Berlin Data Protection Act

Law to Protect Personal Data in the Berlin Administration (Berlin Data Protection Act - BlnDSG) as of 17 December 1990 (GVBl. 1991 pp. 16, 54), last amended by Act of 16 May 2012 (GVBl. p. 137)

Part One General provisions

Section 1 Purpose and Object of Data Protection

(1) The purpose of this Act is to regulate the processing of personal data by public authorities and other public agencies in order to
1. protect the right of each individual to self-determine the disclosure and use of his or her data, unless any restrictions are permitted by this Act or by other legislation (informational self-determination),
2. protect the constitutional order based on the principle of the separation of powers against any risk caused by automated data processing.

(2) This law protects personal data collected, stored, modified, transferred, blocked, deleted or otherwise used by public authorities or other public bodies.

Section 2 Scope of Application

(1) All authorities and other public bodies (particularly institutions without legal capacity, hospital companies, municipal utilities and courts) of the State of Berlin and the state bodies, institutions and foundations under public law (section 28 of the General Jurisdiction Act) have the obligation to protect personal data under this Act. This shall also apply to natural and legal persons, companies and other associations of persons under private law, who fulfil any tasks of public administration.

(2) Where data processing is related to earlier, existing or future legal service or employment relationships, section 28 paragraph 2 number 2, sections 31 to 35, 39 and section 43 of the Federal Data Protection Act shall apply instead of sections 9 to 17 of this Act, unless regulated otherwise. This shall also apply to processing in files.

(3) For public bodies who participate in competition the provisions of sections 3, 6, 6a, 9 to 17 and 30 of this Act shall not apply.
These bodies shall be subject to sections 11, 27 paragraph 2, sections 28 to 35, 39, 40, 42a and 43 of the Federal Data Protection Act.

(4) To the extent personal data are processed within the scope of the law on the procedure of the Berlin administration, the provisions of the Berlin Data Protection Act shall apply.

(5) This law comprehensively regulates the protection of personal data for authorities and other public bodies. Other state laws may provide individual necessary deviations from this act for certain authorities and other public bodies; in all other respects data protection shall be subject to the provisions of this Act in those cases as well.

Section 3 Processing of Personal Data on behalf of Others

(1) The provisions of this Act shall also apply to the authorities and other public bodies to the extent that personal data are processed on their behalf by other persons or entities. In those cases the processor shall be chosen with care, taking especially under consideration the appropriateness of the technical and organizational measures taken by him (section 5 paragraph 1). The order must be placed in writing and shall particularly state the following:
1. the subject and duration of the order,
2. the extent, nature and purpose of the proposed collection, processing or use of data, the type of data and the scope of persons affected,
3. the technical and organizational measures to be taken under section 5,
4. the correction, deletion and blocking of data,
5. the checks to be carried out by the processor,
6. any entitlement to establish subcontract relationships,
7. the control rights of the client and the corresponding toleration and cooperation obligations of the processor,
8. required reporting of any breach by the processor or persons employed by him of any regulations adopted to protect personal data or against the provisions made,
9. the scope of ordering powers the client reserves versus the processor,
10. the obligation to return the data media provided to the processor and to delete the stored data after completion of the job.

The client shall check compliance with the requirements specified in Clause 3 above.

(2) Sections 9 and 17 of this Act shall not apply to the authorities and other public bodies to the extent they process personal data on behalf of others. In such cases the processing of personal data shall be allowed only as directed by the controller. Any instructions directed towards any data processing in violation of this Act or any other data protection legislation must not be executed. The controller and his supervisory authority shall be informed immediately. The same applies if data are to be processed which in the opinion of the processor were acquired in violation of law.

(3) For legal persons, companies and other associations of persons under private law, where the State of Berlin or a state body, institution or foundation under public law holds the majority of shares or is entitled to the majority of the votes, the provisions of Part Four shall apply accordingly, provided that in the cases of paragraph 1 sentence 1 they become active by order. With regard to the powers granted under section 28 paragraph 1 the fundamental right of inviolability of the home (Article 13 of the Basic Law, Article 19 paragraph 2 sentence 1 of the Berlin Constitution) shall be restricted to operating and business hours.

(4) Where the provisions of this Act do not apply to the processor, the controller shall be under the obligation to ensure by contract that the processor complies with the provisions of this Act and, to the extent data processing is carried out within the scope of application of this law, submits himself to the control by the Berlin Commissioner for Data Protection and Freedom of Information.
If the data are processed in another federal state or in a member state of the European Union, it must be ensured that the processor is subject to data protection control by the responsible institution. The controller shall inform the Berlin Commissioner for Data Protection and Freedom of Information about the engagement.

Section 3a Maintenance

(1) Data processing systems shall be designed in such a way that access to personal data is not possible during their maintenance. If this is not ensured, the controller shall take technical and organizational measures to ensure that access is possible only to those personal data that are absolutely necessary for maintenance. In particular, the following requirements shall be met: It shall be ensured that
1. only authorized staff performs the maintenance,
2. any maintenance operation can be performed only if the storing institution is aware of the maintenance and wants it to be done,
3. any personal data are prevented from being removed or transferred without authorization in the course of maintenance,
4. all maintenance operations may be checked while being performed,
5. all maintenance operations may be traced later,
6. during maintenance any program not required for maintenance is prevented from being started,
7. during maintenance no data processing programs may be changed without authorization and
8. maintenance is organized and conceived in such a way that it meets the particular requirements of data protection.

(2) Any maintenance by other institutions beyond the requirements specified in paragraph 1 shall require written agreements. Such agreements shall include the following regulations:
1. nature and extent of maintenance,
2. definition of rights and duties between controller and processor,
3. a controller's obligation to log all operations and the processor's obligation to comply with the customer's instructions for handling the data and to abide by his instructions,
4. data shall be used exclusively for the purpose of maintenance,
5. it shall be ensured that the processor does not transmit any data to other bodies,
6. deletion of data after completion of maintenance work,
7. the technical connection must be established by the controller; where this is not possible, a mandatory recall procedure shall be established,
8. as far as possible, presence of the system administrator shall be ensured,
9. encryption of personal data during transfer shall comply with the current state of the art and
10. in the event that a processor operates outside the Member States of the European Union, the relevant provisions of section 14 regarding the transfer of personal data to foreign and international bodies shall apply.

