Switch navigation



Disclosure for a non-individual-specific purpose

Disclosures for a non-individual-specific purpose have certain similarities and differences to disclosures for an individual-specific purpose.

Until now, we have been looking at disclosure of personal data for an individual-specific purpose as per § 21 IDG: this means that the data are being disclosed for processing in relation to a specific person, for example a patient, a specific taxpayer or a specific welfare benefit recipient.

Now we turn to disclosures of personal data for a non-individual-specific purpose as per § 22 IDG. Here, the disclosure no longer serves the purpose of gaining an insight into the specific person concerned; rather, the purpose is to gain a general insight. The aim here is therefore to gain new general insights by processing the personal data of many data subjects, insights which are of interest not only to the individual, specific person, but to all or many people.

So what we are talking about is the case where a public body passes on personal data which it is permitted to process for an individual-specific purpose to a different public body or private individual for a non-individual-specific purpose. Application cases include, for example, disclosure of personal data for research, statistical or planning purposes.

§ 22 IDG is the general legal basis for data disclosures for a non-individual-specific purpose. If a public body is allowed to process personal data for an individual-specific purpose, then it is also allowed to pass on these data for a non-individual-specific purpose. Before making such a data disclosure, however, the discloser should check whether it is precluded due to a specific confidentiality provision, for example a professional confidentiality stipulation or a special official secrecy provision. Furthermore, there may also be special statutory provisions governing the disclosure of personal data for a non-individual-specific purpose. The best-known example of application is the Federal Act on Research involving Human Beings, or Human Research Act.

The principle of proportionality as per § 9 para. 3 IDG applies here as it does to all data processing: the only personal data that may be passed on are those that are appropriate and necessary for achieving the purpose and the disclosure of which can be deemed acceptable to the data subject. This means, for example: if no identifying personal data are necessary for the non-individual-specific purpose, then the personal data may not be disclosed in a form which allows individuals to be identified, but rather only in anonymized or, at the outside, pseudonymized form. The public body may thus only release personal data if the data still have to be in an identifying form in order to achieve the purpose. If, for example, these data need to be combined with other data from other sources, then of course anonymized data will not work; however, pseudonymized data could be used if need be.

The legislation also prescribes that when public bodies disclose personal data, the recipients are required to anonymize or at least pseudonymize the data as soon as the processing purpose allows. They are only permitted to publish analyses of the data in such a form that it is no longer possible to draw any conclusions as to the people involved. If the data are passed on to private recipients, then a purpose limitation must also be imposed in addition to the previously mentioned restrictions. Personal data may only be passed on to private individuals for research purposes; that is, not for planning and statistical purposes. In addition, the private recipients must undertake not to process the personal data for other purposes, not to pass the data on to third parties and to guarantee the security of the information.

If public bodies are receiving personal data for a non-individual-specific purpose, these restrictions do not need to be mentioned separately, as they already apply by law.