Today, the Bundesrat, the German legislative body that represents the sixteen federal states at the national level, approved a new Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG-new"), which the German parliament (Bundestag) had already passed on 27 April 2017 (find the original text here with amendments). The new law will almost certainly be enacted in its current form and will apply from 25 May 2018, the same date from which the General Data Protection Regulation (GDPR) applies.
1. Most Important Deviations from the GDPR
1.1 Employee Data Protection
Under the GDPR, consent generally does not have to be given in written form. According to Sec. 26 para. 2 BDSG-new, however, an employee's consent to employment-related data processing must as a rule be given in writing, unless a different form is appropriate because of special circumstances. Apart from this, the existing German rules on employee data protection are not changed fundamentally by the new law.
1.2 Video Surveillance
According to Sec. 4 BDSG-new, video surveillance of publicly accessible areas will be lawful to a greater extent than under the old version of the BDSG. Video surveillance had already been permitted more widely in Germany following a very recent change in the law, and that approach is now carried forward into BDSG-new. The German legislator gives high priority to video surveillance when balancing interests under Art. 6 para. 1 lit. f GDPR. Many experts doubt that this provision is compatible with European law.
1.3 Data Protection Officer
Under Sec. 38 BDSG-new, the obligation to appoint a Data Protection Officer (DPO) has a wider scope of application than under Art. 37 GDPR. Under BDSG-new, every company that, as a rule, permanently employs at least ten persons in the automated processing of personal data has to appoint a DPO. This is in line with the prior German legal requirement. By contrast, apart from public authorities and bodies, the obligation to appoint a DPO under the GDPR applies only to entities whose core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale (Art. 37 para. 1 lit. b GDPR) or of processing special categories of data on a large scale (Art. 37 para. 1 lit. c GDPR). Using the discretion given to Member States in Art. 37 para. 4 GDPR, the German legislator has kept the existing German requirements for DPO appointment intact.
1.4 Rights of the Data Subject
The GDPR provides a range of rights for the data subject. In addition to the existing right of access, the right to rectification and the right to erasure, the GDPR introduces, for instance, a right to data portability (Art. 20 GDPR).
In BDSG-new the German legislator partly limits the rights of data subjects in favour of more business-friendly rules. These limitations have been the subject of some criticism, and it remains to be seen how other Member States will use the discretion provided by the GDPR and how these national rules will be judged. In the final version of BDSG-new passed by both Bundestag and Bundesrat, however, the business-friendly rules have been scaled back compared with the originally proposed text. One example is the obligation to inform data subjects about data processing (Art. 13 GDPR), which may be limited in certain cases where providing the information to the data subject could negatively affect the controller's legal defence.
The right of access under Art. 15 GDPR may also be limited under BDSG-new in certain cases. For example, where personal data is not processed automatically and is kept only because of statutory retention periods, and providing access would involve disproportionate effort, the data subject's right of access may be limited.
1.5 Obligation to confidentiality
Sec. 29 BDSG-new provides exemptions from the information obligation in Art. 14 GDPR where the data involved is subject to a confidentiality obligation. According to Sec. 29 para. 2 BDSG-new, certain persons bound by professional rules of confidentiality (such as doctors or lawyers) are privileged with regard to the information obligation in Art. 13 para. 3 GDPR.
1.6 Credit report / Scoring
The previous rules of Sec. 28b BDSG-old are carried over nearly unchanged into Sec. 31 BDSG-new. This provision privileges economic interests in contrast to the strict rules of the GDPR, especially regarding purpose limitation.
1.7 Special categories of personal data
Based on the opening clauses in Art. 9 para. 2 GDPR, Sec. 22 BDSG-new provides exemptions from the general prohibition on processing sensitive data in Art. 9 para. 1 GDPR. This applies in particular to the processing of health data, which is permitted under specific conditions also for companies in the private sector.
1.8 EU-wide coordination of the supervisory authorities
Under Art. 51 para. 3 GDPR, Germany, which has several supervisory authorities, had to designate one supervisory authority that will organise EU-wide coordination and represent Germany on the European Data Protection Board (Art. 68 para. 4 GDPR). As provided in Sec. 17 BDSG-new, the German Federal Commissioner for Data Protection will take on this role. He or she will be deputised by the head of one of the Data Protection Authorities of the German federal states and will coordinate with all state DPAs on issues that also concern the state level.
2. Practical Recommendations
The German legislator makes considerable use of the discretion the GDPR gives to Member States. For now it is unclear whether all provisions of BDSG-new will stand or whether the limits of that discretion were overstepped. As an EU regulation, the GDPR is directly applicable law in Germany, and in case of conflict it overrides German national law. The GDPR is therefore the primary source of law; BDSG-new applies only in those areas where the GDPR's opening clauses allow national rules. It remains to be seen whether these national limitations will have a significant business-friendly effect.
The passing of BDSG-new gives companies an opportunity to check how far they have progressed with implementing the GDPR, which will apply from 25 May 2018.