- Any person who processes personal data must not unlawfully breach the data subjects' personality rights.
- A breach of personality rights arises in particular if:
- a. personal data are processed contrary to the principles of Articles 6 and 8;
- b. personal data are processed contrary to the express wishes of the data subject;
- c. sensitive personal data are disclosed to third parties.
- In general no breach of personality rights arises if the data subject makes the personal data generally accessible and has not explicitly prohibited any processing.
Chapter 5 (Art. 30 - 32) — Special Provisions on Data Processing by Private Persons
- A breach of personality rights is unlawful unless it is justified by the consent of the data subject, by an overriding private or public interest, or by the law.
- The controller may have an overriding interest in the following cases in particular:
- a. The controller processes personal data relating to a contracting party in direct connection with the conclusion or the performance of a contract.
- b. The controller is or intends to be in commercial competition with another person and for this purpose processes personal data that are not disclosed to third parties; legal entities that belong to the same group of companies as the controller are not regarded as third parties for the purposes of this provision.
- c. The controller processes personal data to verify the creditworthiness of the data subject, provided the following requirements are satisfied:
- The matter involves neither sensitive personal data nor high-risk profiling.
- The data are only disclosed to third parties if the third parties require the data for the conclusion or the performance of a contract with the data subject.
- The data are no more than ten years old.
- The data subject has attained the age of majority.
- d. The controller processes the personal data professionally and exclusively for publication in the editorial section of a periodically published medium or the controller uses the data, if they are not published, as an aid to their own personal work.
- e. The controller processes the personal data for purposes not related to specific persons, in particular for research, planning or statistics, provided the following requirements are satisfied:
- The controller anonymises the data as soon as the purpose of processing permits; if anonymity is impossible or if it requires disproportionate effort, the controller shall take appropriate measures to prevent the identification of the data subject.
- If the matter involves sensitive personal data, the controller shall disclose such data to third parties in such a manner that the data subject is not identifiable; if this is not possible, it must be guaranteed that the third parties only process the data for purposes unrelated to the data subject's person.
- The results are published in such a manner that data subjects are not identifiable.
- f. The controller collects personal data relating to a public figure that relate to that person's public activities.
- The data subject may request that incorrect personal data be corrected unless:
- a. a statutory provision prohibits the correction;
- b. the personal data are processed for archiving purposes that are in the public interest.
- Actions to protect the personality are governed by the Articles 28, 28a and 28g–28l of the Civil Code. The applicant may in particular request that:
- a. a specific data processing activity be prohibited;
- b. a specific disclosure of personal data to third parties be prohibited;
- c. personal data be deleted or destroyed.
- If neither the accuracy nor the inaccuracy of the relevant personal data can be established, the applicant may request that the data be marked as being disputed.
- The applicant may also request that any correction, deletion or destruction, prohibition of processing or disclosure to third parties, marking as disputed or judgment be communicated to third parties or be published.