All people entrusted with maintenance works shall be bound to data confidentiality.

(3) Where access to data during maintenance works is possible only in encrypted, pseudonymized and anonymized form, thus ensuring that the institution entrusted with maintenance cannot re-identify the persons affected, only the measures set out in paragraph 2, sentences 1 and 3 are required. Any access to data must be linked to a clearly defined purpose.

(4) For the purposes of this Act,
a) Maintenance shall mean the totality of measures taken to ensure the availability and integrity of the hardware and software of data processing systems, including the installation, maintenance, inspection and correction of software and the verification and repair or replacement of hardware,
b) Remote maintenance shall mean the maintenance of the hardware and software of data processing equipment by means of data transfer systems from a location outside the place where the personal data are processed, and
c) Encryption shall mean the replacement of plaintext words or characters with others in a way that the plaintext can be made readable again only with a disproportionate amount of time, money and manpower.
Section 4 Definitions

(1) For the purposes of this Act, personal data shall mean details about personal or material circumstances of an identified or identifiable natural person (data subject). The same applies to data on deceased persons, unless the legitimate concerns of the data subject can no longer be affected.

(2) Data processing shall mean the processing, collection, storage, modification, transfer, blocking, deletion and use of personal data. For the purposes of the following provisions
1. data collection shall mean the acquisition of data about the data subject,
2. data storage shall mean capturing, recording or storing data on a data storage medium,
3. modification shall mean changing the contents of stored data, regardless of the method used to do so,
4. transfer shall mean the disclosure to third parties of data stored or obtained by processing of obtained data in such a way that the controller submits the data to such third party or that the third party retrieves the data prepared for retrieval,
5. Blocking shall mean preventing further processing of stored data,
6. Deletion shall mean to eliminate stored data,
7. Use shall mean any other use of personal data.

(3) For the purposes of this Act,
1. controller shall mean any authority or other public body that processes data for use by itself or has data processed by others; where it fulfils different legal duties, the one organizational unit to which the task has been assigned shall be deemed to be the controller,
2. Receiver shall mean any person or body who receives the data,
3. Third party shall mean any person or body outside the controller, except the data subject or those persons and bodies who in the cases covered by number 1 process data by order of others under the jurisdiction of the legislation for the protection of personal data of the Member States of the European Union,
4. automated data processing shall mean any data processing performed automatically using a controlled technical process,
5. data file shall mean a collection of data that can be analysed by automated procedures (automated file), or a similarly structured collection of data that can be sorted and analysed according to certain characteristics (non-automated file),
6. file shall mean any other document for official purposes, to the extent it is not a data file as contemplated by number 5, including images and audio recordings but not preliminary drafts and notes not supposed to become part of a process,
7. Anonymization shall mean the modification of personal data in such a way that the details about personal or material circumstances can no longer or only with a disproportionate amount of time, cost and effort be assigned to an identified or identifiable natural person,
8. Pseudonymization shall mean replacing the name and other identifying characteristics with a mark in order to prevent or considerably complicate the identification of the data subject,
9. a mobile personal data processing and storage medium shall mean a data storage medium
a) handed over to the data subject,
b) on which beyond storage personal data may be automatically processed by the issuing institution or by another institution and
c) where the data subject may influence such processing only by using the medium.

Section 5 Technical and Organizational Measures

(1) The implementation of the provisions of this Act and other regulations concerning data protection shall be ensured by technical and organizational measures. The type of such measures shall be appropriate for the intended purpose of protection and shall depend on the current state of the art.

(2) If personal data are processed automatically, appropriate measures shall be taken to ensure that
1. only authorized persons may take notice of the data (confidentiality),
2. personal data remain intact, complete and up to date during processing (integrity),
3. personal data are available on time and may be processed properly (availability),
4. personal data may be related to their origin any time (authenticity),
5. it can be found out, who processed which personal data in what way at what time (auditability), and
6. the procedures governing the processing of personal data are complete, up to date and documented in such a manner that they can be understood in a reasonable time (transparency).

(3) Before making a decision about the use or a significant change in automated data processing, the technical and organizational measures to be taken shall be determined on the basis of a risk analysis and a security concept. In procedures where data are processed that are subject to professional or special official secrecy or have been collected for the prosecution of crimes and administrative offences this shall include a prior analysis regarding any risks affecting the right of informational self-determination. According to technical development such analysis shall be repeated at appropriate intervals. Where despite feasible security measures there are still any remaining unacceptable risks that cannot be prevented by the measures referred to in paragraphs 1 and 2, or by any modification of automated data processing, the processing must not take place.

(4) Where personal data are not processed automatically, the provisions of paragraph 2 numbers 1 to 4 shall apply accordingly.

(5) Automated data processing shall be organized in such a way that it is possible to separate the data according to each intended purpose and according to the various data subjects already during processing, particularly during transfer, while taking notice in performing one's duties and during inspection.

Section 5 a Data Minimization

Planning, design and selection of information technology products and processes shall be governed by the aim to process no or as few as possible personal data.
In particular, the possibilities of anonymization and pseudonymization shall be used wherever possible and provided that costs are in a reasonable relation to the intended purpose of protection.

Part Two Conditions of Data Processing and Rights of Data Subjects

Section 6 Admissibility of Data Processing

(1) The processing of personal data is only permissible if
1. either this Act or
2. a special law permits it or
3. the data subject has consented.

Processing personal data is permitted under this Act, provided that the nature of the data, their obviousness or the nature of use does not affect the legitimate concerns of the data subject. Sentence 1, no. 2 shall apply only if the data protection ensured by the legal provision is comparable with this Act.

(2) Where personal data are processed because of a legal provision of the Federal government without processing being regulated in detail, sections 13 to 15 of the Federal Data Protection Act shall apply.

(3) Where data processing is based on the consent of the data subject, he shall be informed appropriately about the meaning of his consent, in particular about the intended use of the data. In case of intended transfers such duty to inform shall also include information regarding the recipient of the data and the purpose of transfer. The data subject shall be informed in detail about the legal consequences and the possibility to refuse to consent.

(4) Consent requires the written form, unless a different form is appropriate in special circumstances. If consent is to be given together with other statements in writing, this shall be especially pointed out to the data subject electronically or in writing.

(5) The person's consent is effective only if based on his free decision. Particularly it shall be ineffective if achieved under threat of unlawful disadvantages or due to lack of information.
As far as special categories of personal data are processed according to section 6a paragraph 1, the consent shall relate expressly to those data.

