c) In light of Art. 19 sec. 4 GG, a proportionate design of surveillance measures further requires that following notification, the affected persons may obtain, in a reasonable manner, judicial review of legality (in this respect see also Arts. 51 and 52 of the
Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of
criminal offences or the execution of criminal penalties, and the free movement of
such data, loc. cit.).
138
Moreover, proportionate design requires effective sanctions for violations of rights. If
serious violations of the conditions for interference were to ultimately remain without
sanction, resulting in atrophy of the protection of the right to personality due to its intangible nature, this would be contradictory to the duty of the state to effectively protect the development of personality. This could in particular be the case if the unauthorised collection or use of data were to routinely remain without any
counterbalancing satisfaction or compensation for the affected person, due to lack of
material damage. In this regard, however, the legislature has wide legislative discretion (cf. BVerfGE 125, 260 <339 and 340>, with further references).
139
d) Since with regard to covert surveillance measures, the transparency of data collection and data processing as well as the facilitation of the protection of the rights of
individuals can be ensured only to a very limited degree, the guarantee of effective
supervisory control is all the more significant. With regard to surveillance measures
that constitute serious interferences with privacy, the principle of proportionality therefore places more rigorous demands on the effective design of this supervision both at
the level of the law itself and in administrative practice (cf. BVerfGE 133, 277 <369
para. 214>).
140
To begin with, the guarantee of effective supervisory control requires a body vested
with effective powers, such as, under current law, the Federal Data Protection Commissioner (see, fundamentally, BVerfGE 65, 1 <46>). It also requires to fully document the data collection. Technical and organisational measures must ensure that
the data is available to the Federal Data Protection Commissioner in such a way that
it can be evaluated in a practicable manner, and that the documents include sufficient
information to match it with the process being overseen (BVerfGE 133, 277 <370
para. 215>). Since supervisory control has the function of compensating for a weak
protection of the rights of the individual, it is particularly important that it be carried out
regularly. Such supervision must be performed at reasonable intervals, the duration
of which must not exceed a certain maximum of approximately two years. This must
be taken into account with regard to the funding of the supervisory body (cf. BVerfGE
133, 277 <370 and 371 para. 217>). Guaranteeing compliance with the constitutional
requirements for effective supervisory control is the joint responsibility of the legislature and the authorities (cf. BVerfGE 133, 277 <371 para. 218>).
141
e) Finally, to guarantee transparency and oversight, a legal rule on reporting duties
142
22/71