German Data Protection Law in the European Context

An Overview

20 June 2011

I. The European Framework and Perspective

The minimum standards of data protection in the European Economic Area are laid out in the Data Protection Directive and the ePrivacy Directive.[1] The general underlying principle is that all information relating to an identified or identifiable person must only be collected and used electronically if this is expressly permitted by a privacy law provision or if the “data subject” has given his or her free and informed consent.

European law does not explicitly address current privacy law questions arising from the use of online social networking sites, the mobile internet and cloud computing. Therefore, guidelines and opinions issued by the data protection commissioners at the national level and by the Art. 29 Working Party (named after art. 29 of the Data Protection Directive) at the European level are of major interest to practitioners.[2]

The perception of increased risks to data privacy in recent years and demands to facilitate data transfers, particularly beyond Europe, have led to calls for reform. According to a communication published by the European Commission in November 2010,[3] the measures currently under consideration include

  • enhanced information rights on data collected and processed, especially online,
  • a mandatory personal data breach notification for all industry sectors,
  • strengthening data subjects’ rights of informed consent, access, rectification and deletion (“right to be forgotten”),
  • expanding the categories of “sensitive data” that are subject to stricter protection,
  • making remedies and sanctions more effective,
  • simplifying and harmonising EU privacy laws, including the rules on international data transfers.

No consensus on privacy law reform has been reached yet. The United Kingdom strongly opposes the Commission’s suggestions, in particular, any attempt to further harmonise data privacy laws in Europe. With regard to international data transfers the UK advocates “moving from a system which restricts information based on national standards of data protection to a system based on a standard of data protection of the particular company involved – far more relevant to modern methods of business”.[4]

II. Applicability of European Data Protection Law

Under art. 4 (1) lit. a) of the Data Protection Directive, the data protection laws of a member state of the EEA are applicable to the processing of data “carried out in the context of the activities of an establishment of the data controller on the territory of the member state”. The Art. 29 Working Party has declared that data processing is carried out “in the context of the activities of an establishment” in the EEA if

  • an establishment is responsible for relations with users of a search engine in a particular jurisdiction; or
  • a search engine provider establishes an office in a Member State (EEA) involved in the selling of targeted advertisements to the inhabitants of that state; or
  • the establishment of a search engine provider complies with court orders and/or law enforcement requests by the competent authorities of a Member State with regard to user data.

If data processing activities are carried out in the context of establishments in several member states, the laws of all those member states apply.

Under art. 4 (1) lit. c) of the Data Protection Directive, the laws of a member state also apply if personal data are processed using “equipment, automated or otherwise” located in the member state by a data controller that has no establishment in the EEA. According to the Art. 29 Working Party, “equipment” includes the use of questionnaires (“non-automated equipment”), servers and the data subject’s own hardware. Therefore, European data protection law is said to apply to the use of cookies, JavaScript, spyware and targeted advertising that “orders the browser (broadly, the computer) of the data subject to connect not only to the search engine he/she wants to visit, but also to the server of the advertising company”.[5] In an opinion issued in 2010 the Working Party conceded that its interpretation of the term “equipment” may be too broad in some cases without any real connection with the EU, and indicated that there is a need for clarification.[6]

Art. 4 (1) lit. c) does not apply if the data controller has an establishment in a member state other than the one where the data are being processed, or if the data processing equipment is used only for the purposes of transit through the territory of the EEA.

III. Data transfers from the EEA to third countries

Under art. 25 of the Data Protection Directive, transfers of personal data to countries outside the EEA are only lawful if the standard of protection of personal data in the third country is comparable to that of the EEA and thus “adequate”. The list of countries considered to provide “adequate” protection is to date limited to Andorra, Argentina, Canada, Switzerland, the Faeroe Islands, Guernsey, Israel, the Isle of Man and Jersey.[7] Data transfers to the United States are permitted if the receiving U.S. company adheres to the “Safe Harbor Privacy Principles”.[8]

Art. 26 of the Data Protection Directive provides for certain exceptions to the rule under art. 25. In particular, a data transfer is permitted if it is necessary for the performance of a contract, e.g., the booking of a hotel room in a third country on behalf of a data subject by a travel agency based in the EEA. Furthermore, data transfers to third countries outside the EEA that are not considered to have implemented “adequate” data protection standards are also permitted if the companies involved in the transfer use the standard contractual clauses (“model clauses”) approved by the European Commission.[9] Multinational companies can use “binding corporate rules” for international transfers within the corporate group.[10]

The rules on data transfers outside the EEA also apply to intra-group transfers and to the transfer of employee data.