(6) Consent may also be given electronically. It must be ensured that the requirements for establishing the authenticity of the consent are in line with those required for the underlying administrative action.

Section 6 a Processing of Special Categories of Personal Data

(1) Personal data as defined in article 8 paragraph 1 of Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, P. 0031 - 0050) - EC Data Protection Directive - may be processed only if there are adequate safeguards to protect the right to informational self-determination and provided that a special legal provision which defines the purpose of processing allows such processing.

(2) Processing of those data is also permissible if the data subject has expressly consented or if processing is required in order to protect the vital interests of the data subject or a third party and provided that for legal or factual reasons the data subject is not in a position to give his consent.

(3) The provisions of paragraphs 1 and 2 shall not apply if
1. data are processed on the basis of section 2 paragraph 2 and section 30 of this Act or
2. data processing is required for the purpose of preventive health measures, medical diagnosis, care or treatment or the management of health services and provided that those data are processed by medical staff or other persons subject to appropriate confidentiality obligations.

Section 7 Rights of Data Subjects

Everyone has a right under this Act to
1. information, notification and inspection (section 16),
2. rectification, blocking, erasure and objection (section 17),
3. indemnification and injunctive relief (section 18),
4. access to descriptions and registers (section 19 a),
5. appeal to the Berlin Commissioner for Data Protection and Freedom of Information (section 27).

The data subject may not effectively waive those rights.

Section 8 Data Confidentiality

(1) The personnel of authorities and other public bodies who process data for these bodies or on behalf of others are not allowed to process any personal data without authorization. For the staff of private contractors of public bodies who have official access to personal data that requirement shall be ensured by contract.

(2) The personnel shall be subjected to the requirements of paragraph 1 upon starting their job. Their obligations shall persist after the termination of their job.

Section 9 Necessity

(1) Under the following provisions processing of personal data shall be allowed only if necessary for legitimate fulfilment of the tasks assigned to the data-processing body by law and for the purpose associated to each case.

(2) Where personal data are connected in files in such a way that separation of necessary and non-necessary data is impossible even by copying and obliteration or if such separation is possible only with unreasonable effort, taking notice, forwarding within the controlling body and transfer of data that are not necessary to fulfil the corresponding task shall be permitted beyond paragraph 1. To that extent any use of those data shall be prohibited.

Section 10 Data Collection

(1) As a rule, personal data shall be collected only from and with the knowledge of the data subject under the conditions of section 6 paragraph 1 and section 6a paragraphs 1 and 2.

(2) Where data are collected from and with the knowledge of the data subject, he shall be given appropriate information regarding the purpose of such data collection. Where data are intended to be transmitted, the duty of information also shall include disclosure of the recipient of the data.
Where data are collected from the data subject on the basis of any obligation to provide information based on a legal provision, he shall be informed about such legal basis. In all other cases the data subject shall be informed that he may refuse to respond. Where information is required in order to grant any public benefits, the data subject shall be informed about the possible consequences of non-response.

(3) In individual cases public authorities and other public bodies may collect data without knowledge of the data subject only if
1. allowed by a legal provision,
2. the data subject has consented to this form of data collection or
3. timely information of the data subject is not possible and provided that there is no evidence that the legitimate concerns of the data subject could be affected.

(4) Data may be collected from the data subject or from third parties outside the public sector without his knowledge only if provided by a legal regulation.

(5) If data are collected without the knowledge of the data subject, he shall be notified as soon as the legitimate performance of the tasks is no longer at risk by doing so. Such notification shall include the legal basis and the information provided for in paragraph 2, sentences 1 and 2.

Section 11 Use for Defined Purposes

(1) As a rule, personal data may be processed only for the purpose for which they had been collected or stored. Personal data which an authority or public body has received without collecting them may only be used for purposes for which they had been stored first.

(2) If personal data are to be processed for purposes they had not been acquired or stored for, processing is permissible only if
1. one of the requirements defined under section 6 paragraph 1 or section 6a paragraphs 1 or 2 applies,
2. this is required to avoid serious disadvantages for the common welfare or any other imminent threat to public security or to avert a serious impairment of the rights of another person or
3. any legitimate evidence for criminal or administrative offences is found while fulfilling legal tasks and information of the responsible law enforcement authorities is deemed necessary.

Where the personal data are subject to professional or special official secrecy and provided that the person sworn to secrecy transmitted them to the controller in exercising its professional or official duties, sentence 1 no. 2 and 3 do not apply.

(3) Where personal data are connected in files in such a way that separation by different purposes is impossible even by copying and obliteration or if such separation is possible only with unreasonable effort, separation shall be replaced by the prohibition of use as contemplated in paragraph 2 for those data which do not serve the purpose of the corresponding processing.

(4) Data are not deemed to be processed for other purposes, if processed in exercising powers of supervision and control, internal auditing, financial auditing or in carrying out investigations. Access to personal data is permitted only to the extent it is indispensable for the exercise of those powers. Personal data may be used for education and further education purposes only, if this is indispensable and provided that it does not conflict with any legitimate concerns of the data subject; personal data must not be used for testing and verification purposes.

(5) Personal data stored exclusively for purposes of monitoring data protection, data security or to ensure the proper operation of a data processing system must not be used for other purposes.

Section 12 Data Transfer within the Public Sector

(1) The transfer of personal data to authorities and other public bodies is permissible, if one of the prerequisites of section 11 paragraph 2 sentence 1 no. 1 to 3 is met.
If the data are required by an authority or another public body for the same purpose for which the data had been collected, the transfer of personal data to authorities and other public bodies is also permissible, if required for the lawful fulfilment of the task assigned by law to the transferring body or authority or the receiving public body.

(2) The transfer of personal data to institutions of religious communities incorporated under public law shall be permissible subject to the rules governing the transfer of data to authorities and other public bodies and provided that it is ensured that the third party takes adequate data protection measures.

(3) The decision of whether or not a data transfer is permissible shall be taken by the transferring institution.

Section 13 Transfer of Data to Institutions outside the Public Sector

The transfer of personal data to persons and other entities outside the public sector as well as to state bodies incorporated under public law that participate in competition shall be permissible, if allowed by a legal provision or if the data subject has agreed.

