FDPA Part 2 - § 40
Supervisory authorities of the Länder
- The authorities pursuant to Land law shall monitor the application by private bodies of data protection legislation within the scope of Regulation (EU) 2016/679.
- 1If the controller or processor has more than one establishment in Germany, Article 4 no. 16 of Regulation (EU) 2016/679 shall apply accordingly in determining which supervisory authority is competent. 2If more than one authority considers itself competent or not competent, or when the competence is unclear for other reasons, the supervisory authorities shall make a joint decision in accordance with Section 18 (2). 3Section 3 (3) and (4) of the Administrative Procedure Act shall apply accordingly.
- 1The supervisory authority may process the data it has stored only for purposes of supervision; to this end, it may transfer data to other supervisory authorities. 2Processing for another purpose shall be permitted in addition to Article 6 (4) of Regulation (EU) 2016/679 if
- it is obviously in the interest of the data subject and there is no reason to assume that the data subject would refuse consent if he or she were aware of the other purpose;
- processing is necessary to prevent substantial harm to the common good or a threat to public security or to safeguard substantial concerns of the common good; or
- processing is necessary to prosecute crimes or administrative offences, to carry out or enforce punishment or measures as referred to in Section 11 (1) no. 8 of the Criminal Code or educational or disciplinary measures as referred to in the Juvenile Court Act or to enforce fines.
3If the supervisory authority determines that data protection legislation has been violated, it shall have the power to inform the data subjects concerned, to report the violation to other bodies responsible for prosecution or punishment and, in the case of serious violations, to notify the trade supervisory authority to take measures under trade and industry law. Section 13 (4), fourth to seventh sentences shall apply accordingly.
- 1The bodies subject to monitoring and the persons responsible for their management shall provide a supervisory authority on request with the information necessary to perform their tasks. 2The person required to provide information may refuse to answer those questions which would expose him- or herself or a relative as referred to in Section 383 (1) nos. 1 to 3 of the Code of Civil Procedure to the risk of criminal prosecution or proceedings under the Administrative Offences Act. 3The person required to provide information shall be informed accordingly.
- 1Persons assigned by the supervisory authority to monitor compliance with data protection legislation shall be authorized, as needed to perform their tasks, to enter the property and premises of the body and to have access to all data processing equipment and means. 2The body shall be obligated to tolerate such access. 3Section 16 (4) shall apply accordingly.
- 1The supervisory authorities shall advise and support the data protection officers to meet their typical needs. 2They may demand the dismissal of a data protection officer if he or she does not have the expert knowledge needed to perform his or her tasks or if there is a serious conflict of interests as referred to in Article 38 (6) of Regulation (EU) 2016/679.
- The application of the Trade Regulation Code shall remain unaffected.