Act on the Protection of Personal Data Used in Teleservices (Gesetz über den Datenschutz bei Telediensten)
Federal Law Gazette (Bundesgesetzblatt) 1997 I 1871
Note: The Teleservices Data Protection Act was enacted as Art. 2 of the Information and Communication Services Act (Informations- und Kommunikationsdienstegesetz), Bundesgesetzblatt 1997 I 1870.
Table of Contents
§ 1 Scope
§ 2 Definitions
§ 3 Principles for the processing of personal data
§ 4 Obligations of the provider
§ 5 Contractual data
§ 6 Utilization and accounting data
§ 7 User’s right to information
§ 8 Control
§ 1 Scope
(1) The following provisions shall apply to the protection of personal data used in teleservices within the meaning of the Teleservices Act.
(2) Unless otherwise provided in this Act, the relevant provisions concerning the protection of personal data shall be applicable even if the data are not processed or used in data files.
§ 2 Definitions
For the purposes of this Act
1. the term “providers” means natural or legal persons or associations of persons who make available teleservices or who provide access to the use of teleservices,
2. the term “users” means natural or legal persons or associations of persons requesting teleservices.
§ 3 Principles for the processing of personal data
(1) Personal data may be collected, processed and used by providers for performing teleservices only if permitted by this Act or some other regulation or if the user has given his consent.
(2) The provider may use the data collected for performing teleservices for other purposes only if permitted by this Act or some other regulation or if the user has given his consent.
(3) The provider shall not make the rendering of teleservices conditional upon the consent of the user to the effect that his data may be processed or used for other purposes if other access to these teleservices is not or not reasonably provided to the user.
(4) The design and selection of technical devices to be used for teleservices shall be oriented to the goal of collecting, processing and using either no personal data at all or as few data as possible.
(5) The user shall be informed about the type, scope, place and purposes of collection, processing and use of his personal data. In case of automated processing, which permits subsequent identification of the user and which prepares the collection, processing or use of personal data, the user shall be informed prior to the beginning of the procedure. The content of such information shall be accessible to the user at any time. The user may waive such information. A record shall be made of the information and the waiver. The waiver shall not constitute consent within the meaning of § 3 (1) and (2).
(6) Before giving his consent, the user shall be informed about his right to withdraw his consent at any time with effect for the future. Sentence 3 of § 3 (5) shall apply mutatis mutandis.
(7) Consent can also be declared electronically if the provider ensures that
1. such consent can be given only through an unambiguous and deliberate act by the user,
2. consent cannot be modified without detection,
3. the creator can be identified,
4. the consent is recorded and
5. the text of the consent can be obtained by the user on request at any time.
§ 4 Obligations of the provider
(1) The provider shall offer the user anonymous use and payment of teleservices or use and payment under a pseudonym to the extent technically feasible and reasonable. The user shall be informed about these options.
(2) The provider shall take technical and organizational precautions to ensure that
1. the user can break off his connection with the provider at any time,
2. the personal data generated in connection with the process of requesting, accessing or otherwise using teleservices are erased immediately upon conclusion of the procedure unless further storage is required for accounting purposes,
3. the user is protected against third parties obtaining knowledge of his use of teleservices,
4. personal data relating to the use of several teleservices by one user are processed separately; a combination of such data is not permitted unless it is necessary for accounting purposes.
(3) The user shall be notified of any reforwarding to another provider.
(4) User profiles are permissible under the condition that pseudonyms are used. Profiles retrievable under pseudonyms shall not be combined with data relating to the bearer of the pseudonym.
§ 5 Contractual data
(1) The provider may collect, process and use the personal data of a user to the extent that the data are required for concluding with him a contract on the use of teleservices and for determining or modifying the terms of such contract (contractual data).
(2) Processing and use of contractual data for the purpose of advising, advertising, market research or for the demand-oriented design of the teleservices is only permissible if the user has given his explicit consent.
§ 6 Utilization and accounting data
(1) The provider may collect, process and use personal data concerning the use of teleservices only to the extent necessary
1. to enable the user to utilize teleservices (utilization data) or
2. to charge the user for the use of teleservices (accounting data).
(2) The provider shall erase
1. utilization data as soon as possible, at the latest immediately after the end of each utilization, except those that are at the same time accounting data,
2. accounting data as soon as they are no longer required for accounting purposes; user-related accounting data stored by the provider for the establishment of detailed records concerning the use of particular services at the user’s request in accordance with § 6 (4) below, shall be erased not later than 80 days from the date of dispatching the detailed records unless the request for payment is disputed within this period or the invoice has not been paid despite a demand for payment.
(3) Utilization or accounting data shall not be transmitted to other providers or third parties. This shall not affect the powers of criminal prosecution agencies. The provider offering access to the use of teleservices must not transmit to other providers whose teleservices have been used by the user any data other than
1. anonymised utilization data for the purposes of their market research,
2. accounting data to the extent necessary for collecting a claim.
(4) If the provider has concluded a contract with a third party concerning the provision of accounting services, he may transmit to the third party accounting data necessary for rendering such services. The third party shall be obligated to comply with telecommunications secrecy.
(5) The invoice concerning the use of teleservices must not reveal the provider, time, duration, type, content and frequency of use of any particular teleservices used unless the user requests such detailed records.
§ 7 User’s right to information
The user shall be entitled at any time to inspect, free of charge, stored data concerning his person or his pseudonym at the provider’s. The information shall be given electronically if so requested by the user. If data are stored only for a short period in accordance with § 33 (2) No. 5 of the Federal Data Protection Act [Bundesdatenschutzgesetz], the user’s right to information shall not be excluded by § 34 (4) of the Federal Data Protection Act.
§ 8 Control
(1) § 38 of the Federal Data Protection Act shall be applicable with the proviso that an examination may be carried out even if there are no grounds to suppose that data protection provisions have been violated.
(2) The Federal Commissioner for Data Protection shall observe the development of data protection as applied to the provision and utilization of teleservices and shall make relevant comments in the activity report he has to submit pursuant to § 26 (1) of the Federal Data Protection Act.