General Data Protection Regulation (GDPR) - Robert Kazemi - E-Book

Robert Kazemi

Description

The General Data Protection Regulation (GDPR) had already passed the EU Parliament in 2016 without any rejections or amendments. Since May 25, 2018, therefore, a new, uniform data protection law has been officially adopted in. The new regulation constitutes an effective instrument that will rapidly increase the need for consultation - both for medium-sized companies and large corporations. Benefit from this development as soon as possible by obtaining the work on the EU General Data Protection Regulation by Dr. Robert Kazemi to gain long-term competitive advantage for your business. This work offers you a condensed version of the new legal situation - including a comparison of the old and new legislation. You will receive comprehensive and immediately usable information on all content of the new law.


Number of pages: 1158

Year of publication: 2018




Robert Kazemi

General Data Protection Regulation (GDPR)

© 2018 Robert Kazemi

Publisher and printing: tredition GmbH, Hamburg

ISBN

Hardcover:

978-3-7469-4764-8

e-Book:

978-3-7469-4765-5

This work, including all of its parts, is protected by copyright. Any use without the consent of the publisher and the author is prohibited. This applies in particular to electronic or other reproduction, translation, distribution and making the work publicly available.

Foreword

With the entry into force of the General Data Protection Regulation (GDPR) on May 25, 2018, data protection law in Europe will fundamentally change in many ways; still, some of the principles and legal regulatory instruments already known from the Privacy Policy and the BDSG are retained. Yes, it's hard to believe, but despite considerable differences between ministries at the federal level and fierce criticism from the federal states, the Federal Government has also succeeded in completing its draft law – the Act to Adapt Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680 (DSAnpUG-EU) – and pushing it through parliamentary doors even before the parliamentary elections and the parliamentary vacation. On May 25, 2018, the new Federal Data Protection Act (BDSG-new) will also come into force. Data protection professionals and those interested in data protection law will certainly get used to the new regulatory system quickly; the debate on transitional standards began shortly after the publication of the GDPR in the Official Journal of the EU. Since then, numerous books, commentaries and essays have appeared that deal with the new regulation. This work is one of them.

My biggest thanks go to my family, my wife and my little daughter, who – thankfully – have shown considerable appreciation over the past year and a half for me having spent my spare time with this book and not with them. I am really grateful to you, too, that I could always take the liberty of working on it.

Dr. Robert Kazemi

Bonn, June 2018

Bibliography

§ 1 From Directive to Regulation – European Data Protection Law de lege lata

A. Preliminary Remarks

B. General Data Protection Law of the European Union

I. Starting Point

II. Charter of Fundamental Rights

III. The data protection principle as a general principle of EU law

IV. Special protection against the action of the European Union

1. Scope of protection

2. Impairments and justification

C. Directive 95/46/EC

D. Deficits of the policy concept

E. The Directive goes, the Regulation comes

I. Legal nature of a regulation at EU level

II. Objectives of the GDPR

III. Structure of the GDPR

§ 2 Key Terms

A. Preliminary Note

B. The Protagonists of Data Protection Law

I. Controller

II. Data Subjects

III. Third Party

IV. Recipient

V. Processor

VI. Representatives

VII. Company and Group of Undertakings

VIII. Supervisory Authority

C. Subject matter of Data Protection Law

I. Personal data

II. Special categories of personal data – “sensitive data”

1. General provisions

2. Genetic Data

3. Biometric Data

4. Health data

D. Handling of data

I. Processing

1. Collection

2. Recording

3. Organization

4. Structuring

5. Storage

6. Adaptation

7. Alteration

8. Retrieval

9. Consultation

10. Use

11. Disclosure [by transmission & processing]

12. Alignment or Combination

13. Restriction

14. Erasure or Destruction

15. Pseudonymization

16. Anonymization

II. Automated Processing

III. Processing other than by automated means

E. Further legal definitions

§ 3 General Principles of Processing

A. Preliminary Note

B. Lawfulness, Fairness and Transparency

I. Lawfulness of Data Processing

II. Processing in accordance with Fairness

III. Transparency

C. Principle on purpose limitation

I. Specified Purpose

II. Explicit and Clear Purpose

III. Legitimate Purpose

IV. Further Processing

D. Data minimization

E. Accuracy

F. Storage limitation

G. Integrity and Confidentiality

H. Accountability

§ 4 Legal Basis of Processing

A. Data Processing Based on a Consent, Art. 6 (1) lit. a) GDPR

I. Content Requirements for the Consent of the Data Subject

1. Free Decision

a) Free Decision in Employment Relationship

b) Free Decision When Awarding Financial Incentives

c) Free Decision within Negotiation Imbalance

d) Forced Consent

2. Concrete Purpose Limitation “for the special case”

3. Informed consent

4. Unambiguous

II. Formal requirements, “clear affirmative action”

III. Pre-formulated Declarations

IV. Conditions applicable to child’s consent, Art. 8 GDPR

1. Information Society Services

2. Consent and Information Society Services

a) At Least 13, at the Most 16 Years

b) Direct Offer to Children

c) Necessity of Consent by the Holder of Parental Responsibility

aa) Holder of Parental Responsibility – One Parent Sufficient?

bb) Demonstration of Parental Consent

cc) No Impact on Contract Law

3. Requirements Outside the Services of the Information Society

V. Consent to the Processing of Special Categories of Personal Data

VI. Facilitation of the Granting of Consent in Research and Science

VII. Consent for Cookies, Web Bugs and Co

1. Cookies

a) Conceptuality and Function

b) Legal Assessment

aa) Consent Based on the Browser Settings of the Respective User

bb) No Application of the Provisions in §§ 14, 15 German Telemedia Act (TMG)

cc) Session Cookies

dd) Permanent Cookies

ee) Flash Cookies

2. Web Bugs

3. Use of So-Called Web Logs

4. Behavioral Targeting and Online Advertising

5. Control Considerations from Directive 2002/58/EC

6. Requirements for Consent

7. Future Revision – the ePrivacy Regulation

VIII. The Consent's Period of Validity

IX. Revocation of Consent

X. No Representation

XI. Special Issue: Consent Despite Other Existent Allowance

XII. Continuation of Old Consents

B. Data Processing as a Contractual Obligation, Art. 6 I lit. b) GDPR

I. Contract

II. Implementation/Fulfillment

III. Necessity of the Processing

C. Data Processing in Compliance With a Legal Obligation, Art. 6 I lit. c) GDPR

D. Data Processing for Protection of Vital Interests, Art. 6 (1) lit. d) GDPR

E. Data Processing for the Performance of a Task Carried Out in the Public Interest, Art. 6 (1) lit. e) GDPR

F. Data Processing Necessary for the Purposes of the Legitimate Interests Pursued by the Controller or by a Third Party, Art. 6 (1) lit. f) GDPR

I. General Details and Background

II. The Concept of the “Legitimate Interest”

III. Interests of the Data Subject

IV. Balancing of Interests

1. General Requirements

2. Criteria to Be Considered in the Balancing Process

a) Importance, Nature and Source of the Legitimate Interest

aa) Asserting One's Own Fundamental Right Positions or Fundamental Freedoms

bb) Public Interests

(1) Information Transmission by Consumer Centers

(2) Press Information by Competitors

(3) Identifying Press Releases

(4) Political Dispute

cc) Processing Within a Group of Undertakings (Group Data Processing)

dd) Further Specifications

b) Importance, Nature and Source of the Data Subject’s Interest

aa) Children

bb) Sick and Otherwise “Vulnerable” Persons

cc) Public Function and Reputation of the Data Subject

dd) Social Sphere vs. Privacy

c) Data Affected by Processing – Categorization and Default Privacy Model

aa) Normal Protection Requirements

bb) High Protection Requirements

cc) Very High Protection Requirements

dd) “Public data”

d) Form of Intended Processing

e) Established Precautionary Measures – Safeguards

f) Possible Consequences of Processing for the Data Subject

g) Instructions by the Art. 29 Data Protection Working Party

h) Scoring Outside of a Concrete Decision-Making Process

i) Rights to Information Within an Association

G. Schematic Illustration of Processing

H. Purpose-Changing Further Processing

I. Art. 6 (4) GDPR

II. Further Processing Powers in the BDSG-new

1. Further Processing by Public Authorities, § 23 BDSG-new

a) Obviously “Presumed” Consent to Further Processing, § 23 (1) no. 1 BDSG-new

b) Verification of the Data Subject’s Data, § 23 (1) No. 2 BDSG-new

c) Protection Against Considerable Disadvantages for the Common Good or Danger to Public Safety, § 23 (1) No. 3 BDSG-new

d) Prosecution of Criminal Offenses, Misdemeanors, Enforcement or Execution of Sentences, § 23 (1) No. 4 BDSG-new

e) Averting Serious Impairment of the Rights of Another Person

f) Exercise of Supervisory and Control Powers, etc., § 23 (1) No. 6 ..

g) Special Requirements for Further Processing of Special Categories of Personal Data, § 23 (2) BDSG-new

2. § 24 BDSG-new

a) Further Processing to Avert Threats to State or Public Security or for the Prosecution of Criminal Offenses, § 24 (1) No. 1 BDSG-new

b) Assertion, Exercise or Defense of Civil Law Claims, § 24 (1) No. 2 BDSG-new

c) Special Requirement for Further Processing of Special Categories of Personal Data, § 24 (2) BDSG-new

I. Processing of Special Categories of Personal Data, Art. 9 GDPR

I. Processing on the Basis of Consent

II. Processing Related to Labor Law, Social Security Law and Social Protection

III. Processing for the Protection of Vital Interests of the Data Subject or another Natural Person

IV. Processing by a Political, Ideological, Religious or Union-Oriented Foundation, Association or Other Organization

V. Processing of Data Obviously Made Public by the Data Subject

VI. Processing for the Assertion, Exercise or Defense of Legal Claims or for Acts of the Courts

VII. Processing Based on a Significant Public Interest

VIII. Processing in the Field of Health Care and Occupational Medicine

IX. Processing for Public Health Purposes or to Avert Serious Health Risks

X. Processing for Archival Purposes of Public Interest, for Scientific or Historical Research Purposes or Statistical Purposes

