Tasks and powers
The institution of the Federal Commissioner for Data Protection and Freedom of Information was established in 1978. On a proposal from the German Federal Government, the Federal Commissioner for Data Protection and Freedom of Information is elected without debate by the German Bundestag with more than half of the legal number of its members for a five-year term, renewable once.
As of 7 January 2019, Professor Ulrich Kelber is the Federal Commissioner for Data Protection and Freedom of Information. The Federal Commissioner is fully independent in the performance of his duties, and only subject to the law. With regard to the performance of his tasks, the Federal Commissioner, as an autonomous and independent supreme federal authority, is currently supported by around 270 staff members in Bonn and Berlin. The organisation and distribution of tasks can be found in the organisation chart.
As a supervisory authority at federal level, the Federal Commissioner has a special role to play in the enforcement of data protection law. The relevant statutory provisions can be found in Articles 51 to 59 of the GDPR (General Data Protection Regulation) and in Sections 8 to 19 of the BDSG (Federal Data Protection Act).
The tasks of the Federal Commissioner for Data Protection and Freedom of Information are specified in detail in Article 57 of the GDPR (General Data Protection Regulation) and in Section 14 of the BDSG (Federal Data Protection Act). These are the principle tasks:
- The monitoring and enforcement of the GDPR (General Data Protection Regulation) and the BDSG (Federal Data Protection Act) and other provisions relating to data protection law
- Raising awareness and education of the public concerning risks, rules, guarantees and rights in connection with the processing of personal data.
- The provision of advice to the German Bundestag and to the Bundesrat, to the Federal Government and other institutions and committees on legislative and administrative data protection measures
- Raising awareness and thus the provision of advice to data controllers in their area of responsibility concerning their obligations arising from the GDPR (General Data Protection Regulation), the BDSG (Federal Data Protection Act) and other provisions on data protection
- The handling of complaints from data subjects or complaints from data protection associations
- Cooperation with other supervisory authorities in Germany and Europe, the exchange of information and provision of mutual assistance
- The conduct of investigations and controls
- Contributions to the work of the European Data Protection Board
The BfDI (The Federal Commissioner for Data Protection and Freedom of Information) can also issue opinions to the German Bundestag or to any of its committees, to the Bundesrat, to the Federal Government, to other bodies and agencies and to the public. At the request of the German Bundestag, of one of its committees or of the Federal Government, the BfDI also examines any information about data protection related processes at public authorities of the Federal Government.
From 2018 onwards, the BfDI publishes an annual activity report informing about his work, in particular also about the sanctions and measures he has imposed. Activity reports - as well as any other information materials - can be ordered under publications. The activity reports and many other information materials are also available in electronic form.
According to Article 77 of the GDPR and/or - within the scope of the Data Protection Directive for Police and Criminal Justice Authorities - according to Section 60 of the BDSG, the citizens are entitled to lodge a complaint with the BfDI, if they believe that a body subject to the supervision of the BfDI has violated their rights. The exercising of this right is in principle free of charge.
It is also essential to control whether the legal provisions on data protection are implemented and complied with in order to ensure that data protection does not exist only on paper which is patient, as the saying goes. The Federal Commissioner controls all public authorities of the Federal Government, i.e. federal ministries, customs offices, the offices of the Federal Police, of the Federal Armed Forces, of the Waterways and Shipping Directorates and certain social security agencies (e.g. the employment agencies), the so-called joint institutions of the Federal Employment Agency and local authorities (Job Center), statutory health insurances, accident insurance funds or the German Statutory Pension Insurance Scheme (“Deutsche Rentenversicherung Bund”). In addition, the Federal Commissioner is competent for the supervision of data protection at telecommunications -and postal service companies in so far as they provide telecommunications- and/or postal services.
The Federal Commissioner for Data Protection and Freedom of Information has extensive investigative powers. All public authorities of the Federal Government, as well as providers of postal- or telecommunications services, are obliged to support him and his staff in the performance of their tasks. In particular, these authorities and providers have to
- answer his questions
- grant him access to all documents and files, in particular to stored data and data-processing programmes
- allow him access at all times to all premises
The Federal Commissioner also has access to documents which are subject to special secrecy (see Section 16 (3) BDSG); exceptions can be made on a case-by-case basis for such information which are subject to professional secrecy (cf. Section 29 (3) BDSG). He is entitled to carry out checks at any time, even without any concrete reason, regardless of whether the personal data have been processed in an automated way or in paper files.
The Federal Commissioner has the right of refusal to give testimony, thus he may also remain silent before the court and may withhold his documents from any third party. Citizens can confide in him without having to fear that anything will be disclosed to third parties.
If the Federal Commissioners identifies data breaches, there are a number of ways for him in which these infringements can be brought to an end. He may, among others:
- issue a warning to a controller or processor that intended processing operations are likely to violate data protection law
- admonish a controller or processor
- order the controller or the processor to comply with the data subject’s requests to exercise his/her rights granted under the data protection law
- instruct the controller or the processor to bring processing operations in line with data protection rules
- impose a temporary or permanent limitation on processing, including a prohibition
- order the rectification or erasure of personal data
- impose a fine
- suspend the data transfer to third countries
Within the scope of application of the GDPR, the Federal Commissioner can also issue binding orders and instructions to authorities and public bodies, so that he has significantly more effective means of enforcing data protection law when compared with the objections which were possible under the previous law. Of course the controllers may have the measures, which were taken by the BfDI, examined by the Administrative Court.
The BfDI can impose fines only on non-public entities (postal and telecommunications companies) which are subject to his supervision or on competitor companies of the Federal Government (e.g. Deka Bank or KfW Bank).
Cooperation of the Federal Commissioner for Data Protection and Freedom of Information with the Länder supervisory authorities in EU matters
In the cooperation and consistency mechanism as well as in all other EU matters and with regard to the work of the European Data Protection Board, the Federal Commissioner shall serve as the joint representative of the German Data Protection Authorities in the European Data Protection Board.
The Bundesrat shall elect the head of the supervisory authority of a Land to serve as the joint representative’s deputy. This means that the federal supervisory structure is well represented in all its facets also in Europe.
In support of the German data protection authorities in communicating with European partners, the Federal Commissioner is also the single contact point. This single contact point serves as a communication office between Germany and Europe and coordinates the joint decision-making process of the German supervisory authorities so that in the area of data protection, Germany is represented in Europe with one single strong voice.