Data protection supervision in the Federal Republic of Germany is regulated by the Federal Data Protection Act (FDPA), as well as by each of the 16 states’ own data protection acts. The FDPA mainly deals with the use of data by public bodies that are either part of or influenced by the Federation, and with any use of data by private persons or enterprises. By contrast, the scope of application of the state Acts is limited to public bodies that are part of, or influenced by, the respective state. The great majority of research institutions and universities (except some private universities), as well as practically all public hospitals, are governed by state legislation (Kühn 2004). However, the overall conditions appear to be the same across the different state Acts and the FDPA.
Each individual German state has a Data Protection Authority which is responsible for the enforcement of data protection laws and competent for the supervision of data controllers established in the relevant state (The Federal Commissioner for Data Protection and Freedom of Information).
What is personal data?
According to the FDPA, personal data is defined as “any information concerning the personal or material circumstances of an identified or identifiable individual” (cf. Section 3 (1)).
What is sensitive personal data?
Sensitive personal data, or special categories of personal data as both the FDPA and EC Directive 95/46 call it, includes the same categories as the Directive: information on a person’s racial or ethnic origin, political opinions, religious or philosophical convictions, trade union membership, health or sex life (cf. Section 3 (9)).
Conditions for processing of personal data
Data controllers must safeguard the main data protection principles, which include:
Data reduction and data economy
The FDPA requires various safeguards against incompatible processing of personal data. The most important of these is the obligation to anonymise data as soon as the research purpose allows it. Until then, the data controller shall ensure that the information allowing re-identification of individual data subjects is stored separately from the actual data used for the research, and is combined with it only where the research purpose requires. Further, data processing systems shall be chosen and organised with the aim of limiting the processing of personal data as far as possible, and the technical and organisational measures necessary to achieve the intended level of protection shall be taken (cf. Sections 3a and 9).
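As an added illustration of the separation requirement just described (example code written for this page, not taken from the FDPA, any supervisory authority or any project), the following Python sketch keeps identifying data in a separate mapping store, lets research records carry only a keyed pseudonym, permits re-linking only for a stated research purpose, and destroys the mapping once the purpose allows anonymisation. The identifier field names, the record values and the `ResearchDataStore` class are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed: fields treated as direct identifiers for this example.
IDENTIFIERS = ("name", "address", "insurance_no")


class ResearchDataStore:
    """Research records live here under a pseudonym; the identifying data lives
    in a separate mapping that only an explicit research purpose may consult."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # assumed: secret held with the mapping, not the data
        self._mapping = {}                   # pseudonym -> identifiers (the separate store)
        self.records = []                    # research data without direct identifiers
        self.anonymised = False

    def _pseudonym(self, insurance_no):
        # Keyed hash: without the key, the pseudonym cannot be recomputed from the identifier.
        return hmac.new(self._key, insurance_no.encode(), hashlib.sha256).hexdigest()[:16]

    def ingest(self, raw):
        """Split one raw record into identifiers (mapping) and research data (records)."""
        pid = self._pseudonym(raw["insurance_no"])
        self._mapping[pid] = {k: raw[k] for k in IDENTIFIERS}
        research = {k: v for k, v in raw.items() if k not in IDENTIFIERS}
        self.records.append({"pid": pid, **research})
        return pid

    def relink(self, pid, purpose):
        """Combine research data with identifiers only when a research purpose requires it."""
        if self.anonymised:
            raise PermissionError("mapping destroyed: the data set has been anonymised")
        if not purpose:
            raise ValueError("re-identification requires a stated research purpose")
        record = next(r for r in self.records if r["pid"] == pid)
        return {**self._mapping[pid], **record}

    def anonymise(self):
        """Once the research purpose allows it, destroy the mapping and the key."""
        self._mapping.clear()
        self._key = None
        self.anonymised = True


def leaks_identifiers(records):
    """True if any research record still carries a direct identifier field."""
    return any(k in IDENTIFIERS for r in records for k in r)
```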
Lawfulness of data collection, processing and use
Processing of personal data is lawful only if expressly permitted by the FDPA or other law, or if the data subject has provided his or her consent (Section 4.1).
As a main rule, personal data should be collected from the data subject, except when this would, e.g., require disproportionate effort and there is no indication that the data subject’s overriding interests would be adversely affected (Section 4.2).
The purposes for which data will be processed must be defined at the point of collection. Personal data collected for research purposes cannot be processed for purposes other than research (Section 40.1).
The data subject is entitled to access information that is stored concerning him or her (including the source of data, recipients, categories of recipients to whom data is transferred and the purpose of storage). When requested, the data controller must provide this information (Section 34).
Obligation to register processing of personal data
In principle, the FDPA requires the processing of personal data by automatic means to be notified to the supervisory authority. This obligation does not apply, however, where the data controller has appointed a data protection official; such an appointment is mandatory for public and private bodies with more than nine employees processing personal data by automatic means. State legislation on the duty to register processing of personal data varies slightly, but with largely the same result. One group of states obliges the data controller to notify the supervisory authority unless a data protection official is appointed. The other group makes the appointment of an official mandatory and therefore dispenses with the additional duty to notify a supervisory authority. All German universities, research centres and research hospitals have appointed such data protection officials and are therefore exempt from the notification duty (Kühn 2004).
Duties of the Data Protection Official
According to the FDPA, the data protection official shall work to ensure compliance with the Act and other data protection provisions. In particular, this work consists of (cf. Section 4g of the FDPA):
- Monitoring the proper use of data processing programs with the aid of which personal data are to be processed; for this purpose the official shall be informed in good time of projects for automatic processing of personal data,
- Familiarizing the persons employed in the processing of personal data with the provisions of the Act and other provisions concerning data protection, and with the various special requirements of data protection,
- The controller shall provide the data protection official with an overview of the information listed below (cf. Section 4g). This is the same information required in a registration to the supervisory authorities. The data protection official shall, on request, make this information available to anyone in an appropriate manner:
o name and other contact details of the controller, including appointed managers and the persons placed in charge of data processing,
o purposes of collecting, processing or using data,
o description of the groups of data subjects and the categories of data,
o recipients or categories of recipients to whom the data may be transferred,
o standard periods for the erasure of data,
o any planned data transfer in third states,
o general description enabling a preliminary assessment as to whether the measures to guarantee the security of processing are adequate.
The processing of sensitive personal data is subject to an advance examination (prior check) by the appointed data protection official unless the processing is based on the data subject’s consent (cf. Section 4d of the FDPA). In case of doubt, the data protection official shall consult the competent authority on the matter.
A processor can only process personal data under the data controller’s instructions in compliance with the mandatory provisions on data processing. The contract between the processor and the data controller must specify the following (cf. Section 11 of the FDPA):
· the subject and duration of the work to be carried out,
· the extent, type and purpose of the intended collection, processing or use of data, the type of data and category of data subjects,
· the technical and organizational measures to be taken under section 9 of the FDPA,
· the rectification, erasure and blocking of data,
· the processor’s obligations under section 11, subsection 4, particularly in relation to monitoring,
· any right to issue subcontracts,
· the controller’s rights to monitor and the processor’s corresponding obligations to cooperate,
· rules applicable if the processor or its employees violate:
o provisions relating to the protection of personal data or
o terms specified by the controller which are subject to the obligation to notify,
· the extent of the controller’s authority to issue instructions to the processor,
· the return of data storage media and the erasure of data recorded by the processor after the work is completed.
The Federal Commissioner for Data Protection and Freedom of Information
State Commissioners for Data Protection
The Federal Data Protection Act
Baden-Württemberg Data Protection Act
Berlin Data Protection Act
Brandenburg Data Protection Act
Bremen Data Protection Act
Hamburg Data Protection Act
Hessen Data Protection Act
Mecklenburg-Vorpommern Data Protection Act
Niedersachsen Data Protection Act
Nordrhein-Westfalen Data Protection Act
Rheinland-Pfalz Data Protection Act
Saarland Data Protection Act
Sachsen Data Protection Act
Sachsen-Anhalt Data Protection Act
Schleswig-Holstein Data Protection Act
Thüringen Data Protection Act
Kühn, H. 2004. The implementation of the Data Protection Directive 95/46/EC in Germany. In: D. Beyleveld, D. Townend, S. Rouille-Mirza and J. Wright, ed. 2004. Implementation of the Data Protection Directive in Relation to Medical Research in Europe. Ashgate. pp. 121-140.
The Federal Personal Data Protection Act, 2009 [online]. Available at: <http://www.bfdi.bund.de/EN/DataProtectionActs/Artikel/BDSG_idFv01092009…> [Accessed 18 June 2014].