XI. Processing Powers in § 22 BDSG-new

1. General Provisions

2. Exceptions in Favor of Public and Non-Public Bodies, § 22 (1) No. 1 BDSG-new

a) Exercise of Rights and Fulfillment of Obligations in Connection with Social Security and Social Protection, § 22 (1) no. 1 lit. a) BDSG-new

b) Health Care, Assessment of Work Ability, Medical Diagnosis and Treatment, § 22 (1) no. 1 lit. b) BDSG-new

c) Processing for Reasons of Public Interest in the Area of Public Health, § 22 (1) no. 1 lit. c) BDSG-new

3. Exceptions in Favor of Public Authorities, § 22 (1) No. 2 BDSG-new

4. Special Safeguards in the Context of the Processing of Special Categories of Personal Data, § 22 (2) BDSG-new

J. Processing of Personal Data Relating to Criminal Convictions and Offenses, Art. 10 GDPR

K. Profiling and Automated Individual Decision-Making

I. Profiling

1. Legal Definition, Art. 4 No. 4 GDPR, and Scope of Application

2. Application Examples

a) Big Data, Data Mining

b) Scoring

c) User Profiles on the Internet

II. Automated Individual Decision-Making

III. Exceptions to the Prohibition of Profiling and Automated Individual Decision-Making

1. Conclusion or Fulfillment of a Contract

2. Explicit Consent of the Data Subject

3. Admissibility in the Context of Providing Services Pursuant to an Insurance Contract, § 37 BDSG-new

a) Fully Sustaining Decision on a Claim for Benefits by the Data Subject, § 37 (1) No. 1 BDSG-new

b) Decision-Making Based on Binding Rules of Remuneration for Therapeutic Treatment

c) No Restriction to Certain Data Categories

4. Limitation of Processing Powers in Relation to Scoring and Credit Reports, § 31 BDSG-new

a) Subject Matter and Regulatory Authority

b) Use of Probability Values for the Purpose of Deciding on the Creation, Execution or Termination of a Contractual Relationship, § 31 (1) BDSG-new

c) Use of a Probability Value Calculated by Credit Reporting Agencies to Determine a Natural Person’s Ability and Willingness to Pay

IV. Safeguarding the Data Subject’s Interests, Art. 22 (3) GDPR

§ 5 Information and Notification Obligations of the Controller

A. Structure

B. Nature of the New Information Obligations When Collecting Data – Why and How?

I. Objective and Purpose – Why?

II. Formal Requirements of the Obligation to Inform – How?

1. Concise, Transparent, Easy to Understand and Easily Accessible

a) General Requirements

b) Icons

c) Increased Requirements for Information Towards Children

2. Formal Requirements

3. Costs

C. Information To Be Provided Where Personal Data Are Collected From The Data Subject (Direct Survey)

I. Structure of the Standard

1. Relationship between Information Referred to in Paragraph 1 and Paragraph 2

2. Information Only at the Time of First Collection or at Each Collection

II. Information Obligations Pursuant to Art. 13 (1) GDPR

1. Name and Contact Details

2. Contact Details of the Data Protection Officer

3. Purposes and Legal Basis of Processing

4. Legitimate Interests

5. Recipients or Categories of Recipients

6. Transmission to Third Countries or to International Organizations

III. Obligation to Provide Information pursuant to Art. 13 (2) GDPR (“Information for Retrieval”)

1. Duration of Storage or Criteria for Determining the Storage Duration

2. Rights of the Data Subject

a) Right of Access

b) Right to Rectification

c) Right to Erasure

d) Right to Restriction of Processing

e) Right to Object

f) Right to Data Portability

g) Right to Withdraw His or Her Consent

h) Right to Lodge a Complaint

3. Obligation to Making Available of Data

a) Provision of Information due to Legal Obligation

b) Provision of Information due to Contractual Obligations

c) Provision of Information Required for the Conclusion of a Contract

d) Obligation of the Data Subject to Provide Information and Consequences of Non-Provision

4. Automated Decision-Making including Profiling

IV. Obligation to Provide Information When Further Processing Data

V. Inapplicability of the Obligation to Provide Information

1. Knowledge of the Data Subject, Art. 13 (4) GDPR

2. Exception When Further Processing in the Form of Disclosure or Transmission to Persons Subject to a Legal Obligation of Professional Secrecy, § 29 (2) BDSG-new

3. Further Exceptions to the Obligation to Provide Information When Further Processing, § 32 (1) BDSG-new

a) Disproportionate Effort in Further Processing of “Analogue Stored Data”, § 32 (1) No. 1 BDSG-new

aa) Data Stored in Analogue Form

bb) Further Processing is Aimed Directly at the Data Subject

cc) Further Processing is Compatible with the Original Purpose of The Data Collection

dd) No Digital Communication

ee) Low Interest of the Data Subject in Information

ff) Case Study

b) Endangerment of the Proper Performance of Tasks as Referred to in Article 23 (1) (a) to (e) GDPR, acc. § 32 (1) No. 2 BDSG-new

c) Endangerment of Public Security or Order, § 32 (1) No. 3 BDSG-new

d) Interference with the Establishment, Exercise or Defense of Legal Claims, § 32 (1) No. 4 BDSG-new

e) Endangerment of Confidential Transfer of Data to Public Bodies, § 32 (1) No. 5 BDSG-new

4. Measures to Protect the Legitimate Interests of the Data Subject When Information is Not Provided, § 32 (2) and (3) BDSG-new

a) Setting Down in Writing the Reasons for the Non-Provision of Information to the Data Subject, § 32 (3) S. 3 BDSG-new

b) Special Precautionary Measures for Cases acc. § 32 (1) No. 1 - 3 BDSG-new

c) Providing Information within an Appropriate Period after a Temporary Obstacle, § 32 (3) BDSG-new

D. Obligation to Provide Information in the Context of Data Collection from Third Parties (Data Collection with Third Parties)

I. Structure of the Standard

1. Relationship between Information Referred to in Paragraph 1 and Paragraph 2

2. Information Only at the Time of First Collection or at Each Collection

II. Time of the Arising of the Information Obligations pursuant to Art. 14 (1) and (2) GDPR, Art. 14 (3) GDPR

1. Within One Month after Obtaining the Personal Data, Art. 14 (3) lit. a) GDPR

2. Time of First Notification to the Data Subject, Art. 14 (3) lit. b) GDPR

3. At the Time of the Disclosure, Art. 14 (3) lit. c) GDPR

III. Information Obligations Pursuant to Art. 14 (1) GDPR

1. Identity and Contact Details, Art. 14 (1) lit. a) GDPR

2. Data Protection Officer, Art. 14 (1) lit. b) GDPR

3. Purposes and Legal Basis, Art. 14 (1) lit. c) GDPR

4. Data Categories, Art. 14 (1) lit. d) GDPR

5. Recipients or Categories of Recipients, Art. 14 (1) lit. e) GDPR

6. Transmission to Third Countries, Art. 14 (1) lit. f) GDPR

IV. Information Obligations Pursuant to Art. 14 (2) GDPR

1. Period of Storage, Art. 14 (2) lit. a) GDPR

2. Legitimate Interests, Art. 14 (2) lit. b) GDPR

3. Rights of the Data Subject

a) Right of Access

b) Right to Rectification

c) Right to Erasure

d) Right to Restriction of Processing

e) Right to Object

f) Right to Data Portability

g) Right to Withdraw His or Her Consent

h) Right to Lodge a Complaint

4. Origin of Data – Data Source, Art. 14 (2) lit. f) GDPR

5. Automated Decision-Making, including Profiling, Art. 14 (2) lit. g) GDPR

V. Obligation to Provide Information when Further Processing Data, Art. 14 (4) GDPR

VI. General Non-Applicability of the Obligation to Provide Information

1. Knowledge of the Data Subject, Art. 14 (5) lit. a) GDPR

2. Impossibility or Disproportionate Effort, Art. 14 (5) lit. b) GDPR

a) The provision of information proves impossible

b) The provision of information involves a disproportionate effort

c) Protective Measures Provided for by the Controller

3. Obtaining or Disclosure Expressly Laid Down by Union or Member State Law, Art. 14 (5) lit. c) GDPR

4. Professional Secrecy, Art. 14 (5) lit. d) GDPR

5. Legitimate Secrecy Interests of a Third Party, § 29 (1) S. 1 BDSG-new

VII. Exemptions acc. § 33 BDSG-new

1. Non-Applicability of Information Obligations When Further Processing in the Case of a Public Body, § 33 (1) No. 1 BDSG-new

a) Endangerment of the Proper Performance of Tasks, § 33 (1) No. 1a) BDSG-new

b) Threat of the Public Security or Order or Otherwise Detrimental Circumstance to the Federation or a Land, § 33 (1) No. 1b) BDSG-new

2. Non-Applicability of Information Obligations When Further Processing in the Case of a Non-Public (Private) Body, § 33 (1) No. 2 BDSG-new

a) Interference with the Establishment, Exercise or Defense of Legal Claims under Private Law, § 33 (1) No. 2a) BDSG-new

b) Endangerment of a Confidential Transmission of Data to a Public Body, § 33 (1) No. 2b) BDSG-new

3. Special Safeguards, § 33 (2) and (3) BDSG-new

VIII. Relationship between Art. 13 and Art. 14 GDPR

E. Special Obligations to Provide Information in Connection with Processing acc. Art. 6 (1) lit. e) or f) GDPR and Direct Marketing, Art. 21 (4) GDPR

