Part 1
Teil 2
Sub-chapter 1
- § 22Processing of special categories of personal data
- § 23Processing for other purposes by public bodies
- § 24Processing for other purposes by private bodies
- § 25Transfer of data by public bodies
- § 26Data processing for employment-related purposes
- § 27Data processing for purposes of scientific or historical research and for statistical purposes
- § 28Data processing for archiving purposes in the public interest
- § 29Rights of the data subject and powers of the supervisory authorities in the case of secrecy obligations
- § 30Consumer loans
- § 31Protection of commercial transactions in the case of scoring and credit reports
Sub-Chapter 2
- § 32Information to be provided where personal data are collected from the data subject
- § 33Information to be provided where personal data have not been obtained from the data subject
- § 34Right of access by the data subject
- § 35Right to erasure
- § 36Right to object
- § 37Automated individual decision-making, including profiling
Teil 3
- § 55General information on data processing
- § 56Notification of data subjects
- § 57Right of access
- § 58Right to rectification and erasure and to restriction of processing
- § 59Modalities for exercising the rights of the data subject
- § 60Right to lodge a complaint with the Federal Commissioner
- § 61Legal remedies against decisions of the Federal Commissioner or if he or she fails to take action
- § 62Processing carried out on behalf of a controller
- § 63Joint controllers
- § 64Requirements for the security of data processing
- § 65Notifying the Federal Commissioner of a personal data breach
- § 66Notifying data subjects affected by a personal data breach
- § 67Conducting a data protection impact assessment
- § 68Cooperation with the Federal Commissioner
- § 69Prior consultation of the Federal Commissioner
- § 70Records of processing activities
- § 71Data protection by design and by default
- § 72Distinction between different categories of data subjects
- § 73Distinction between facts and personal assessments
- § 74Procedures for data transfers
- § 75Rectification and erasure of personal data and restriction of processing
- § 76Logging
- § 77Confidential reporting of violations
Teil 4
FDPA Part 2 - § 40
Supervisory authorities of the Länder
- The authorities pursuant to Land law shall monitor the application by private bodies of data protection legislation within the scope of Regulation (EU) 2016/679.
- 1If the controller or processor has more than one establishment in Germany, Article 4 no. 16 of Regulation (EU) 2016/679 shall apply accordingly in determining which supervisory authority is competent. 2If more than one authority considers itself competent or not competent, or when the competence is unclear for other reasons, the supervisory authorities shall make a joint decision in accordance with Section 18 (2). 3Section 3 (3) and (4) of the Administrative Procedure Act shall apply accordingly.
- 1The supervisory authority may process the data it has stored only for purposes of supervision; to this end, it may transfer data to other supervisory authorities. 2Processing for another purpose shall be permitted in addition to Article 6 (4) of Regulation (EU) 2016/679 if
- it is obviously in the interest of the data subject and there is no reason to assume that the data subject would refuse consent if he or she were aware of the other purpose;
- processing is necessary to prevent substantial harm to the common good or a threat to public security or to safeguard substantial concerns of the common good; or
- processing is necessary to prosecute crimes or administrative offences, to carry out or enforce punishment or measures as referred to in Section 11 (1) no. 8 of the Criminal Code or educational or disciplinary measures as referred to in the Juvenile Court Act or to enforce fines.
- 1The bodies subject to monitoring and the persons responsible for their management shall provide a supervisory authority on request with the information necessary to perform their tasks. 2The person required to provide information may refuse to answer those questions which would expose him- or herself or a relative as referred to in Section 383 (1) nos. 1 to 3 of the Code of Civil Procedure to the risk of criminal prosecution or proceedings under the Administrative Offences Act. 3The person required to provide information shall be informed accordingly.
- 1Persons assigned by the supervisory authority to monitor compliance with data protection legislation shall be authorized, as needed to perform their tasks, to enter the property and premises of the body and to have access to all data processing equipment and means. 2The body shall be obligated to tolerate such access. 3Section 16 (4) shall apply accordingly.
- 1The supervisory authorities shall advise and support the data protection officers to meet their typical needs. 2They may demand the dismissal of a data protection officer if he or she does not have the expert knowledge needed to perform his or her tasks or if there is a serious conflict of interests as referred to in Article 38 (6) of Regulation (EU) 2016/679.
- The application of the Trade Regulation Code shall remain unaffected.
3If the supervisory authority determines that data protection legislation has been violated, it shall have the power to inform the data subjects concerned, to report the violation to other bodies responsible for prosecution or punishment and, in the case of serious violations, to notify the trade supervisory authority to take measures under trade and industry law. Section 13 (4), fourth to seventh sentences shall apply accordingly.
Quelle: Bundesamt für Justiz
