Germany - Data Breach Guide

Germany

1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?

The General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) obliges controllers to notify affected individuals and the competent data protection authority in the event of a personal data breach which is likely to result in a risk or high risk to the rights and freedoms of natural persons (Articles 33 and 34 GDPR). In addition to the obligations pursuant to Articles 33 and 34 GDPR, sector specific legislation additionally governs notification obligations, such as for example under telecommunications law for providers of publicly available telecommunications services.

1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

1.2.1 Obligations under the GDPR

(a) Obligations of controllers

Pursuant to Article 33 (1) GDPR, controllers have to notify every personal data breach to the competent data protection authority unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Article 4 no. 12 GDPR defines a "personal data breach" as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The GDPR's notification obligations only apply where there is a breach of personal data, however irrespective of the affected type of personal data.

In addition, the controller has to notify affected data subjects when the breach is likely to result in a high risk to the rights and freedoms of natural persons, Article 34 (1) GDPR. A communication to the affected data subjects is not required if any of the following conditions are met:

1. The controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.
2. The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.
3. It would involve disproportionate effect. In such a case, there should instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

When assessing the risks for the rights and freedoms of natural persons, the controller should consider, inter alia, (i) the type of breach, (ii) the nature, sensitivity, and volume of personal data affected, (iii) the ease of identification of individuals, (iv) the severity of consequences for individuals, (v) potential special characteristics of the individual or the controller and (vi) the number of affected individuals.

For example, it is not necessary to notify the authority or the affected individuals of the loss of a securely encrypted mobile device or of the disclosure of data, if the data were already publicly available, and where such disclosure does not put the individual at further risk.

A high risk for the affected individuals exists if the breach may lead to physical, material or non-material damage. For example, such high risk is given in cases of discrimination, identity theft or fraud, or if the breach involves special categories of data, such as e.g. health data.

It should further be considered that pursuant to Article 34 (4) GDPR, the authority may also demand that the controller notifies the affected individuals.

In addition to the notification obligations, controllers are obliged to document breaches pursuant to Article 33 (5) GDPR, including facts relating to the breach, its effects and the remedial action taken.

(b) Obligations of processors

Pursuant to Article 33 (2) GDPR, processors have to notify the controller without undue delay after becoming aware of a personal data breach. The notification obligation also applies irrespective of the affected type of personal data. In addition to its own notification obligation towards the controller, and considering the mandatory conclusion of a data processing agreement between controller and processor, the processor is obliged to assist the controller with its notification obligations towards authorities and affected individuals, according to Article 28 (3) lit. f) GDPR.

1.2.2 Sector specific notification obligations

(a) Providers of publicly available telecommunications services

Pursuant to § 109a (1) German Telecommunications Act (Telekommunikationsgesetz, TKG), providers of publicly available telecommunications services must, in the event of a breach of personal data, immediately notify (i) the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway (Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen, BNetzA) and (ii) the Federal Commissioner for Data Protection and Freedom of Information (Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, BfDI) of the violation. If the breach is likely to seriously impair the rights or interests of subscribers or other persons, the telecommunications services provider must also notify the affected persons.

Within the meaning of the TKG, personal data breach means a breach of data security resulting in loss, unlawful destruction, alteration, storage, disclosure or other unlawful use of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of publicly available telecommunications services, § 3 no. 30a TKG.

In cases in which the provider's security concept has proven that the personal data affected by the breach have been secured by suitable technical measures, in particular by using an encryption method recognised as secure, a notification is not required.

The Commission Regulation (EU) No 611/2013 ("Regulation 611/2013") contains further details on the notification obligation.

(b) Trust service providers

Electronic identification and trust service providers such as e.g. providers of electronic signatures, seals, time stamps and authentication certificates, are subject to notification obligations under the German Trust Services Act (Vertrauensdienstegesetz, VDG) and the German Trust Services Ordinance (Vertrauensdiensteverordnung, VDV). These acts transpose Regulation (EU) no 910/2014 ("eIDAS Regulation") into German law.

Pursuant to Article 19 (2) eIDAS Regulation, a reportable breach is any breach of security or loss of integrity that has a significant impact on a trust service provided or on the personal data maintained therein.

According to § 2 (3) VDG in connection with Article 19 (2) eIDAS Regulation, a breach must be reported to the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI).

Where the breach of security or loss of integrity is likely to adversely affect a natural or legal person to whom the trusted service has been provided, the trust service provider shall also notify the natural or legal person of the breach of security or loss of integrity without undue delay, Article 19 (2) eIDAS Regulation.

(c) Operators of essential services and providers of digital services

Pursuant to § 8b (4) of the German Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, BSI-Gesetz, BSIG), operators of essential services, i.e. certain services in the sectors energy, IT and telecommunications, transport and traffic, health, water, food, finance and insurance, must report an incident if one of the following criteria apply to the incident/disruption:

• Disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes, that have led to a failure or significant impairment of the functionality of the critical infrastructure.
• Significant disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes, which may lead to a failure or significant impairment of the functionality of the critical infrastructures.

