German Federal DPA

Updated by Christian Brown on Oct 06, 2016
Article Code: kb/361


![German Flag](/knowledge-base/images/german flag.png)

Among EU member states, Germany has one of the strictest privacy regimes. Each EU member state is required to have its own comprehensive privacy laws protecting individual rights against information collection and processing by government and private entities.

The Bundesdatenschutzgesetz (BDSG) is Germany’s Federal Data Protection Act. It was enacted in 1970 and later amended in 1990 and 2009 as the use of information technology grew, creating and then expanding the regulatory framework that protects and safeguards the use of personal data.

Lumen maintains a standard operating MSA and Annex that clearly identify scope, responsibilities and obligations, enabling Lumen cloud customers to remain in BDSG compliance. Lumen ensures that the required technical and organizational measures are adhered to in order to protect personal data against misuse and loss, in accordance with the requirements of the BDSG.

Customers contracting with Lumen that are either a German company or the German branch of a multinational company must acknowledge and agree that, as the data controller, they are solely responsible for the lawfulness of the data processing and for compliance with the mandatory provisions of the German Data Protection Act.

As the data controller, customers are required to execute a Data Protection Agreement. The DPA can be downloaded here. Once complete, return an executed copy to Lumen. Customers must include an email or postal address to which Lumen can return a counter-signed copy.

To whom do the laws apply?

The Federal Data Protection Act (BDSG) addresses the processing of personal data by public authorities and private bodies. State data protection laws apply to data processing carried out by public authorities or state-level public bodies.

German data protection law distinguishes between:

  • Data controller - Any person or body collecting, processing or using personal data on its own behalf, or commissioning others to do so. The data controller is responsible for data protection compliance.

  • Data processor - Any person or body processing the data on behalf of the data controller. Responsibility for compliance with data protection provisions nevertheless remains with the data controller.

What data is regulated?

The Federal Data Protection Act (BDSG) applies to the processing of personal data. Personal data is defined as "any information concerning the personal or material circumstances of an identified or identifiable individual".

What acts are regulated?

The Federal Data Protection Act (BDSG) applies to any collection, use or processing of personal data.

  • "Collection" means the acquisition of data on the data subject.

  • "Processing" means the storage, modification, transfer, blocking, and erasure of personal data.

  • "Use" means any utilization of personal data other than processing.

What is the jurisdictional scope of the rules?

The Federal Data Protection Act (BDSG) covers cases where:

  • The data controller is located in Germany and the processing is carried out in Germany or within the EU.

  • The data controller is located in another EU member state but the collection, processing, or use of personal data is carried out by a branch in Germany.

  • The data controller is not located in an EU member state but collects, processes or uses personal data in Germany.

What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

Under the Federal Data Protection Act (BDSG), the data processor can collect, process, or use data only as instructed by the data controller. The responsibility for compliance with data protection provisions remains with the data controller.

Commissioned data processing must be agreed in writing, specifying the collection, processing and use of the data, the technical and organizational measures to be applied, and any right of the processor to engage subcontractors.

The data controller must verify compliance with any technical and organizational measures undertaken by the processor before the data processing begins and regularly afterwards. The results must be documented.