Germany

LEG-01:

Legislation enacted specifically for data privacy?
– Federal Data Protection Act 2003 (BDSG).
Notes: Additionally, each German state has a data protection law of its own.

LEG-02:

Other legislation enacted that has sections that have some effect on data privacy?
– Telecommunications Act 2004.
– Telemedia Act 2007 (TMA).
– The Act Against Unfair Competition 2010 (AAUC).
– Freedom of Information Act 2005.
– The Privacy and Electronic Communications Regulations 2003 (PEC).

LEG-03:

The Country is a member of an organisation that implements guidelines for data privacy.
– OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
– EU Data Protection Directive 1995/46/EC (DPD).
– EU Privacy and Electronic Communications Directive 2002/58/EC (EUPEC).
– EU Regulation 45/2001/EC (CIB).
Notes: “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data” is the full title of the DPD.
“Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data” is the full title of the CIB.

LEG-04:

Local government has any Bills going through the legislative process.
– General Data Protection Regulation.
Notes: This will replace the current DPD from 25 May 2018.

LEG-05:

Regulations, standards or guidelines that are implemented and followed that have relation to data privacy.
– Convention on Cyber-crime 2001.
Notes: Signed but not implemented.

LEG-06:

Has other state laws related to privacy.

PRI-01:

There is a requirement to establish a privacy authority to oversee privacy issues.

PRI-02:

There is a requirement to establish a privacy commissioner.
– BDSG Section 22.
Notes: Federal Commissioner for Data Protection and Freedom of Information (BfDI).

PRI-03:

The functions of the authority clearly set out.
– BDSG Section 38.
– CIB Article 46.

PRI-04:

There is a requirement that each company establish its own privacy officer to ensure the company complies with policy.
– BDSG Section 4f.
Notes: Data controllers that deploy more than nine persons with the automated processing of personal data are obliged to appoint a DPO.

PRI-05:

Contact details of the privacy officer are made available.

PRI-06:

Each company to have an internal privacy policy proposed and displayed.

PRI-07:

An internal audit process is outlined for each company.
– BDSG Section 9a.
Notes: Not compulsory.

PCP-01:

“Personal Information” is defined which gives examples and a clear outline.
– BDSG Section 3 (1).
Notes: Personal data.

PCP-02:

“Sensitive Information” is defined which gives examples and a clear outline.
– BDSG Section 3 (9).
Notes: Special categories of personal data.

PCP-03:

Other types of information are defined that are viewed differently to personal or sensitive information.

PCP-04:

Consent is required from the individual involved.
– BDSG Section 4 (1), 4a.
– TMA Section 13 (2).
– Telecommunications Act 2004 Section 94 (1).
– Freedom of Information Act 2005 Section 5 (1).
– CIB Article 5 (d).

PCP-05:

Type of consent required is either explicit or implicit.

PCP-06:

Consent needs to be written or verbal.
– BDSG Section 4a (1).
Notes: Consent shall be given in writing unless special circumstances warrant any other form.

PCP-07:

Level of consent different for different age groups.

PCP-08:

Consent may be withdrawn at any time.
– BDSG Section 35 (2).
– Telecommunications Act 2004 Section 94 (4).

PCP-09:

The purpose is explained to the individual which must be a lawful purpose.
– BDSG Section 4 (3).
– Telecommunications Act 2004 Section 93.

PRO-01:

Individual has the ability to access their data by request.
– BDSG Section 19, 34.
– CIB Article 13.

PRO-02:

Individual has the ability to update or amend their data for accuracy.
– BDSG Section 20 (1), 35.
– CIB Article 14.

PRO-03:

Data can be sent to a third party for processing.
– BDSG Section 4b, 16.
– CIB Article 9 (1), (6).
– Telecommunications Act 2004 Section 92.

PRO-04:

Data is only used for the purposes outlined at the pre-collection stage.
– CIB Article 6 (1).

