Part 1
Teil 2
Sub-chapter 1
- § 22Processing of special categories of personal data
- § 23Processing for other purposes by public bodies
- § 24Processing for other purposes by private bodies
- § 25Transfer of data by public bodies
- § 26Data processing for employment-related purposes
- § 27Data processing for purposes of scientific or historical research and for statistical purposes
- § 28Data processing for archiving purposes in the public interest
- § 29Rights of the data subject and powers of the supervisory authorities in the case of secrecy obligations
- § 30Consumer loans
- § 31Protection of commercial transactions in the case of scoring and credit reports
Sub-Chapter 2
- § 32Information to be provided where personal data are collected from the data subject
- § 33Information to be provided where personal data have not been obtained from the data subject
- § 34Right of access by the data subject
- § 35Right to erasure
- § 36Right to object
- § 37Automated individual decision-making, including profiling
Teil 3
- § 55General information on data processing
- § 56Notification of data subjects
- § 57Right of access
- § 58Right to rectification and erasure and to restriction of processing
- § 59Modalities for exercising the rights of the data subject
- § 60Right to lodge a complaint with the Federal Commissioner
- § 61Legal remedies against decisions of the Federal Commissioner or if he or she fails to take action
- § 62Processing carried out on behalf of a controller
- § 63Joint controllers
- § 64Requirements for the security of data processing
- § 65Notifying the Federal Commissioner of a personal data breach
- § 66Notifying data subjects affected by a personal data breach
- § 67Conducting a data protection impact assessment
- § 68Cooperation with the Federal Commissioner
- § 69Prior consultation of the Federal Commissioner
- § 70Records of processing activities
- § 71Data protection by design and by default
- § 72Distinction between different categories of data subjects
- § 73Distinction between facts and personal assessments
- § 74Procedures for data transfers
- § 75Rectification and erasure of personal data and restriction of processing
- § 76Logging
- § 77Confidential reporting of violations
Teil 4
FDPA Part 3 - § 78
General requirements
- If all other conditions applicable to data transfers are met, the transfer of personal data to bodies in third countries or to international organizations shall be permitted if
- the body or international organization is responsible for the purposes referred to in Section 45, and
- the European Commission has adopted an adequacy decision pursuant to Article 36 (3) of Directive (EU) 2016/680.
- No transfer of personal data shall be permitted, despite an adequacy decision as referred to in subsection 1 no. 2 and the public interest in the data transfer to be taken into account, if in the individual case it cannot be ensured that the data will be handled appropriately in terms of data protection law and in accordance with fundamental human rights in the area of responsibility of the recipient, or if a transfer would conflict with other overriding legitimate interests of a data subject. The controller shall base its assessment on whether the recipient in the individual case guarantees appropriate protection of the transferred data.
- If personal data which have been transmitted or made available from another European Union Member State are to be transferred pursuant to subsection 1, the competent body of the other Member State must provide prior authorization of the transfer. Transfers without the prior authorization shall be permitted only if the transfer is necessary to prevent an immediate and serious threat to the public security of a country or to essential interests of a Member State and the prior authorization cannot be obtained in time. In the case of the second sentence, the other Member State’s body responsible for giving prior authorization shall be informed of the transfer without delay.
- The controller transferring data pursuant to subsection 1 shall take appropriate measures to ensure that the recipient will transfer the data onward to other third countries or other international organizations only with the prior authorization of the controller. When deciding whether to authorize the transfer, the controller shall take into account all relevant factors, including the seriousness of the criminal offence, the purpose for which the personal data were originally transferred and the level of personal data protection in the third country or international organization to which the data are to be transferred onward. The transfer shall be authorized only if a direct transfer to the other third country or international organization would be lawful. The responsibility for issuing authorization may also be otherwise provided for.
Quelle: Bundesamt für Justiz
