Germany Publishes English Version of its National GDPR Implementation Act

by Hogan Lovells

What Companies Need to Observe When Implementing the GDPR

The German Ministry of Interior affairs has published an English translation of the new Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). On 27 April 2017 the German Parliament passed the BDSG in order to make use of the opening clause provided for in the EU General Data Protection Regulation (GDPR). This bill has been controversial; see here for an interview with Jan Albrecht, Stefan Brink and Tim Wybitul.

The new BDSG replaces its national predecessor, which has been in force for the last 40 years. The new BDSG is the first step toward adapting national German member State law to the provisions of the GDPR. With an effective date of 25 May 2018, the new BDSG will also form the basis for the adaptation of further German data privacy acts to the GDPR. We note that several ministries have already indicated that they are preparing specific data privacy provisions concerning special processing situations like social security data protection, and we expect these provisions to follow the implementation of the BDSG.

This overview summarizes the major implications of the BDSG for companies operating in Germany.

For the practical application of the GDPR and of the BDSG, it is important to keep in mind that the GDPR supersedes member State laws and leaves only limited space for national law provisions.

Companies operating in Germany should analyze the new BDSG requirements and make sure that local operations comply with them. In many GDPR implementation projects, this national GDPR implementation law will affect several work packages. In particular, decision makers should start adopting the new BDSG employee data protection rules and should initiate negotiations for the respective works council agreements very quickly. Where necessary changes affect data privacy at the workplace, they need to be aligned with works councils; this can be a time-consuming process.

It is worth noting that most of the provisions of the BDSG that may arguably go beyond the scope of the GDPR are of limited practical relevance, as German courts and authorities must not apply provisions of the BDSG if they deem them contrary to European law. Where such provisions limit data subject rights, companies should consider the likelihood that the provisions may be revised by the European Court of Justice before adhering to the BDSG provisions over the GDPR requirements.

Companies should be aware of the following new key requirements under the BDSG and the GDPR:

  • Specific processing situations: The BDSG contains particular provisions for some specific processing situations like data protection at work, video surveillance and profiling.
  • Data protection officers: The German rules regarding the duty to appoint a data protection officer are stricter than those stipulated by Art. 37 GDPR. According to Sec. 38 BDSG, companies operating in Germany must designate a data protection officer if they constantly employ at least 10 persons dealing with the automated processing of personal data. Moreover, companies must also appoint a data protection officer if they undertake processing that is subject to a data protection impact assessment pursuant to Art. 35 GDPR or if they commercially process personal data for the purpose of transfer or anonymous transfer or for purposes of market or opinion research.
  • Video surveillance: Sec. 4 BDSG, in principle, permits video surveillance of publicly accessible spaces. Controllers must take appropriate measures to make the surveillance and the controllers’ names and contact details identifiable as soon as possible.
  • High risks in case of misconduct: The GDPR stipulates administrative fines of up to EUR 20 million or 4 per cent of global revenue, whichever amount is higher. Violations which solely concern BDSG requirements will be limited to a maximum fine of EUR 50,000, but this scenario will be rare in practice and cover very specific cases only, like information duties referring to consumer loans. In all other cases, the high maximum fines stipulated by the GDPR apply.
  • Compensation for personal suffering: Data subjects (including employees) may claim damages for non-pecuniary damage. This is a new liability, which can result in substantial economic risks for companies. Not only the customers themselves but also associations can initiate court proceedings. It is anticipated that this new recourse mechanism will facilitate the assertion of actual or asserted claims. The German implementation act does not reduce controllers’ exposure to civil claims.
  • Burden of proof: Companies have to prove that they comply with the current data protection regulations. For this purpose, companies must also implement the extensive documentation obligations stated by the GDPR. The comprehensive burden of proof for controllers is not reduced by the BDSG.
  • Parts of the previous BDSG remain: The German legislature appears to preserve most of the previous German provisions regarding employees’ data protection in the new BDSG.
  • Transparency: The extensive notification obligations stated in Arts. 13 et seq. GDPR largely remain. Although the older drafts of the BDSG contained extensive restrictions with regard to the rights of the data subjects, the legislature has eliminated most of these provisions. German data protection authorities have criticized these restricted information obligations as a violation of mandatory EU law. Compliance departments should analyze these restrictions and decide whether they intend to rely on these BDSG restrictions. It also needs to be taken into account that specific information structures for individual countries will reduce harmonization effects in global or EU-wide data privacy management structures.
  • Aggravated compliance controls: The GDPR also brings along requirements which may considerably affect compliance monitoring. The detection of crimes or other breaches of duty remains admissible. The employer must, however, observe strict requirements, especially with regard to the transparency of the data processing. Secs. 32 et seq. BDSG provide for limitations of data subject rights according to Arts. 12 et seq. GDPR. Some of those member State limitations may possibly be used to facilitate data processing aiming at compliance purposes.
  • Documentation: The extensive documentation obligations stated by the GDPR are not limited by the BDSG. In order to defend against regulatory fines and data subjects’ civil claims, companies need to be able to document their general efforts to achieve compliance with the GDPR and the BDSG. Moreover, they must tailor their IT systems and respective documentation in a manner which permits them to prove what personal data pertaining to specific data subjects they process – as well as for what purposes and by what means.
  • Works Councils and the new Sec. 26 BDSG: Where works councils process personal data, they must also comply with the regulations of the BDSG and GDPR in the future. This is a considerable change, as previously German works councils did not have to observe specific data protection requirements, but only the far broader rules of German works constitution law and other general employment laws.
  • Works Council Agreements: Collective agreements remain a legitimate instrument for the regulation of admissible data processing. These agreements, however, must fulfill the requirements of Art. 88(2) GDPR and Sec. 26 BDSG. Hence, a lot of works council agreements in force have to be amended individually or by means of a respective framework works council agreement. In particular, respective works council agreements must contain specific provisions which reflect the requirements of Art. 88(2) GDPR as well as those of Art. 5 GDPR.

Conclusion: The new BDSG is complex and contains very specific provisions aiming at quite a number of details of data processing. For companies, it is advisable to analyze the BDSG closely and to determine what consequence this national member State data privacy act entails for their specific business model and data processing.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
