15 May 2017
On Friday, 12 May 2017, the Bundesrat, the German legislative body that represents the sixteen federal states at national level, approved the new Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG-new), which the German parliament (Bundestag) had already passed on 27 April 2017 (the original text with amendments is linked in the source post). The new law will enter into force together with the General Data Protection Regulation (GDPR) on 25 May 2018.
1. Most important provisions
1.1 Employee Data Protection
Article 88 GDPR provides that Member States may, by law or by collective agreements, lay down more specific rules on the processing of employees’ personal data. To this end, the German legislator more or less copies the existing Section 32 BDSG into Section 26 BDSG-new. In addition, Sec. 26 para. 2 BDSG-new now requires employees’ consent to be given in written form. In sum, the new law does not change the current German rules on employee data protection fundamentally.
1.2 Video Surveillance
According to Sec. 4 BDSG-new, video surveillance of publicly accessible areas will be lawful to a greater extent than under the old version of the BDSG. Video surveillance had already been permitted more widely in Germany following a very recent change in the law, and BDSG-new continues that legislation. The German legislator gives video surveillance high priority when balancing interests under Art. 6 para. 1 lit. f GDPR. Some experts doubt that this provision is compatible with European law.
1.3 Data Protection Officer
Under Sec. 38 BDSG-new, the obligation to appoint a Data Protection Officer (DPO) has a wider scope than under Art. 37 GDPR. Under BDSG-new, as a rule, every company that permanently employs at least ten persons in the automated processing of personal data has to appoint a DPO. This corresponds to the prior German legal requirement (more than nine persons). By contrast, the obligation to appoint a DPO under the GDPR itself only applies to entities whose core activities consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale (Art. 37 para. 1 lit. b GDPR) or of processing special categories of data on a large scale (Art. 37 para. 1 lit. c GDPR). Using the discretion given to Member States in Art. 37 para. 4 GDPR, the German legislator kept the existing German requirements for DPO appointment intact.
1.4 Rights of the Data Subject
The GDPR provides a range of rights for the data subject, for example the rights to access, rectification and erasure of data, and the new right to data portability (Art. 20 GDPR).
In BDSG-new the German legislator tried to ‘save’ some of the old exemptions provided under the BDSG. In the final version passed by both Bundestag and Bundesrat these business-friendly rules have been scaled back compared with the originally proposed text, but they remain subject to criticism, and it remains to be seen how other Member States will use the discretion provided by the GDPR and how these national rules will be assessed by the courts. The limitations concern, in particular, the right of access and the information duties. By way of example:
Information under Article 13 GDPR (i.e. where the data are collected from the data subject) may be withheld where providing it would endanger the controller’s legal defence, provided that the data subject has no overriding interest in receiving it. Similarly, the right of access may be limited where (i) the data are stored solely to satisfy data retention requirements; (ii) providing access would be unreasonably burdensome for the controller; and (iii) any processing of the data for other purposes is excluded by technical and organisational measures (e.g. the data are blocked from other access).
Further limitations on the right of access and on information duties may derive from professional secrecy obligations, as provided for by Sec. 29 BDSG-new. This mostly concerns health care providers and lawyers.
1.5 Credit report / Scoring
The legislator also copied the old rules on scoring into the new law and thereby provides guidance on what may constitute a “legitimate interest” under Art. 6 para. 1 lit. f GDPR in this context. In particular, Sec. 31 BDSG-new provides that any scoring must (i) comply with applicable data protection law; (ii) use only generally accepted mathematical-statistical procedures; (iii) not rely solely on address data; and (iv) where address data are used, the data subject must be informed before processing.
1.6 Special categories of personal data
Not surprisingly, the national legislator also provides more specific rules on the processing of special categories of personal data in Sec. 22 BDSG-new. These concern, in particular, exemptions for social security purposes and for the health sector (diagnostics, public health etc.).
1.7 EU-wide coordination of the supervisory authorities
According to Art. 51 para. 3 GDPR, Germany had to designate one supervisory authority that will, firstly, organise EU-wide coordination and, secondly, represent Germany on the European Data Protection Board (Art. 68 para. 4 GDPR). Under Sec. 17 BDSG-new the German Federal Commissioner for Data Protection and Freedom of Information takes on this role. He or she is deputised by one of the Data Protection Authorities of the German federal states and coordinates with all state DPAs on matters that also concern the state level.
2. Practical Recommendations
The German legislator makes some use of the discretion the GDPR grants to Member States. Most of it is unsurprising (e.g. employee data, data protection officer, special categories of personal data), but some provisions have been criticised as going too far (e.g. the limitation of information duties towards data subjects). It remains to be seen how other EU Member States will use the leeway provided under the GDPR and whether the European Court of Justice will agree that these national rules comply with European law. In any event, the GDPR is the directly applicable law to consult first; only then is it worthwhile to check whether national law contains specifications of the GDPR that apply to the individual case.
Still, the passing of BDSG-new should prompt every company to check how far its GDPR implementation project has progressed. 25 May 2018 sounds far away, but it is really just one year away, and there is no grace period.
For more information, see the Workbook General Data Protection Regulation by Dr. Sibylle Gierschmann.