Logo Bayernportal
Home > Procedures

Data protection; notification of a data breach

The Bavarian data protection supervisory authorities monitor compliance with data protection law in Bavaria.

Online services

Online services

Responsible for you

Bayerischer Landesbeauftragter für den Datenschutz

Street address

Wagmüllerstr. 18
80538 München

Postal address

Postfach 221219

80502 München

Mehr zur Behörde

Bayerisches Landesamt für Datenschutzaufsicht

Street address

Promenade 18
91522 Ansbach

Postal address

Postfach 1349

91504 Ansbach

Mehr zur Behörde

Procedure details

The General Data Protection Regulation, the Bavarian Data Protection Act and the Federal Data Protection Act as well as a large number of special legal regulations aim to protect citizens from having their personal rights impaired by the processing of their personal data.

What is personal data?

Personal data is any information that relates to a natural person. This includes, for example, name, contact details, date and place of birth, school education, profession, hobby, consumer behavior, statements, assessments, pictures of a person, income, creditworthiness, financial circumstances of a person.

The so-called special categories of personal data are particularly protected. This includes information on racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data for the purpose of uniquely identifying a person, health data or data concerning a natural person's sex life or sexual orientation.

When is your data protected?

Your data is always protected if it is processed automatically or non-automatically in a file system (e.g. also in files or folders). Only in the case of public bodies is unsystematically processed data also protected.

Data that is processed exclusively in the context of personal or family activities is not covered by the scope of the General Data Protection Regulation, the Bavarian Data Protection Act and the Federal Data Protection Act. However, the personal or family circle is exceeded if, for example, personal data is published on the Internet.

When is the processing of your data permitted?

Permission may result from a legal provision or your consent.

For example, the General Data Protection Regulation permits the processing of your data in particular in the context of contractual relationships, e.g. employment, insurance or purchase contracts, insofar as the data processing is necessary for this purpose. This also applies to contract-like relationships such as application procedures or club memberships. Your data may also be processed if this is necessary to fulfill legal obligations (e.g. for tax purposes).

If your conflicting interests do not prevail, your data may also be processed if there is a legitimate interest on the part of the controller or a third party, unless this is carried out by a public authority.

If the processing of your data is based on your consent, the controller must be able to prove that you have consented to the processing. You must first be informed in clear and simple language about the purpose and type of processing of your data; further formal requirements arise from the General Data Protection Regulation.

What rights do you have vis-à-vis the controller?

The body that processes your data is referred to as thecontroller in the General Data Protection Regulation. You have the following rights vis-à-vis the controller:

  • You must be fully informed when your data is collected, in particular about the purpose and nature of the intended processing.
  • You have the right to information about your data and the type and circumstances of the processing carried out.
  • You have the right to rectification if your data is stored incorrectly or incompletely.
  • If certain conditions are met, you have the right to have your data erased, in particular if the storage is unlawful.
  • If certain conditions are met, you have the right to restrict the processing of your data.
  • If certain conditions are met, you have the right to object to the further processing of your data.

Who can you contact in the event of data protection violations?

  • To the management of the controller, e.g. a commercial enterprise, a doctor's surgery or an association. They are responsible for compliance with data protection law.
  • The company data protection officer, who also reviews complaints as the internal supervisory body.
  • The works council, which is responsible for employee data protection issues.
  • The data protection supervisory authority, which investigates complaints and inspects the responsible bodies.

The data protection supervisory authority

Citizens can contact the competent supervisory authorities free of charge and confidentially if they have data protection questions or problems and wish to complain about data protection violations. The competent data protection supervisory authority checks compliance with data protection regulations.

The Bavarian State Office for Data Protection Supervision is the supervisory authority responsible throughout Bavaria for the non-public sector, i.e. the private sector, freelancers, associations and societies.

The Bavarian State Commissioner for Data Protection at state level and the Federal Commissioner for Data Protection and Freedom of Information at federal level are responsible for the supervision of authorities and public institutions under data protection law.

In addition, there are areas that are not subject to state data protection supervision. The Catholic and Protestant churches, public broadcasters and the State Agency for New Media, including the private broadcasters it supervises, and press companies have their own sector-specific supervisory authorities. You can find an overview of the responsible data protection supervisory authorities under "Further links".

Status: 11.07.2025
Editorially responsible for prodecure description: Bayerisches Staatsministerium des Innern, für Sport und Integration
Contains machine translated content. Show the original content