31 Jul The new German Federal Data Protection Act to adapt the law to the EU GDPR

Background information / scenario
On 27 April 2017, the German Federal Parliament adopted the new Federal Data Protection Act (Bundesdatenschutzgesetz, hereinafter “new BDSG”). The law, approved by the German Federal Council on 12 May, was officially published in the Federal Law Gazette on 5 July 2017 and will become effective on 25 May 2018, exactly on the same day of the entry into force of the General Data Protection Regulation (hereinafter, “GDPR”). In fact, the new BDSG, which will replace the existing Federal Data Protection Act dated 2003, aims to adapt the German law to the provisions of the GDPR.

Main issue
Although one of the main purposes of the GDPR is to harmonise data protection law across the EU, there are a number of areas in which the GDPR, by means of the so-called opening clauses, leaves the opportunity for Member States to introduce their own national data protection laws to further specify the application of the GDPR. On the one hand, the German legislator has been the first among the Member States to implement such provisions supplementing the GDPR. On the other hand, the new BDSG was not exempt from criticism. In fact, concerns have been raised both by the German Data Protection Authorities and the Federal Ministry of Justice, according to whom the new BDSG sometimes exceeds the scope set by the GDPR.
A number of distinctive elements of the new BDSG are summarised below.
¬ Processing of persona data of employees (Section 26). The new BDSG largely retains the existing rules of the previous German Federal Data Protection Act.
o Employee personal data can be processed for the purposes of establishing, carrying out, or terminating an employment relationship, or for purposes of exercising rights and complying with obligations stemming from a law, union agreement, or work council agreement;
o Consent must be in writing, unless another form is justified due to the circumstances;
o The voluntary nature of the consent is determined by considering the dependency within the employment relationship and the circumstances of the consent (i.e., if the employee gains an advantage from providing consent or the interests of the parties are similar);
o Processing personal data of employees, including “sensitive” data, may be permitted on the basis of collective bargaining agreements (provided the negotiating partners comply with Article 88 GDPR).
¬ Processing of sensitive data. The new BDSG includes as legal basis for the processing of “sensitive” data:
o for scientific or historical research purposes or for statistical purposes (if the processing is necessary and if the interests of the data controller prevail over the interests of the data subject);
o data processing of “sensitive” data is necessary to exercise the rights arising out of the right to social security and social protection.
¬ Video Surveillance. The new BDSG contains specific rules concerning video surveillance of publicly accessible areas.
¬ Wider scope of application of the obligation to appoint a DPO (Section 38). Every company employing more than 10 persons in the automated processing of personal data must appoint a DPO.
¬ Additional national sanctions to those provided in the GDPR. The new BDSG includes:
o fines of up to EUR 50,000 for breaches in the area of consumer credit;
o criminal penalties with up to three years of imprisonment or criminal fines in case of certain intentional unlawful data processing activities.
¬ Restriction to the rights of data subjects in favour of more business-friendly rules (Sections 32 to 35).
o The right of data subjects to be informed if the controller intends to further process personal data for a purpose other than that for which the personal data was collected (Art. 13 GDPR), may be limited if data is stored in an analogue manner, the further processing is compatible with the original purpose and communication with the data subject does not take place digitally;
o Obligations to provide information on the part of the data controller may be restricted in the case of confidentiality obligations (for instance, professional secrecy);
o Access rights of data subjects (Art. 15 GDPR) may be limited if personal data is only kept in accordance with legal retention periods and it would require an unreasonable effort to be provided;
o The right to request erasure and the obligation to erase do not apply if erasure requires an unreasonably high effort due to the specific type of storage.

Practical implications
Companies operating in Germany should analyse the provisions of the new BDSG and make sure that operations involving data processing activities comply with them.

In consideration of the additional specificity of the new BDSG with respect to the GDPR, the German Data Protection Authorities are expected to issue future guidance as to provide more legal certainty about its interpretation and application.

The new BDSG will apply as from 25 May 2018.