What Companies Need to Observe When Implementing the GDPR

The German Ministry of Interior affairs has published an English translation of the new Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). On 27 April 2017 the German Parliament passed the BDSG in order to make use of the opening clause provided for in the EU General Data Protection Regulation (GDPR). This bill has been controversial; see here for an interview with Jan Albrecht, Stefan Brink and Tim Wybitul.

The new BDSG replaces its national predecessor, which has been in force for the last 40 years. The new BDSG is the first step toward adapting national German member State law to the provisions of the GDPR. With an effective date of 25 May 2018, the new BDSG will also form the basis for the adaption of further German data privacy acts to the GDPR. We note that several ministries have already indicated that they are preparing specific data privacy provisions concerning special processing situations like social security data protection, and we expect these provisions to follow the implementation of the BDSG.

This overview summarizes the major implications of the BDSG for companies operating in Germany.

For the practical application of the GDPR and of the BDSG, it is important to keep in mind that the GDPR supersedes member State laws and leaves only limited space for national law provisions.

Companies operating in Germany should analyze the new BDSG requirements and make sure that local operations comply with them. In many GDPR implementation projects, this national GDPR implementation law will affect several work packages. In particular, decision makers should start adopting the new BDSG employee data protection rules. In particular, they should initiate negotiations for respective works council agreements very quickly. Where necessary changes affect data privacy at the work place, they need to be aligned with works councils; this can be a time-consuming process.

It is worth noting that most of the provisions of the BDSG that may arguably go beyond the scope of the GDPR are of limited practical relevance as German courts and authorities must not apply provisions of the BDSG if they deem them as contrary to European law. Where such provisions limit data subject rights, companies should consider the likelihood the provisions may be revised by the European Court of Justice before adhering to the BDSG provisions over the GDPR requirements.

The companies should be aware of the following new key requirements under the BDSG and the GDPR:

• Specific processing situations: The BDSG contains particular provisions for some specific processing situations like data protection at work, video surveillance and profiling.
• Data protection officers: The German rules regarding the duty to appoint a data protection officer are stricter than those stipulated by Art. 37 GDPR. According to Sec. 38 BDSG, companies operating in Germany must designate a data protection officer if they constantly employ at least 10 persons dealing with the automated processing of personal data. Moreover, companies must also appoint a data protection officer if they undertake processing that is subject to a data protection impact assessment pursuant to Art. 35 GDPR or if they commercially process personal data for the purpose of transfer or anonymous transfer or for purposes of market or opinion research.
• Video surveillance: Sec. 4 BDSG, in principle, permits video surveillance of publicly accessible spaces. Controllers must take appropriate measures to make the surveillance and the controllers’ names and contact details identifiable as soon as possible.
• High risks in case of misconduct: The GDPR stipulates administrative fines up to EUR 20 Mio or 4 per cent of the global revenue – depending on which amount is higher. Violations which solely concern BDSG requirements law will be limited to a maximum fine of EUR 50,000, but this scenario will be rare in practice and cover very specific cases only, like information duties referring to consumer loans. In all other cases, the high maximum fines stipulated by the GDPR apply.
• Compensation for personal suffering: Data subjects (including employees) may claim damages for non-pecuniary damage. This is a new liability, which can result in substantial economic risks for the companies. Not only the customers themselves but also associations can initiate court proceedings. It is anticipated that this new recourse mechanism will facilitate the assertion of actual or asserted claims. The German implementation act does not reduce controllers’ exposure to civil claims.
• Burden of proof: The companies have to prove that they comply with the current data protection regulations. For this purpose, the companies must also implement the extensive documentation obligations stated by the GDPR. The comprehensive burden of proof for controllers is not reduced by the BDSG.
• Parts of the previous BDSG remain: The German legislature appears to preserve most of the previous German provisions regarding employees´ data protection in the new BDSG
• Transparency: The extensive notification obligations stated in Secs. 13 et seq. GDPR largely remain. Although the older drafts of the BDSG contained extensive restrictions with regard to the rights of the data subjects, the legislature has eliminated most of these provisions. German data protection authorities  have criticized these restricted information obligations as a violation of mandatory EU law. Compliances should analyze these restrictions and decide whether they intend to rely on these BDSG restrictions. It also needs to be taken into account that specific information structures for individual countries will reduce harmonization effects in global or EU-wide data privacy management structures.
• Aggravated compliance controls: The GDPR also brings along requirements which may considerably affect compliance monitoring. The detection of crimes or other breaches of duty remains admissible. The employer must, however, observe strict requirements, especially with regard to the transparency of the data processing. Secs. 32 et seq. BDSG provide for limitations of data subject rights according to Arts. 12 et seq. GDPR. Some of those member State limitations may possibly be used to facilitate data processing aiming at compliance purposes.
• Documentation: The extensive documentation obligations stated by the GDPR are not limited by the BDSG. In order to defend against regulatory fines and data subjects’ civil claims, companies need to be able to document their general efforts to achieve compliance with the GDPR and the BDSG. Moreover, they must tailor their IT systems and respective documentation in a manner which permits them to prove what personal data pertaining to specific data subjects they process – as well as for what purposes and by what means.
• Works Councils and the new Sec. 26 BDSG: Where works councils process personal data, they must also comply with the regulations of the BDSG and GDPR in the future. This is a considerable change, as previously German works councils did not have to observe specific data protection requirements, but only the far broader rules of German works constitution law and other general employment laws.
• Works Council Agreements: Collective agreements remain a legitimate instrument for the regulation of admissible data processing. These agreements, however, must fulfill the requirements of Sec. 88 para. 2 GDPR and Sec. 26 BDSG. Hence, a lot of works council agreements in force have to be amended individually or by means of a respective framework works council agreement. In particular, respective works council agreements must contain specific provisions which reflect the requirements of Art. 88(2) GDPR as well as those of Art. 5 GDR.

Conclusion: The new BDSG is complex and contains very specific provisions aiming at quite a number of details of data processing. For companies, it is advisable to analyze the BDSG closely and to determine what consequence this national member State data privacy act entails for their specific business model and data processing.