F. Communication of a Personal Data Breach to the Data Subject, Art. 34 GDPR

I. Prerequisite – Potentially High Risk

II. Consequences, Form and Content

III. Exceptions to the Obligation to Notify

1. Appropriate Technical and Organizational Protection Measures, Art. 34 (3) lit. a) GDPR

2. Subsequent Measures by the Controller, Art. 34 (3) lit. b) GDPR

3. Disproportionate Effort, Art. 34 (3) lit. c) GDPR

4. Secrecy Interests, § 29 (1) S. 3 BDSG-new

IV. Prohibition of Use in Criminal Proceedings, § 42 (4) BDSG-new

G. Notification of a Personal Data Breach to the Supervisory Authority, Art. 33 GDPR

I. Prerequisite – Expected Risk

II. Content of the Information to Be Transmitted

1. Nature of the Personal Data Breach

2. Categories and Approximate Number of Data Subjects Concerned

3. Name and Contact Details of the Data Protection Officer or Other Contact Point where More Information Can Be Obtained

4. Description of the Probable Consequences of the Personal Data Breach

5. Measures Taken or Proposed to Be Taken by the Controller to Address the Personal Data Breach

III. Form and Deadline of the Communication

IV. Prohibition of Use in Criminal Proceedings, § 42 (4) BDSG-new

§ 6 Rights of the Data Subject

A. Preliminary Note

B. Right of Access, Art. 15 GDPR

I. Investigation Claim – Is Data About Me Processed at All?

II. Right of Access – What Data is Processed by Whom, for Whom, and What Can I Do About It?

1. General Part of the Claim for Access

a) Purposes of the Processing

b) Categories of Personal Data Being Processed

c) Recipients or Categories of Recipient

d) Envisaged Period For Which The Personal Data Will Be Stored Or The Criteria Used To Determine That Period

e) Rights of the Data Subject

aa) Right to Rectification

bb) Right to Erasure

cc) Right to Restriction of Processing

dd) Right to Object

ee) Right to Lodge a Complaint

f) All Available Information about the Origin of the Data

g) Automated Decision-Making including Profiling

h) Transmission to Third Countries

2. Special Part of the Claim for Access

a) All Processed Personal Data

b) Right to Free Copy of the Data

aa) Scale – What does “copy of personal data” mean?

bb) In General Free of Charge

cc) Special Problem: Information about the Content of Patient Files

3. Formal Requirements concerning the Provision of Information

a) In a Concise, Transparent, Intelligible and Easily Accessible Form

b) Without Undue Delay

c) In Paper Form, on Request Also Electronically

d) Provision to the Correct Data Subject

III. Limitations on the Right of Access

1. Limitations Necessary for the Fulfillment of the Research or Statistical Purposes, § 27 (2) BDSG-new

2. Restriction in favor of Public Interest Archives, § 28 (2) BDSG-new

3. Interest in Maintaining Confidentiality/Secrecy, § 29 (1) S. 2 BDSG-new

4. Restrictions under § 34 BDSG-new

a) No Obligation to Provide Information under § 33 BDSG-new, § 34 (1) No. 1 BDSG-new

b) Data Only Available due to Storage Obligations, § 34 (1) No. 2a) BDSG-new

c) Data Only Serve Purposes of Monitoring Data Protection or Safeguarding Data, § 34 (1) No. 2b) BDSG-new

d) Special Documentation Obligations and Purpose Limitation, § 34 (2) BDSG-new

e) Special Regulations in the Event of Refusal of Information by Public Authorities, § 34 (3) and (4) BDSG-new

IV. Right of Access towards Credit Bureaus in the Context of Consumer Loans, § 30 BDSG-new

C. Right to Rectification

I. Art. 16 GDPR

II. Restriction of Processing for Archiving Purposes in the Public Interest, § 28 (3) BDSG-new

III. Notification Obligation of the Controller towards Recipients, Art. 19 GDPR

D. Right to Erasure (‘Right to be Forgotten’), Art. 17 GDPR

I. Grounds for Erasure

1. Frustration of Purpose, Art. 17 (1) lit. a) GDPR

2. Consent Revocation, Art. 17 (1) lit. b) GDPR

3. Objection to the Processing, Art. 17 (1) lit. c) GDPR

a) Objection to Processing in the Context of Performing a Task in the Public Interest or Legitimate Interests of the Controller

b) Objection to Processing for Direct Marketing Purposes

4. Unlawful Processing

5. Erasure is Required to Fulfill a Legal Obligation

6. Data Collected in Relation to Information Society Services Offered Pursuant to Art. 8 (1) GDPR, Art. 17 (1) lit. f) GDPR

II. Non-Applicability of the Right/Obligation to Erasure

1. Exercise of the Right to Freedom of Expression and Information, Art. 17 (3) lit. a) GDPR

2. Fulfillment of a Legal Obligation, Art. 17 (3) lit b) Alt. 1 GDPR

3. Performance of a Task Carried Out in the Public Interest, Art. 17 (3) lit. b) Alt. 2 GDPR

4. Processing Carried Out in the Exercise of Official Authority, Art. 17 (3) lit. b) Alt. 3 GDPR

5. Reasons of Public Interest in the Area of Public Health, Art. 17 (3) lit. c) GDPR

6. Archiving Purposes in the Public Interest, Scientific or Historical Research Purposes or Statistical Purposes, Art. 17 (3) lit d) GDPR

7. Establishment, Exercise or Defense of Legal Claims, Art. 17 (3) lit. e) GDPR

8. Restrictions under § 35 BDSG-new

a) Regulatory Power?

b) Disproportionate Effort in the Case of Non-Automated Data Processing, § 35 (1) BDSG-new

c) Obligation to Restrict Processing and Obligation to Inform the Data Subject, § 35 (2) BDSG-new

d) Conflict with Retention Periods set by Statute or Contract, § 35 (3) BDSG-new

III. Special Obligations for Making Data Publicly Accessible, Art. 17 (2) GDPR

IV. Notification Obligation of the Controller towards Recipients, Art. 19 GDPR

E. Right to Restriction of Processing, Art. 18 GDPR

I. Accuracy of the Personal Data is Contested, Art. 18 (1) lit a) GDPR

II. Unlawful Processing, Art. 18 (1) lit. b) GDPR

III. Frustration of Purpose by the Controller

IV. Objection to Processing in Accordance with Article 21 (1) GDPR

V. Legal Consequences of Processing, Art. 18 (2) GDPR

VI. Restriction of Rights under § 28 (4) BDSG-new

F. Right to Data Portability, Art. 20 GDPR

I. Affected Data

1. Provided

2. Personal Data Concerning the Data Subject

3. Processing due to Consent or Contract

4. Automated Processing

II. Scope of the Right to Data Portability

1. Structured, Common and Machine-Readable

2. Transmission to the Data Subject

3. Direct Transmission to a New Controller

III. Restrictions

IV. Obligations of the “New” Controller

G. Right to Object, Art. 21 GDPR

I. Overview of the Basic Content of the Right to Object

II. Objection under Art. 21 (1) GDPR

1. Subject Matter

2. Content Requirements

3. Formal Requirements/Time Limit

4. Legal Consequences

III. Objection to Processing with Marketing Purposes, Art. 21 (2) GDPR

1. Subject Matter, Content and Formal Requirements

2. Legal Consequences

IV. Objection to the Use of Data for Scientific or Historical Research Purposes or for Statistical Purposes, Art. 21 (5) GDPR

V. No Right to Object to Public Authorities, § 36 BDSG-new

VI. Restrictions for Archival and Research Purposes, § 27 (2) BDSG-new and § 28 (4) BDSG-new

§ 7 Safeguards for Ensuring Compliance with the GDPR

A. Preliminary Notes

B. Principles

C. Implementation of Technical and Organizational Measures, Art. 32 GDPR

I. Pseudonymization

1. Medical Research and Diagnostics

2. Video Surveillance

3. Test, Demonstration or Training Systems

4. Implementation Options for Pseudonymization

II. Encryption

III. Ensuring the Confidentiality, Integrity, Availability and Resilience of Systems and Services

1. Confidentiality

2. Integrity

3. Availability

4. Resilience

IV. Recoverability

V. Organizational Measures

VI. Regular Review, Assessment and Evaluation of the Effectiveness of Technical and Organizational Measures

D. Data Protection by Design and by Default, Art. 25 GDPR

I. Central Concepts and Their Foundations

1. Data Protection by (Technology) Design

a) Historical Development

b) Conclusions for the Content Determination of PbD

2. Data Protection by Privacy-Friendly Default Settings – Data Protection by Default

II. The Controller's Obligation to Implement

E. Documentation of Processing Activities

I. Records of Processing Activities of the Controller, Art. 30 GDPR

1. Deviations from the Previous Law

2. Formal and Content Requirements

3. Exceptions to the Obligation to Maintain Records of Processing Activities

II. Records of Processing Activities of the Controller

III. Documentation Obligations Derived from other Provisions

F. Data Protection Impact Assessment (DPIA)

I. Subject Matter and Scope of Application

1. Subject Matter – Target of Evaluation (ToE)

2. Potentially High Risk to the Rights and Freedoms of Natural Persons

a) High Risk

b) Likelihood and Time of Prediction of the High Risk

II. Specifications of Implementation

1. Consultation of the Data Protection Officer (DPO)

2. Form and Minimum Content

a) Systematic Description of Processing Operations and Purposes

b) Assessment of the Necessity and Proportionality of the Processing Operations concerning the Purpose

c) Assessment of the Risks to the Rights and Freedoms of the Data Subject(s)

d) Presentation of Corrective Measures

e) Grouped Description

f) Reference to Existing Certification Processes and Guidelines

3. Understanding the Point of View of the Data Subject

4. Review Process

5. Group or Branch Impact Assessment?

III. Special Consultation Obligations

G. Data Protection Officer (DPO)

I. Obligation to Designate a Data Protection Officer (DPO)

1. Provisions within the GDPR, Art. 37 (1)

a) Processing Carried Out by a Public Authority or Body

b) The Core Activities Consist of Processing Operations which Require Regular and Systematic Monitoring of Data Subjects on a Large Scale

c) The Core Activities Consist of Processing on a Large Scale of Special Categories of Data pursuant to Article 9 GDPR or of Personal Data relating to Criminal Convictions and Offenses

