SITTIG LAW Law Firm Blog

Data protection violation in public service

Government employees have access to highly sensitive data – and sometimes misuse it through unauthorized access, disclosure, or negligence. Affected individuals have far-reaching rights: access to information according to Art. 15 GDPR, compensation for damages according to Art. 82 GDPR, and the option to file a criminal complaint. The Sittig law firm supports the enforcement of these claims against public authorities.
Table of Contents

What data protection violations can government employees commit?

When Public Officials Misuse Your Data – Your Rights as an Affected Person. Public authorities store vast amounts of personal data daily: residency registration data, tax information, social welfare records, health data, police intelligence. All of this information is specially protected by data protection law. But what happens when public officials themselves violate data protection regulations? What happens if public employees access, disclose, or use your data for private purposes without authorization? In such situations, you as the affected person often face a powerful adversary. The law firm Sittig supports you in enforcing your rights against authorities and public bodies. The public sector processes sensitive personal data daily. The temptation or even the possibility of misusing this data is diverse. The following violations occur in practice:

Unauthorized access to personal data

Government employees have access to extensive databases as part of their work. However, not all access is lawful. A violation occurs when an employee accesses data for which there is no official necessity for processing, for example, if a case worker at the job center views the file of a person who is not within their area of responsibility, or if a police officer queries license plate and owner addresses for private reasons.

Disclosure of data to unauthorized persons

A particularly serious form of data protection violation is the unauthorized disclosure of personal information to third parties. This includes, for example, when a resident registration office employee passes on a person's new address to an ex-partner, when social data is transmitted to employers or landlords, or when health data from the health office falls into the hands of outsiders.

Use of official knowledge for private purposes

Public officials have access to information through their official capacity that is not available to the general public. If they use this knowledge for personal gain, for example, to harm competitors, favor acquaintances, or pursue their own economic interests, this constitutes a serious breach of data protection and official duties.

Impermissible data queries in registers

Registration records, vehicle registration records, Central Register of Foreigners, social security data – all these registers are accessible to authorities for precisely defined purposes. Accessing data outside of these purposes is unlawful. In the past, cases have become known where police officers conducted register inquiries for private acquaintances or passed them on to journalists.

Data breaches due to negligence

Not every data protection violation is intentional. Negligence can also constitute a breach of personal data protection: unencrypted emails with social data, lost files with sensitive information, or accidental mass mailings to the wrong recipients. Here too, affected individuals have rights and claims.

Denial of access and data subject rights

According to Art. 15 GDPR, you have the right to request information from any authority about what data is stored about you and for what purpose. If this right is denied, delayed, or incompletely fulfilled, this also constitutes a violation of data protection law.

What legal bases are relevant?

In the public sector, a complex interplay of various legal bases applies:
  • GDPR (General Data Protection Regulation): This also applies to the public sector and guarantees data subjects rights such as access, rectification, erasure, and damages.
  • Federal Data Protection Act Supplements the GDPR for the German public sector and contains specific regulations for federal authorities.
  • State data protection laws Each federal state has its own data protection laws for state authorities and municipalities.
  • Sector-Specific Laws Social data protection, tax data protection (§ 30 AO), state police data protection laws.
  • Criminal Law §§ 202a, 203, 353b German Criminal Code (StGB) – Unauthorized access to data and violation of official secrets can constitute criminal offenses.

What can you do as a affected person?

If you suspect or know that government employees have processed your data unlawfully, several avenues are open to you:

Step 1: Request information

First, submit a formal request for information under Article 15 GDPR to the authority concerned. This authority is obliged to inform you within one month which data concerning you is stored, for what purpose, and who the recipients of this data were.

Step 2: Complaint to the Data Protection Authority

You can lodge a complaint with the competent data protection supervisory authority at any time. For federal authorities, the Federal Commissioner for Data Protection and Freedom of Information is responsible; for state authorities, the respective state data protection commissioners are responsible. The authority is obliged to investigate your complaint.

Step 3: Claim damages

Article 82 GDPR grants you a claim for damages against the controller if you have suffered material or immaterial damage due to the data protection breach. Immaterial damages, i.e., compensation for pain and suffering for the loss of trust and control suffered, are increasingly being awarded by German courts.

Step 4: File a criminal complaint

In cases of intentional violations, particularly unauthorized data disclosure or accessing registers for personal purposes, a criminal complaint may be advisable. This is especially true if a public official or employee has deliberately misused your data.

Why Legal Assistance Is Crucial

Data protection violations by authorities are often difficult to prove and even more difficult to enforce. Authorities rarely respond voluntarily to complaints with a full admission of guilt. The law firm Sittig knows the typical defense mechanisms of public bodies and knows how you can still effectively enforce your rights. We will help you with the formulation of information requests and complaints, assessing whether a claim for damages is realistic, preparing and filing lawsuits before administrative and ordinary courts, and with criminal charges in cases of intentional misconduct.
Frequently asked questions
Affected individuals often find out about this by chance, for example, when an ex-partner suddenly knows the new registered address or when someone reveals information to them that only an authority could have known. Through the right of access according to Art. 15 GDPR, you can also demand that the authority inform you who accessed your data and for what purpose. In cases of concrete suspicion, data protection supervisory authorities can also initiate investigations.
Yes. Art. 82 GDPR expressly covers non-material damages. The amount depends on the severity of the violation and varies greatly. A legal assessment on a case-by-case basis is recommended.
Jurisdiction is determined by which authority processed the data. For federal authorities (e.g., Federal Employment Agency, Federal Customs Administration), the Federal Commissioner for Data Protection and Freedom of Information (BfDI) is responsible. For state authorities, municipalities, and municipal institutions, the respective state data protection officer of your federal state is the correct contact.
Depending on the severity of the offense, the employee may face disciplinary consequences up to dismissal from civil service or termination of employment. In cases of intentional action, criminal sanctions may also be considered, including those under Section 353b of the German Criminal Code (breach of official secrecy).
For claims for damages under the GDPR, the prevailing legal opinion is that the regular limitation period of three years under the German Civil Code (BGB) (§ 195 BGB) applies, commencing at the end of the year in which you gained knowledge of the infringement and the infringer.
Yes. Civil servants and public employees are also fully protected by data protection law as private individuals. If your own authority or colleagues process your personal data, health data, or private information without authorization, you have the same rights as any other data subject.
If a request for information under Article 15 GDPR remains unanswered or is unlawfully rejected, you can file a complaint with the competent data protection supervisory authority. Alternatively, you have the option to enforce your right to access in court, before the administrative court (in the case of public authorities) or the ordinary court. The Sittig law firm can assist you with this.
Hamburg location
Head office
Martinistrasse 11
20251 Hamburg
Phone: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559
Kassel location
Branch office
Motzstrasse 1
34117 Kassel
Phone: +49 (0) 561 510 053 80
Fax: +49 (0) 561 510 053 99
Frankfurt location
Branch office
Oeder Weg 11
60318 Frankfurt am Main
Phone: +49 (0) 69 710 471 070
Fax: +49 (0) 69 710 471 079
SITTIG LAW
Lawyer.
Specialist lawyer for criminal law.
Specialist lawyer for IT law.

[email protected]
Hamburg location
Head office
Martinistr. 11
20251 Hamburg
Tel: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559

Contact form