters and the press can still do their job without having to comply with every general requirement of the GDPR. In Germany the so-called ‘Medienprivileg’ is governed by the ‘Rundfunkstaatsvertrag’ (Broadcasting Treaty) and the many Press Laws of the federal states. These Press Laws may differ from each other, which renders the situation quite complex. In general, the media are bound by the GDPR and the FDPA, with several exceptions. Journalists do not have to prove a legal ground for the processing of personal data, including a legitimate interest in the processing, nor do they have to inform data subjects about their rights regarding personal data security. The data subjects’ rights themselves are also limited. For example, neither the right of access nor the right to object applies where a media agent is processing personal data. However, the processing of data by the media is governed by other laws. As an example, §§ 9 and 57 of the Broadcasting Treaty provide a right to information for the subjects of media coverage, albeit under more restrictive conditions than the right of access for data subjects under the GDPR.

    Furthermore, Art. 88 GDPR offers member states the option to provide more specific rules on processing in the employment context to ensure the protection of the rights and freedoms of employees with regard to their personal data. In Germany these can be found in § 26 FDPA and include certain rules for works agreements, service agreements and collective agreements, as well as criteria for consent in the employment context that take possible dependency issues into account.

    Also, other articles in the GDPR offer the possibility for member states to specify certain aspects of data privacy in national law, especially in Art. 23 GDPR for national and public security as well as prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

  24. Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?

    Profiling is legally defined in Art. 4(4) GDPR and described as any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person. In addition to the general requirements of Art. 6 GDPR, profiling is subject to further requirements under Art. 22 GDPR if the automated processing produces legal effects concerning the data subject or similarly significantly affects him or her. In this case the profiling is prohibited unless one of the exceptions in Art. 22(2) GDPR applies.

    Therefore, either a contract between the data subject and the data controller, an authorization under European Union or member state law, or the explicit consent of the data subject is necessary. In the first and last case the data controller must implement suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests according to Art. 22(3) GDPR.

    For decisions based on the processing of special categories of personal data a simple contract does not suffice. In this case the processing is only lawful on the basis of the data subject’s consent or if there is a legal requirement in European or member state law.

    The data subject has the right to object to profiling under the requirements of Art. 22 GDPR. One typical application is the scoring of data subjects as practiced by providers of financial services. Rules on scoring can also be found in § 31 FDPA, which sets out several prerequisites: the provisions of data protection law must be complied with, the probability value must be calculated on the basis of a scientifically recognized mathematical-statistical procedure, data other than address data must be used to calculate the probability value, and finally the person affected must be notified of the planned use of these data.

    Because tracking technologies usually use personal data such as the user’s IP address, this kind of processing is restricted by the GDPR. Even if the IP address is pseudonymized, the user remains identifiable. Cookies which carry a pseudonymized ID in order to recognize a previous visitor gather personal data as well. Therefore, there needs to be a legal basis in Art. 6 GDPR for using tracking technologies.

    Whereas statements by various regional supervisory authorities imply that the consent of the person affected is required for this purpose, other legal professionals and scholars as well as many private enterprises argue that other legal grounds are sufficient, depending on the type of tracking technology. Therefore, not all websites currently obtain consent for tracking technologies. The use of a cookie banner with opt-out possibilities is still common.

    Probably the most common ground relied on for user tracking is the website provider’s legitimate interest in the procedure (Art. 6(1)(f) GDPR). Such a legitimate interest could be the optimization of the website by analyzing visitors’ activities on the website.

    Even if the website provider has a legitimate interest and one considers this a sufficient legal ground for the processing, it is nonetheless necessary to pseudonymize the IP address to fulfil the principle of data minimization according to Art. 5(1)(c) GDPR. Furthermore, visitors must be informed of the data processing taking place according to Art. 13 GDPR, and opt-out possibilities have to be provided.
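As an added example that is not part of the original Q&A, the following Python code illustrates the measures described here and under question 17 for a tracking/analytics log: the full IP address is never stored (only a masked network prefix and a keyed pseudonym), a browser's Do Not Track signal is honoured as an opt-out, and records are dropped once an assumed retention period has elapsed. The log line format, the 7-day retention period, the sample addresses (RFC 5737 / RFC 3849 documentation ranges) and the rotating HMAC key are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

RETENTION = timedelta(days=7)  # assumed retention policy (hypothetical value)

# Constructed sample log: "<ISO-8601 timestamp> <client IP> <path> DNT=<0|1>"
SAMPLE_LOG = """\
2019-03-01T10:00:00Z 203.0.113.45 /index.html DNT=0
2019-03-01T10:05:00Z 2001:db8:abcd:1234::1 /products DNT=0
2019-03-01T10:06:00Z 198.51.100.7 /products DNT=1
2019-02-01T09:00:00Z 192.0.2.9 /index.html DNT=0
"""


@dataclass(frozen=True)
class Visit:
    timestamp: datetime
    client_ip: str
    path: str
    dnt: bool


@dataclass(frozen=True)
class StoredVisit:
    """What the analytics store keeps: no full IP, only a masked prefix and a pseudonym."""
    timestamp: datetime
    network: str
    visitor: str
    path: str


def parse_line(line: str) -> Visit:
    ts, ip, path, dnt = line.split()
    return Visit(
        timestamp=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        client_ip=ip,
        path=path,
        dnt=(dnt == "DNT=1"),
    )


def mask_ip(ip: str) -> str:
    """Drop the host part of the address: /24 for IPv4, /48 for IPv6 (data minimization)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonym(ip: str, key: bytes) -> str:
    """Keyed HMAC pseudonym to recognise a returning visitor within one key period.
    Rotating `key` (e.g. daily) prevents linking visits across periods."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(visit: Visit, key: bytes, now: datetime) -> Optional[StoredVisit]:
    """Privacy by default: honour DNT, enforce retention, never store the full IP."""
    if visit.dnt:  # browser opted out: record nothing at all
        return None
    if now - visit.timestamp > RETENTION:  # outside retention: must not be kept
        return None
    return StoredVisit(visit.timestamp, mask_ip(visit.client_ip),
                       pseudonym(visit.client_ip, key), visit.path)


def process_log(text: str, key: bytes, now: datetime) -> List[StoredVisit]:
    kept = []
    for line in text.splitlines():
        if line.strip():
            rec = minimise(parse_line(line), key, now)
            if rec is not None:
                kept.append(rec)
    return kept


def purge_expired(records: List[StoredVisit], now: datetime) -> List[StoredVisit]:
    """Periodic deletion job: remove records whose retention period has elapsed."""
    return [r for r in records if now - r.timestamp <= RETENTION]
```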

    Overall, the legal basis for the use of tracking is currently very controversial and unclear in Germany. Irrespective of the decision expected from the European Court of Justice in the ‘Planet49’ case, clarity will not be achieved until the ePrivacy Regulation has been adopted. The ePrivacy Regulation is intended to clarify and supplement the GDPR with regard to electronic communications as sector-specific data protection law, taking precedence over the GDPR in this respect. It is unclear when adoption can be expected, but a new draft was recently published under the Romanian Council Presidency at the end of February 2019.

  25. Please describe any laws addressing email communication or direct marketing?

    Article 21 of the GDPR regulates the right of data subjects to object to direct marketing concerning them at any time.

    § 7 UWG (Act Against Unfair Competition) and Art. 13 of the ePrivacy Directive 2002/58/EC regulate advertising via e-mail (and other channels). Although the UWG is not technically data protection law, § 7 UWG can be understood as an implementation of the ePrivacy Directive. In general, advertising via e-mail without prior express consent is deemed an unreasonable harassment and is therefore prohibited. However, under certain conditions direct e-mail marketing within existing customer relationships is possible according to § 7(3) UWG. These cumulative conditions are:

    • the customer has provided his email address to an enterprise in connection with the sale of goods or services,
    • the enterprise uses the address for directly marketing its own similar goods or services,
    • the customer has not objected to the use and
    • the customer is clearly informed when the address is collected and each time it is used that he can object to the use at any time without costs other than the transmission costs according to the basic tariffs.