2. Further Obligations in §§ 5-7 and 38 BDSG-new

II. Requirements for Being a Data Protection Officer

1. Professional Qualities

2. Independence

3. Obligation of Confidentiality

4. Internal or External Company Data Protection Officer

III. Tasks of the Data Protection Officer

IV. Special Obligations of the Controller or the Processor

H. Certification

I. Code of Conduct

I. General Provisions

II. Requirements for Codes of Conduct

1. Authorization to Create a Code of Conduct

2. Admissible Content

3. Monitoring

III. Approval Procedure

IV. Legal Consequences

§ 8 Processing

A. General Provisions

B. Concept and Legal Basis of Processing

I. Position of the Processor – Differentiation from the Controller

II. Differentiation from Joint Responsibility pursuant to Art. 26 GDPR

1. Necessity of Differentiation / Liability Aspects

2. When is there a Case of Joint Responsibility?

3. Content Requirements for Joint Responsibility

a) Definition of the Respective Actual Functions and Relationships in an Agreement

b) Provision of Information to the Data Subject

III. Essence of the Order Processing – Privilege Function

C. Content Requirements for Processing

I. Justification by Contract or another Legal Instrument

II. Content Requirements for Contracts

1. General Requirements

2. Special Requirements

a) Action in Accordance with Documented Instructions

b) Confidentiality Obligation or Statutory Obligation of Secrecy

c) Taking Technical-Organizational Measures Pursuant to Art. 32 GDPR

d) Conditions for Utilizing Sub-Processors

e) Assistance Related to the Fulfillment of Rights of Data Subjects

f) Assistance in Fulfilling Obligations Placed on the Controller in Art. 32 to 35 GDPR

g) Obligations to Erase and to Return

h) Supervision and Entry and Information Rights of the Controller and Accountability and Information Obligations of the Processor

3. Useful Contractual Supplements

D. Other Obligations of the Processor

I. Obligation to Designate a Representative, Art. 27 GDPR

II. Maintaining a Record of Processing Activities, Art. 30 (2) GDPR

III. Co-operation with the Supervisory Authority, Art. 31 GDPR

IV. Obligation to Designate a Data Protection Officer, Art. 37 GDPR

V. Addressee of Powers of the Supervisory Authorities, Art. 58 GDPR

E. Obligations of the Client

§ 9 Employment Data Protection Law in the BDSG-new

A. Introduction

B. Legal Basis

I. Current Regulations on Employees Data Protection in the BDSG

II. Structure of § 26 BDSG-new

C. Data Protection in the Application Procedure

I. Introduction

II. Applicant Profile Creation with the Aid of Publicly Accessible Sources

III. Data Collection in Job Interviews

1. Limitation of the Right to Ask Questions

2. Behavioral Analyses, Personality Tests, Medical Examinations

IV. Unsuccessful Applicants

D. Data Protection within the Framework of Existing Employment Relationships

I. Introduction

II. Internet, Email, Telephone and Mobile Telephone Use in the Workplace

III. Employee Data in the Enterprise’s Internet Presence

1. Requirement to Obtain Consent

2. Images of Former Employees on the Internet

3. Admissible Content of Information on the Internet

IV. Establishing Electronic Information Databases

V. Maintaining so-called Skills Databases

E. Data Protection after Termination of the Employment Relationship

§ 10 Exporting Data to Third Countries

A. Preliminary Note

B. Adequacy Decision, Art. 45 GDPR

C. Provision of Appropriate Safeguards, Art. 46 GDPR

I. Binding Corporate Rules

1. Previous Legal Status

2. New Legal Situation

II. Standard Data Protection Clauses

III. Authorized Codes of Conduct and Certification

D. Other Derogations

§ 11 Remedies, Liability, Administrative Fines and Penalties

A. Supervisory Powers and Measures

I. Supervisory Authorities

1. Independence Requirements

2. Determination of Local Competence

II. Tasks of the Supervisory Authority

III. Powers of the Supervisory Authorities

IV. Legal Remedies of the Controller and the Processor

B. Legal Position of the Data Subject

I. Right to Lodge a Complaint

1. Content

2. Legal Remedies

II. Right to Compensation

1. Content

2. Legal Remedies

C. Administrative Fines

I. Basis of Calculation

II. Administrative Fine Structure

III. Legal Remedies

IV. Addressees - Liability of Executive Bodies?

D. Provisions on Penalties

§ 12 Austria

A. Preliminary Note

B. Structure of the DSG 2018

C. Regulations in Detail

I. Rectification and Erasure of Personal Data, § 4 (2) DSG 2018

II. Processing of Data about Judicial or Administrative Offenses, § 4 (3) DSG 2018

III. Specification in relation to Art. 8 GDPR

IV. Data Protection Officer (DPO), § 5 DSG 2018

V. Data Confidentiality, § 6 DSG 2018

VI. Transmission of Address Data for the Purpose of Notification and Questioning, § 8 DSG 2018

VI. Media Privilege, § 9 DSG 2018

VII. Image Processing and Video Surveillance for Private Purposes, §§ 12, 13 DSG 2018

VIII. Data Protection Supervisory, §§ 14 – 23 DSG 2018

IX. Further Details on Legal Remedies, Liability and Sanctions, §§ 24 – 30 DSG 2018

1. Right to Lodge a Complaint, § 24 DSG 2018

2. Compensatory Damages – Administrative Responsibility

3. Administrative Fines

Annex

Bibliography

Note:

The following sources refer to the respective German language versions (exceptions are the works cited in the original language). Interested readers should be aware of the fact that quotes from works that have been translated and published in several languages (e.g. Opinions of the Art. 29 Data Protection Working Party etc.) may therefore be found on different pages compared to other language versions.

Essays

Abel, Ralf B./Djagani, Wida, Weitergabe von Kreditnehmerdaten bei Forderungskauf und Inkasso, in: ZD 2017, 114.

Abril, Patricia Sánchez/Lipton, Jacqueline D., The Right to be Forgotten: Who Decides What the World Forgets?, in: Kentucky Law Journal 2015, 363.

Albrecht, Jan Philipp, Das neue EU-Datenschutzrecht – von der Richtlinie zur Verordnung, in: CR 2016, 88.

Arning, Marian/Moos, Flemming/Schefzig, Jens, Vergiss (,) Europa!, in: CR 2014, 447.

Assenbrunner, Benedikt, Gefährdungen der Privatsphäre durch die Internationalisierung des Datenverkehrs, in: DVBl 2016, 1491-1500.

Bahner, Beate, Das Patientenrechtegesetz: Der Behandlungsvertrag endlich im BGB verankert, in: MPR 2013, 73.

Berger, Klaus Peter/Arntz, Thomas, Treu und Glauben als Rechtsprinzip im englischen Wirtschaftsvertragsrecht, in: ZVglRWiss 2016, 167.

Bergt, Matthias, Das Safe-Harbor-Urteil des EuGH – viel Arbeit für Anwälte, in: AnwBl BE 2016, 8-10.

Betti, Emilio, in: Löhlein, Roland/Seidl, Erwin (ed.), Studien zum kausalen Rechtsdenken: Festgabe für Rudolf Müller-Erzbach, Munich 1954, p. 7.

Bieker, Felix/Hansen, Marit/Friedewald, Michael, Die grundrechtskonforme Ausgestaltung der Datenschutz-Folgenabschätzung nach der neuen europäischen Datenschutz-Grundverordnung, in: RDV 2016, 188-197.

Bock, Kirsten/Engeler, Malte, Die verfassungsrechtliche Wesensgehaltsgarantie als absolute Schranke im Datenschutzrecht, in: DVBl 2016, 593-599.

Boehme-Neßler, Volker, Das Recht auf Vergessenwerden – Ein neues Internet-Grundrecht im Europäischen Recht, in: NVwZ 2014, 825.

Börding, Andreas, Ein neues Datenschutzschild für Europa, in: CR 2016, 431-441.

Bretthauer, Sebastian, Anmerkung zum Urteil des EuGH vom 6.10.2015 (C-362/14) – Zur Unzulässigkeit der Safe Harbor-Entscheidung der EU-Kommission, in: K&R 2015, 717-719.

Brühann, Ulf, Die Veröffentlichung personenbezogener Daten im Internet als Datenschutzproblem – Zur Rechtsprechung des Europäischen Gerichtshofs, in: DuD 2004, 201.

Bruns, Alexander, Die Zukunft des Notariats in Europa – Dienstleistung oder vorsorgende Rechtspflege?, in: EuZW 2010, 247.

Buchner, Benedikt, Grundsätze und Rechtmäßigkeit der Datenverarbeitung unter der DS-GVO, in: DuD 2016, 155.

Culik, Nicolai/Döpke, Christian, Der Zweckverbindungsgrundsatz gegen einen unkontrollierten Einsatz von Big Data-Anwendungen, in: ZD 2017, 226.

Dammann, Ulrich, Der EuGH im Internet – Ende des internationalen Datenschutzes?, in: RDV 2004, 19.

Dammann, Ulrich, Erfolge und Defizite der EU-Datenschutzgrundverordnung – Erwarteter Fortschritt, Schwächen und überraschende Innovationen, in: ZD 2016, 307.

Dammann, Ulrich, Internationaler Datenschutz, in: RDV 2002, 70.

Dehmel, Susanne/Hullen, Nils, Auf dem Weg zu einem zukunftsfähigen Datenschutz in Europa? – Konkrete Auswirkungen der DS-GVO auf Wirtschaft, Unternehmen und Verbraucher, in: ZD 2013, 147.

Domke, Carsten, Was bedeutet die Safe-Harbor-Entscheidung des EuGH für Unternehmen und ihre Personalabteilungen?, in: BB 2015, 2804-2807.

Drewes, Stefan, Dialogmarketing nach der DSGVO ohne Einwilligung der Betroffenen, in: CR 2016, 721.

Drewes, Detlef, Die Daten sind weg, in: DRiZ 2015, 369.

Eckhardt, Jens, “Safe Harbor” ungültig: Wie geht es in der Praxis weiter?, in: DSB 2015, 236-238.

