The new Federal Data Protection Act ("BDSG-new") will enter into force on 25 May 2018 and bring substantial changes to the current Federal Data Protection Act ("BDSG") in order to align national data protection law with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and make use of the opening clauses in the GDPR and the Directive (EU) 2016/680 on data protection in criminal justice.

Data processing for employment purposes

As under the current BDSG, the processing of an employee's personal data is permitted where necessary for hiring a new employee, during the employment relationship and for terminating the employment contract.

The BDSG-new also continues to allow the processing of employees' personal data for the detection of criminal offences, provided there is a documented reason to believe that the employee in question has committed a crime and the processing is not disproportionate. Additionally, it explicitly names collective agreements, works agreements and service agreements (collectively, "collective agreements") as a possible legal basis for processing employment data. Further, the act allows employers to process special categories of employee data, and the term "employee" is now defined by listing the groups of employees to whom the law applies.

The BDSG-new makes clear that works agreements can continue to serve as the legal basis for employee privacy schemes. In future, however, these works agreements will have to contain appropriate and specific measures to safeguard the dignity, legitimate interests and fundamental rights of the data subject. They must also give particular regard to the transparency of processing, permit transfers of personal data only within a group of companies or a group of undertakings that share a common interest in carrying out an economic activity, and provide for appropriate monitoring systems.

Therefore, it is advisable to review works agreements that have already been concluded for their compatibility with the BDSG-new, and to take the new requirements into account when drafting new company agreements.

Sanctions

In addition to the fines provided for in the GDPR, the BDSG-new provides for a further administrative fine of up to EUR 50,000 for any person who, intentionally or negligently, fails to handle a request for information properly, fails to inform a consumer correctly, completely or in good time, or otherwise acts in an irregular manner.

In more serious cases, the act provides for criminal penalties of up to three years' imprisonment. This applies, for example, where someone knowingly accesses non-publicly available personal data of a large number of persons without being entitled to do so and passes it on to a third party or otherwise.