

For many corporate managers, data protection law has so far largely been merely a marginal issue in which lawmakers have more or less imposed burdensome regulations on companies. But companies overlook the strategic relevance of data protection regulations.

It is one of the basic mechanisms of the German Federal Data Protection Act (“FDPA”) to require a statutory permission or a declaration of consent for the collection, processing (which includes storing and transferring) and use of personal data. No permission is needed, however, for exchanging personal data with a data processor in Germany, the European Union or the European Economic Area (“EU/EEA”) and for having it carry out processing operations, it being understood that the parent company, a company of the same group of companies or an external service provider can be used as data processors. Should such a data processor be located outside the EU/EEA, the FDPA qualifies the exchange of personal data with the processor as a “normal” data transfer and the aforementioned rule applies again.

If a company has to appoint a company Data Protection Officer, the question becomes who is suitable to hold the office. Apart from the question of whether an Internal Data Protection Officer or an External Data Protection Officer is more suitable for the company, this article will explain which employees in the company can perform the tasks of the Data Protection Officer and when difficulties may arise in determining the officer.

International groups of companies need international employee data transfers. The principles of the European Data Protection Directive of October 24, 1995 (95/46/EC) as implemented in the various Member States’ privacy acts, such as the German Federal Data Protection Act (“FDPA”), require that any data transfer must pass a two-step test.

In June 2009 the Article 29 Data Protection Working Party, an independent European advisory body on data protection and privacy set up under Article 29 of Directive 95/46/EC (“WP-29”), rendered an opinion on privacy law implications of social networking (“WP-163”). In its WP-163, the WP-29 defines a social network service as “online communication platform which enables individuals to join or create networks of like-minded users” and categorises them as being information society services, as defined in Article 1 paragraph 2 of Directive 98/34/EC as amended by Directive 98/48/EC. The WP-163 stresses that the key phenomenon of social networks lies in the fact that users are asked to provide sufficient information about themselves in order to create a thorough personality profile or description and that moreover such information can easily be distributed to others.

It could be regarded as a consequence of the current economic crisis that more and more companies intend to introduce mechanisms of measuring the performance of their employees. There is the possibility of counting the hours an employee is present at work, the number of calls made for example by a call centre agent, the number of pieces of work produced by an industry worker or the number of new clients and the turnover produced by a sales employee.

According to the prevailing opinion in Germany, an employer allowing or tolerating the private use of the company’s e-mail system is treated as a provider of telecommunication services. In this capacity the employer is, inter alia, obliged to respect the secrecy (cf. Sec. 88 German Telecommunication Act) and integrity of telecommunication with regard to its employees’ private e-mails. Non-compliance with these obligations can even be subject to criminal sanctions according to Sec. 206 German Criminal Code.

As part of its obligation to manage the company in an orderly manner (cf. for example Sec. 43 Limited Liability Company Act), the company’s management is responsible for the initial implementation and the continued maintenance of adequate IT security within the company, especially in order to prevent new risks to the company’s operational reliability.

The so-called “Düsseldorf Group” made a decision this April regarding the legality of data transfers from Germany to companies in the U.S. that have agreed to the Safe Harbor Principles. This article will explain the consequences that this decision will have on the practice of data transfers.

The free trade agreement planned between the USA and Europe is in peril of falling apart amidst acute political displeasure and resentment, and looming disputes surrounding the global enforceability of future European data privacy mandates.