Ehmann, Eugen, Abschied von der Verpflichtung auf das Datengeheimnis?, in: ZD 2017, 453.

Eichenhofer, Johannes, “e-Privacy” im europäischen Grundrechtsschutz: Das “Schrems-Urteil” des EuGH, in: EuR 2016, 76-89.

Emmert, Ulrich, Europäische und nationale Regulierungen, in: DuD 2016, 34-37.

Engeler, Malte/Felber, Wolfram, Entwurf der ePrivacy-VO aus Perspektive der aufsichtsbehördlichen Praxis, in: ZD 2017, 251-257.

Erd, Rainer, Lobbyismus vs. Datenschutz: Zugang zu Dokumenten der Gemeinschaftsorgane, in: K&R 2010, 562.

Fassbender, Bardo, Der einheitliche Gesetzesvorbehalt der EU-Grundrechtecharta und seine Bedeutung für die deutsche Rechtsordnung, in: NVwZ 2010, 1049.

Fox, Dirk, Sicheres Löschen von Daten auf Festplatten, in: DuD 2009, 110.

Franck, Lorenz, Das System der Betroffenenrechte nach der Datenschutz-Grundverordnung (DS-GVO), in: RDV 2016, 111.

Franck, Lorenz, Wettbewerbsverstoß durch Werkseinstellungen – “Gesendet von meinem (Markengerät)”, in: K&R 2017, 226.

Frenz, Walter, Industrie 4.0 und Datenschutz im fairen Wettbewerb, in: EuZW 2016, 121-122.

Fuchs, Jana, Personenbezogene Daten zwischen der EU und den USA – in Rückblick auf das sog. “Safe-Harbor-Urteil” des EuGH und ein Ausblick auf dessen Auswirkungen auf den transatlantischen Datenaustausch, in: BB 2015, 3074-3079.

Gardain, Anja-Maria, Transfer of personal data to third countries – Binding Corporate Rules – The new legal instruments – applicable law, conference report as of: 25.4.2005, available at: http://www.giodo.gov.pl/data/filemanager_pl/672.pdf.

Giesen, Thomas, Zum Begriff des Offenbarens nach § 203 StGB im Falle der Einschaltung privatärztlicher Verrechnungsstellen, in: NStZ 2012, 122.

Glöckner, Jochen/Henning-Bodewig, Frauke, EG-Richtlinie über unlautere Geschäftspraktiken: Was wird aus dem “neuen” UWG?, in: WRP 2005, 1311.

Glos, Alexander/Hildner, Alicia/Glasow, Falko, Der Regierungsentwurf zur Umsetzung der Vierten EU-Geldwäscherichtlinie – Ausweitung der geldwäscherechtlichen Pflichten außerhalb des Finanzsektors, in: CCZ 2017, 83.

Gola, Peter, Die Entwicklung des Datenschutzrechts in den Jahren 1999/2000, in: NJW 2000, 3749.

Gounalakis, Georgios/Mand, Elmar, Die neue EG-Datenschutzrichtlinie – Grundlagen einer Umsetzung in nationales Recht, in: GRURInt 1997, 431.

Graewe, Daniel/Freiherr von Harder, Stephan, Die Exkulpation von Vorstandsmitgliedern bei Einholung von Rechtsrat, in: npoR 2016, 148-153.

Grossen, Heiko/Schramm, Marc, Das Verarbeitungsverzeichnis der DS-GVO, in: ZD 2017, 7.

Guckelberger, Annette, Veröffentlichung der Leistungsempfänger von EU-Subventionen und unionsrechtlicher Datenschutz, in: EuZW 2011, 126.

Hammer, Volker, DIN 66398: Die Leitlinie Löschkonzept als Norm, in: DuD 2015, 528.

Hammer, Volker/Schuler, Karin, Löschen nach Regeln – die neue Norm hilft, in: CuA 2016, 30.

Hanloser, Stefan, 25.5.2018 und keine ePrivacy-Verordnung: Füllt das TMG die Lücke?, beck-community, available at: https://community.beck.de/2017/07/10/25-mai-2018-und-keine-eprivacy-verordnung-fuellt-das-tmg-die-luecke.

Henssler, Martin/Kilian, Matthias, Die Ausübung hoheitlicher Gewalt im Sinne des Art. 45 EG, in: EuR 2005, 192.

Haratsch, Andreas, Verweisungstechnik und gemeinschaftsgerichtete EG-Richtlinien – Anmerkungen zum neuen Datenschutzartikel des EG-Vertrages, in: EuR 2000, 42.

Härting, Niko, Datenschutz-Grundverordnung (DSGVO) – einige Grundlagen, in: AnwBl 2016, 810.

Härting, Niko, Der dauerhafte Datenträger, Kommentar zu OLG München vom 25.1.2011 – 29 U 4113/00, in: K&R 2001, 310.

Härting, Niko, Kopplungsverbot nach der DSGVO, in: ITRB 2017, 42.

Härting, Niko, Anmerkung zum Urteil des EuGH vom 6.10.2015 (C-362/14) – Zur Sichtweise des Gerichts betreffend die Safe Harbor Entscheidung der EU-Kommission aus dem Jahr 2000, in: CR 2015, 640.

Heinemann, Oliver/Wäßle, Florian, Datenschutzrechtlicher Auskunftsanspruch bei Kreditscoring – Inhalt und Grenzen des Auskunftsanspruchs nach § 34 BDSG, in: MMR 2010, 600.

Henning-Bodewig, Frauke, Neuorientierung von § 4 Nr. 1 und 2 UWG?, in: WRP 2006, 621.

Hinrichs, Ole, Unsafe Harbor- was tun?, in: ITRB 2015, 285-290.

Hladjk, Jörg, EuGH erklärt Safe Harbor für unwirksam, in: DSB 2015, 234-235.

Hoeren, Thomas, Risikoprüfung in der Versicherungswirtschaft-Datenschutz und wettbewerbliche Fragen beim Aufbau zentraler Hinweissysteme, in: VersR 2005, 1014.

Holznagel, Bernd/Hartmann, Sarah, Das “Recht auf Vergessenwerden” als Reaktion auf ein grenzenloses Internet – Entgrenzung der Kommunikation und Gegenbewegung, in: MMR 2016, 228.

Jülicher, Tim/Röttgen, Charlotte/v. Schönfeld, Max, Das Recht auf Datenübertragbarkeit – Ein datenschutzrechtliches Novum, in: ZD 2016, 358.

Jürgens, Uwe, Die Vernichtung von Datenträgern mit personenbezogenen medizinischen Daten, in: DuD 1998, 449.

Kamp, Meike, Datenschutzkonformer Umgang mit staatlichen Auskunftsersuchen, in: RDV 2007, 236.

Kamps, Michael/Bonanni, Andrea, Was tun mit “Unsafe Harbor”?, in: Der Arbeitsrechts Berater (ArbRB) 2015, 378-381.

Kazemi, Robert, Die Datenschutzgrundverordnung in der medizinrechtlichen Praxis – Was ändert sich 2018?, in: Katzenmeier, Christian/Ratzel, Rudolf (ed.), Festschrift für Franz-Josef Dahm – Glück auf! Medizinrecht gestalten, Berlin 2017, 283.

Kersting, Christian, Organhaftung für Kartellbußgelder, in: ZIP 2016, 1266-1275.

Kiesche, Eberhard/Wilke, Matthias, Safe Harbor-Urteil und die Folgen, in: Arbeitsrecht im Betrieb (AiB) 2016, No. 1, 31-34.

Kingreen, Thorsten, Die Gemeinschaftsgrundrechte, in: JuS 2000, 857.

Köhler, Helmut, Zum Anwendungsbereich der §§ 1 und 3 UWG nach Aufhebung von RabattG und ZugabeVO, in: GRUR 2001, 1067.

Kopp, Ferdinand, Tendenzen der Harmonisierung des Datenschutzrechts in Europa, in: DuD 1995, 204.

Kort, Michael, Datenschutzrechtliche und betriebsverfassungsrechtliche Fragen bei IT-Sicherheitsmaßnahmen, in: NZA 2011, 1319.

Kramer, Philipp, Datentransfer in die USA nach “Safe Harbor”: Abwarten oder handeln?, in: DSB 2015, 258-259.

Kranenborg, Herke, Google and the Right to Be Forgotten (Case C-131/12, Google Spain), in: EDPL 2015, 70.

Kugelmann, Dieter, Datenfinanzierte Internetangebote: Regelungs- und Schutzmechanismen der DSGVO, in: DuD 2016, 566.

Kühling, Jürgen, Rückkehr des Rechts: Verpflichtung von “Google & Co.” zu Datenschutz, in: EuZW 2014, 527.

Kühling, Jürgen/Martini, Mario, Die Datenschutz-Grundverordnung: Revolution oder Evolution im europäischen und deutschen Datenschutzrecht?, in: EuZW 2016, 448.

Kunz, Jens H., Die neue Geldtransferverordnung – Überblick zu den wesentlichen Änderungen, in: Compliance-Berater 2016, 54.

Krügel, Tina, Das personenbezogene Datum nach der DS-GVO, in: ZD 2017, 455-460.

Lachenmann, Matthias, Neue Anforderungen an die Videoüberwachung, in: ZD 2017, 405-411.

Lavranos, Nikolaos, Datenschutz in Europa – Am Beispiel der Datenschutzrichtlinien, des Schengen Information System (SIS) und Europol, in: DuD 1996, 400.

Lejeune, Mathias, Der EU-US Privacy Shield: eine neue Grundlage zum Datenaustausch mit den USA, in: ITRB 2016, 201-209.

Lejeune, Mathias, Datentransfer in die USA nach der EuGH-Entscheidung zum Safe Harbor Framework, in: ITRB 2015, 257-262.

Lenaerts, Koen/Stappe, Tilo, Möglichkeiten und Grenzen des EuGH bei Bewältigung europäischer Krisen, in: AnwBl 2016, 444-448.