Section 14 Data Transfer to Government Bodies outside the Scope of the Basic Law

(1) For the transfer of personal data to authorities or other public bodies within the scope of application of the laws to protect personal data of the Member States of the European Union, section 12 paragraph 1 shall apply accordingly.

(2) The transfer of personal data to authorities or other public bodies outside the scope of application of the legal regulations to protect personal data of the Member States of the European Union is permissible only to the extent such transfer is expressly regulated by a law, a legal act of the European Community or an international agreement and provided that an adequate level of data protection is ensured.
The adequacy of the level of data protection shall be assessed by the transferring institution, taking into account all the circumstances of the intended data transfer, especially the type of data, their purpose, the duration of intended processing, the countries of origin and of final destination, the legal standards, professional rules and security measures the recipient is subject to.

(3) Where in the cases contemplated under paragraph 2 an adequate level of data protection is not ensured, transfer of personal data shall be permissible, if
1. the data subject has agreed,
2. the transfer is required in order to safeguard an important public interest or to assert, exercise or defend legal claims in court,
3. the transfer is necessary in order to safeguard the vital interests of the data subject,
4. the transfer is made from a register which is intended to inform the public or is open for inspection to any person who can demonstrate a legitimate interest, as far as the legal requirements are met in each case or
5. sufficient guarantees regarding the protection of personal rights and the exercise of related rights are ensured for the transfer or a category of transfers, particularly by way of a contractual agreement.

The institution to which the data are transferred shall be informed that under section 11 paragraph 1 the transferred data may only be used for a certain purpose.

(4) The Department of Home Affairs of the Berlin Senate, the Berlin Commissioner for Data Protection and Freedom of Information and the Data Protection Officer must be informed in good time of any scheduled data transfer in accordance with paragraphs 2 and 3. According to section 19 paragraph 2 it shall be mentioned in the data file description.

(5) Paragraphs 2 to 4 shall not apply to the extent personal data are transferred in the course of international mutual legal assistance which are not processed automatically and are not stored or intended to be stored in data files.
In such case a transfer of personal data to authorities or other public bodies outside the scope of application of the legal regulations to protect personal data of the Member States of the European Union is permissible if
1. the transfer is expressly regulated in a law, a legal act of the European Communities or an international agreement or
2. the recipient is subject to equivalent data protection regulations and in case of transfer to a public body the requirements of sections 9 and 11 are met.

Section 15 Automated Retrieval Procedure

(1) An automated method to retrieve personal data by third parties may be established by authorities or other public bodies only, if expressly permitted by a law. The rules governing the permissibility of each retrieval shall remain unaffected.

(2) The Senate shall by ordinance determine the details of the implementation of automated retrieval procedures. Such ordinance shall identify the data recipient, the type of data and the purpose of retrieval. It shall include measures to secure and control the data which shall be reasonably proportionate to the intended level of protection.

(3) Personal data must not be made available for automated retrieval by institutions outside the public sector; this shall not apply to retrieval by the data subject.

(4) The provisions of paragraphs 1 and 3 shall not apply to databases that are openly available for use by everyone without or after special permission or publication of which would be permissible.

(5) The provisions of paragraphs 1, 2 and 4 shall be applied accordingly to the approval of regular automated data transfers.

Section 15 a Prohibition of Automated Individual Decisions

Decisions which have any legal consequences for or will significantly affect the data subject must not be based solely on automated processing of personal data used to evaluate certain personal aspects.
A decision under sentence 1 may be permitted by law, provided that it ensures the safeguarding of the legitimate interests of the data subject.

Section 16 Information, Notification and Inspection

(1) Where personal data are stored in an automated process or in a data file, the controller shall, upon request, inform the data subject free of charge about
1. the personal data stored about him,
2. the purpose and legal basis for data processing,
3. the origin of the data and the recipients of data transfers within the last two years,
4. the logical structure of automatic processing of the data relating to him.

(2) Where personal data are processed automatically, the data subject shall be notified of this fact in writing or electronically. Such notification shall include a reference to the data description according to section 19 paragraph 2. The notification may be combined with data collection.

(3) The provisions of paragraphs 1 and 2 shall not apply to personal data that are exclusively stored for the purpose of data backup.