The BSI has issued FAQ on the specifics of the notification obligation.

Providers of digital services (i.e. online marketplaces, online search engines and cloud computing providers) must also report any security incident which has a significant impact on the provision of a digital service provided by them within the EU to the BSI, § 8c (3) BSIG. The BSI has issued FAQ on the specifics of the notification obligation.

Personal data does not have to be affected to trigger the notification requirements under the BSIG. However, where an incident involves personal data, the notification requirements under the BSIG and the GDPR apply simultaneously.

1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?

1.3.1 Notification under the GDPR

(a) Content of the notice

Pursuant to Article 33 (3) GDPR, the notification to the data protection authority shall include the following information:

• A description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• The name and contact details of the data protection officer or other contact point where more information ca be obtained;
• The likely consequences of the personal data breach;
• The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible effects.

The notification to data subjects shall include the following information in clear and plain language according to Article 34 (2) GDPR:

• The name and contact details of the data protection officer or other contact point where more information can be obtained;
• The likely consequences of the personal data breach;
• The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible effects.

(b) Time period for the notice

Article 33 (1) GDPR stipulates that the controller must notify the data protection authority without undue delay, not later than 72 hours after having become aware of the data breach. Where the notification to the authority is not made within 72 hours, it shall be accompanied by the reasons for the delay. The controller may also, if it is not possible to provide the information at the same time, provide the information in phases without undue further delay, Article 33 (4) GDPR. In addition, the controller must communicate the data breach to the data subjects without undue delay, Article 34 (1) GDPR.

The processor shall notify the controller of a data breach without undue delay, Article 33 (2) GDPR.

(c) Method of giving notice

There are no mandatory requirements for the method of notifying the data protection authority and the controller can thus notify the authority by email. However, most of the 16 federal states' data protection authorities provide online forms for data breach notifications:

• Baden-Wuerttemberg
• Bavaria
• Berlin
• Bremen
• Hamburg
• Hesse
• Mecklenburg-Western Pomerania
• Lower Saxony
• North Rhine-Westphalia
• Rhineland-Palatinate
• Saarland
• Saxony
• Saxony-Anhalt
• Schleswig-Holstein
• Thuringia

For the notification of the affected individuals, the controller must notify them in clear and plain language. As regards the communication channel, the controller may for example use means of (i) direct messaging (e.g. email or SMS), (ii) prominent website banners, (iii) postal communications or (iv) prominent advertisements in print media.

1.3.2 Notifications under sector specific law

(a) Notification under the TKG

(i) Content of the notice

Pursuant to § 109a (2) TKG, the notification to the affected individuals must at least contain the following details:

1. the type of the breach of personal data,

2. details on points of contact, where more information are available, and

3. recommendations on measures which may mitigate potential negative effects of the breach of personal data.

The notification to the authorities must contain the mentioned information and additionally outline the consequences of the breach of personal data and the envisaged or implemented measures, § 109a (2) s. 2 TKG.

In addition, pursuant to § 109a (3) TKG, providers must keep records of breaches of personal data.

Regulation 611/2013 contains further details on the content of the notification.

(ii) Time period for the notice

Pursuant to § 109a (1) TKG, both the authorities and the affected individuals must be notified without undue delay.

In accordance with Article 2 (3) of Regulation 611/2013 it may be permissible for the provider to make a first notification within 24 hours and a second notification within three days following the initial notification, if not all information are immediately available and further investigation of the breach is necessary.

The notification to the subscribers or affected individuals shall be made without undue delay after the detection of the personal data breach, Article 3 (2) of Regulation 611/2013. Pursuant to Article 3 (5) of Regulation 611/2013, in exceptional circumstances, where the notification to the subscriber or individual may put at risk the proper investigation of the personal data breach, the provider shall be permitted, after having obtained the agreement of the competent national authority, to delay the notification to the subscriber or individual until such time as the competent national authority deems it possible to notify the personal data breach in accordance with Article 3 of Regulation 611/2013.

(iii) Method of giving notice

The provider must notify (i) the BNetzA and (ii) the BfDI. The authorities provide a form which providers can use for the notification of both authorities.

If the notification obligation pursuant to Article 33 GDPR applies to the provider of a publicly available telecommunications service (and the requirements of § 109a TKG are not fulfilled), the provider (only) has to notify the BfDI, § 115 (4) TKG.

Pursuant to Article 3 (6) of Regulation 611/2013, the provider shall notify the subscriber or individual of the personal data breach by means of communication that ensure prompt receipt of information and that are appropriately secured according to the state of the art. The information about the breach shall be dedicated to the breach and not associated with information about another topic. If the provider is unable to identify all individuals who are likely to be adversely affected by the personal data breach, the provider may notify those individuals through advertisements in major national or regional media.

(b) Notification under the VDG

(i) Content of the notice

The VDG does not set out any requirements for the breach notification. However, the breach notification should include at least the following information:

• a description of the incident;
• how long the incident lasted for;
• what percentage of subscribers were / are affected; and
• the point in time it took place.

