Faults in Telecom­mu­ni­ca­tions Sys­tems and Telecom­mu­ni­ca­tions Ser­vice Fraud

Section 100(1) TKG, Faults in Telecommunications Systems and Telecommunications Service Fraud, in the version applicable from 30 June 2017, states:

1. Where required, the service provider may collect and use the customer data and traffic data of subscribers and users, as well as the control data of an IT protocol for data transmission, which are transmitted irrespective of the content of a communication process or are stored on the servers used in the communication process and are necessary for ensuring communication between the receiver and the sender, in order to detect, locate and eliminate faults and malfunctions in telecommunications systems.
2. The content of communications is not part of the control data of an IT protocol for data transmission.
3. This also applies to faults that may result in a restriction in the continuity of supply of information and communication or in unauthorised access to the users' telecommunications and data processing systems.
4. The data are to be deleted without delay as soon as they are no longer needed for eliminating the fault.
5. Use of the data for any other purposes is not permitted.
6. Where the data are not collected and used automatically, the company data protection officer must be informed without delay of the procedures and circumstances of the measure.
7. The service provider must submit a detailed written report to the company data protection officer, the Bundesnetzagentur and the Federal Commissioner for Data Protection and Freedom of Information at the end of a quarter on the procedures and circumstances of any measures under sentence 6 during the period.
8. The Bundesnetzagentur will forward this information immediately to the Federal Office for Information Security.
9. The party affected is to be informed by the service provider where the party affected can be identified.
10. If control data of an IT protocol for data transmission were also collected and used as part of a measure under sentence 1, the reports must also contain as a minimum information on the scope and necessity of collecting and using the control data of an IT protocol for data transmission.

Companies subject to compliance are hereby reminded of the details in section 100(1) TKG:

Sentences 1 through 5 state what is and what is not permitted.
Sentence 6 contains the obligation to inform the company data protection officer when the data are not collected and used automatically.
Sentence 7 requires the service provider to submit a detailed written report to the company data protection officer, the Bundesnetzagentur and the Federal Commissioner for Data Protection and Freedom of Information at the end of a quarter on the procedures and circumstances of  any measures taken under sentence 6 during that quarter.

Sentence 10 gives the contents of the report that have to be included if control data of an IT protocol for data transmission were also collected and used as part of a measure as per sentence 1. As a minimum, the report has to include information on the scope and need to collect and use the control data of an IT protocol for data transmission. The Bundesnetzagentur expects to receive these reports at the end of every quarter, starting with the third quarter of 2017 and then, following on from that, at the end of every subsequent quarter.