Data Advocacy for Germany

The main legal source of data protection in Germany is the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), which implements the European data protection directive 95/46/EC. Additionally, each German state has a data protection law of its own. In principle, the data protection acts of the individual states are intended to protect personal data from processing and use by public authorities of the states, whereas the BDSG is intended to protect personal data from processing and use by federal public authorities and private bodies. Enforcement is through the data protection authorities of the German states. The competence of the respective state authority depends on the place of business of the data controller.

These will remain the legal sources until the European Data Protection Regulation comes into force in 2018. The Data Protection Regulation will then completely replace the BDSG and the European Data Protection Directive 95/46/EC.

The FDPA outlines the general requirements and obligations relating to the collection, processing and use of Personal Data by private bodies and by federal authorities and bodies. For state authorities and bodies, each German state (Bundesland) has its own state data protection act. If there are specific data privacy provisions, in particular sector-specific laws (e.g., the German TMA, the Social Act No. 10 for pharmaceutical companies, or the Postal Act for postal services), the FDPA is generally superseded by such specific provisions and applies only in cases where there are gaps in the law.

With respect to private bodies, the FDPA applies if the private body collects, processes or uses information relating to an individual in data processing systems or in or from non-automated filing systems, unless the information is collected, processed or used solely for personal or domestic activities. From a territorial perspective, the FDPA applies to private bodies located in Germany. The FDPA is not applicable in so far as a private body is located in another Member State of the EU/EEA, except where the relevant data collection, processing and use is carried out by an establishment in Germany. In this context, a recent decision of the ECJ must be considered which further defines the term “establishment” and expands it to a representative. The FDPA applies to data collected, processed or used in Germany by a private entity located outside the EU/EEA using, for the purposes of processing Personal Data, equipment, automated or otherwise, situated in Germany. In another decision of the ECJ against a global internet search engine provider located in the US, the ECJ held that EU Member State data protection law applies if a legal entity located in the US processes Personal Data of EU citizens and if a subsidiary of this US legal entity that is located in the EU is involved in the business operations of the US legal entity by providing marketing support, even though this subsidiary was not involved in the actual data processing activities. In the aftermath of these decisions, there is a risk that German DPAs and German courts apply the FDPA even more broadly, even if the black-letter law requirements for its application are not fulfilled.

Each individual German state has a Data Protection Authority which is responsible for the enforcement of data protection laws and competent in respect of data controllers established in the relevant state.

Data controllers that deploy more than nine persons in relation to the automated processing of personal data are obliged to appoint a DPO. Such a DPO may either be an employee or an external consultant that has sufficient knowledge in the field of data protection. The DPO is neither required to be a citizen nor a resident of Germany, but shall have the necessary expertise in German data protection law as well as reliability.

The DPO shall in particular monitor the proper use of data processing programs and take suitable steps to familiarise the persons employed in the processing of personal data with the provisions of data protection.

As far as sensitive personal data is concerned, such personal data is subject to examination prior to the beginning of processing (prior checking) by the appointed DPO unless the data subject has consented. In case of doubt, the DPO shall liaise with the competent authorities.

Any intentional or negligent infringement of the statutory obligation to appoint a DPO may result in fines up to EUR 50,000. However, the fine shall be higher than the economic advantage gained through the infringement. Therefore, depending on the individual case, the fine may eventually be higher than EUR 50,000.

In Germany, an organization must appoint a data protection officer if (i) it employs more than nine persons with automated processing of Personal Data, (ii) 20 or more persons with any other types of Personal Data processing activities, or (iii) it is subject to the prior checking procedure, which is particularly required if (a) sensitive data is processed or (b) the processing of Personal Data is intended to evaluate the Data Subject’s personality, including his/her abilities, performance or conduct, unless such data processing activities are covered by a statutory obligation or the Data Subject’s consent or are necessary to perform a contract with the Data Subject.

A breach notification duty has recently been implemented into the BDSG. According to Sec. 42a BDSG the notification duty applies if:

  • sensitive personal data, personal data subject to professional secrecy, personal data related to criminal and/or administrative offences, personal data concerning bank or credit card accounts, certain telecommunications and online data is abused or lost and an unauthorised third party acquires knowledge, and
  • in case of telecommunications and online data, there is a serious threat of interference with interests of concerned individuals.

Data controllers are obliged to inform supervisory authorities and the concerned individuals.

Notice Requirements:

An organization that collects Personal Data must provide Data Subjects with information about: the organization’s identity; the types of Personal Data being collected; the purposes of collecting Personal Data; its privacy practices (which must be given in a clear and transparent way); third parties to which the organization will disclose the Personal Data; the consequences of not providing consent; and where the Personal Data is to be transferred.

Opt-in regime: no direct marketing electronic mail can be legally sent without the express consent of the receiver, unless a pre-existing business or commercial relationship exists. (Consent is however not mandated for marketing to legal persons.)

Also, a specific opt out must be offered with each message. Disguised sender identities are prohibited, and a valid return address must be provided.

The term “Opt-Out Rule” means that the sending of e-marketing to the recipient is permitted on an opt-out basis if:

  • the recipient’s details were originally collected “in the context of a sale”.
  • the entity sending the marketing is the same legal entity that collected the recipient’s details initially.
  • the marketing relates to “similar” products and/or services for which the recipient’s details were originally obtained.
  • the recipient is given the opportunity free of charge to object to the e-marketing, both at the time their details were collected and in each subsequent communication.

Applicable Legislation:

German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb) (‘UCA’) as last amended 1 October 2013

First party e-marketing

(entity that collects the data will send the e-marketing itself)

B2C: Double opt-in. Opt-out permitted where Opt-Out Rule applies.

B2B: Double opt-in. Opt-out permitted where Opt-Out Rule applies.

Third party e-marketing

(entity that collects the data will share with third party partner for e-marketing)

B2C: Double Opt-in

B2B: Double Opt-in.
