The legislator has placed further burdens on companies, some of which are merely formal.<\/p>\n
According to the “Article 1 of the First Law for the Reduction of Bureaucratic Obstacles, especially in the Medium-Sized Economy (BGBl. I S. 1970) of 22.08.2006”, additional burdens have been imposed on small and medium-sized enterprises since a few days.<\/p>\n
In many companies, the regulations have not yet been implemented, even in their own electronic data processing (EDP). This may result, for example, in a fine and a warning with costs under the Unfair Competition Act (UWG).<\/p>\n\n
Already since 23.05.2004 the obligation applies to all entrepreneurs after the Federal Law for Data Protection (BDSG) to possess a public procedure listing. Every freelancer is also affected by this obligation, \u00a7 4 e BDSG<\/a>.<\/p>\n\n In particular, the directory of procedures sets out which data is collected for which purposes, to whom the data is transmitted, and when the data is deleted again. Example: https:\/\/www.fiala.de\/cms\/index.php\/datenschutzinformation\/777\/0\/<\/a> According to a ruling of the Gie\u00dfen Administrative Court of 16.07.2004 (Ref. 22 L 2286\/04<\/a>), the deletion of data can be demanded if the procedural directory has not been drawn up or has not been drawn up properly, because then the EDP is unlawful.<\/p>\n\n Notification to the supervisory authority prior to the use of EDP Pursuant to \u00a7 4d para. 1 BDSG, there is, in principle, a duty to notify the supervisory authority for “procedures of automated processing of data”, i.e. the use of an EDP system.<\/p>\n The notification to the supervisory authority has the practical consequence that the authority will urge the entrepreneur to appoint a data protection officer (DPO). This is because the authority will want to continue to pursue only the “problem cases” for capacity reasons.<\/p>\n Exceptions to the obligation to notify The obligation to notify may be waived pursuant to Section 4 d III BDSG if<\/p>\n (a) data are processed only with the consent of the data subject; or<\/p>\n b) the processing is only successful for contractual purposes, \u00a7 28 I 1 BDSG<\/a>.<\/p>\n \n If neither of these alternatives applies to all data, a DPO should be appointed as a rule from the first person who automatically processes personal data. Otherwise, a DPO must be appointed only if there are more than nine persons.<\/p>\n If a bDSB has been appointed, the notification obligation does not apply, \u00a7 4d II BDSG<\/a>. However, business performance cannot be appointed as the bDSB. A standard employment contract is not sufficient for the appointment as a BDSB. Often a so-called external bDSB is appointed.<\/p>\n\n Everybody can apply to the bDSB for the so-called procedure directory to be handed over to him, \u00a7\u00a7 4e S.1<\/a> No. 1 to 8, 4g<\/a> II S.2 BDSG. If no DPO has been appointed, this duty is incumbent on the company itself. However, if the public procedure directory is stored on the homepage of the entrepreneur for inspection, reference can be made to it.<\/p>\n\n At the latest as soon as more than nine persons (including freelancers, trainees, part-time employees, company owners or managers) process personal data on a regular basis (i.e. not occasionally, e.g. as a substitute in the event of illness), a data protection officer must be appointed or the data processing must be reported to the supervisory authority before the IT system is put into operation. Otherwise the solution of unauthorized data storage can be required, \u00a7 35 BDSG<\/a>.<\/p>\n\n There are opinions according to which it constitutes unfair competition if the appointment of a DPO has not taken place, although such a DPO should be appointed according to the law. The unfair competitive advantage consists in the fact that, by violating the law, one gains an advantage over entrepreneurs who comply with the law.<\/p>\n Information rights, criminal data disclosure, data blocking and correction: If, for example, a debtor is unjustifiably threatened with a “Schufa” entry, this may constitute attempted coercion (\u00a7\u00a7 240<\/a>, 22 StGB<\/a>) or extortion (\u00a7\u00a7 253<\/a>, 22 StGB<\/a>).<\/p>\n After a request, credit and credit rating agencies must also disclose to whom which data has been transmitted. Exceptionally, a trade secret may take precedence here, \u00a7 34 I S.1. BDSG<\/a>. Incorrect data must be blocked, corrected and, if necessary, deleted (judgement of 16.05.2002 of the LG Munich I).<\/p>\n Doctors and tax consultants are not allowed to obtain credit information about their patients or clients without permission. The mere fact of a business relationship is subject to the duty of confidentiality, \u00a7 3 para. 9 BDSG, \u00a7 203 para. 1 No. 1 StGB.<\/p>\n\n Occasionally, “communities of interest” or legal advisors get in touch with serial letters, for example with shareholders, financial service providers, apartment owners, limited partners of investment companies. The IG then pursues as objectives, for example, the hostile takeover of companies with proxy voting rights, the replacement of key positions on the board of directors, supervisory board or WEG advisory board, as well as its own procurement of orders.<\/p>\n The unauthorized disclosure of data, such as in particular the sale of data by former employees, is punishable under German law, \u00a7\u00a7 44 I in conjunction with 43 II No. 3 BDSG. Possible actions for those affected: An exemplary procedure for dealing with spam with sample texts can be found at https:\/\/www.safer-networking.org\/de\/articles\/spamandthelaw.html.<\/a> A first measure can also be to report the breach of law to the “Wettbewerbszentrale”. It can then check whether it is sending out a warning because, for example, there is no public register of procedures. These efforts are then put in writing, served, and a bill of costs attached.<\/p>\n There may also be a fine of up to 250,000 euros, \u00a7 43 III BDSG<\/a>. The Federal and State Data Protection Commissioners will examine this matter after notification. https:\/\/www.datenschutz-berlin.de\/recht\/de\/bdsg\/bdsg01.htm#<\/a>\u00a74d Typical cases which a data protection officer will question are serial letters and e-mails to investors in liability cases, or when file inspections are used to obtain targeted new data for an acquisition.<\/p>\n Some companies have recognised that the provision of a public procedure directory can be combined with other information as part of a professional public relations campaign to promote trust.<\/p>\n\n by Dr. Johannes Fiala<\/p>\n\n by courtesy of<\/p>\n www.channelpartner.de<\/a> (posted 10\/02\/2006)<\/p>\n and<\/p>\n Confectionery production (issue 17\/2006)<\/p>\n and<\/p>\n www.experten.de<\/a> (Article from 27.09.2006)<\/p>\n and<\/p>\n www.bvd-cedi.de<\/a><\/p>\n and<\/p>\n www.venatus.de <\/a>(published in gunsmith.knife & scissors, issue 2\/2007, page 6)<\/p>\n and<\/p>\nContents of the list of proceedings:<\/h3>\n
Legal Principle:<\/h3>\n
Duty to provide information to everyone:<\/h3>\n
Data protection officer is missing:<\/h3>\n
Competition law<\/h3>\n
Hostile takeovers and “communities of interest” (IG)<\/h3>\n
\nThe processing and use of personal data collected through data theft (e.g. of shareholders, members, limited partners) is regularly inadmissible, \u00a7 4 para. 1 BDSG. The data subjects have a claim against the IG for information about the stored data, also about the origin (\u00a7 34 I 1 sentence 1 no. 1 BDSG), and additionally a claim for deletion according to \u00a7 35 II 2 nos. 1 and 3 BDSG<\/a>.<\/p>\n