Client Alert
New German Federal Data Protection Act
August 07, 2017
By Dr. Bernd Meyer-Witting & Florian Lechner
I. Introduction
Germany is the first EU Member State to pass national legislation adapting its law to the General Data Protection Regulation (“GDPR”). On 5 July 2017 the new German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG; “NEW BDSG”) was promulgated. It will replace the current BDSG when it enters into force on 25 May 2018, the date from which the GDPR applies.
The GDPR is directly binding in Germany and therefore does not require implementation into national law. Accordingly, the NEW BDSG focuses on the areas in which the GDPR leaves room for further regulation by national legislation (the so-called opening clauses). Consequently, companies that offer goods or services to customers in Germany, or that monitor their behaviour, will have to comply with the already sophisticated framework of the GDPR as well as with the complex regulations of the NEW BDSG.
II. Key Changes under the New BDSG and their Deviation from the GDPR
A. Data Protection Officer
Under the GDPR, apart from public authorities, only entities whose core activities consist of processing operations which, by virtue of their nature, require regular and systematic monitoring of data subjects on a large scale, or processing of special categories of data on a large scale, have to appoint a Data Protection Officer (“DPO”). The NEW BDSG makes use of the option under the GDPR to set additional national thresholds for when a DPO must be appointed and maintains the requirements of the current German data protection regime: as a rule, every company that permanently employs at least 10 persons in the automated processing of personal data will also have to appoint a DPO once the GDPR applies from 25 May 2018.
B. Employee Data Protection
The current German employee data protection regime will not be changed significantly by the NEW BDSG.
While consent under the GDPR generally does not have to be in written form, under the NEW BDSG the consent of employees to employment-related data processing will generally require written form. The NEW BDSG also introduces a test for establishing whether employee consent can be considered freely given, which may in particular be assumed where the consent is sought in connection with a legal or economic benefit for the employee, or where the employer and the employee pursue similar interests (e.g., where an employer circulates lists with dates of birth and photos of its employees in order to support communication amongst the staff, thereby serving the interests of both the company and the employees).
If works councils process personal data, they will also have to comply with the regulations of the NEW BDSG and the GDPR.
Collective agreements remain a legitimate instrument for regulating data processing. Such agreements, however, must fulfil the requirements of the GDPR and the NEW BDSG. Consequently, collective agreements have to provide for specific measures to safeguard the interests and fundamental rights of the employees, with particular regard to the transparency of processing at the workplace. Hence, many works council agreements currently in force may have to be amended.
C. Rights of the Data Subject
The NEW BDSG restricts to some extent the broad rights of data subjects granted by the GDPR, as the German legislator attempts to limit certain rights in favour of a more business-friendly approach.
The obligation to inform data subjects about data processing, for example, may be limited under the NEW BDSG in certain cases where providing such information could negatively impact the controller's legal defence. In addition, the access rights of data subjects may be limited under the NEW BDSG, for example, where personal data that is not processed automatically is kept only to comply with statutory retention periods and providing it to the data subject would require disproportionate effort.
These restrictions have been subject to some criticism in the legal literature. It remains to be seen whether they will indeed have a significant business-friendly effect, as the GDPR is a directly binding legal act in Germany, which means that in case of inconsistency the GDPR takes precedence over the NEW BDSG.
D. Credit Report/Scoring
The provisions of the NEW BDSG on the processing of personal data by credit reference agencies and for scoring purposes essentially reflect currently applicable German law, which privileges economic interests, in contrast to the strict purpose limitation under the GDPR.
E. Special Categories of Personal Data/Automated Decision Making
The NEW BDSG provides exemptions from the GDPR's general prohibition on processing sensitive data and covers cases in which the processing of sensitive personal information is permitted, within certain parameters, without specific consent, e.g., for assessing the working capacity of an employee or for complying with obligations under social security law.
Furthermore, the NEW BDSG permits automated decision making within insurance relationships and provides that automated decision making may also be based on sensitive data.
F. Secondary Use of Personal Information
The NEW BDSG allows personal data to be processed for a purpose other than the one for which it was initially collected if such further processing is necessary to assert, pursue or defend civil law claims of the controller and the interests of the data subject do not prevail.
III. Outlook/Recommendation
The NEW BDSG has been subject to some criticism, as the new law appears to contradict some of the standards set by the GDPR including one of the main objectives of the GDPR—to provide for a coherent data protection framework throughout the EU.
Provisions of the NEW BDSG that go beyond the scope of the GDPR may prove to be of limited practical relevance, as German courts and authorities may decline to apply provisions of the NEW BDSG that they deem contrary to European law. Some voices in the German legal literature even argue that these provisions could lead to EU infringement proceedings against Germany.
Where the NEW BDSG limits the rights of data subjects, companies should rely on the stricter rules of the GDPR, as applying the less restrictive NEW BDSG regime offers little benefit and may not be upheld by German courts and authorities.