The general data protection requirements that have to be met by business enterprises in Germany are laid down in the Federal Data Protection Act. The English versions of the Act can be found on the Federal Data Protection Commissioner’s homepage.
The Federal Data Protection Act provides that companies are allowed to process personal data only if
– processing of the data is permitted under a specific legal provision, or if
– the person whose data are to be processed has given his or her consent.
In addition, there are data protection regulations that apply to specific areas and that are contained in special laws. Those special laws take precedence over general legislation. Examples include the German Banking Act and the Money Laundering (Prevention) Act, the Telecommunications Act and the Regulation on the Supervision of the Telecommunications Sector.