T 2.167 Lack of or inadequate prior checking

If processing personal data is characterised by specific risks for the rights and freedoms of the persons concerned, e.g. the processing of specific types of data (information about racial or ethnic origin, political beliefs, religious or philosophical beliefs, trade union membership, health, or sex life) or if the personal data is to be used to assess the personality of the person concerned, including his/her skills, performance, or behaviour, a prior check must be performed before starting processing (§ 4d Para. 5 BDSG). However, this is not applicable if a statutory obligation or a consent of the person concerned is present or if the collection, processing, or use serves for the purposes of a contractual relationship or quasi-contractual trust relationship with the person concerned. Some state data protection acts specify general prior checks for all procedures used by public agencies in order to process personal data. The prerequisites for the aforementioned may deviate from the regulations specified by the Federal Government.

If a specified prior check is not implemented at all or only insufficiently, this may cause risks for the informational right of self-determination.

Examples:

© Federal Office for Information Security. All rights reserved.