Personal rights

Privacy in the digital age

In the last years the number of subtle and professional hacking attacks on websites all over the world increased enormously. As a result of these attacks, millions of data records with personal data of citizen were stolen and in some parts even published to expose the victims. Privacy scandals in this dimension show how important data protection really is - also in public interest. In many cases insufficient security arrangements of organisations are the crucial factor for such incidents. Almost certainly is the fact that every person was already concerned of such a data theft, because leading telecommunication provider, social networks, auction sites or online-gaming plattforms have been some targets. Against overwhelming odds the affected persons were informed, as the companies mostly never inform their customers about such incidents oder they do not even recognize hacking attacks.

Everyone should be aware of the fact that there is a threat for our personal data and our digital identity every day - although we can't see, hear or feel it. Responsible dealing with own personal data is important - but also important is to take time to get familiar with the basics of data protection. Privacy statements and texts of consent are nearly everywhere - e.g. at the doctor, in the online-shop or during the installation of a mobile app. But only the one who is reading and understanding these information texts can know at all, what's happing with his or her personal data while using a service. Therefore we provide a short summary of the most essential rules of the General Data Protection Act of Germany (BDSG) in the following sections. Detailed information can be found in our info sheet Data protection in the private sector - an overview.

Right to obtain information

Each citizen has the right to be informed from entities of the private sector on stored data concerning him or her and the origin of this data. Furthermore he or she shall be provided with information on the recipients or the categories of recipients to whom the data concerning him or her are transmitted and the purpose of storage. This right is defined in § 34 of the German Federal Data Protection Act unless there are specific rules (e.g. for specific social data).

You can use the following templates from the BayLDA to assert your right to be informed:

Correction, blocking and erasure of data

Incorrect personal data shall be corrected. Personal data are to be erased if their storage is inadmissible or knowledge is no longer required for the performance of the controllers duties. Instead of erasure personal data shall be blocked as far as retention periods prescribed by law, statues or contracts rule out any erasure, there is reason to assume that erasure would impair legitimate interests of the data subject or erasure is not possible or is only possible with disproportionate effort due to the specific type of storage. Furthermore personal data shall be blocked if neither their correctness nor their incorrectness is detectable. Blocked data must not be used or transmitted disregarding a few exceptional cases.

The rights of correcting, blocking and erasure are defined in § 35 of the German Federal Data Protection Act.

Prior consenting

In data protection law as a basic principal a proscription with reservation of authorisation is necessary. That means that the German Federal Data Protection Act proscribes every collection, treatment and use of personal data unless it is permitted or disposed by the German Federal Data Protection Act or another law or the data subject has consented to it.

The prior consenting generally requires written form. The entity processing the personal data has to give information about the purpose of collection, treatment and use of the personal data before the data subject consents to it.

Right of rescission and objection

An once issued prior consenting may be cancelled at any time. In the scope of application of German Teleservices Act the user has to be informed about his right of rescission before consenting in processing his data. You can often find those terms on websites when you sign in for a service or for newsletters. There's also a right of rescission and objection in terms of advertising. Personal advertising is legal with a prior consenting of the recipient. This prior consenting may be cancelled at any time. Furthermore personal advertising is legal without a prior consenting within the scope of a business relationship in compliance with law. In case of objection advertising is no longer legal. In the info sheet "Advertising - use of data for personal advertising" you can find further information about legitimacy of personal advertising.

You can use the following template to object advertising:


If it seems you're infringed on your right by collecting, treating or using your personal data you can complain to the responsible Data Protection Authority. It will go into the matter and will give you information about the result of the complaint. For privacy complaints about Bavarian entities the Bavarian State Authority of Data Protection enables you to file your complaint with an online from.

Where do you get help in case of a data protection violation?

  • You can reach out to the management of the controller, by contacting the company, the doctor's office or the association, etc. The management is responsible for applying data protection laws.
  • You can contact the data protection officer of the controller. As the so called data protection official this person is responsible for controlling data processing and for dealing with complaints.
  • You can get in touch with the works council. This organization is representing workers and it is dealing with employment data protection.
  • Furthermore, you can contact the Data Protection Authority. This authority is handling complaints and it is supervising controllers.