Leutheusser-Schnarrenberger, Sabine, Das Recht auf Vergessenwerden – ein Durchbruch oder ein digitales Unding?, in: ZD 2015, 149.

Leutheusser-Schnarrenberger, Sabine, Der EuGH stärkt den Zusammenhalt in der Europäischen Union, in: DuD 2016, 354-356.

Licht, Susanne, Das Verarbeitungsverzeichnis nach der DSGVO, in: ITRB 2017, 65.

Martini, Mario, Do it yourself im Datenschutzrecht, in: NVwZ-Extra 2/2016.

Meyer, Sebastian, Mitarbeiterüberwachung: Kontrolle durch Ortung von Arbeitnehmern, in: K&R 2009, 14.

Möhrke-Sobolewski, Christine/Klas, Benedikt, Zur Gestaltung des Minderjährigendatenschutzes in digitalen Informationsdiensten, in: K&R 2016, 373.

Monreal, Manfred, “Der für die Verarbeitung Verantwortliche” – das unbekannte Wesen des deutschen Datenschutzrechts – Mögliche Konsequenzen aus einem deutschen Missverständnis, in: ZD 2014, 611.

Monreal, Manfred, Weiterverarbeitung nach einer Zweckänderung in der DS-GVO, in: ZD 2016, 507.

Moos, Flemming/Schefzig, Jens, “Safe Harbor” hat Schiffbruch erlitten – Auswirkungen des EuGH-Urteils C-362/14 in Sachen Schrems ./. Data Protection Commissioner, in: CR 2015, 625-633.

Müller, Christopher, Arbeitnehmerdatenschutz im Lichte der EU-Datenschutzrichtlinie, in: Köbler/Heinze/Hromadka (ed.), Europas universale rechtsordnungspolitische Aufgabe im Recht des dritten Jahrtausends, Festschrift für Alfred Söllner zum 70. Geburtstag, Munich 2000, 809.

Müller, Nadja, Transparenz auf allen Ebenen – Zur Umsetzung der Vierten Geldwäscherichtlinie – Teil 1, in: NZWiSt 2017, 87.

Müller, Nadja, Transparenz auf allen Ebenen – Zur Umsetzung der Vierten Geldwäscherichtlinie – Teil 2, in: NZWiSt 2017, 121.

Muser, Albrecht, Was kommt nach Safe Harbor?, in: Arbeit und Arbeitsrecht (AuA) 2016, 523-526.

Nolte, Norbert, Das Recht auf Vergessenwerden – mehr als nur ein Hype?, in: NJW 2014, 2238.

Nord, Jantina/Manzel, Martin, “Datenschutzerklärungen” – misslungene Erlaubnisklauseln zur Datennutzung – “Happy-Digits” und die bedenklichen Folgen im E-Commerce, in: NJW 2010, 3756.

Petri, Thomas, Die Safe-Harbor-Entscheidung, in: DuD 2015, 801-805.

Piltz, Carlo, Die Datenschutz-Grundverordnung, in: K&R 2016, 629.

Piltz, Carlo, Datentransfers nach Safe Harbor: Analyse der Stellungnahmen und mögliche Lösungsansätze, in: K&R 2016, 1-7.

Prantl, Heribert, Weltweiter Datenschutz und zukünftiger Schutz der Grundrechte, in: DuD 2016, 347-353.

Reimer, Sebastian/Artmann, Jörg/Stroetmann, Karl A., Rechtliche Aspekte der Nutzung von elektronischen Gesundheitsdaten: Europäischer Rahmen und nationale Erfahrungen, in: DuD 2013, 154.

Ress, Georg, Konsequenzen des Beitritts der EU zur EMRK, in: EuZW 2010, 841.

Röhrig, Bernd/du Prel, Jean-Baptist/Blettner, Maria, Studiendesign in der medizinischen Forschung, in: Deutsches Ärzteblatt 2009, 184.

Rost, Martin/Bock, Kirsten, Privacy By Design und die Neuen Schutzziele, in: DuD 2011, 30.

Roßnagel, Alexander/Kroschwald, Steffen, Was wird aus der Datenschutzgrundverordnung? – Die Entschließung des Europäischen Parlaments über ein Verhandlungsdokument, in: ZD 2014, 495.

Roßnagel, Alexander/Nebel, Maxi/Richter, Philipp, Was bleibt vom Europäischen Datenschutzrecht? – Überlegungen zum Ratsentwurf der DS-GVO, in: ZD 2015, 455.

Roßnagel, Alexander/Scholz, Philip, Datenschutz durch Anonymität und Pseudonymität – Rechtsfolgen der Verwendung anonymer und pseudonymer Daten, in: MMR 2000, 721.

Ruppert, Stefan, Vierte Geldwäscherichtlinie verabschiedet – Was ändert sich für Steuerberater?, in: DStR 2015, 1708.

Sanner, Julian Alexander, Der Schutz personenbezogener Daten beim Zugang zu Dokumenten der Unionsorgane, in: EuZW 2010, 774.

Schafft, Thomas/Ruoff, Andreas, Nutzung personenbezogener Daten für Werbezwecke zwischen Einwilligung und Vertragserfüllung – Eröffnet das Datenschutzrecht Wege zu innovativen Geschäftsmodellen oder schützt es den Einzelnen vor sich selbst?, in: CR 2006, 499.

Schanz, Peter, Die Datenschutz-Grundverordnung – Beginn einer neuen Zeitrechnung im Datenschutzrecht, in: NJW 2016, 1841.

Schapper, Claus Henning/Dauer, Peter, Die Entwicklung der Datenschutzaufsicht im nicht-öffentlichen Bereich (1), in: RDV 1987, 169.

Scheuing, Dieter H., Zur Grundrechtsbindung der EU-Mitgliedstaaten, in: EuR 2005, 162.

Schild, Hans-Hermann/Tinnefeld, Marie-Theres, Entwicklungen im Arbeitnehmerdatenschutz, in: DuD 2009, 469.

Schild, Hans-Herrmann, Die EG-Datenschutz-Richtlinie, in: EuZW 1996, 549.

Schleipfer, Stefan, Datenschutzkonformes Webtracking nach Wegfall des TMG, in: ZD 2017, 460-466.

Schmidt, Bernd/Freund, Bernhard, Perspektiven der Auftragsverarbeitung, in: ZD 2017, 14.

Schmitz, Barbara/v. Dall’Armi, Jonas, Auftragsdatenverarbeitung in der DS-GVO – das Ende der Privilegierung? – Wie Daten künftig von Dienstleistern verarbeitet werden müssen, in: ZD 2016, 427.

Schmitz, Barbara/v. Dall’Armi, Jonas, Datenschutz-Folgenabschätzung – verstehen und anwenden, in: ZD 2017, 57-64.

Schmitz, Peter, E-Privacy-VO – unzureichende Regeln für klassische Dienste, in: ZRP 2017, 172-175.

Schnabel, Christoph, “Ungültigkeit” der Vorratsdatenspeicherungsrichtlinie?, in: K&R 2009, 358.

Schweizer, Rainer J., Die Rechtsprechung des Europäischen Gerichtshofes für Menschenrechte zum Persönlichkeits- und Datenschutz, in: DuD 2009, 462.

Schuster, Fabian/Hunzinger, Sven, Zulässigkeit von Datenübertragungen in die USA nach dem Safe-Harbor-Urteil, in: CR 2015, 787-794.

Schwartmann, Rolf, Datentransfer in die Vereinigten Staaten ohne Rechtsgrundlage, in: EuZW 2015, 864-868.

Seibel, Mark, Abgrenzung der “allgemein anerkannten Regeln der Technik” vom “Stand der Technik”, in: NJW 2013, 3000.

Simitis, Spiros, Arbeitnehmerdatenschutzgesetz – Realistische Erwartung oder Lippenbekenntnis?, in: AuR 2001, 429.

Simitis, Spiros, Zur Internationalisierung des Arbeitnehmerdatenschutzes – Die Verhaltensregeln der Internationalen Arbeitsorganisation, in: Hanau/Heither/Kühling (ed.), Richterliches Arbeitsrecht – Festschrift für Thomas Dieterich, Munich 1999, 601.

Spindler, Gerald, Durchbruch für ein Recht auf Vergessen(werden)? – Die Entscheidung des EuGH in Sachen Google Spain und ihre Auswirkungen auf das Datenschutz- und Zivilrecht, in: JZ 2014, 981.

Strohn, Lutz, Pflichtenmaßstab und Verschulden bei der Haftung von Organen einer Kapitalgesellschaft, in: CCZ 2013, 177-184.

Stuart, Allyson Haynes, Google Search Results: Buried if Not Forgotten, in: North Carolina Journal of Law & Technology Volume 15, Issue 3: Spring 2014, 463.

Steinbeck, Anja, Die Zukunft der aggressiven Geschäftspraktiken, in: WRP 2008, 865.

Taeger, Jürgen, Verbot des Profiling nach Art. 22 DS-GVO und die Regulierung des Scoring ab Mai 2018, in: RDV 2017, 3.

Tavanti, Pascal, Datenverarbeitung zu Werbezwecken nach der Datenschutz-Grundverordnung (Teil 2), in: RDV 2016, 295.

Thüsing, Gregor, Verbesserungsbedarf beim Beschäftigtendatenschutz, in: NZA 2011, 16.

Thüsing, Gregor/Lambrich, Thomas, Das Fragerecht des Arbeitgebers – aktuelle Probleme zu einem klassischen Thema, in: BB 2002, 1146.

Trittin, Wolfgang/Fischer, Esther D., Datenschutz und Mitbestimmung – Konzernweite Personaldatenverarbeitung und die Zuständigkeit der Arbeitnehmervertretung, in: NZA 2009, 343.

Veil, Winfried, DS-GVO: Risikobasierter Ansatz statt rigides Verbotsprinzip – Eine erste Bestandsaufnahme, in: ZD 2015, 347 et seq.

v. Danwitz, Thomas, Die Grundrechte auf Achtung der Privatsphäre und auf Schutz personenbezogener Daten: Die jüngere Rechtsprechung des Gerichtshofes der Europäischen Union, in: DuD 2015, 581.

