Are there data localization/data residency or other types of laws that may require the retention and storage of data in the local jurisdiction, or prohibit the transfer of data out of the jurisdiction?
Last review date: 17 December 2024
Yes.
Other laws that may require the retention and storage of personal data (including, for example, where such data is part of another type of record or dataset) in the local jurisdiction or otherwise prohibit the transfer or disclosure of the personal data outside of the local jurisdiction:
- tax or financial record laws
- other
For example:
- Companies that qualify as providers of publicly available telecommunication services (Sec. 176 German Telecommunications Act), i.e., providers that offer telecommunications connections generally for an undefined period of time and for an independent use (e.g., providers of publicly available telephone services and providers of publicly available Internet access services), are required to store traffic data that they have locally in Germany. However, while these obligations are in effect, they must not be enforced by the Federal Network Agency because they have been found to violate Union law.
- Sec. 393 Social Security Code V, Sec. 80 Social Security Code X contain restrictions regarding the location and requirements processors need to fulfill in order to process social data and health data.
Does law or regulation impose mandatory requirements to share or make accessible non-personal data?
Last review date: 17 December 2024
- Obligation for public sector organizations to share or make accessible non-personal data
- Obligation for private organizations to share or make accessible data generated by connected or "IoT" devices
- Obligation for private organizations to share or make accessible non-personal health data
- Obligation for private organizations to share or make accessible non-personal financial data
- Obligation for private organizations to share or make accessible other non-personal data
For example:
Various EU level requirements directly applicable also in Germany (e.g. Data Act, European Health Data Space). While they are in effect, several of them include grace periods for the implementation of the requirements, e.g. Data Act.
Law enforcement requirements that cover also non-personal data (e.g. traffic data).
What specific obligations do these data-sharing rules impose on private organizations?
Last review date: 17 December 2024
- Obligation to share data on request
- Obligation to (re)design products or services to facilitate data accessibility
- Obligation to standardize products or services to facilitate data portability or interoperability