On 27 April 2017 the German Parliament passed an entirely new Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The new BDSG replaces the old BDSG, which has been in force for the last 40 years. The new BDSG is intended to adapt German law to the provisions of the EU General Data Protection Regulation (GDPR) and will now form the basis for the adaptation of German acts to the GDPR. Further acts concerning special processing situations, such as social security data protection, are likely to follow.
Companies operating in Germany should analyze the BDSG requirements and make sure that German operations comply with them. In many GDPR implementation projects, this national GDPR implementation law will affect several work packages. In particular, decision makers should start adopting the new BDSG employee data protection rules. Where necessary changes need to be aligned with works councils, this can be a time-consuming process. It is worth noting that the provisions that go beyond the scope of the GDPR are of limited practical relevance, as German courts and authorities must not apply provisions of the BDSG if they deem them contrary to European law. Where they limit data subject rights, companies should stick to the GDPR requirements instead and not rely on clauses which bring little benefit and may be revised by the European Court of Justice.
Companies should be aware of the following new provisions:
- High risks in case of misconduct: Administrative fines of up to EUR 20 million or 4 per cent of global revenue, whichever amount is higher. Violations which solely concern German law will be limited to a maximum fine of EUR 50,000, but this scenario will be rare in practice.
- Compensation for personal suffering: Data subjects (including employees) may claim damages for non-pecuniary damage. This is a new threat, which can result in substantial economic risks for companies. Not only the customers themselves but also associations can initiate court proceedings. This is likely to facilitate the assertion of actual or alleged claims. The German implementation act does not reduce controllers’ exposure to civil claims.
- Burden of proof: Companies have to prove that they comply with the current data protection regulations. For this purpose, companies must also implement the extensive documentation obligations stated by the GDPR.
- Specific processing situations: The BDSG contains particular provisions for some specific processing situations like data protection at work, video surveillance or profiling.
- Parts of the previous BDSG remain: The German legislator apparently tries to preserve most of the previous German provisions regarding employees' data protection.
- Aggravated compliance controls: The detection of crimes or other breaches of duty remains admissible. The employer must, however, observe strict requirements, especially with regard to the transparency of the data processing.
- Transparency: The extensive notification obligations stated in sec. 13 et seq. GDPR largely remain. The older drafts of the BDSG contained extensive restrictions with regard to the rights of the data subjects. The legislator, however, has taken back most of these provisions.
- Documentation: The extensive documentation obligations stated by the GDPR are not limited by the BDSG either.
- Works Councils and the new sec. 26 BDSG: If works councils process personal data, they must also comply with the regulations of the BDSG and GDPR in the future.
- Works Council Agreements: Collective agreements remain a legitimate instrument for the regulation of admissible data processing. These agreements, however, must fulfill the requirements of sec. 88 para. 2 GDPR and sec. 26 BDSG. Hence, a lot of works council agreements in force have to be amended individually or by means of a respective framework works council agreement.
Conclusion: The new BDSG is very complex and difficult to understand. Substantial consequential problems are likely to be the result. Acts which few people understand are not likely to be implemented correctly or even enacted completely in practice. The German government wants to exploit the scope of action which has been granted by Brussels as far as possible. According to the German data protection authorities, however, the new BDSG exceeds the scope set by the GDPR. Therefore, the EU Commission may initiate infringement procedures against Germany. What is more, German courts and authorities must not apply provisions of the BDSG if they deem them contrary to European law. This may lead to substantial legal uncertainty – especially with regard to GDPR implementation projects. It is also unlikely that the German Federal Council will stop the act once it has passed. Following the last negotiations, it must be deemed certain that the Federal Council will give its consent to the new act.
If you have further questions, we are pleased to answer them personally.
Special thanks to Dr. Lukas Ströbel and Isabelle Brams in our Frankfurt office for their assistance in preparing this entry.