(ii)Time period for the notice

The notification must be submitted without undue delay but in any event within 24 hours, Article 19 (2) eIDAS Regulation.

(iii) Method of giving notice

There is no specific eIDAS breach notification form. The BSI as the competent authority can be notified by email.

(c) Notification under the BSIG

(i) Content of the notice

Pursuant to §§ 8b (4), 8c (3) BSIG, the notification shall contain information on the incident, possible cross-border effects and the technical environment, in particular the presumed or actual cause, the information technology involved, the type of facility or installation concerned, the critical service provided and the effects of the incident on that service. The operator shall only be required to be named if the malfunction has actually led to a failure or impairment of the critical infrastructure.

(ii) Time period for the notice

The notifications must be made without undue delay, §§ 8b (4), 8c (3) BSIG.

(iii) Method of giving notice

The BSI provides a form for the notification by operators of essential services, in accordance with § 8b (4) BSIG. For digital service providers who have to report a breach pursuant to § 8c (3) BSIG, the BSI provides a form as well.

1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?

1.4.1 Fines and risks under the GDPR

The data protection authorities may levy administrative fines of up to EUR 10,000,000, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83 (4) lit. a) GDPR). According to Article 58 (2) GDPR, the authorities may additionally impose other sanctions such as for example a ban of processing. Both controller and processor may be fined in the event that they violate their notification obligations.

In addition, affected data subjects may claim compensation for material or non-material damages because of the data breach, in accordance with Article 82 (1) GDPR.

1.4.2 Fines and risks under sector specific law

(a) Fines under the TKG

The authority may levy a fine of up to EUR 100,000 pursuant to § 149 (1) no. 21b., (2) no. 4 TKG, if the provider does not issue a notification at all, not correctly, not entirely, or not in time.

(b) Fines under the VDG

In case a trust service provider fails to notify the BSI or an affected individual of a breach in accordance with the eIDAS Regulation and the VDG, either by not issuing a notification at all, not issuing the notification correctly or not issuing the notification in time, the supervisory authorities may impose a fine of up to EUR 20,000, pursuant to § 19 (2) and (3) VDG.

(c) Fines under the BSIG

Pursuant to § 14 (1) no. 4, no. 6, and (2) BSIG, any provider who fails to notify the authority or fails to do so correctly, completely or in a timely manner, may be subject to a fine of up to EUR 50,000.

1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?

Not applicable.

1.6 What are the applicable (data protection) laws or guidelines within your country?

• General Data Protection Regulation (Regulation (EU) 2016/679, GDPR)
• Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), as last amended by Article 12 of the Second Act to Adapt the Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680 of 20 November 2019 (Zweites Gesetz zur Anpassung des Datenschutzrechts an die Verordnung (EU) 2016/679 und zur Umsetzung der Richtlinie (EU) 2016/680 (Zweites Datenschutz-Anpassungs- und Umsetzungsgesetz EU – 2. DSAnpUG-EU))
• Each German federal state has its own data protection law for the processing of personal data by the authorities of the German federal states (Landesdatenschutzgesetze, LDSG)
• German Telecommunications Act (Telekommunikationsgesetz, TKG)
• Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications, ePrivacy Directive)
• Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (Regulation 611/2013)
• Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS Regulation)
• German Trust Service Act (Vertrauensdienstegesetz, VDG)
• German Trust Service Ordinance (Vertrauensdiensteverordnung, VDV)
• Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, BSIG)
• Regulation on the determination of critical infrastructures according to the BSIG (Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSIG, BSI-KritisV)
• Article 29 Data Protection Working Party, WP 250,"Guidelines on Personal data breach notification under Regulation 2016/679", adopted on 3 October 2017, as last revised and adopted on 6 February 2018.
• Guidelines of the German data protection conference (Datenschutzkonferenz, DSK) on "Risk to the rights and freedoms of natural persons".

1.7 Contact information for the local Data Protection Authority:

1.7.1 Data Protection Authorities

Each German federal state has a data protection authority which is responsible for the enforcement of data protection laws for the non-public sector. The competent authority has to be determined on a case-by-case basis considering the place of business of the respective company.

Please find the contact details for all 16 federal states' data protection authorities here:

• Baden-Wuerttemberg
• Bavaria
• Berlin
• Brandenburg
• Bremen
• Hamburg
• Hesse
• Mecklenburg-Western Pomerania
• Lower Saxony
• North Rhine-Westphalia
• Rhineland-Palatinate
• Saarland
• Saxony
• Saxony-Anhalt
• Schleswig-Holstein
• Thuringia

In addition, the Federal Commissioner for Data Protection and Freedom of Information (Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, BfDI) monitors and enforces the GDPR, the BDSG and other provisions relating to data protection law. It is the competent authority for certain private sector industries (see above):

1.7.2 The competent information security authority is the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI):

1.1.1 For sector specific notification obligations, such as the telecommunications sector, the competent authority is the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway (Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen, BNetzA):

For more information, contact: