A Study on Corporate Compliance with Transparency Requirements of Data Protection Law

Data Protection and Privacy: (In)visibilities and Infrastructures

Part of the book series: Law, Governance and Technology Series (ISDP, volume 36)

Abstract

Modern information systems reach a degree of complexity that is inscrutable to citizens. The transparency regulations of data protection law try to counteract this. However, it is unknown how effective these regulations are. To our knowledge, no convincing study on the state of corporate compliance with transparency regulations is available. We set up a quantitative and qualitative study with a sample of 612 representative companies. We evaluated the transfer of personal data, the compliance with transparency requirements on commercial e-mails, and the compliance with requirements derived from the right of access. In the process, we took advantage of automated analysis with e-mail honeypots but also used individual assessments of the information provided by companies. We found that most companies do not transfer personal data without consent. Requirements on commercial e-mails are fulfilled as well. However, the situation regarding the right of access is much worse. Most information provided by companies is insufficient.

Notes

  1. Christian Schulzki-Haddouti, “Zu kurz gekommen - Deutsche Datenschutzbehörden leiden unter Personalknappheit.” c’t Magazin 17 (2015), 76.

  2. Michael Ronellenfitsch, 41. Tätigkeitsbericht des Hessischen Datenschutzbeauftragten, (Wiesbaden: Beiträge zum Datenschutz, 2012), 184.

  3. Ronellenfitsch, 41. Tätigkeitsbericht des Hessischen Datenschutzbeauftragten, 186.

  4. Edgar Wagner, Datenschutzbericht 2012/2013 des Landesbeauftragten für den Datenschutz Rheinland-Pfalz, RP LT-Drs. 16/3569 (2014), 98.

  5. Alexander Dix, Datenschutz und Informationsfreiheit – Bericht 2014, (Berlin: Berliner Beauftragter für Datenschutz und Informationsfreiheit, 2014), 129.

  6. Reinhard Kreissl et al., IRISS Deliverable D5: Exercising democratic rights under surveillance regimes – Germany Country Reports. (2014), accessed March 23, 2016, http://irissproject.eu/wp-content/uploads/2014/06/Germany-Composite-Reports-Final1.pdf.

  7. XAMIT Bewertungsgesellschaft. Datenschutzbarometer 2015 – Datenschutz vor neuen Aufgaben, (2015), accessed March 23, 2016, http://www.xamit-leistungen.de/downloads/Files.php?f=XamitDatenschutzbarometer2015.pdf

  8. Bauer, Silvia. “Datenschutzrechtliche Compliance im Unternehmen,” in Compliance in der Unternehmerpraxis, ed. Gregor Wecker and Bastian Ohl, (Wiesbaden: Springer Fachmedien, 2013), 147–179.

  9. Thorsten Behling and Ralf Abel, ed., Praxishandbuch Datenschutz im Unternehmen, (Berlin: Walter de Gruyter, 2014).

  10. Thilo Weichert, Tätigkeitsbericht 2015–35. Tätigkeitsbericht des Landesbeauftragten für den Datenschutz Schleswig-Holstein, SH LT-Drs. 18/2730, (2015).

  11. Matthew L. Bringer, Christopher A. Chelmecki, and Hiroshi Fujinoki, “A Survey: Recent Advances and Future Trends in Honeypot Research,” in Int. Journal of Computer Network and Information Security 10 (MECS Publisher, 2012), 63–75.

  12. Abhishek Mairh et al., “Honeypot in Network Security: A Survey,” in Proc. of the 2011 Int. Conf. on Communication, Computing & Security ICCCS ‘11, (New York: ACM, 2011), 600–605.

  13. “Klassifikation der Wirtschaftszweige, (WZ 2008),” Statistisches Bundesamt, accessed March 23, 2016, https://www.klassifikationsserver.de/klassService/index.jsp?variant=wz2008

  14. “International Standard Industrial Classification of All Economic Activities (ISIC) Rev.4,” United Nations Statistical Division, accessed March 23, 2016, http://unstats.un.org/unsd/cr/registry/isic-4.asp

  15. “Unternehmen mit einer Website nach Beschäftigtengrößenklassen und Wirtschaftszweigen,” Statistisches Bundesamt, accessed March 23, 2016, https://tinyurl.com/destatis-Unternehmen-Internet

  16. “Bundesanzeiger”, accessed March 23, 2016, http://www.bundesanzeiger.de

  17. The selected groups are the ones with WZ 2008 code 11.0, 18.2, 45.1, 47.9, 55.1, 56.1, 58.1, 58.2, 59.1, 63.1, 63.9, 79.1, 86.9, 90.0, 92.0, 93.1, and 96.0.

  18. Peter Gola et al., BDSG Bundesdatenschutzgesetz: Kommentar, (München: C.H. Beck, 2012), § 34 Ref. 5.

  19. ECHR, 03.04.2007–62,617/00.

  20. ECHR, 02.09.2010–35,623/05.

  21. CJEU, 09.11.2010 - Joined Cases C-92/09 and C-93/09.

  22. CJEU, 07.05.2009 - C-553/07.

  23. BVerfGE 100, 313 (361).

  24. BVerfGE 65, 1 (43); BVerfG, NVwZ 2001, 185 (185); BVerfG, NJW 2006, 1116 (1117); BVerfG, NJW 2008, 2099 (2100).

  25. BVerfGE 65, 1 (45).

  26. Article 29 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, 01248/07/EN WP 136, (2007), 11 ff.

  27. HessVGH, RDV 1991, 187 (188); Alexander Dix in: Spiros Simitis, Bundesdatenschutzgesetz, (Baden-Baden: Nomos 2011), § 34 Ref. 17; Gola, BDSG, § 34 Ref. 9; Mallmann in: Simitis, Bundesdatenschutzgesetz, § 19 Ref. 21.

