Germany/ 5.1 General legislation  

5.1.8 Data protection laws

At the national level, the Federal Data Protection Act (BDSG) of January 1st, 1978 regulates data security for the federal authorities and for the private sector, including business enterprises. In addition, the federal states' (Länder) data security laws apply at the level of state and municipal authorities. The purpose of the data security laws is to protect "the individual against an infringement of his personal rights through the misuse of his personal data" (§ 1.1 BDSG). According to a ruling of the Federal Constitutional Court, this right of "information self-determination" is considered a fundamental right of all German citizens. The basic principle of the law is a general ban on the collection, processing and use of person-related data, except where explicitly permitted by law or individually approved – usually in writing – by the person concerned. Other important principles of the law include those on "data avoidance" and "data thrift" (e.g. the former Federal film statistics were abolished in this context). A Federal Representative for Data Security and Access to Information (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, BfDI) and similar officials in the federal states (Länder) are responsible for supervising and guaranteeing these provisions.

On 23rd May 2001, the European directive on data protection, which defines minimum standards for data protection of EU member states, adopted by the European Parliament and by the Council of the European Union in 1995, was transposed into German national law through the amendment of the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). However, as the Federal Republic of Germany failed to adopt this transposition within three years after the enactment of the European directive, the European Commission initiated an infringement procedure against the Federal Republic of Germany.

Moreover, in 2005 the European Commission criticised the content of the German implementation of the European directive as insufficient, since the requirement that data protection supervision be absolutely independent from state interference is not satisfied. Up to now, the BfDI had been under the legal supervision of the Federal Government and the administrative supervision of the Federal Ministry of the Interior (BMI), and moreover relied on the organizational and administrative infrastructure of the latter.

Therefore, the European Commission initiated a new infringement procedure. In 2010 the European Court of Justice ruled that the European directive on data protection had not been transposed correctly into German national law: the control of data protection in the EU member states may not be subject to any other executive state bodies, as they could possibly have a political interest in non-compliance with data protection laws.

From January 2016 onwards, the BfDI will be restructured into an entirely independent supreme Federal authority. In the course of this conversion, the legal supervision by the Federal Government as well as the administrative supervision by the Federal Ministry of the Interior will be abolished, and the BfDI will remain subject to parliamentary and judicial control only.

These general data protection laws are complemented and clarified by many other data regulations, e.g. in the social security domain or with regard to church life. However, the BDSG regulations are also relevant in the cultural area, where they have gained relevance, e.g. in the marketing work of cultural facilities. Since May 23rd, 2004, companies have been obliged to appoint a data security official in cases where more than five employees handle, or have access to, personal data.

Chapter published: 12-09-2016