German Federal Data Protection Act (FDPA)
The German Federal Data Protection Act (FDPA) [Bundesdatenschutzgesetz (BDSG)] has been announced as Art. 1 of the Act to Adapt Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680 [Gesetz zur Anpassung des Datenschutzrechts an die Verordnung (EU) 2016/679 und zur Umsetzung der Richtlinie (EU) 2016/680 (Datenschutz-Anpassungs- und -Umsetzungsgesetz EU – DSAnpUG-EU)]).
Quick start
Part 1 - Common provisions |
Chapter 1 | - | 1 2 |
Chapter 2 | - | 3 4 |
Chapter 3 | - | 5 6 7 |
Chapter 4 | - | 8 9 10 11 12 13 14 15 16 |
Chapter 5 | - | 17 18 19 |
Chapter 6 | - | 20 21 |
Part 2 - Implementing provisions for processing for purposes in accordance with Article 2 of Regulation (EU) 2016/679 |
Chapter 1 | - | 22 23 24 25 26 27 28 29 30 31 |
Chapter 2 | - | 32 33 34 35 36 37 |
Chapter 3 | - | 38 39 |
Chapter 4 | - | 40 |
Chapter 5 | - | 41 42 43 |
Chapter 6 | - | 44 |
Part 3 - Implementing provisions for processing for purposes in accordance with Article 1 (1) of Directive (EU) 2016/680 |
Chapter 1 | - | 45 46 47 |
Chapter 2 | - | 48 49 50 51 52 53 54 |
Chapter 3 | - | 55 56 57 58 59 60 61 |
Chapter 4 | - | 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 |
Chapter 5 | - | 78 79 80 81 |
Chapter 6 | - | 82 |
Chapter 7 | - | 83 84 |
Part 4 - Special provisions for processing in the context of activities outside the scope of Regulation (EU) 2016/679 und Directive (EU) 2016/680 |
85 |
Full text of the FDPA
The Bundestag has adopted the following Act with the approval of the Bundesrat: Article 1 Federal Data Protection Act (FDPA)
Part 1 – Common provisions
Chapter 1 – Scope and definitions
- § 1 Scope of the Act
- § 2 Definitions
Chapter 2 – Legal basis for processing personal data
- § 3 Processing of personal data by public bodies
- § 4 Video surveillance of publicly accessible spaces
Chapter 3 – Data protection officers of public bodies
Chapter 4 – Federal Commissioner for Data Protection and Freedom of Information
- § 8 Establishment
- § 9 Competence
- § 10 Independence
- § 11 Appointment and term of office
- § 12 Official relationship
- § 13 Rights and obligations
- § 14 Tasks
- § 15 Activity reports
- § 16 Powers
Chapter 5 – Representation on the European Data Protection Board, single contact point, cooperation among the federal supervisory authorities and those of the Länder concerning European Union matters
- § 17 Representation on the European Data Protection Board, single contact point
- § 18 Procedures for cooperation among the federal and Länder supervisory authorities
- § 19 Responsibilities
Chapter 6 – Legal remedies
- § 20 Judicial remedy
- § 21 Application of the supervisory authority for a court decision if it believes that an adequacy decision by the European Commission violates the law
Part 2 – Implementing provisions for processing for purposes in accordance with Article 2 of Regulation (EU) 2016/679
Chapter 1 – Legal basis for processing personal data
Sub-chapter 1 – Processing of special categories of personal data and processing for other purposes
- § 22 Processing of special categories of personal data
- § 23 Processing for other purposes by public bodies
- § 24 Processing for other purposes by private bodies
- § 25 Transfer of data by public bodies
Sub-chapter 2 – Special processing situations
- § 26 Data processing for employment-related purposes
- § 27 Data processing for purposes of scientific or historical research and for statistical purposes
- § 28 Data processing for archiving purposes in the public interest
- § 29 Rights of the data subject and powers of the supervisory authorities in the case of secrecy obligations
- § 30 Consumer loans
- § 31 Protection of commercial transactions in the case of scoring and credit reports
Chapter 2 – Rights of the data subject
- § 32 Information to be provided where personal data are collected from the data subject
- § 33 Information to be provided where personal data have not been obtained from the data subject
- § 34 Right of access by the data subject
- § 35 Right to erasure
- § 36 Right to object
- § 37 Automated individual decision-making, including profiling
Chapter 3 – Obligations of controllers and processors
- § 38 Data protection officers of private bodies
- § 39 Accreditation
Chapter 4 – Supervisory authorities for data processing by private bodies
Chapter 5 – Penalties
- § 41 Application of provisions concerning criminal proceedings and proceedings to impose administrative fines
- § 42 Penal provisions
- § 43 Provisions on administrative fines
Chapter 6 – Legal remedies
Part 3 – Implementing provisions for processing for purposes in accordance with Article 1 (1) of Directive (EU) 2016/680
Chapter 1 – Scope, definitions and general principles for processing personal data
- § 45 Scope
- § 46 Definitions
- § 47 General principles for processing personal data
Chapter 2 – Legal basis for processing personal data
- § 48 Processing of special categories of personal data
- § 49 Processing for other purposes
- § 50 Processing for archiving, scientific and statistical purposes
- § 51 Consent
- § 52 Processing on instructions from the controller
- § 53 Confidentiality
- § 54 Automated individual decision
Chapter 3 – Rights of the data subject
- § 55 General information on data processing
- § 56 Notification of data subjects
- § 57 Right of access
- § 58 Right to rectification and erasure and to restriction of processing
- § 59 Modalities for exercising the rights of the data subject
- § 60 Right to lodge a complaint with the Federal Commissioner
- § 61 Legal remedies against decisions of the Federal Commissioner or if he or she fails to take action
Chapter 4 – Obligations of controllers and processors
- § 62 Processing carried out on behalf of a controller
- § 63 Joint controllers
- § 64 Requirements for the security of data processing
- § 65 Notifying the Federal Commissioner of a personal data breach
- § 66 Notifying data subjects affected by a personal data breach
- § 67 Conducting a data protection impact assessment
- § 68 Cooperation with the Federal Commissioner
- § 69 Prior consultation of the Federal Commissioner
- § 70 Records of processing activities
- § 71 Data protection by design and by default
- § 72 Distinction between different categories of data subjects
- § 73 Distinction between facts and personal assessments
- § 74 Procedures for data transfers
- § 75 Rectification and erasure of personal data and restriction of processing
- § 76 Logging
- § 77 Confidential reporting of violations
Chapter 5 – Transfers of data to third countries and to international organizations
- § 78 General requirements
- § 79 Data transfers with appropriate safeguards
- § 80 Data transfers without appropriate safeguards
- § 81 Other data transfers to recipients in third countries
Chapter 6 – Cooperation among supervisory authorities
Chapter 7 – Liability and penalties
- § 83 Compensation
- § 84 Penal provisions
Part 4 – Special provisions for processing in the context of activities outside the scope of Regulation (EU) 2016/679 und Directive (EU) 2016/680
Articles 2 to 7 of the DSAnpUG-EU define adjustments that have become necessary in other German laws as well as changes that have already been made to the old FDPA. These changes are not listed here.
The full text of the DSAnpUG-EU corresponds to the publication in the Bundesgesetzblatt (Federal Law Gazette), Part I No. 44 issued in Bonn on 5 July 2017, p. 2097ff. The translation was provided by the Federal Ministry of the Interior. No liability is assumed for any errors. The original German publication remains the authoritative version.