  28. Dammann in: Simitis, Bundesdatenschutzgesetz, § 2 Ref. 15.

  29. Gola, BDSG, § 34 Ref. 2.

  30. Dix in Simitis, Bundesdatenschutzgesetz: § 34 Ref. 23; Gola, BDSG, § 19 Ref. 6.

  31. See Art. 6 (1) (b) and (c) of the directive 95/46/EC.

  32. Such as Sect. 4 (1a) Irish Data Protection Act, 1988: Not more than 40 days after compliance.

  33. Gola, BDSG, § 34 Ref. 16.

  34. CJEU, 07.05.2009 - C-553/07.

  35. Ibid.

References

  • Article 29 Data Protection Working Party. Opinion 4/2007 on the concept of personal data. 01248/07/EN WP 136, 2007.

  • Bauer, Silvia. “Datenschutzrechtliche Compliance im Unternehmen.” In Compliance in der Unternehmerpraxis, edited by Gregor Wecker and Bastian Ohl, 147–179. Wiesbaden: Springer Fachmedien, 2013.

  • Behling, Thorsten, and Ralf Abel, eds. Praxishandbuch Datenschutz im Unternehmen. Berlin: Walter de Gruyter, 2014.

  • Bringer, Matthew L., Christopher A. Chelmecki, and Hiroshi Fujinoki. “A Survey: Recent Advances and Future Trends in Honeypot Research.” In: Int. Journal of Computer Network and Information Security, 63–75, MECS Publisher, vol. 10, 2012.

  • Dix, Alexander. Datenschutz und Informationsfreiheit – Bericht 2014. Berlin: Berliner Beauftragter für Datenschutz und Informationsfreiheit, 2014.

  • Gola, Peter, Rudolf Schomerus, Barbara Körffer and Christoph Klug, eds. BDSG Bundesdatenschutzgesetz: Kommentar. München: C.H. Beck, 2012.

  • Kreissl, Reinhard, Clive Norris, Xavier L’Hoiry, and Nils Zurawski. IRISS Deliverable D5: Exercising democratic rights under surveillance regimes – Germany Country Reports, 2014. Accessed March 23, 2016. http://irissproject.eu/wp-content/uploads/2014/06/Germany-Composite-Reports-Final1.pdf.

  • Mairh, Abhishek, Debabrat Barik, Kanchan Verma, and Debasish Jena. “Honeypot in Network Security: A Survey.” In Proceedings of the 2011 International Conference on Communication, Computing & Security ICCCS ‘11, 600–605. New York, NY, USA: ACM, 2011.

  • Ronellenfitsch, Michael. 41. Tätigkeitsbericht des Hessischen Datenschutzbeauftragten. Wiesbaden: Beiträge zum Datenschutz, 2012.

  • Schulzki-Haddouti, Christian. “Zu kurz gekommen - Deutsche Datenschutzbehörden leiden unter Personalknappheit.” c’t Magazin 17 (2015): 76–78.

  • Simitis, Spiros, ed. Bundesdatenschutzgesetz. Baden-Baden: Nomos, 2011.

  • Statistisches Bundesamt. “Klassifikation der Wirtschaftszweige, (WZ 2008).” Accessed March 23, 2016. https://www.klassifikationsserver.de/klassService/index.jsp?variant=wz2008.

  • United Nations Statistical Division. “International Standard Industrial Classification of All Economic Activities (ISIC) Rev.4.” Accessed March 23, 2016. http://unstats.un.org/unsd/cr/registry/isic-4.asp.

  • Wagner, Edgar. Datenschutzbericht 2012/2013 des Landesbeauftragten für den Datenschutz Rheinland-Pfalz. RP LT-Drs. 16/3569, 2014.

  • Weichert, Thilo. Tätigkeitsbericht 2015–35. Tätigkeitsbericht des Landesbeauftragten für den Datenschutz Schleswig-Holstein. SH LT-Drs. 18/2730, 2015.

  • XAMIT Bewertungsgesellschaft. Datenschutzbarometer 2015 – Datenschutz vor neuen Aufgaben. 2015. Accessed March 23, 2016. http://www.xamit-leistungen.de/downloads/Files.php?f=XamitDatenschutzbarometer2015.pdf.

Correspondence to Christoph Bier.

© 2017 Springer International Publishing AG

About this chapter

Cite this chapter

Bier, C., Kömpf, S., Beyerer, J. (2017). A Study on Corporate Compliance with Transparency Requirements of Data Protection Law. In: Leenes, R., van Brakel, R., Gutwirth, S., De Hert, P. (eds) Data Protection and Privacy: (In)visibilities and Infrastructures. Law, Governance and Technology Series, vol 36. Springer, Cham. https://doi.org/10.1007/978-3-319-50796-5_10
