Compliance with German Data Protection Law

BRYAN CAVE LLP
Data Privacy and Security
OVERVIEW
Protection of Personal Data
Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority.
- Article 8 Charter of Fundamental Rights of the European Union -
For further information on German data protection law, please contact us:
Bryan Cave LLP
Hanseatic Trade Center
Am Sandtorkai 77
20457 Hamburg
Tel: +49 (0) 40 30 33 160
or through the direct link to our website bryancave.com
Your personal contact:
Jana Fuchs
jana.fuchs@bryancave.com
+49 (0) 40 30 33 160
Introduction
As a member state of the European Union (EU), Germany is, like all other EU states, bound to comply with European law, in particular with the EU Data Privacy Directive (95/46/EC) and the principles quoted above. Germany has therefore implemented the EU provisions in its national German Federal Data Protection Act (“Bundesdatenschutzgesetz”).
Applicability / Jurisdiction
The main criteria for determining German law as the applicable national law are (i) that the data controlling company is legally established in Germany or (ii), where the data controlling company is established outside the EU / EEA, that it uses means or equipment located in Germany for its data processing. Neither the nationality nor the place of residence of the person concerned, nor the physical location of the personal data, is decisive for this purpose.
www.bryancave.com | A Global Law Firm
Personal Data
The protected asset is personal data. Personal data can be any data that identifies an individual, such as a name, telephone number or a photo. The more data is available about a person, the more valuable such information becomes. Data protection law aims at restricting uncontrolled use of personal data for unspecified purposes.
Even more stringent regulation applies to sensitive data. Sensitive data comprises data that relates to racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership and data concerning health or sexual preference.
Basic Principles
The basic principles of German (and EU) data protection and security allow a comprehensive appraisal of what needs to be observed when using personal data.
- Personal data must be processed fairly and lawfully.
- Personal data must be collected for explicit and legitimate purposes and must be used accordingly.
- Personal data must be relevant and not excessive in relation to the legitimate purpose.
- Personal data must be accurate and, if necessary, kept up to date.
- The concerned individual (data subject) must be able to rectify, erase or block incorrect data.
- Personal data must not be kept longer than necessary.
- Personal data must be protected by appropriate technical and organizational measures against unauthorized or unlawful processing, accidental loss and destruction.
Data Processing
The legal term ‘data processing’ stands, in particular, for the collection, storage, modification and transfer of personal data. All modalities of data usage are restricted in the same way. Personal data may only be processed
- if the data subject has unambiguously given his or her prior consent, or
- if data processing is permissible under the statutory exemptions applying to data processing.
The above requirements of data processing do not apply in the same manner to sensitive data. In principle, such data may not be processed. Derogation is only permissible under very specific circumstances, e.g. with the data subject’s explicit consent (referring to the processing of sensitive data) or if the processing of such data is mandated by German employment law.
Consent
The data subject’s consent generally has to be in writing (electronic form is permissible in specific cases, e.g. online consent), and it needs to be voluntary and expressed after the data subject has been adequately informed about the intended data processing and its purpose.
Statutory Exemptions - Data Processing without Consent
Without the data subject’s prior consent, data processing is only allowed to the extent permissible by law. According to statutory law, processing personal data without consent is permitted, in particular, in cases where the data processing is necessary for certain business purposes or where data processing serves the public interest. For example, data processing is legitimate (without the data subject’s prior consent)
- to the extent that it is necessary for the performance of a contract involving the data subject;
- to the extent that such data processing is covered by the legitimate interest of the processing entity and nothing leads to the assumption that the data subject’s privacy interest prevails over the entity’s legitimate interest;
- if the personal data was publicly available.
Data Collection
From a practical perspective, legitimate collection of personal data (without explicit prior consent), e.g. from employees and customers, is very important and concerns most companies. As the collection of data is usually the first step of data processing, any unlawful collection of personal data affects the entire course of data processing.
Direct Collection
Even if the collection of personal data is generally covered by consent or a statutory exemption provision, the data processing entity still needs to comply with the principle of direct collection. Personal data generally has to be collected directly from, and therefore with the knowledge of, the data subject. Data collection without the data subject’s knowledge (indirect collection) is subject to a few statutory exemptions, e.g. in cases where direct collection would be commercially unreasonable as opposed to indirect collection.
Information Duties
When collecting data directly from an individual, the data subject needs to be informed about
- the responsible data controller,
- the purpose of data processing and
- the recipients of the data.
Indirect collection generally requires the collector to inform the data subject accordingly after the collection of such data.
Limitation by Purpose
Any collected personal data may only be used for the specified purpose in compliance with the information given to the data subject. For other purposes the data may only be processed, for example,
- if the processing entity or a third party has a legitimate interest in doing so;
- if the data is available to the public;
- for the defense against public danger and for criminal prosecution;
- and, in a very limited way, for commercial purposes.
When personal data is legitimately used for commercial purposes, the data subject needs to be informed about the right to object to such use. The objection has to be observed.
Data Transfer
The transfer of collected data is a very common use of data. German data protection law defines transfer as the forwarding of data to a third party. Without the data subject’s prior consent, the transfer has to be covered by the statutory exemptions, e.g. the transfer has to be necessary for the performance of a contract involving the data subject or has to be covered by the legitimate interest of the processing entity.
Data Transfer within a Group of Companies
Companies within a group of companies are not generally privileged. Each company is regarded as a separate entity. The forwarding of data from one company to another within a group of companies qualifies as a transfer of data, to the effect that the general restrictions on data processing apply. The exemption based on the processing entity’s legitimate interest is often referred to for justification. In these cases, however, the legitimate interest needs to be demonstrated for every individual transfer. If, for instance, the transfer of data in an anonymized form would have served the purpose equally, the transfer of personal data may no longer be covered by the legitimate interest. Also, when relying on the exemption based on legitimate interest, such interest has to prevail over the data subject’s privacy interest.