(4) If personal data are stored in files, the data subject may apply to the controller asking for inspection of the files. If the files are held under the name of the data subject he shall identify them. If the files are not held under the name of the data subject, he shall provide information to enable the retrieval of personal data stored about him with reasonable effort. Inspection shall not be allowed if the data of the data subject are connected with data of third parties or confidential non-personal data in such a way that their separation according to different purposes is not possible even by duplication and obliteration, or only with disproportionate effort, in which case, the data subject shall be informed pursuant to paragraph 1. If the data subject agrees, he may also be given information about his personal data, rather than allowing him to inspect the files.
(5) The provisions of paragraphs 1, 2 and 4 shall not apply if it is found after consideration that for compelling reasons the rights of the data subject are less important than the public interest in maintaining secrecy, or a predominant third party-interest in confidentiality, and the data subject shall be informed about the main reasons. The decision rests with the head of the controlling institution or his deputy. Where information or access is not authorized, the data subject shall be advised that he may appeal to the Berlin Commissioner for Data Protection and Freedom of Information. The controlling institution shall explain to the Berlin Commissioner for Data Protection and Freedom of Information the reasons for refusing information or access. Section 17 Correction, Blocking and Erasure of Data, Right to Object (1) Personal data shall be corrected, if inaccurate. The data subject shall be heard before correction. (2) Personal data shall be blocked, if the data subject disputes their accuracy and as long as it cannot be determined whether they are accurate or inaccurate. They shall also be blocked when the controller no longer needs to know them in order to fulfil the tasks it is responsible for. Blocked data shall be provided with a corresponding note; they may no longer be processed, in particular they must not be transferred or used otherwise, except that their use is inevitable for scientific purposes or to remedy a lack of evidence and provided that the data subject has agreed to such use. (3) Personal data shall be erased, if the controller no longer needs to know them in order to legally fulfil the tasks it is responsible for and provided that there is no reason to assume that such erasure will affect the legitimate interests of the data subject. They shall be erased, if their storage was unlawful or if the data subject so requires in the cases contemplated in paragraph 2, sentence 2. 
In the cases described in sentence 2, 1st alternative the data subject shall be heard before erasure. The same applies if the data were collected without the involvement of the data subject and if there had been no notification pursuant to section 10 paragraph 5. (4) In cases of paragraph 2, sentence 2 and paragraph 3 sentences 1 and 2, the controller may hand over the data to an archive that is subject to public law, rather than blocking or erasing them as contemplated in those paragraphs. In the case of paragraph 3, sentence 2 this shall require the data subject's consent. (5) The correction under paragraph 1, the blocking under paragraph 2 and erasure under paragraph 3 shall be reported in due course to the entities to which the data had been transferred in the course of regular data transfer. (6) If personal data are stored in files and cannot be blocked by copying and obliteration, they shall only be blocked in accordance with paragraph 2 sentence 1, if the whole file regarding the data subject is no longer required to fulfil the tasks specified there. In such case the data subject may not claim erasure according to paragraph 3 sentence 1. (7) If the data subject objects to data processing in writing giving reasons which show that lawful processing of his data conflicts with a legitimate special personal interest, data processing shall be permissible only if in that particular case the public interest in processing the data outweighs the personal interest of the data subject, and the data subject shall be informed about the result of such consideration in writing. Section 18 Indemnification and Injunctive Relief (1) If the data subject's legitimate interests have been affected by any data processing that is unlawful under this Act or under any other data protection legislation, the authority or other public body which processed or had processed the data according to section 3 paragraph 1 shall compensate the financial losses incurred. 
If there are more infringements of the law to be apprehended, the data subject may claim an injunction. In severe cases the data subject may also claim reasonable pecuniary compensation for immaterial damage. (2) Where several institutions are involved in automated processing and the institution which stored the data cannot be identified, each of those institutions shall be liable. (3) Claims for indemnification and injunctive relief on the basis of other regulations shall remain unaffected. Section 18a Security Breach Notification (1) If a controller becomes aware that any personal data stored by him have been unlawfully transferred or otherwise unlawfully disclosed to any third party and provided that this may seriously affect the rights or legitimate interests of the data subjects, he shall inform the data subject and the Berlin Commissioner for Data Protection and Freedom of Information without delay. (2) Information of the data subject pursuant to paragraph 1 may be deferred only as long as the controller first has to take appropriate measures to safeguard the data. If he does not take such action immediately, notification of the data subject shall not be delayed. Sentence 1 shall apply accordingly, where immediate information of the data subject would endanger prosecution. The data subjects shall be informed about the nature of illegal obtainment of knowledge and the measures taken to mitigate any negative consequences. Where notification of the data subjects would require a disproportionate effort, it shall be replaced by reasonable information of the public. Section 19 Implementation of Data Protection and Data File Description (1) The controllers which in the cases of section 4 paragraph 3 no. 1, clause 2 shall include the respective authorities or other public bodies and the supervision authorities shall ensure the implementation of this Act and any other legal regulations on data protection for their area of accountability. 
They shall in particular ensure the proper application of data processing programs used to process personal data. (2) As regards automated data processing, the controller shall specify electronically or in writing: 1. name and address of the controller, 2. purpose and legal basis of data processing, 3. description of group of data subjects and the related data or data categories 4. recipients or categories of recipients to whom the data are disclosed, 5. origin of regularly received data, 6. authorized persons or groups of people, 7. time limits for blocking and erasure of the data 8. scheduled transfer of personal data to authorities or other public bodies outside the scope of application of the legal regulations to protect personal data of the Member States of the European Union, 9. mode of procedure, type of equipment, sites where the equipment is located and the methods used to transfer, block, erase data and to provide information, 10. description of measures taken to ensure the security of data processing (section 5 paragraph 3 sentence 1), 11. results of preliminary checks (section 19a paragraph 1 sentence 3 No. 1). (3) Paragraph 2 shall not apply to data files that in case of automated processing are held temporarily and exclusively for processing purposes. Section 19a Data Protection Officer (1) The authorities and other public bodies shall appoint in writing data protection officers (of the authority) and one deputy each. Several authorities or other public bodies may appoint a joint data protection officer. The Data Protection Officers shall in particular 1. in the cases of data processing involving special risks for the rights and freedoms of data subjects, check the effectiveness of technical and organizational measures according to section 5 before processing (preliminary check), 2. monitor the proper use of data processing programs used to process personal data, 3. 