Wehmeyer, Stefan, Datenschutz-Grundverordnung und Unternehmenstransaktionen – Was gilt zukünftig für den Umgang mit Kundendaten?, in: PinG 2016, 215.

Weichert, Thilo, Geodaten – Datenschutzrechtliche Erfahrungen, Erwartungen und Empfehlungen, in: DuD 2009, 347.

Weichert, Thilo/Schuler, Karin, Ein “Export-Import-Standardvertrag” für den Drittauslands-Datentransfer, in: DuD 2016, 386-388.

Weisser, Ralf/Färber, Klaus, Kein “Sicherer Hafen” für Daten in den USA, in: DB 2015, 2621-2622.

Weitz, Manfred, Überblick über aktuelle Datenschutzthemen 2016, in: JurPC 2016, Web-Dok. 5/16.

Werner, Rüdiger, Die Haftung des GmbH-Geschäftsführers für Wettbewerbsverstöße und Immaterialgüterrechtsverletzungen durch die Gesellschaft, in: GRUR 2015, 739-744.

Wolff, Heinrich Amadeus/Stemmer, Bastian, Die Entscheidung der Kommission zur Angemessenheit des Datenschutzniveaus in den USA, in: BayVBl 2016, 181-187.

Wybitul, Tim, EuGH erschwert Übermittlung von Daten in die USA – Safe-Harbor-Abkommen ungültig!, in: CCZ 2015, 241.

Ziegenhorn, Gero/Gaub, Daniela, Die EU-Datenschutz-Grundverordnung – Eine erste Analyse für den Bereich der Inkassodienstleistungen, in: PinG 2016, 89.

Ziegenhorn, Gero/v. Heckel, Katharina, Datenverarbeitung durch Private nach der europäischen Datenschutzreform, in: NVwZ 2016, 1585.

Zscherpe, Kerstin A., Anforderungen an die datenschutzrechtliche Einwilligung im Internet, in: MMR 2004, 723.

Comments / Guides / Text books / Monographs

Albrecht, Jan Philipp/Jotzo, Florian, Das neue Datenschutzrecht der EU, Baden-Baden 2016.

Bergmann, Lutz/Möhrle, Roland/Herb, Armin, Datenschutzrecht – Kommentar zum Bundesdatenschutzgesetz, den Datenschutzgesetzen der Länder und zum bereichsspezifischen Datenschutz, loose-leaf, Stuttgart 1977, as of: 2017.

Calliess, Christian/Ruffert, Matthias (ed.), EUV/EGV, 3rd edition, Munich 2007.

Calliess, Christian/Ruffert, Matthias (ed.), EUV/AEUV, 5th edition, Munich 2016.

Capurro, Rafael/Eldred, Michael/Nagel, Daniel, Digital Whoness, Identity, Privacy and Freedom in the Cyberworld, Heusenstamm 2013.

Däubler, Wolfgang/Klebe, Thomas/Wedde, Peter/Weichert, Thilo (ed.), Bundesdatenschutzgesetz, 3rd edition, Frankfurt a.M. 2010.

Ehlers, Dirk, Europäische Grundrechte und Grundfreiheiten, 3rd edition, Berlin 2009.

Ehmann, Eugen/Helfrich, Marcus, EG-Datenschutzrichtlinie, Cologne 1999.

Ehmann, Eugen/Selmayr, Martin (ed.), Datenschutz-Grundverordnung, Munich 2017.

Ennulat, Mark, Datenschutzrechtliche Verpflichtungen der Gemeinschaftsrechtsorgane und -einrichtungen, Frankfurt a.M. 2008.

Eßer, Martin/Kramer, Philip/v. Lewinski, Kai (ed.), Auernhammer – Bundesdatenschutzgesetz und Nebengesetze, 4th edition, Cologne 2014.

Eßer, Martin/Kramer, Philip/v. Lewinski, Kai (ed.), Auernhammer – Datenschutz-Grundverordnung, Bundesdatenschutzgesetz und Nebengesetze, 5th edition, Cologne 2017.

Feiler, Lukas/Forgó, Nikolaus, EU-Datenschutz-Grundverordnung, Vienna 2016.

Fichte, Wolfgang/Plagemann, Hermann/Waschull, Dirk (ed.), Sozialverwaltungsverfahrensrecht, Baden-Baden 2008.

Frenz, Walter, Handbuch Europarecht, Volume 4: Europäische Grundrechte, Berlin/Heidelberg 2009.

Friedewald, Michael/Obersteller, Hannah/Nebel, Maxi/Bieker, Felix/Rost, Martin, White Paper DATENSCHUTZFOLGENABSCHÄTZUNG – Ein Werkzeug für einen besseren Datenschutz, 2nd edition, Karlsruhe 2016, available at: https://www.forum-privatheit.de/forum-privatheit-de/publikationen-und-downloads/veroeffentlichungen-des-forums/themenpapiere-white-paper/Forum_Privatheit_White_Paper_Datenschutz-Folgenabschaetzung_2016.pdf.

Ghadiri, Argang/Ternès, Anabel/Peters, Theo (ed.), Trends im Betrieblichen Gesundheitsmanagement, Wiesbaden 2016.

Goebel, Frank-Michael (ed.), AnwaltFormular Zwangsvollstreckung, 5th edition, Bonn 2016.

Gola, Peter, Datenschutz-Grundverordnung: DS-GVO, Munich 2017.

Gola, Peter/Klug, Christoph, Grundzüge des Datenschutzrechts, Munich 2003.

Gola, Peter/Schomerus, Rudolf (ed.), Bundesdatenschutzgesetz, 10th edition, Munich 2010.

Gola, Peter/Schomerus, Rudolf (ed.), Bundesdatenschutzgesetz, 12th edition, Munich 2015.

Götting, Horst-Peter/Schertz, Christian/Seitz, Walter, Handbuch des Persönlichkeitsrechts, Munich 2008.

Gounalakis, Georgios (ed.), Rechtshandbuch Electronic Business, Munich 2003.

Grabenwarter, Christoph, Europäische Menschenrechtskonvention, 4th edition, Munich 2009.

Graf von Westphalen, Friedrich/Thüsing, Gregor (ed.), Vertragsrecht und AGB-Klauselwerke, 38th supplement, Munich 2016.

Grabitz, Eberhard/Hilf, Meinhard/Nettesheim, Martin (ed.), Das Recht der Europäischen Union, loose-leaf, 61st supplement, Munich 2017.

Haggerty, Kevin D./Ericson, Richard V., The New Politics of Surveillance and Visibility, Toronto 2006.

Herberger, Maximilian/Martinek, Michael/Rüßmann, Helmut/Weth, Stephan (ed.), juris PraxisKommentar BGB, 8th edition, Saarbrücken 2017.

Heselhaus, Sebastian/Nowak, Carsten (ed.), Handbuch der Europäischen Grundrechte, Munich i.a. 2006.

Hesse, Konrad, Grundzüge des Verfassungsrechts der Bundesrepublik Deutschland, 20th edition, Heidelberg 1999.

Jarass, Hans D., Charta der Grundrechte der Europäischen Union, Munich 2010.

Jarass, Hans D., EU-Grundrechte, Munich 2005.

Jarass, Hans D./Petersen, Frank (ed.), Kreislaufwirtschaftsgesetz, Munich 2014.

Kaldenbach, Kirstin, Das Problem der Informationsgewinnung für die vorvertragliche Risikoprüfung auf Seiten des privaten Berufsunfähigkeitsversicherers, Düsseldorf 2011.

Kazemi, Robert/Lenhard, Thomas H., Datenschutz und Datensicherheit in der Rechtsanwaltskanzlei – eBroschüre, 3rd edition, Bonn 2017.

Kazemi, Robert/Leopold, Anders, Das Datenschutzrecht in der anwaltlichen Beratung, Bonn 2011.

Köhler, Helmut/Bornkamm, Joachim, Gesetz gegen den unlauteren Wettbewerb, 28th edition, Munich 2010.

Köhler, Helmut/Bornkamm, Joachim, Gesetz gegen den unlauteren Wettbewerb, 34th edition, Munich 2016.

Kunst, Heiko, Individualarbeitsrechtliche Informationsrechte des Arbeitnehmers, Frankfurt a.M. 2003.

Kühling, Jürgen/Martini, Mario/Heberlein, Johanna/Kühl, Benjamin/Nink, David/Weinzierl, Quirin/Wenzel, Michael, Die Datenschutz-Grundverordnung und das nationale Recht, Münster 2016.

Kühling, Jürgen/Buchner, Benedikt (ed.), Datenschutz-Grundverordnung: DS-GVO, Munich 2017.

Laue, Philip/Nink, Judith/Kremer, Sascha, Das neue Datenschutzrecht in der betrieblichen Praxis, Baden-Baden 2016.

Laufs, Adolf/Kern, Bernd-Rüdiger (ed.), Handbuch des Arztrechts, 4th edition, Munich 2010.

Lenhard, Thomas H., Datensicherheit, Wiesbaden 2017.

Lepperhoff, Niels/Müthlein, Thomas, Leitfaden zur Datenschutz-Grundverordnung, Munich 2017.

Mascalzoni, Deborah (ed.), Ethics, Law and Governance of Biobanking, Dordrecht 2015.

Maunz, Theodor/Dürig, Günter (ed.), Grundgesetz-Kommentar, loose-leaf, 78th supplement, Munich 2016.

Meyer, Jürgen (ed.), Charta der Grundrechte der Europäischen Union, 3rd edition, Baden-Baden 2011.

Meyer-Ladewig, Jens, EMRK Konvention zum Schutz der Menschenrechte und Grundfreiheiten, 2nd edition, Baden-Baden 2006.

Moos, Flemming, Datenschutzrecht – schnell erfasst, Berlin/Heidelberg 2006.

