German Data Protection Act 2009

What to do in a case of ...

More strict commissioned data processing requirements
In cases of commissioned data processing, a written contract has to be concluded. The contract has to include and describe in detail method and dimension of the data processing, technical and organizational measures, surveillance and controlling rights, directive authority, and 10 more specifics. Violations may lead to a fine.
Duty to inform in cases of data protection violations subject to report
A company has to inform the data subjects and the supervisory authority without delay, whenever it comes to their attention that sensitive personal data (e.g. bank or credit card data) has been disclosed to third parties without a legal foundation. If a multitude of data subjects is affected, the company is bound to inform the public by publishing the (at least half-page sized) information in at least two nationwide news papers in order to comply with the duty to inform.
The duty to make use of anonymized data is made more strict
Due to the more strict principles of data reduction and data economy, it is required to make use of the possibilities for aliasing and rendering persons anonymous, whenever genuine data is not necessary for the data utilization.
Increase of the scope of fines up to 300’000 Euro/skimming of profits
Fines up to 300'000 Euro can now be imposed. In cases of severe violations of data protection regulations, the skimming of profits is now possible, even if the profit is significantly higher than the fine.

July 2009 RA R. Niedermeier mail@legislator.de