§ 40 BDSG
Supervisory authorities of the Länder
(1)The authorities competent under Land law shall, within the scope of application of Regulation (EU) 2016/679, supervise non-public bodies with respect to the application of data protection provisions.
(2)Where the controller or processor has several domestic establishments, Article 4 No. 16 of Regulation (EU) 2016/679 shall apply accordingly for the determination of the competent supervisory authority. Where several authorities consider themselves competent or not competent, or where competence is doubtful for other reasons, the supervisory authorities shall take the decision jointly in accordance with the procedure under Section 18 Subsection (2). Section 3 Subsections (3) and (4) of the Administrative Procedures Act shall apply accordingly.
(3)The supervisory authority may only process the data stored by it for the purposes of supervision; in so doing, it may transfer data to other supervisory authorities. Processing for another purpose shall be permissible, in addition to Article 6 Subsection (4) of Regulation (EU) 2016/679, whereWhere the supervisory authority establishes a violation of data protection provisions, it shall be authorised to inform the data subjects thereof, to report the violation to other authorities competent for prosecution or punishment and, in the case of serious violations, to notify the trade supervisory authority for the purpose of taking measures under trade law. Section 13 Subsection (4), fourth to seventh sentences, shall apply accordingly. 1 it is obvious that it is in the interest of the data subject and there is no reason to assume that the data subject would withhold consent in knowledge of the other purpose,; 2 it is necessary to avert substantial disadvantages to the common good or a threat to public security or to safeguard substantial interests of the common good or; 3 it is necessary for the prosecution of criminal offences or administrative offences, for the enforcement or execution of sentences or measures within the meaning of Section 11 Subsection (1) No. 8 of the Criminal Code, or of educational measures or disciplinary measures within the meaning of the Youth Courts Act or for the enforcement of administrative fines.
(4)The bodies subject to supervision and the persons entrusted with their management shall, upon request by a supervisory authority, provide the information necessary for the performance of its tasks. The person obliged to provide information may refuse to provide information on questions the answer to which would expose that person or one of the relatives designated in Section 383 Subsection (1) Nos. 1 to 3 of the Code of Civil Procedure to the risk of criminal prosecution or of proceedings under the Act on Administrative Offences. The person obliged to provide information shall be informed of this.
(5)The persons commissioned by a supervisory authority to monitor compliance with data protection provisions shall be authorised, for the performance of their tasks, to enter the premises and business premises of the body and to gain access to all data processing systems and devices. The body shall be obliged to permit this. Section 16 Subsection (4) shall apply accordingly.
(6)The supervisory authorities shall advise and support the data protection officers with due regard for their typical needs. They may demand the dismissal of the data protection officer where the data protection officer does not possess the professional knowledge necessary for the performance of his or her tasks or where, in the case of Article 38 Subsection (6) of Regulation (EU) 2016/679, a serious conflict of interest exists.
(7)The application of the Industrial Code shall remain unaffected.