IV. German Data Protection Law

Relevant statutes

The handling of personal data by private bodies is regulated by the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). Where sector-specific legislation exists,[11] it takes precedence over the BDSG but is complemented by it.

A non-official English translation of the BDSG and of the Telecommunications Act is available on the website of the German Federal Commissioner for Data Protection and Freedom of Information.[12] The terminology of the BDSG partly differs from the European terminology.

The handling of employee personal data is regulated only in very general terms by section 32 BDSG. Several Employee Data Protection Bills, drafted as amendments to the BDSG, are currently the subject of controversial discussion.

Legal data processing by private bodies

Most companies are required to appoint a data protection officer or to notify the Federal Data Commissioner before starting to collect and process personal data.[13]

The “collection, recording, alteration or transfer of personal data or their use as a means to pursue own commercial purposes” is only lawful if expressly permitted by a privacy law statute or if the “data subject” concerned has given his or her consent.

When personal data are collected, the purposes for which the data are to be processed or used must be specifically defined. This is not merely a formal requirement but determines the requirements for the lawfulness of any later use of the collected data. Sensitive data are also subject to special rules.

Section 28 par. (1) and (2) BDSG provide, in short, that the handling of data is legal

  • if necessary to carry out a contract with the data subject (this does not apply if the data were originally collected for other purposes),
  • as far as necessary to safeguard legitimate interests of the controller and there is no reason to assume that the data subject has an overriding legitimate interest in ruling out the possibility of processing or use, or
  • if the data are generally accessible (note: this is not the case merely because data have been published on the internet).

The processing or use of personal data for the purposes of advertising or address trading is regulated by section 28 (3)-(5) BDSG.[14] As a rule, it requires the data subject’s explicit consent.

The use of certain types of data lists, the transfer of data to credit inquiry agencies, the trade in personal data, and the use of personal data for the purposes of market research and scoring are regulated by special provisions.

Transfer of data from Germany to other countries

Data transfers to private bodies outside Germany require either a statutory permission (the main rules are sections 4b and 4c BDSG) or the data subject’s consent.

The mere processing of data by a data processor within the EEA on behalf of and under the control of the company controlling the data (“Auftragsdatenverarbeitung”, section 11 BDSG) is not considered a data transfer. Therefore, neither a specific statutory permission nor the data subject’s consent is required for sending the data to the processor. The processing of data by data processors based in countries outside the EEA never falls within the privilege of section 11 BDSG,[15] even if the third country has adequate data protection standards.


[1] Directives 95/46/EC and 2002/58/EC. The European Economic Area comprises the members of the European Union plus Norway, Liechtenstein and Iceland.

[2] Index of the Working Party documents: http://ec.europa.eu/justice/policies/privacy/workinggroup/index_en.htm.

[3] COM(2010) 609 final.

[4] Speech of the UK Secretary of State for Justice, Kenneth Clarke, delivered on May 26, 2011, http://www.justice.gov.uk/news/features/feature260511b.htm.

[5] Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites (WP 56), confirmed by Opinion 1/2008 on data protection issues related to search engines, WP 148.

[6] Opinion 8/2010 on applicable law, WP 179.

[7] http://ec.europa.eu/justice/policies/privacy/thridcountries/index_en.htm.

[8] Commission Decision 2000/520/EC.

[9] Art. 26 (2)-(4) of the Data Protection Directive; Commission decision 2010/87/EU.

[10] Information on the procedure is available at http://ec.europa.eu/justice/policies/privacy/binding_rules/index_en.htm.

[11] Data privacy provisions are contained in, inter alia, the Telecommunications Act (Telekommunikationsgesetz), the Telemedia Services Act (Telemediengesetz) and the Social Welfare Code (Sozialgesetzbuch).

[12] http://www.bfdi.bund.de/EN/DataProtectionActs/DataProtectionActs_node.html.

[13] Sections 4d-4f BDSG.

[14] Note that in addition, certain forms of direct marketing are illegal as “unconscionable pestering” under section 7 of the Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb, UWG): http://www.gesetze-im-internet.de/englisch_uwg/englisch_uwg.html#UWGengl_000P7.

[15] See section 3 (4) no. 3 and section 3 (8) BDSG.