In Germany, the state of Hesse initiated data protection legislation in 1970 with the world’s first data protection law. At federal level, the first version of the Federal Data Protection Act came into force in January 1978. In 1978, a Federal Commissioner for Data Protection and Freedom of Information was also established for the first time. This is an independent supreme federal authority based in Bonn.
The German Federal Data Protection Act (BDSG), together with the data protection laws of the federal states and other area-specific regulations, regulates the handling of personal data that is processed in information and communication systems or manually. It implements the Data Protection Directive, which will be repealed and replaced by the Basic Data Protection Regulation.
In addition, the federal states’ (Länder) data security laws apply on the level of state and municipal authorities. The purpose of the data security laws is to protect “the individual against an infringement of his personal rights through the misuse of his personal data” (§ 1.1 BDSG). This right of “information self-determination” is considered, according to a ruling of the Federal Constitutional Court, a fundamental right of all German citizens. The basic principle of the law is a general ban on the collection, processing and use of person-related data, except where explicitly permitted by law or individually approved – usually in writing – by the person concerned. Other important principles of the law include those on “data avoidance” and “data thrift” (e.g. the former Federal film statistics were abolished in this context). A Federal Representative for Data Security and Access to Information (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, BfDI) and similar officials in the federal states (Länder) are responsible for supervising and guaranteeing these provisions.
On 23rd May 2001, the European directive on data protection, which defines minimum standards for data protection of EU member states, adopted by the European Parliament and by the Council of the European Union in 1995, was transposed into German national law through the amendment of the Federal Data Protection Act (“BDSG”). However, as the Federal Republic of Germany failed to adopt this transposition within three years after the enactment of the European directive, the European Commission initiated an infringement procedure against the Federal Republic of Germany.
Moreover, in 2005 the European Commission criticised the substance of the German implementation of the European directive as insufficient, since the requirement that data protection supervision be absolutely independent from state interference was not satisfied. Until then, the BfDI had been under the legal supervision of the Federal Government and the administrative supervision of the Federal Ministry of the Interior (BMI), and moreover relied on the organisational and administrative infrastructure of the latter. Therefore, the European Commission initiated a new infringement procedure. In 2010 the European Court of Justice ruled that the European directive on data protection had not been transposed correctly into German national law: the control of data protection in the EU member states may not be subject to any other executive state bodies, as they could possibly have a political interest in non-compliance with data protection laws.
Since January 2016, the BfDI has been restructured into an entirely independent supreme Federal authority. In the course of conversion, the legal supervision of the Federal Government as well as the administrative supervision of the Federal Ministry of the Interior will be abolished and the BfDI will remain subject to parliamentary and judicial control only.
In 2018, a new version of the Federal Data Protection Act came into force – in response to the goal of fully harmonising data protection law within the European Union. The data protection laws of all federal states were also adapted in 2018.
These general data protection laws are complemented and clarified by many other data regulations, e.g. in the social security domain or with regard to church life. However, the BDSG regulations are also relevant in the cultural area, where they have gained relevance e.g. in the marketing work of cultural facilities.
There are also special rules for public service broadcasters. Religious societies under public law are not subject to the Federal Data Protection Act or the data protection laws of the federal states. The Roman Catholic Church has issued an order on church data protection and the Synod of the Protestant Church in Germany has issued the EKD Data Protection Act.