Müller-Glöge, Rudi/Preis, Ulrich/Schmidt, Ingrid (ed.), Erfurter Kommentar zum Arbeitsrecht, 11th edition, Munich 2011.

Oppermann, Thomas/Classen, Claus Dieter/Nettesheim, Martin, Europarecht, 4th edition, Munich 2009.

Paal, Boris P./Pauly, Daniel (ed.), Datenschutz-Grundverordnung: DS-GVO, Munich 2017.

Paefgen, Franziska, Der von Art. 8 EMRK gewährleistete Schutz vor staatlichen Eingriffen in die Persönlichkeitsrechte im Internet, Berlin 2016.

Peters, Falk/Kersten, Heinrich/Wolfenstetter, Klaus-Dieter, Innovativer Datenschutz, Berlin 2012.

Pickel, Harald/Marschner, Andreas (ed.), SGB X – Kommentar zum Sozialgesetzbuch Zehntes Buch, loose-leaf, Munich 2017.

Plath, Kai-Uwe (ed.), Bundesdatenschutzgesetz/Datenschutz-Grundverordnung, Cologne 2016.

Rabe, Christian, Der Schutz der Persönlichkeit vor Kritik an professionellen Leistungen, Baden-Baden 2014.

Reiche, Esther, Heimliche Vaterschaftstests – Eine Untersuchung aus verfassungsrechtlicher Sicht, Baden-Baden 2008.

Roßnagel, Alexander (ed.), Handbuch Datenschutzrecht, Munich 2003.

Schaffland, Hans-Jürgen/Wiltfang, Noeme (ed.), Bundesdatenschutzgesetz, loose-leaf, Berlin 2016.

Schimansky, Herbert/Bunte, Hermann-Josef/Lwowski, Hans-Jürgen, Bankrechts-Handbuch, 5th edition, Munich 2017.

Schulze, Reiner/Zuleeg, Manfred/Kadelbach, Stefan (ed.), Europarecht, 2nd edition, Baden-Baden 2010.

Schwarze, Jürgen (ed.), EU-Kommentar, 2nd edition, Baden-Baden 2009.

Siemen, Birte, Datenschutz als europäisches Grundrecht, Berlin 2006.

Simitis, Spiros (ed.), Bundesdatenschutzgesetz, 6th edition, Baden-Baden 2006.

Simitis, Spiros (ed.), Bundesdatenschutzgesetz, 8th edition, Baden-Baden 2014.

Streinz, Rudolf (ed.), EUV/EGV – Vertrag über die Europäische Union und Vertrag zur Gründung der Europäischen Gemeinschaft, Munich 2003.

Streinz, Rudolf (ed.), EUV/AEUV – Vertrag über die Europäische Union und Vertrag über die Arbeitsweise der Europäischen Union, 2nd edition, Munich 2012.

Sydow, Gernot, Europäische Datenschutzgrundverordnung, Munich 2017.

Taeger, Jürgen/Gabel, Detlev (ed.), Bundesdatenschutzgesetz, Frankfurt a.M. 2010.

Taeger, Jürgen/Gabel, Detlev (ed.), Bundesdatenschutzgesetz, 2nd edition, Frankfurt a.M. 2013.

Taeger, Jürgen/Wiebe, Andreas, Von AdWords bis Social Networks – neue Entwicklung im Informationsrecht, conference proceedings of the Herbstakademie 2008, Edewecht 2008.

Tettinger, Peter J./Stern, Klaus (ed.), Kölner Gemeinschaftskommentar zur Europäischen Grundrechte-Charta, Munich 2006.

Thüsing, Gregor/Wurth, Gilbert, Social Media im Betrieb, Munich 2015.

Vedder, Christoph/Heintschel v. Heinegg, Wolff (ed.), Europäischer Verfassungsvertrag, Baden-Baden 2007.

Viethen, Alexander, Datenschutz als Aufgabe der EG – Bestandsaufnahme des datenschutzspezifischen Sekundärrechts und Analyse anhand der Kompetenzordnung des EG-Vertrages, Münster/Hamburg 2003.

Viola de Azevedo Cunha, Mario, Market Integration Through Data Protection, Dordrecht 2013.

Von Maydell, Bernd Baron/Ruland, Franz/Becker, Ulrich (ed.), Sozialrechtshandbuch (SRH), 4th edition, Baden-Baden 2008.

Weick, Karl, Der Prozeß des Organisierens, Frankfurt 1985.

Wenzel, Karl Egbert (founder), Das Recht der Wort- und Bildberichterstattung, 5th edition, Cologne 2003.

Wenzel, Franck (ed.), Handbuch des Fachanwalts Medizinrecht, 3rd edition, Munich 2013.

Wolff, Heinrich Amadeus/Brink, Stefan (ed.), Beck’scher Online-Kommentar Datenschutzrecht, 20th edition, Munich, as of: 2017.

Wulffen, Matthias von (ed.), SGB X – Sozialverwaltungsverfahren und Sozialdatenschutz, 7th edition, Munich 2010.

Wybitul, Tim, EU-Datenschutz-Grundverordnung, Frankfurt a.M. 2017.

Zimmermann, Reinhard/Whittaker, Simon (ed.), Good Faith in European Contract Law, Cambridge 2000.

§ 1 From Directive to Regulation – European Data Protection Law de lege lata

A. Preliminary Remarks

1 Data protection law is a relatively young field of law. It was not until the mid-1960s, when mainframe technology was developed, that data protection first became the focus of public attention. As electronic data processing became widespread in the United States, two problem areas emerged that triggered a major public debate.

On the one hand, in the context of assessing individual creditworthiness, there were frequent errors in the processing of personal data, which led, for example, to electricity being cut off for allegedly defaulting or insolvent debtors, or to credit being refused. On the other hand, efforts were made to set up a national database collecting all available information on every citizen of the United States of America. This plan – as with the census project in the Federal Republic of Germany – met with considerable resistance in the population, in particular once it became known that individual dossiers already existed on a large number of people and that these datasets were to be combined in the envisaged database. The still ubiquitous fear of total surveillance thus led to a broad public discussion, which in turn led to demands that the legislature act to secure a right to privacy protection in the face of exploding data flows.

Since then, data protection law has undergone intensive development worldwide. Such regulations now exist not only at national but also at supranational level. Thus, the topic of data protection is addressed in several treaties and declarations at international and European level, e.g. in the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), the Universal Declaration of Human Rights of the UN (UDHR) or the International Covenant on Civil and Political Rights (OHCHR). However, with the exception of the European Court of Justice in Strasbourg, there is no international body that monitors compliance with these treaties, and they have therefore generally not gained paramount importance.

However, the law of the European Union has for many years been of particular importance, as its provisions form the legal framework within which both the national legislator and legal practitioners based in Germany have to move. With the European Court of Justice in Luxembourg, there is also a judicial body that can ensure the effectiveness of the numerous supranational legal rules. Thus it is European Union law, too, that has for many years set the main course in the field of data protection.

2 In the European Union, there is an explicitly data-protection-oriented system of fundamental rights at the level of so-called “primary law”, i.e. the Treaty on European Union (TEU),1 the Treaty on the Functioning of the European Union (TFEU)2 – referred to as “the Treaties” under Art. 1 (2) sentence 2 TFEU – and the Charter of Fundamental Rights (the Charter).3

B. General Data Protection Law of the European Union

I. Starting Point

3 It is fitting that, at a time when people were only just beginning to develop an awareness of the careful handling of data, data protection was the starting point for the development of fundamental rights in the European Union in 1969.

The case that gave rise to this, in brief: according to a Commission decision, butter could be sold at reduced prices to citizens in need of assistance. The German version of this decision provided that the buyer had to reveal his name to the seller. Other language versions of the Commission's decision did not contain this requirement, but allowed for other ways of identifying the claimant. The European Court of Justice4 recognised the explosive nature of the matter and, taking the different language versions into account, chose an interpretation of the Commission decision that did not “call into question the fundamental rights of the person contained in the general principles of the Community legal order which the Court has to safeguard”.

A fundamental right to data protection – as yet unnamed at the time – was born. In the following period, the European Court of Justice further developed this fundamental right in a number of judgments.5

4 After several amendments to the treaty basis of the European Union, Art. 6 TEU is today the starting point for questions of fundamental rights protection. In its current version, which the provision received through the Treaty of Lisbon, it reads:

5 Art. 6

(1) The Union recognizes the rights, freedoms and principles set out in the Charter of Fundamental Rights of the European Union of 7 December 2000, as adapted at Strasbourg, on 12 December 2007, which shall have the same legal value as the Treaties.

The provisions of the Charter shall not extend in any way the competences of the Union as defined in the Treaties.

The rights, freedoms and principles in the Charter shall be interpreted in accordance with the general provisions in Title VII of the Charter governing its interpretation and application and with due regard to the explanations referred to in the Charter, that set out the sources of those provisions.

(2) The Union shall accede to the European Convention for the Protection of Human Rights and Fundamental Freedoms. Such accession shall not affect the Union's competences as defined in the Treaties.

(3) Fundamental rights, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms and as they result from the constitutional traditions common to the Member States, shall constitute general principles of the Union's law.

6 It is clear from this provision that the general European protection of fundamental rights currently rests on two equal pillars, namely the Charter (para. 1) and the fundamental rights developed by the case-law of the European Court of Justice as general principles of Union law (para. 3). In addition, the Treaties provide further safeguards for data protection.6

II. Charter of Fundamental Rights

7 The Charter of Fundamental Rights of the European Union7, referred to in Article 6 (1) TEU, codifies fundamental and human rights within the European Union. It was originally drafted by the first European Convention, chaired by Roman Herzog. For the first time, the Charter sets out EU fundamental rights comprehensively in writing and in an understandable form. The content of the Charter is largely based on the Convention for the Protection of Human Rights and Fundamental Freedoms of the Council of Europe (ECHR).8 It is also influenced by the case-law of the European Court of Justice on fundamental rights as general principles of EU law.9 However, due to the opposition of several Member States, the Charter10