Data Protection
Introduction
Data protection plays a central role in K9 units, as numerous personal data are processed during operations, training, and daily work. The General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) impose high requirements on the processing, storage, and deletion of data. This guide explains the most important aspects of data protection for K9 units and provides practical recommendations for action.
Legal Foundations
GDPR and BDSG
The General Data Protection Regulation (GDPR) has been directly applicable in all EU member states since May 2018 and regulates the processing of personal data. In Germany, it is supplemented by the Federal Data Protection Act (BDSG). Both laws also apply to K9 units, regardless of whether they are organized under public law or privately.
Personal Data
Personal data are all information relating to an identified or identifiable natural person. In K9 units, this includes:
- Names and contact details of dog handlers
- ID card numbers and service IDs
- Operation reports with personal information
- Photos and videos from operations
- Health data of dogs and dog handlers
- Location data during operations
- Communication data (radio, email, telephone)
Data Processing in K9 Units
Lawful Processing
The processing of personal data is only lawful if at least one of the following legal bases is fulfilled:
- Consent of the data subject - The person has expressly consented
- Contract performance - Processing is necessary for the performance of a contract
- Legal obligation - Processing is required by law
- Vital interests - Protection of vital interests
- Public interest - Performance of public tasks
- Legitimate interests - Legitimate interest of the controller
Special Categories of Personal Data
Special categories of personal data (sensitive data) are subject to stricter regulations:
- Health data - Medical histories, vaccinations, medical findings
- Biometric data - Fingerprints, facial recognition
- Data on criminal offenses - Criminal records, ongoing proceedings
Health data of dog handlers and dogs are particularly protected and may only be processed with express consent or a legal basis.
Data Protection in Various Areas
Operation Reports
Operation reports frequently contain personal data of affected persons, witnesses, or suspects. Documentation must comply with data protection:
- Minimization - Only collect necessary data
- Purpose limitation - Use data only for the documented purpose
- Retention periods - Delete reports after the retention period expires
- Access protection - Store reports securely and restrict access
Photos and Videos
Photos and videos from operations, training, or public relations are subject to special data protection requirements:
- Consent - Obtain consent before publication
- Anonymization - Make persons unrecognizable
- Purpose limitation - Use photos only for the agreed purpose
- Deletion - Delete photos after purpose fulfillment
Important: Photos from operations may only be published with express consent of the persons depicted. Exceptions apply only to public figures or in cases of overriding public interest.
Communication Data
Radio communication, emails, and telephone calls generate communication data that are also subject to data protection:
- Radio logs - Document conversations and store securely
- Email traffic - Transmit emails encrypted and store securely
- Telephone calls - Keep call logs in compliance with data protection
Technical and Organizational Measures (TOM)
Encryption
Sensitive data must be stored and transmitted encrypted:
- Data transmission - SSL/TLS encryption for emails and web connections
- Data storage - Encryption of hard drives and databases
- Mobile devices - Encryption of smartphones and tablets
Access Control
Access to personal data must be controlled and logged:
- User accounts - Individual access for each employee
- Permissions - Role-based access rights
- Logging - Document all access
- Access protection - Physical security of data carriers
Data Backup
Regular backups are essential but must also comply with data protection:
- Encrypted backups - Encrypt backup data
- Secure storage - Store backups in a secure location
- Test restoration - Regularly test restoration
- Deletion of old backups - Delete old backups after period
Rights of Data Subjects
Right of Access
Data subjects have the right to obtain information about their stored data:
- Which data are stored?
- For what purpose are the data processed?
- To whom are the data disclosed?
- How long are the data stored?
Right to Erasure
Data subjects can request the deletion of their data if:
- The data are no longer needed
- Consent has been withdrawn
- The data have been processed unlawfully
- Deletion is required by law
Exceptions to the right to erasure apply in cases of legal retention obligations or overriding legitimate interests.
Right to Object
Data subjects can object to the processing of their data if the processing is based on legitimate interests.
Data Portability
Data subjects have the right to receive their data in a structured, commonly used format.
Data Protection Officer
Appointment Requirement
A data protection officer must be appointed if:
- More than 20 persons are regularly engaged in automated processing
- Special categories of personal data are processed
- A data protection impact assessment is required
Tasks of the Data Protection Officer
- Advice - Advising the organization on data protection issues
- Training - Training employees
- Monitoring - Monitoring compliance with data protection
- Contact point - Contact person for data subjects and supervisory authorities
Data Protection Impact Assessment
A data protection impact assessment (DPIA) is required if a processing is likely to result in a high risk to the rights and freedoms of data subjects:
- Systematic comprehensive assessment - Automated assessment of personal aspects
- Large-scale processing - Extensive processing of special categories
- Systematic monitoring - Extensive systematic monitoring of public areas
Practical Implementation
Privacy Policy
Every K9 unit should have a privacy policy that includes the following points:
- Controller - Name and contact details of the controller
- Purpose of processing - Which data are processed for what purpose?
- Legal basis - On what legal basis is the processing carried out?
- Rights of data subjects - What rights do data subjects have?
- Contact - Contact details of the data protection officer
Consent
Consent must:
- Voluntary - Be given without coercion
- Informed - Be based on complete information
- Specific - Apply to concrete processing operations
- Revocable - Be revocable at any time
- Documented - Be documented in writing or electronically
Training
Regular training of employees is essential:
- Basics - Teach data protection basics
- Practical implementation - Provide concrete instructions
- Updates - Inform about changes
- Documentation - Document training
Tip: Conduct annual data protection training and document the participation of all employees.
Violations and Sanctions
Notification Obligation
In case of data protection violations, there is a notification obligation:
- Within 72 hours - Violations must be reported to the supervisory authority
- Inform data subjects - Data subjects must be informed if there is a high risk
- Documentation - All violations must be documented
Fines
Violations of the GDPR can be punished with high fines:
- Up to 20 million euros or 4% of worldwide annual turnover
- Serious violations - Higher fines for intentional violations
- Reputation damage - In addition to financial damage
Data protection violations can lead to significant financial and legal consequences. Prevention is essential.
Checklist for K9 Units
Ensure that the following points are fulfilled:
- Privacy policy available
- Consent documented
- Access control implemented
- Encryption active
- Retention periods defined
- Training conducted
- Data protection officer appointed (if required)
- Documentation up to date
- Notification obligation known
- Regular review
Last updated: October 21, 2025