On April 27, 2017, the German Federal Parliament adopted the new German Federal Data Protection Act (Bundesdatenschutzgesetz) (“new BDSG”) to replace the existing Federal Data Protection Act of 2003. The new BDSG is intended to adapt the current German data protection law to the EU General Data Protection Regulation (“GDPR”), which will become effective on May 25, 2018.

The new BDSG includes specific requirements that deviate from the GDPR in some respects, including with respect to the appointment of a Data Protection Officer and the processing of employee personal data. The GDPR allows for certain EU Member State deviations from the text of the GDPR. In addition, the new BDSG imposes specific data processing requirements with respect to video surveillance, and consumer credit, scoring and creditworthiness. In addition to the high fines imposed by the GDPR, the new BDSG imposes fines of up to EUR 50,000 for violations regarding German law exclusively.

The new BDSG must now be approved by the German Federal Council, which is expected to occur in the next couple of weeks, possibly during the May 12, 2017 plenary meeting. Once adopted, the new BDSG will become effective on May 25, 2018, at the same time as the GDPR.

Read the new German Federal Data Protection Act (only available in German).