Tasks and Powers

• Tasks
• Activity reports
• Complaints
• Controls
• Powers
• Cooperation of the Federal Commissioner for Data Protection and Freedom of Information with the Länder supervisory authorities in EU matters

Since 7 January 2019, Prof. Ulrich Kelber is the Federal Commissioner for Data Protection and Freedom of Information. The Federal Commissioner is fully independent in the performance of his duties, and only subject to the law. With regard to the performance of his tasks, the Federal Commissioner, as an autonomous and independent supreme federal authority, is currently supported by around 190 staff members in Bonn and Berlin. The organisation and distribution of tasks can be found in the organisation chart.

By setting up the Federal Commissioner for Data Protection and Freedom of Information, the German Bundestag has established an institution that informs it in an impartial and competent manner about any developments in the field of data protection and points out issues in whose development the Bundestag should intervene through laws or other measures.

In addition, the Federal Commissioner, as supervisory body, has a special role to play in the enforcement of data protection legislation at federal level. The relevant legal provisions can be found in Articles 51 to 59 of the GDPR and in Sections 8 to 19 BDSG.

Tasks

The tasks of the Federal Commissioner for Data Protection and Freedom of Information are specified in detail in Article 57 of the GDPR and in Section 14 BDSG. These are the principle tasks:

• The monitoring and enforcement of the GDPR and the BDSG and other provisions relating to data protection law
• Raising awareness and education of the public concerning the risks, rules, guarantees and rights in connection with the processing of personal data.
• The provision of advice to the German Bundestag and to the Bundesrat, to the Federal Government and other institutions and committees on legislative and administrative data protection measures
• Raising awareness and thus the provision of advice to data controllers in their area of responsibility concerning their obligations arising from the GDPR, the BDSG and other provisions on data protection
• The handling of complaints from data subjects or complaints from data protection associations
• Cooperation with other supervisory authorities in Germany and Europe, the exchange of information and provision of  mutual assistance
• The conduct of investigations and controls
• Contributions to the work of the European Data Protection Board.

The BfDI can also issue opinions to the German Bundestag or to any of its committees, to the Bundesrat, to the Federal Government, to other bodies and agencies and to the public. At the request of the German Bundestag, of one of its committees or of the Federal Government, the BfDI also examines any information about data protection related processes at public authorities of the Federal Government.

Activity reports

From 2018 onwards, the BfDI publishes an annual activity report informing about her work, in particular also about the sanctions and measures she has imposed. Activity reports can be ordered in the Infotheque as well as any other information materials. The activity reports and many other information materials are also available in electronic form in the Infotheque.

Complaints

According to Article 77 of the GDPR or - within the scope of the Law Enforcement Directive - according to Section 60 BDSG, the citizens are entitled to lodge a complaint with the BfDI, if they believe that a body subject to the supervision of the BfDI has violated their rights. The exercising of this right is in principle free of charge.

Controls

It is also essential to control whether the legal provisions on data protection are implemented and complied with in order to ensure that data protection does not exist only on paper which is patient, as the saying goes. The Federal Commissioner controls all public authorities of the Federal Government, i.e. federal ministries, customs offices, the offices of the Federal Police, of the Federal Armed Forces, of the Waterways and Shipping Directorates and certain social security agencies (e.g. the employment agencies), the so-called joint institutions of the  Federal Employment Agency and local authorities (job centres), statutory health insurances, accident insurance funds or the  German Statutory Pension Insurance Scheme (“Deutsche Rentenversicherung Bund”).  In addition, the Federal Commissioner is competent for the supervision of data protection at telecommunications -and postal service companies in so far as they provide telecommunications- and/or postal services.

Powers

The Federal Commissioner for Data Protection and Freedom of Information has extensive investigative powers. All public authorities of the Federal Government, as well as providers of postal- or telecommunications services, are obliged to support him and his staff in the performance of their tasks. In particular, these authorities and providers have to

• answer his questions
• grant her access to all documents and files, in particular to the stored data and the data-processing programmes
• allow him access at all times to all premises

The Federal Commissioner also has access to documents which are subject to special secrecy (see Section 16 (3) BDSG); exceptions can be made on a case-by-case basis for such information which are subject to professional secrecy (cf. Section 29 (3) BDSG). He is entitled to carry out checks at any time, even without any concrete reason, regardless of whether the personal data have been processed in an automated way or in paper files.

The Federal Commissioner has the right of refusal to give testimony, thus he may also remain silent before the court and may withhold his documents from any third party. Citizens can confide in him without having to fear that anything will be disclosed to third parties.

If the Federal Commissioners identifies data breaches, there are a number of ways for him in which these infringements can be brought to an end. He may, among others:

• issue a warning to a controller or processor that intended processing operations are likely to violate data protection law
• admonish a controller or processor
• order the controller or the processor to comply with the data subject’s requests to exercise his/her rights granted under the Data Protection Law
• instruct the controller or the processor to bring processing operations in line with data protection rules
• impose a temporary or permanent limitation on processing, including a prohibition
• order the rectification or erasure of personal data
• impose a fine
• suspend the data transfer to third countries.

The BfDI can also issue binding orders and instructions to authorities and public bodies, so that he has much more effective means of enforcing data protection law when compared with the objections which were possible under the previous law. Of course the controllers may have the measures, which were taken by the BfDI, examined by the Administrative Court.

The BfDI can impose fines only on non-public entities (postal and telecommunications companies) which are subject to his supervision or on competitor companies of the Federal Government (e.g. Deka Bank or KfW Bank).

Cooperation of the Federal Commissioner for Data Protection and Freedom of Information with the Länder supervisory authorities in EU matters

In the cooperation and consistency mechanism as well as in all other EU matters and with regard to the work of the European Data Protection Board, the BfDI shall serve as the joint representative of the German Data Protection Authorities in the European Data Protection Board.

The Bundesrat shall elect the head of the supervisory authority of a Land to serve as the joint representative’s deputy. This means that the federal supervisory structure is well represented in all its facets also in Europe.

In support of the German data protection authorities in communicating with European partners, the BfDI is also the single contact point.  This single contact point serves as a communication office between Germany and Europe and coordinates the joint decision-making process of the German supervisory authorities so that in the area of data protection, Germany is represented in Europe with one single strong voice.