take appropriate measures in order to make the staff processing personal data familiar with the provisions of this Act and other regulations concerning data protection, in regard of the particular conditions in this area of accountability and the resulting special data protection requirements and 4. support the authority or other public body in ensuring data protection, they shall also support the staff representatives in ensuring data protection, to the extent they process personal data. The Data Protection Officer shall maintain the descriptions and lists according to section 19. Those lists may be inspected by any person free of charge. This shall not include the information required by section 19 paragraph 2 no 9 to 11, as far as it affects the security of the technical process. This shall not apply to descriptions of tasks of the Office for the Protection of the Constitution, the preservation of public order and security, prosecution and law enforcement and tax administration, to the extent the controller in particular cases declares such inspection to be incompatible with the performance of its duties, nor does it apply to public bodies participating in competition. (2) Only such person may be appointed as Data Protection Officer who possesses the required expertise and trustworthiness to fulfil his tasks and whose appointment does not result in a conflict of interests with other official duties. He must be in a service or employment relationship with an authority or other public body of the State of Berlin or a state body, institution or foundation under public law. His appointment may not be revoked against his will, unless for good cause in appropriately applying section 626 of the German Civil Code. The termination of employment of the Data Protection Officer appointed according to paragraph 1 shall not be permissible, unless there are facts which entitle the authorities and other public bodies to termination without notice for good cause. 
After cancellation of the appointment as Data Protection Officer termination of employment shall not be permissible within one year after cancellation of appointment, unless the authorities and other public bodies are entitled to termination without notice for good cause. In matters of data protection the Data Protection Officer may apply directly to the head of the appropriate authority or other public body and he shall not be subject to any directions on data protection matters. He must not be discriminated against because of the performance of his duties. He shall be obliged not to disclose the identity of data subjects and any circumstances which would allow drawing conclusions on data subjects, unless the data subject approves such disclosure. (3) The Data Protection Officer is authorized to process personal data to the extent necessary to fulfil his tasks. The respective authority or public body shall assist the Data Protection Officer in performing his duties and in particular make available office space, facilities, equipment and resources for him as far as required in order to fulfil his tasks. He shall be informed in good time about projects of automated data processing. (4) The Data Protection Officer may at any time contact the Berlin Commissioner for Data Protection and Freedom of Information. In cases of doubt regarding preliminary checks the Berlin Commissioner for Data Protection and Freedom of Information shall be consulted. (5) In order to acquire and maintain the expertise required to perform his duties the authorities and other public bodies shall enable the Data Protection Officer to participate in professional training and further education courses and pay the related costs. 
Part Three Data for the Berlin Parliament and Borough Assemblies Section 20 (1) The authorities and other public bodies shall provide the Berlin Parliament, its constitutional institutions and the parliamentary groups of the Berlin Parliament with the information on data requested in order to fulfil their tasks. Personal data may be disclosed to those institutions in order to fulfil their tasks, provided that the requirements set out in section 28 paragraph 1 sentence 1 number 2 or 3 of the Federal Data Protection Act are met. (2) The same obligation exists with regard to the borough assemblies, their constitutional institutions and their parliamentary groups to the extent they request information on data within their scope of responsibility. (3) Draft bills shall include information about the data required in order to implement the law with data processing systems, and the way in which data are intended to be processed. Part Four Berlin Commissioner for Data Protection and Freedom of Information Section 21 Appointment and Dismissal (1) The Berlin Commissioner for Data Protection and Freedom of Information is elected by the Berlin Parliament by a vote of a majority of its members and appointed by the Speaker of the Berlin Parliament. He also assumes the duties of the Commissioner for the Inspection of Files in accordance with section 18 paragraph 1 of the Berlin Freedom of Information Act of 15 October 1999 (GVBl. p. 561), as amended by Article XXII of the Act of 16 July 2001 (GVBl. p. 260) and shall carry the official title "Berlin Commissioner for Data Protection and Freedom of Information" in its masculine or feminine form. (2) The Berlin Commissioner for Data Protection and Freedom of Information shall take the following oath before the Speaker of the Berlin Parliament: "I swear to perform my duties fairly and impartially, in keeping with the Basic Law, the Constitution and the laws of Berlin and to put all my efforts into this office, so help me God." 
The oath may also be taken without religious affirmation. (3) The official term of the Berlin Commissioner for Data Protection and Freedom of Information shall be five years; after the end of the term he shall remain in office upon request of the Presiding Committee of the Berlin Parliament until a successor is appointed. Re-election shall be permissible. Before the expiry of his term the Berlin Commissioner for Data Protection and Freedom of Information may be dismissed against his will only if there are reasons that would justify the dismissal of a judge for life. Section 22 Legal Status (1) According to this Act the Berlin Commissioner for Data Protection and Freedom of Information is a public office. (2) The Berlin Commissioner for Data Protection and Freedom of Information shall be established as supreme state authority; he shall be independent in performing his duties and shall only be subject to law. He shall be under the supervision of the Speaker of the Berlin Parliament to the extent his independence is not compromised. (3) The Berlin Commissioner for Data Protection and Freedom of Information must not exercise any other salaried office or trade in addition to his duties and must belong neither to the management, the supervisory board or the board of directors of any profit-oriented company nor to a government or legislative body of the Federal government or a state. He must not issue out-of-court expert opinions for a consideration. In all other aspects his status shall be determined by contract. (4) The Berlin Commissioner for Data Protection and Freedom of Information is entitled and may be requested by the majority of the Berlin Parliament or any of its committees to appear and make statements before Parliament or the relevant committee. 
Section 23 Duty of Confidentiality The Berlin Commissioner for Data Protection and Freedom of Information shall be bound to confidentiality with regard to the matters he gets to know officially, even after the end of his term in office. This does not apply to information received in official communication or relating to facts that are obvious or not sufficiently important to warrant confidential treatment. The Berlin Commissioner for Data Protection and Freedom of Information must not make any statements or declarations about such matters, neither in court nor out of court, even when he is no longer in office, unless with the permission of the Speaker of the Berlin Parliament. Section 24 Functions and Powers (1) The Berlin Commissioner for Data Protection and Freedom of Information shall monitor compliance with the provisions of this Act and other regulations concerning data protection by the authorities and other public bodies. To this end, he may make recommendations to improve data protection, in particular he may advise the Berlin government (Senate) and individual members of the Senate as well as the other authorities and public bodies in matters of data protection. He must be heard before adopting laws, regulations and administrative provisions, if they refer to the processing of personal data. The Berlin Commissioner for Data Protection and Freedom of Information must be involved in the preliminary checks contemplated in section 5 paragraph 3, if they refer to the intended use of cross-administrative procedures. He shall also have the powers international or European law has assigned to supervisory authorities and control bodies responsible for data protection. (2) Courts shall be exempt from paragraph 1 as far as they are not taking action in administrative matters. 
