§ 27 SDSG
Administrative offences and criminal provision
(1)Any person who, contrary to Regulation (EU) 2016/679, this Act or another legal provision on the protection of personal data, without authorisation 1. collects, stores, uses, alters, transmits, makes available for retrieval, establishes a personal reference to, or erases protected personal data that are not publicly known, 2. retrieves such data, obtains them for himself or herself or another person, or, by providing inaccurate or incomplete information, causes their transmission to himself or herself or to others, shall be deemed to have committed an administrative offence.
(2)The administrative offence may be punished with a fine of up to 50,000 euros.
(3)The State Commissioner for Data Protection shall be the administrative authority within the meaning of Section 36(1)(1) of the Act on Administrative Offences in the version of the announcement of 19 February 1987 (BGBl. I p. 602), as last amended by Article 5 of the Act of 27 August 2017 (BGBl. I p. 3295), as amended from time to time.
(4)1Any person who commits one of the acts referred to in paragraph 1 for remuneration or with the intent to enrich themselves or another person or to cause damage to another person shall be punished with imprisonment of up to two years or a fine. 2The attempt shall be punishable. 3The offence shall only be prosecuted upon complaint. 4Those entitled to file a complaint shall be the data subject, the controller, the processor and the State Commissioner for Data Protection. zur Einzelansicht § 27 Achter Abschnitt Schlussvorschriften