PRO-05:

Encryption used for processing of data to ensure anonymity.
– BDSG Annex 2–4.
Notes: The Annex relates to Section 9 and refers to the latest encryption procedures.

PRO-06:

Unique identifiers can be used.

PRO-07:

Information may not be disclosed, sold or interfered with. Note: Not including general exceptions that may apply, e.g. where safety or national security is involved.
– IDC Article 34, 34-I.
– CIB Article 22 (2).

PRO-08:

Offences are set out to deal with disclosure or other interference with data during the processing stage.
– IDC Articles 50, 51.
– Criminal Code 1994 Articles 226-16 to 226-24.
Notes: Article 50 advises offences are set out in the criminal code.

PRO-09:

A complaints process is set up to deal with any breach of privacy.
– IDC Article 11 (c).

STO-01:

All data is stored with at least a “reasonable” level of security.
– CIB Article 22 (1).

STO-02:

Encryption techniques used to store data.
– IDC Article 34.
– CIB Article 4 (1) (e).
Notes: Although encryption is not specified, encryption may be used if it is seen as a reasonable protection method.

STO-03:

Data can be transferred to third-parties to use.
– IDC Article 68, 69.
– IDC Article 31 6 III.
– CIB Articles 7–9.
Notes: Article 31, 6, III – “The CNIL shall publish the list of the countries that the Commission of the European Union considers provide an adequate level of protection in relation to the transfer or a category of transfers of personal data.”

STO-04:

Data can be stored offshore in a different country.
– IDC Article 34.
– CIB Article 22 (1).
Notes: Although storage is not specified, storage may be offshore if it is seen as a useful precaution.

STO-05:

Data can be stored off-site but in the same country.
– IDC Article 34.
– CIB Article 22 (1).
Notes: Although storage is not specified, storage may be off-site if it is seen as a useful precaution.

STO-06:

Information is only kept by the collection agency for the least time necessary for the outlined purpose to be fulfilled.
– IDC Articles 6 (5), 24 II, 64.
– PEC Section 26.
– CIB Article 4 (1) (e).
Notes: The CNIL can define the retention period outlined in Articles 24 and 64; however, Article 6 (5) states “…a period no longer than is necessary.”

STO-07:

Policies in place for destroying data once consent is withdrawn or data is no longer needed.
– IDC Article 40.
Notes: The Act and the CIB both refer to “processing” which covers a variety of operations, including erasing or destroying data.

STO-08:

Offences are set out to deal with disclosure or other interference with data while it is stored.
– IDC Articles 50, 51.
– Criminal Code 1994 Articles 226-16 to 226-24.
Notes: Article 50 advises offences are set out in the criminal code.

STO-09:

Notification has to be given to individuals in case of a data breach.
– IDC Article 34-II.
Notes: However, notification is not required if the CNIL has found that appropriate protection measures have been implemented.

STO-10:

Policy in place in case data collection agency ceases to operate.

STO-11:

Policy in place in case data collection agency is sold.

SPM-01:

A clear unsubscribe feature is available.
– PECC Article L34-5.
Notes: Not clearly specified, but it gives the recipient the option to refuse.

SPM-02:

Commercial electronic messages contain clear and accurate contact information about the sender.
– SPAM Article 19.

SPM-03:

Subject line to be clear and not misleading.

SPM-04:

Addresses are obtained legally, not using means such as address harvesting tools and other software to obtain them.
– PECC Article L34-5.

SPM-05:

A form of a “Do Not Call” register is in place.

SPM-06:

Unsolicited commercial electronic messages are prohibited within the country.
– PECC Article L34-5.

SPM-07:

Unsolicited commercial electronic messages are prohibited to other countries.

INT-01:

A data collection agency is required to notify the individual if it has been requested to hand over personal information.

INT-02:

A data collection agency can refuse to turn over personal information.

INT-03:

A warrant is needed to have the ability to intercept personal data.

INT-04:

Network operators and service providers have network design guidelines to follow to allow for interception execution.

INT-05:

External countries have the ability to intercept data with permission from the host country.