Where courts are using automated data processing systems in order to fulfil their statutory duties, the regularity and legality of the methods shall be, without prejudice to judicial independence, controlled by the Berlin Commissioner for Data Protection and Freedom of Information. (3) The Berlin Commissioner for Data Protection and Freedom of Information shall monitor the effects of automated data processing on the working methods and decision-making powers of the authorities and other public bodies to see whether they lead to a restriction of control by the Berlin Parliament or the borough assemblies. He may suggest protective action against such effects. The Berlin Commissioner for Data Protection and Freedom of Information shall be informed, when new automation projects and any significant changes in automated data processing are introduced in the authorities and other public bodies. (4) The Berlin Commissioner for Data Protection and Freedom of Information shall work together with the authorities and other public bodies responsible for monitoring compliance with the regulations on data protection in federal and state governments and shall co-operate with the supervisory authorities appointed under section 38 of the Federal Data Protection Act. He shall be entitled to transfer personal data to those entities, as may be necessary to monitor compliance with data protection regulations. He shall also be entitled to inspect compliance with data protection regulations for these bodies upon their request and shall have the right to acquire personal data in this context and to transmit them to those bodies; this shall also apply where a private body has been subjected to his control by contract. He shall provide additional (official) assistance to the supervisory authorities of other Member States of the European Union upon request. 
(5) The Berlin Commissioner for Data Protection and Freedom of Information shall be entitled to process personal data he gets to know because of complaints, requests, comments and advice requests, to the extent necessary to fulfil his tasks under this Act and under the Federal Data Protection Act. Within the scope of inspection measures he may in individual cases collect personal data also without knowledge of the data subject, provided that this is the only way to find out whether or not there is any data protection issue. The data acquired and processed according to sentences 1 and 2 must not be further processed for other purposes. To the extent the Berlin Commissioner for Data Protection and Freedom of Information uses his right to demand a stated penalty under section 32 Paragraph 3 he shall have the power to transfer personal data to the public prosecutor's office to the extent necessary to carry out the investigation. Section 25 Register of Data Files (abolished) Section 26 Notice of Defect (1) If the Berlin Commissioner for Data Protection and Freedom of Information detects any infringement of the provisions of this Act or any other data protection regulations or finds any other irregularities in processing personal data, he shall send a notice of defect 1. in case of authorities and other public bodies of the central administration, to the relevant member of the Senate, in all other cases to the Speaker of the Berlin Parliament or the President of the Audit Office, 2. in case of authorities and other public bodies of the borough administrations, to the borough offices, 3. in case of state bodies, institutions and foundations under public law as well as associations of such corporations, institutions and foundations, to the board or any organ otherwise authorized to represent the body requesting their statement within a period to be determined by him. In the cases covered by sentence 1 no. 
2 and 3 the Berlin Commissioner for Data Protection and Freedom of Information shall also inform the supervising member of the Senate. (2) The Berlin Commissioner for Data Protection and Freedom of Information may do without notice of defect or statement of the affected body, provided that the defects are insignificant. (3) Along with his notice of defect the Berlin Commissioner for Data Protection and Freedom of Information may make proposals to eliminate the shortcomings and to otherwise improve data protection. (4) The statement to be made under paragraph 1 sentence 1 shall also include a description of the measures that have been taken as a result of the notice of defect of the Berlin Commissioner for Data Protection and Freedom of Information. The bodies mentioned in paragraph 1 sentence 1 no. 2 and 3 shall send to the supervising member of the Senate a copy of their statement for the Berlin Commissioner for Data Protection and Freedom of Information. Section 27 Appeal Anyone may appeal to the Berlin Commissioner for Data Protection and Freedom of Information if he feels that an infringement of the provisions of this Act or other data protection regulations has occurred or is imminent in the processing of personal data by public authorities or other public bodies. This shall also apply to service staff of the authorities and other public bodies, without having to use the official channels. Section 28 Support (1) The authorities and other public bodies are obliged to support the Berlin Commissioner for Data Protection and Freedom of Information and his agents in carrying out their tasks. They shall particularly 1. provide the requested information and access to all documents and files associated with the processing of personal data, particularly to stored data and data processing programs, 2. hand over the documents and files referred to in number 1 as well as copies of documents, automated data files, the procedures used and the organizational regulations, 3. 
grant access to all office rooms and electronic facilities any time. Sentence 2 shall not apply to the tasks mentioned in section 19a paragraph 1 sentence 7, to the extent the responsible member of the Senate finds in individual cases that such access to documents and files may put at risk the security of the Federal government or a federal state. Upon request of the Berlin Commissioner for Data Protection and Freedom of Information the Senate administration shall give reasons for this during a secret meeting of the relevant parliamentary committee. The committee's decision may be published. (2) The duties of official and professional secrecy shall not relieve anybody from his duty to provide support. Section 29 Reports and Expert Opinions At the request of the Berlin Parliament or the Senate the Berlin Commissioner for Data Protection and Freedom of Information shall prepare expert opinions and give reports. He shall submit to the Berlin Parliament and the Senate an annual report on the results of his activities. The Senate shall regularly submit to the Berlin Parliament its comments on the report within three months after submission of the report. At the request of the Berlin Parliament, the Petitions Committee of the Berlin Parliament or the Senate, the Berlin Commissioner for Data Protection and Freedom of Information shall also follow up the information received about matters and procedures relating to his immediate area of responsibility. The Berlin Commissioner for Data Protection and Freedom of Information may appeal to the Berlin Parliament any time. Part Five Special Data Protection Section 30 Data processing for scientific purposes (1) For scientific research purposes and exclusively for specific research works data-processing bodies may transfer personal data without the consent of the data subject, 1. provided that because of the nature of the data, their notoriety or the type of the use his legitimate interests are not affected or 2. 
if the public interest in carrying out the research project considerably outweighs the legitimate concerns of the data subject and provided that the purpose of research may not be achieved otherwise. Such transfer shall require the prior consent of the supreme state authority or a body assigned by it; this shall not apply to public bodies according to section 2 paragraph 3. Such consent shall specify the recipient, the type of personal data to be transferred, the group of data subjects and the research project and shall be communicated to the Berlin Commissioner for Data Protection and Freedom of Information. (2) As soon as the research purpose so allows, the characteristics required to relate the data to the data subject shall be stored separately and such characteristics shall be erased, as soon as the research purpose is achieved. (3) Any processing of the data submitted under paragraph 1 for purposes other than research purposes shall be forbidden. The data transferred according to paragraph 1 sentence 2 must not be transferred further, unless with the consent of the data subject. (4) To the extent the provisions of this Act do not apply to the recipient, personal data may be transferred only if the recipient undertakes to comply with the provisions of paragraphs 2 and 3 and submits to the control of the Berlin Commissioner for Data Protection and Freedom of Information. (5) The public bodies performing scientific research may publish personal data only, provided that a) the data subject has consented or b) this is essential for the presentation of research findings on events of contemporary history. (6) Under the provisions of paragraph 1 the data-processing institution may process personal data for the purpose of scientific research without the consent of the data subject himself. 
