Data protection law: new minimum requirements for companies


The patron saint of Germans must be called “St. Bürokratius”. A president of the Steinbeiß Foundation put it in a nutshell during a speech: “Germans have an almost erotic relationship with forms”.

The legislator has placed further burdens on companies, some of which are merely formal.

Under “Article 1 of the First Law for the Reduction of Bureaucratic Obstacles, especially in the Medium-Sized Economy (BGBl. I S. 1970) of 22.08.2006”, additional burdens have been imposed on small and medium-sized enterprises for a few days now.

In many companies, the regulations have not yet been implemented, even in their own electronic data processing (EDP). This may result, for example, in a fine and a warning with costs under the Unfair Competition Act (UWG).


Public register of procedures – more bureaucracy?

Since 23.05.2004, all entrepreneurs have been obliged under the Federal Data Protection Act (BDSG) to maintain a public register of procedures. Every freelancer is also affected by this obligation, § 4 e BDSG.


Contents of the register of procedures:

In particular, the register of procedures sets out which data is collected for which purposes, to whom the data is transmitted, and when the data is deleted again. Example: According to a ruling of the Gießen Administrative Court of 16.07.2004 (Ref. 22 L 2286/04), the deletion of data can be demanded if the register of procedures has not been drawn up or has not been drawn up properly, because the electronic data processing is then unlawful.


Legal Principle:

Notification to the supervisory authority prior to the use of EDP

Pursuant to § 4d para. 1 BDSG, there is, in principle, a duty to notify the supervisory authority for “procedures of automated processing of data”, i.e. the use of an EDP system.

The notification to the supervisory authority has the practical consequence that the authority will urge the entrepreneur to appoint a data protection officer (DPO). This is because the authority will want to continue to pursue only the “problem cases” for capacity reasons.

Exceptions to the obligation to notify

The obligation to notify may be waived pursuant to Section 4 d III BDSG if

(a) data are processed only with the consent of the data subject; or

(b) the processing takes place only for contractual purposes, § 28 I 1 BDSG.

If neither of these alternatives applies to all data, a DPO should as a rule be appointed as soon as a single person processes personal data by automated means. Otherwise, a DPO must be appointed only if there are more than nine persons.

If a company data protection officer (bDSB) has been appointed, the notification obligation does not apply, § 4d II BDSG. However, the management cannot be appointed as the bDSB. A standard employment contract is not sufficient for the appointment as a bDSB. Often a so-called external bDSB is appointed.


Duty to provide information to everyone:

Anyone can request that the bDSB hand over the so-called register of procedures, §§ 4e S.1 No. 1 to 8, 4g II S.2 BDSG. If no DPO has been appointed, this duty is incumbent on the company itself. However, if the public register of procedures is available for inspection on the entrepreneur's homepage, reference can be made to it.


Data protection officer is missing:

At the latest as soon as more than nine persons (including freelancers, trainees, part-time employees, company owners or managers) process personal data on a regular basis (i.e. not occasionally, e.g. as a substitute in the event of illness), a data protection officer must be appointed or the data processing must be reported to the supervisory authority before the IT system is put into operation. Otherwise the deletion of the unlawfully stored data can be demanded, § 35 BDSG.


Competition law

There are opinions according to which it constitutes unfair competition if the appointment of a DPO has not taken place, although such a DPO should be appointed according to the law. The unfair competitive advantage consists in the fact that, by violating the law, one gains an advantage over entrepreneurs who comply with the law.

Information rights, criminal data disclosure, data blocking and correction:

If, for example, a debtor is unjustifiably threatened with a “Schufa” entry, this may constitute attempted coercion (§§ 240, 22 StGB) or extortion (§§ 253, 22 StGB).

Upon request, credit agencies and credit rating agencies must also disclose to whom which data has been transmitted. Exceptionally, a trade secret may take precedence here, § 34 I S.1. BDSG. Incorrect data must be blocked, corrected and, if necessary, deleted (judgement of 16.05.2002 of the LG Munich I).

Doctors and tax consultants are not allowed to obtain credit information about their patients or clients without permission. The mere fact of a business relationship is subject to the duty of confidentiality, § 3 para. 9 BDSG, § 203 para. 1 No. 1 StGB.


Hostile takeovers and “communities of interest” (IG)

Occasionally, “communities of interest” or legal advisors get in touch with serial letters, for example with shareholders, financial service providers, apartment owners, limited partners of investment companies. The IG then pursues as objectives, for example, the hostile takeover of companies with proxy voting rights, the replacement of key positions on the board of directors, supervisory board or WEG advisory board, as well as its own procurement of orders.

The unauthorized disclosure of data, such as in particular the sale of data by former employees, is punishable under German law, §§ 44 I in conjunction with 43 II No. 3 BDSG.
The processing and use of personal data collected through data theft (e.g. of shareholders, members, limited partners) is regularly inadmissible, § 4 para. 1 BDSG. The data subjects have a claim against the IG for information about the stored data, also about the origin (§ 34 I 1 sentence 1 no. 1 BDSG), and additionally a claim for deletion according to § 35 II 2 nos. 1 and 3 BDSG.

Possible actions for those affected:

An exemplary procedure for dealing with spam with sample texts can be found at

A first measure can also be to report the breach of law to the “Wettbewerbszentrale”. It can then examine whether to issue a warning because, for example, there is no public register of procedures. The warning is then put in writing, served, and a bill of costs attached.

There may also be a fine of up to 250,000 euros, § 43 III BDSG. The Federal and State Data Protection Commissioners will examine this matter after notification (§ 4d). Typical cases which a data protection officer will question are serial letters and e-mails to investors in liability cases, or when file inspections are used to obtain targeted new data for an acquisition.

Some companies have recognised that the provision of a public register of procedures can be combined with other information as part of a professional public relations campaign to promote trust.


by Dr. Johannes Fiala


by courtesy of (posted 10/02/2006)


Confectionery production (issue 17/2006)

and (Article from 27.09.2006)


and (published in gunsmith.knife & scissors, issue 2/2007, page 6)

and (published 09-2006)
