
Hamburg Data Protection Act (HmbDSG)

  • Maximum Fine: €20M or 4%
  • Scope: State
  • Regulator: HmbBfDI
  • Framework: GDPR

Overview

The Hamburg Data Protection Act (HmbDSG) implements and supplements the GDPR in Hamburg, establishing specific requirements for public authorities and other organizations in Hamburg.

Key Facts

  • Enacted in 2018 to align with GDPR
  • Enforced by Hamburg Commissioner for Data Protection
  • Focus on public sector requirements

Key Principles

Public Sector Data Processing

Specific rules for processing personal data by Hamburg public authorities.

Requirements

  • Legal basis verification
  • Purpose limitation
  • Data minimization
  • Security measures
  • Documentation requirements

Examples

  • Processing records
  • Legal basis documentation
  • Security concepts
  • Purpose registers

Transparency Requirements

Enhanced transparency obligations for Hamburg public bodies.

Requirements

  • Information provision
  • Processing documentation
  • Public registers
  • Access procedures
  • Regular updates

Examples

  • Privacy notices
  • Public registers
  • Access request procedures
  • Documentation systems

Data Security Measures

Specific security requirements for Hamburg public authorities.

Requirements

  • Risk assessment
  • Technical measures
  • Organizational measures
  • Staff training
  • Regular audits

Examples

  • Security policies
  • Training programs
  • Audit procedures
  • Risk assessments

Compliance Requirements

Public Sector Requirements

Specific requirements for Hamburg public authorities processing personal data.

Implementation Steps

  • Identify legal basis
  • Document processing activities
  • Implement safeguards
  • Train staff
  • Regular reviews

Required Documentation

  • Processing records
  • Legal basis documentation
  • Security measures
  • Training records
  • Review logs

Data Protection Officer

Requirements for appointing and maintaining a DPO in Hamburg public bodies.

Implementation Steps

  • Assess DPO requirement
  • Appoint qualified DPO
  • Notify HmbBfDI
  • Ensure independence
  • Document activities

Required Documentation

  • DPO appointment letter
  • Qualification records
  • Notification records
  • Independence documentation
  • Activity logs

Special Processing Operations

Additional requirements for specific types of data processing by Hamburg authorities.

Implementation Steps

  • Conduct prior consultation
  • Implement special safeguards
  • Document measures
  • Regular assessments
  • Monitor compliance

Required Documentation

  • Consultation records
  • Safeguard documentation
  • Assessment reports
  • Monitoring logs
  • Compliance records

Enforcement & Penalties

Administrative Penalties

The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) can impose significant administrative fines.

Penalty Categories

  • Severe Violations: Up to €20M or 4% of global revenue. For violations of basic principles or data subject rights.
  • Standard Violations: Up to €10M or 2% of global revenue. For violations of technical and organizational measures.
  • Public Sector: Corrective Measures. Special enforcement regime for public authorities.

Example Cases

  • H&M: €35.3 million. 2020 - Excessive employee surveillance and data collection.
  • Public Authority: Corrective Order. 2022 - Required implementation of security measures.

Additional Measures

The HmbBfDI can impose various corrective measures beyond monetary penalties.

Penalty Categories

  • Processing Bans: Temporary or Permanent. Prohibition of specific processing activities.
  • Corrective Orders: Mandatory Changes. Orders to bring processing into compliance.
  • Public Warnings: Publication. Public disclosure of violations.

Example Cases

  • Social Media Platform: Processing Ban. 2023 - Ordered to cease illegal data collection.
  • Municipal Office: Corrective Order. 2023 - Required to implement privacy by design.
---