

III. Privacy topics

Internet & Consumer Privacy

On 29 April 2010, the Düsseldorfer Kreis, an informal group of German federal state data protection authorities, published a decision[1] clarifying some due diligence responsibilities for German companies that export personal data to US companies that have self-certified under the EU-US "Safe Harbour" Agreement.[2] One of the due diligence requirements is for German companies exporting personal data to the United States to check whether the US data importer does indeed comply with the Safe Harbor Framework.[3]

On December 1, 2010, the Minister of Interior Thomas de Maizière presented a draft law intended to improve data protection and the protection of individual rights from serious infringements on the Internet.[4] The draft law proposes to regulate individual profiling for which personal data from online services has been collected and combined for commercial purposes, and to define a “red line” which would require the express and informed consent of the person concerned.


Direct marketing issues are addressed by Section 7 of the German Unfair Competition Act.[5] According to its general clause, it is unfair to annoy market players, e.g., consumers, inappropriately. By default this applies to clearly unwanted advertisements, unsolicited commercial phone calls, marketing methods making use of automated calling machines, fax machines or e-mail (spam) without prior consent, and any direct marketing that cannot be linked back to the sender's identity. Direct marketing via e-mail is not prohibited as spam under the conditions that (1) an organization has received the e-mail address in the context of selling goods or services to the customer; (2) the organization uses the e-mail contact for marketing of very similar products and services; (3) the customer has not opposed the use of his e-mail for further direct marketing; and (4) the organization, at the time of the collection and at each usage of the e-mail address, clearly sets out the right to opt out from direct marketing via e-mail. Cold calling of consumers is a violation of Unfair Competition Law[6] and, since 2009, a misdemeanor that is punishable by a fine up to 50.000 EUR.

The Telemedia Act (TMG) was passed in March 2007, and applies to all electronic information and communications services which are not merely concerned with the conveyance of signals.[7] Telemedia service providers must inform users about the "character, extent and reason" of the collection and processing of user-related data. Service providers are required under the TMG to produce user data, such as user names or addresses, upon request of the German secret services. Further, user data may be demanded if necessary for the enforcement of intellectual property rights.[8]

Online social networks and virtual communities

In mid-2010, Hamburg’s Data Protection Commissioner launched an investigation against Facebook and its Friend Finder application, which provides for the synchronization of email and mobile phone address books.[9] In a nutshell, the practice of processing entries containing personal data of people who don't use the respective social networking site was scrutinized in the light of the applicable German data protection legislation. On January 22, 2011, Facebook made concessions which address the privacy concerns by giving every Facebook member transparent control over the addresses he or she imports into the network and to whom invitations to join the social network will be sent.[10] It is unclear whether the changes will be introduced only for the German Facebook services or across the platform.

Online youth safety

Children and youth data protection is not separately regulated; instead, the general data protection framework applies. Many initiatives concentrate on awareness raising and empowerment of young Internet users.[11] Certain social network sites operating in Germany, such as Facebook and VZNet, have signed the EU Safer Social Networking Principles, which aim at enhancing the protection of child users on these platforms.[12]

Territorial privacy

Workplace Privacy

New employee data protection rules have been discussed since 2008. A first article (§ 32, Beschäftigtendatenschutz, Employee Data Protection Rules) was added to the BDSG in 2009. A more detailed draft of the Employee Data Protection Rules was adopted in August 2010 by the Cabinet of Ministers, but the Parliament has not adopted it yet.[13]

Article 19 of the Genetic Diagnostic Law (Gendiagnostikgesetz) bans the request of genetic examinations or the use of results from genetic examinations before or during employment relationships.[14]

The Federal Labour Court (Bundesarbeitsgericht) ruled that the use of biometrics at entrance controls of workplaces is subject to compulsory employee participation (Mitbestimmung) and thus only legal after approval of the respective workers’ council or arbitration board.[15] Importantly, this also applies if the biometric system is placed at the premises of a third party (e.g. the customer of a service company), when the employer instructs his/her employees to use the system.

Health & Genetic Privacy

Health privacy

Since 2005, gematik, a joint venture of doctors’, hospitals’, pharmacies’ and health insurers’ associations, has been responsible for the development and introduction of the electronic health card (elektronischen Gesundheitskarte, eGK) and supporting infrastructure in Germany.[16] In November 2009, the Federal Ministry of Health put the roll-out of the electronic health card temporarily on hold because of data security concerns raised mainly by doctors.[17] The new priorities are a secure patient data management system and a voluntary option to store emergency data; other applications have to prove their utility, practicability and security.

Genetic privacy

In April 1998, a law was passed that allows the Bundeskriminalamt (Federal Police) to run a nationwide database of genetic profiles related to criminal investigations and convicted offenders.[18]

In 2009, the German Parliament passed the Genetic Diagnostic Law (Gendiagnostikgesetz), which covers genetic examinations for medical purposes, clarifications of parentage and descent, as well as genetic examinations in the insurance and employment sector.[19] The law is founded on the principle of informational self-determination, which also comprises the right not to know. Article 18 concerns genetic examinations and the use of their results in the insurance sector, which is unlawful with a few exceptions. Article 19 of the law bans the request of genetic examinations or the use of results from genetic examinations before or during employment relationships.

Financial Privacy

In Germany, financial privacy (so-called Bankgeheimnis) is not specifically codified but is acknowledged as customary law. Banks and other financial institutions have a duty of confidentiality about the financial affairs of their customers. In 2002, new legislation imposed an obligation on banks and financial institutions to set up a new database which allows for automated access to customer information by the competent financial supervisory authority, the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin).[20] German authorities have acquired datasets revealing German citizens' bank account information abroad, in particular at banks in Liechtenstein and Switzerland (so-called “Steuersünder-CDs”). According to a decision of the Federal Constitutional Court (Bundesverfassungsgericht), the use of these personal data for law enforcement is permissible even if the acquisition has not been lawful.[21]