The Basic Data Protection Regulation, the Bavarian Data Protection Act and the Federal Data Protection Act, as well as a large number of special legal regulations, aim to protect citizens from having their personal rights impaired by the processing of their personal data.
What is personal data?
Personal data is any information that relates to a natural person. This includes, for example, name, contact details, birthday and place of birth, school education, profession, hobby, consumer behavior, statements, assessments, pictures of a person, income, creditworthiness, financial circumstances of a person.
The so-called special categories of personal data are particularly protected. This includes information about racial and ethnic origin, political opinion, religious or ideological beliefs, trade union membership, genetic and biometric data to uniquely identify a person, health data or data about a natural person's sex life or sexual orientation.
When is your data protected?
Your data is always protected if it is processed in an automated or non-automated manner in a file system (i.e., also in card files or folders, for example). Only in the case of public bodies is unsystematically processed data also protected.
Data that is processed exclusively in the context of personal or family activities is not covered by the scope of the General Data Protection Regulation, the Bavarian Data Protection Act and the Federal Data Protection Act. However, the personal or family circle is exceeded if, for example, personal data is published on the Internet.
When is the processing of your data permitted?
Permission may result from a legal provision or your consent.
For example, the General Data Protection Regulation permits processing of your data in particular in the context of contractual relationships, e.g. employment, insurance or purchase contracts, insofar as the data processing is necessary for this purpose. This also applies to relationships similar to contracts, such as application procedures or association memberships. Processing of your data is also permitted if this is necessary to fulfill legal obligations (for example, for tax purposes).
Provided that your conflicting interests do not prevail, processing of your data, if not carried out by a public authority, is also permissible if there is a legitimate interest of the controller or a third party.
If the processing of your data is based on your consent, the controller must be able to prove that you have consented to the processing. Prior to this, you must be informed in clear and simple language of the purpose and nature of the processing of your data; further formal requirements result from the General Data Protection Regulation.
What rights do you have against the controller?
The entity that processes your data is referred to as thecontroller in the General Data Protection Regulation. You have the following rights vis-à-vis this controller:
- You must be fully informed when your data is collected, in particular about the purpose and nature of the intended processing.
- You are entitled to information about your data and the nature and circumstances of the processing carried out.
- You have the right to rectification if your data is stored incorrectly or incompletely.
- You have the right to have your data deleted if certain conditions are met, in particular if the storage is inadmissible.
- You have the right to restrict the processing of your data if certain conditions are met.
- If certain conditions are met, you have the right to object to the further processing of your data.
Who can you contact in the event of data protection violations?
- To the management of the responsible party, e.g. a commercial enterprise, a medical practice or an association. It is responsible for compliance with data protection law.
- The company data protection officer, who is also responsible for investigating complaints.
- To the works council, which is responsible for employee data privacy issues.
- To the data protection supervisory authority, which investigates complaints and monitors responsible bodies.
The data protection supervisory authority
Citizens can contact the relevant supervisory authorities free of charge and confidentially if they wish to complain about data protection issues or problems. The competent data protection supervisory authority checks compliance with data protection regulations.
The Bavarian State Office for Data Protection Supervision is the supervisory authority responsible throughout Bavaria for the non-public sector, i.e. the private sector, freelancers, associations and clubs.
The Bavarian State Commissioner for Data Protection at the state level or the Federal Commissioner for Data Protection and Freedom of Information at the federal level is responsible for monitoring public authorities and public institutions under data protection law.
In addition, there are areas that are not subject to state data protection supervision. In the area of the Catholic and Protestant churches, public broadcasting and the State Agency for New Media, including the private broadcasters it supervises, and for press companies, there are separate, area-specific supervisory authorities. An overview of the responsible data protection supervisory authorities can be found under "Further links".