Data Processing on Behalf
Forwarding data to a third party is not considered a transfer of data, provided that the processing entity has by contract assigned the third party to process such data on its behalf, and also provided that such data processing contract complies with the corresponding data protection regulation. Such a data processing contract has to include, e.g., clear and binding instructions by the party providing the data (data exporter) to be strictly observed by the party receiving the data (data importer). The data importer may only use the data according to such instructions. Such instructions have to ensure that the data importer fully observes German data protection law. However, vis-à-vis the data subject or other concerned parties (e.g. competitors), the data exporter remains fully liable for any violation of data protection law.
Data Transfer to the U.S.
The EU considers the U.S. a country with an inadequate level of data protection. This evaluation leads to a general prohibition of data transfer from the EU to the U.S. To avoid interference with economic needs, exemptions are regulated to allow such transfer. Regardless of such exemptions, every data transfer still requires a legal basis, i.e. without the concerned data subject’s consent such transfer needs to be explicitly exempted from the consent requirement by the German Data Protection Act.
The aforementioned exemptions generally apply when the data exporter ensures that the data importer (in the U.S. or any other state regarded as not having an adequate level of data protection) provides an adequate level of data protection according to EU standards.
Adequate Level of Data Protection
With the U.S. not being part of the small group of countries regarded by the EU Commission as having an adequate level of data protection, for companies doing business in or with the U.S. there remain three possible tools for ensuring that the data importer complies with the EU data protection principles and is thus regarded as having an adequate level of data protection:
- Safe Harbor Certification
- EU Model Contracts for Data Transfer
- Binding Corporate Rules
Other exemptions – Direct business / interest exemptions
- A few other exemptions apply, in particular when explicit consent was given, to cases where direct business with a data subject in the EU is concerned, or to prevailing public interest.
Should an exemption apply, the data importer needs to be instructed that the transferred data may only be used for the purpose it was originally transferred for.
Compliance Control
German legislation has established two control instances for data security compliance. All companies processing data, except for small businesses, have to assign a data protection officer (DPO). In addition, each federal state has installed a data protection authority (DPA).
Data Protection Officer
Every German company that employs more than 9 persons with automated processing of personal data is obliged to appoint a Data Protection Officer (DPO). Regardless of the headcount, a DPO always has to be appointed if the data processing company commercially transfers personal data (e.g. address trade, marketing database).
The DPO needs to be assigned in writing within one month after the beginning of operations. The assigned DPO has to be an adequately qualified and reliable person, e.g. an employee. The DPO obligation may also be outsourced, allowing an external assignee to supervise internal data processing (e.g. certified attorneys or certified DPO service providers). No conflicts with his or her duties may arise should the DPO also serve in another position. The DPO is not subject to any instructions by the management of the entity when conducting his or her duties as DPO. With respect to the organization of the company, the DPO needs to be positioned directly under the management. Furthermore, statutory law provides for a certain level of protection with regard to the DPO’s position as data protector and the DPO’s position as employee. In return, and under strict provisions, the DPO can be personally liable for breaches of compliance.
Data Protection Authority
For companies which are not required to assign a DPO, the local Data Protection Authority (DPA) is the responsible control instance. In addition, the DPO is entitled to address the DPA in cases of doubt to seek reassurance of his or her evaluation.
Registration and Breach Notification Duties
To enable the DPA to perform supervision, companies are generally obliged to register their data processing tools and activities with the local DPA. However, where companies have assigned a DPO, the registration duties are usually waived. Therefore, a registration in Germany is rather the exception than the rule.
In the event of a data breach, companies must generally notify their local DPA and the persons affected by the breach if their data has been unlawfully disclosed and such disclosure forms a threat of serious danger to the concerned person (e.g. bank account data).
Technical and Organizational Measures
Processing entities have to ensure that appropriate technical and organizational security measures are installed to ensure an adequate level of data security. This includes, e.g., access control, data safety and data accuracy.
Consequences of Violation
Violation of data protection law can have different legal consequences. Some examples are outlined below:
- Civil claims by data subjects (tort).
- Civil claims by competitors (in case of interference with unfair competition law).
- Monetary fines of up to EUR 300.000 for regulatory offences, and possibly more if the economic benefit of the breach exceeds this amount.
- Criminal charges leading to higher fines or imprisonment.
Summary
- Be aware that usage of personal data is generally restricted.
- Determine whether your company is required to appoint a DPO.
- Find an adequate and reliable DPO.
- Review internal data processing for compliance with your DPO.
- Address the local DPA in cases of doubt.
- If your company is not required to appoint a DPO, find adequate consultancy to ensure compliance.
- Instruct your employees to ensure compliance.
- Install and observe necessary data protection measures.
Please note that the EU Commission is currently working on a reform of the European data protection law. The reform proposal was presented in January 2012 and will lead to significant changes to the existing legal framework when passed as proposed. The time frame for the reform process is expected to be another 2 – 3 years. In addition, the German legislator is also working on a reform of the legal framework for the processing of employee data. We will keep you updated.
About Bryan Cave
Bryan Cave LLP (www.bryancave.com) has a diversified international legal practice. The firm represents a wide variety of business, financial, institutional and individual clients, including publicly held multinational corporations, large and mid-sized privately held companies, partnerships and emerging companies. Aided by extensive investments in technology, Bryan Cave’s more than 1,000 attorneys across the United States, the United Kingdom, Continental Europe and Asia serve clients’ needs in the world’s key business and financial markets.
Bryan Cave LLP makes available this information letter for informational purposes only. The information is general in nature and does not constitute individual legal advice. Further, the use of the information provided herewith does not create any attorney-client relationship between us.