Section 31 Data Processing by the broadcasting station "Sender Freies Berlin" (1) Unless Sender Freies Berlin processes any personal data solely for its own literary or journalistic purposes, § 22 a of the Berlin Press Act of 15 June 1965 (GVBl. p.744), last amended by article VI of the Act of 30 July 2001 (GVBl. p. 305) and section 41 paragraphs 2 and 3 of the Federal Data Protection Act shall apply accordingly instead of this Act. Sender Freies Berlin shall appoint a data protection officer, who oversees the regulations on data protection in the journalistic and editorial context free from any directions. To him anyone may appeal who assumes that his rights have been infringed in the processing of personal data for journalistic or literary purposes. The data protection officer shall send notices of defect to the director general and simultaneously shall inform the Broadcasting Council. The administrative supervision is the responsibility of the Board of Administration. Section 31 a Telemetering and Telecontrol Services (1) Public bodies may carry out remote measurements or observations (telemetry services) in private homes or offices or trigger any other effects in homes or offices by means of a transfer device (remote service) only after informing the data subject about the purpose and nature, the extent and duration of use of the service and after the data subject has agreed in writing after having been informed. The data subject may revoke his consent at any time. If in doubt, disabling of a service shall be deemed a revocation of consent. (2) The establishment of telemetry and telecontrol services is permissible only if the data subject may find out, when a service is being used, what kind of service it is and provided that the subscriber may turn off the service at any time, provided that this is consistent with the purpose of the contract. 
(3) A service, the conclusion or execution of a contractual relationship must not be made dependent on the data subject's consent pursuant to paragraph 1 sentence 1. If he refuses or withdraws his consent, he must not suffer any disadvantages beyond the immediate subsequential costs. (4) Where personal data are collected in the course of telemetric and telecontrol services, they may only be processed for the agreed purposes. They shall be erased as soon as they are no longer required in order to fulfil those purposes. Section 31b Surveillance of publicly accessible areas using optical and electronic devices (1) The Surveillance of publicly accessible areas using optical and electronic devices (video surveillance) is permissible only, if the use of video surveillance is required to perform one's tasks or to make use of householder's rights and provided that there are no indications that such measures might be outweighed by the legitimate interests of the data subjects. (2) The fact of surveillance and the data-processing institution shall be made visible by suitable measures. (3) Processing of data collected under paragraph 1 shall be permissible if required in order to achieve the pursued purpose and provided that there are no indications that the measures might be outweighed by the legitimate interests of the data subjects. They may be processed for another purpose only to the extent necessary to prevent security threats to the state and the public and in order to prosecute crimes. (3a) For data acquired in accordance with paragraph 1 in publicly accessible places of public local transport or stored in accordance with paragraph 3 sentence 1 it shall apply instead of paragraph 3, sentence 2 that 1. they may be processed for another purpose only to the extent necessary to prevent or prosecute criminal offences and 2. provided that for this purpose they may exclusively be transferred to the Berlin chief of police and to the criminal prosecution authorities. 
Records, the storage of which is required neither for the prevention nor for the prosecution of criminal offences, shall be erased not later than after 48 hours. This shall be ensured by a security concept agreed with the Berlin Chief of Police. (4) Where data acquired by video surveillance are assigned to a particular person, he shall be informed about processing, the identity of the processing institution as well as the purpose of processing. The data subject shall also be informed about the recipients or categories of recipients of data, unless he may expect them to receive the data. Where transfer is intended, information shall take place not later than upon the first transfer. There shall be no duty to inform the data subject, if 1. it results from considerations that for compelling reasons the public confidentiality interest outweighs the data subject's right to be notified 2. the data subject has otherwise obtained knowledge of data storage or transfer, 3. notification of the data subject involves a disproportionate effort or 4. storage or transfer of personal data is expressly provided by law. The responsible body shall determine in writing or electronically, under which conditions a notification according to paragraph 3 or 4 shall not be made. (5) The data shall be erased without delay, as soon as they are no longer required to achieve the purpose or where the legitimate interests of the data subjects conflict with further storage. Section 31 Mobile Personal Storage and Processing Media (1) The institution issuing a mobile person-related storage and processing medium or a method for automated processing of personal data which fully or partly runs on such a medium or writes, changes or provides data on the medium shall inform the data subject 1. about its identity and address, 2. in an intelligible form about how the medium works, including the nature of the personal data to be processed, 3. 
about how he may exercise his rights under sections 16 and 17, and 4. about the measures to be taken in case of loss or destruction of the medium, as far as the individual has not already obtained such information. (2) The institution responsible under paragraph 1 shall ensure that the devices or facilities required in order to exercise the right to information are available in a reasonable amount for use free of charge. (3) The communication processes triggering data processing on the medium shall be clearly recognizable to the data subject. Part Six Final Provisions Section 32 Criminal Offences (1) He who 1. transfers or changes or 2. retrieves non-obvious personal data or obtains files from locked containers without authorization shall be punished with imprisonment of up to one year or a fine. (2) If the offender acts for remuneration or with the intention to enrich himself or another person or to harm another person, the punishment shall be imprisonment for up to two years or a fine. (3) The offence shall be prosecuted only upon request. The person eligible to demand prosecution shall be the data subject. Prosecution may also be demanded by the Berlin Commissioner for Data Protection and Freedom of Information. The Berlin Commissioner for Data Protection and Freedom of Information may demand prosecution even against the will of the data subject. Section 33 Supervisory Authority Under the Federal Data Protection Act (1) The supervisory authority under the Federal Data Protection Act for data processing by private institutions and public corporations who take part in competition shall be the Berlin Commissioner for Data Protection and Freedom of Information. He fulfils the assigned tasks independently and shall exclusively be subject to law. Section 22 paragraph 4 and section 29 paragraph 1 shall apply accordingly. 
(2) The trade licensing offices shall submit to the supervisory authority copies of registrations or deregistrations of companies which according to the state of information of the trade licensing offices are subject to reporting under section 4 d of the Federal Data Protection Act. If the supervisory authority in performing its legitimate duties becomes aware of any facts suggesting any unreliability under commercial law, it may communicate those facts to the trade licensing offices. (3) The supervisory authority is entitled to process the personal data it gets to know in the context of complaints and inquiries to the extent necessary to fulfil its responsibilities under the Federal Data Protection Act. In individual cases it may acquire personal data as part of control measures without the knowledge of the data subject, if this is the only way to find out, whether or not there is a data protection issue. The data processed under sentences 1 and 2 may not be further processed for other purposes. Section 34 Special Regulations Notwithstanding section 13 the data subject's consent shall not be required for the transfer of personal data from advertisements of traders according to sections 14 and 55 c of the Industrial Code, as far as such transfer is required in order to fulfil the duties the transferring institution is responsible for and provided that the third party shows probable cause that it has a legitimate interest in getting to know the data to be transmitted. Section 35 Amendmend of the Act on the Procedures of the Berlin Administration (Obsolete) Section 35 a Transitional Arrangements For the processing and use of data acquired or stored before 1 September 2009 section 28 of the Federal Data Protection Act as of 31 August 2009 shall continue to apply for the purposes of advertising until 31 August 2012. Section 36 Entry into Force, Abrogation This Act shall take effect the day after its publication in the Official Gazette for Berlin.