Germany’s EU Data Protection Adaptation and Implementation Act addresses issues left open by the General Data Protection Regulation and implements the EU Directive 2016/680 on Data Protection for the Prevention and Prosecution of Criminal Offenses into German law. The new legislation includes a completely new Federal Data Protection Act and provides for various changes to other laws in the security area. While the GDPR is directly applicable in Germany, businesses will need to look to both the GDPR and the Federal Data Protection Act to understand and comply with the legal ramifications for data processing in Germany.
Like the GDPR, the new Federal Data Protection Act (2018 BDSG) came into force on May 25, 2018, and governs—much like the “old” BDSG of 2003—data protection in the public and private sectors. Its 85 sections are divided into four parts: common provisions, provisions implementing the GDPR, provisions implementing the Directive 2016/680, and a special provision for data processing that is subject neither to the GDPR nor to the Directive 2016/680. New criminal law provisions and penalties for data protection breaches are part of the legal package.
The 2018 BDSG applies to the public sector to the extent that processing of personal data by the states is not governed by state data protection law. (Most states have revised their data protection laws in May.) Regardless of legal form, the public sector includes all federal and state authorities and bodies as well as private associations, insofar as they perform public functions, with the exception of public-sector businesses that compete with private businesses.
All other entities belong to the non-public sector. The 2018 BDSG applies to this sector to the extent that the data controller or processor processes personal data in Germany; e.g., in a German branch, or if such data processing occurs outside the European Union, the European Economic Area (EEA), or Switzerland but is covered by the GDPR and has a nexus with Germany. This summary focuses on the non-public sector and the issues that are most relevant in practice in this sector.
Appointment of a Data Protection Officer
Data protection officers have been mandatory for many companies for years and are well established legally in Germany. With Section 38 of the 2018 BDSG, the German legislator has used its authority under Article 37 (4) of the GDPR to introduce specific rules on data protection officers in Germany. As in the 2003 BDSG, a data protection officer remains mandatory for companies and other legal entities if they regularly employ at least 10 persons who are permanently involved in the automated processing of personal data. The latter criterion is interpreted broadly and essentially covers any processing involving IT systems. For example, it may suffice that 10 employees have personalized company email accounts. A similar obligation applies to controllers and processors if (i) their processing of personal data is subject to a data protection impact assessment pursuant to Article 35 of the GDPR; or (ii) they process personal data commercially for purposes of transfer or anonymous transfer; or (iii) they process personal data for market research or polling purposes. In these cases, the number of employees performing these tasks does not matter.
Processing of Special Categories of Personal Data
Sections 22 and 24 (2) of the 2018 BDSG include additional provisions on the processing of special categories of personal data, which is otherwise governed by Article 9 of the GDPR. Section 22 (1) lists additional circumstances under which such processing is permitted. For example, it is explicitly permitted to the extent necessary to exercise the rights and obligations under social security and social protection legislation. According to Section 22 (2), appropriate and specific (state-of-the-art) measures must be provided for to safeguard the interests of the data subject. The processing of special categories of personal data for a purpose other than the one for which it was originally collected may be based on Section 24 (2) if the data processing is intended to avert risks to public security or to prosecute criminal offenses, or is required for the establishment, exercise, or defense of civil law claims, unless the interests of the data subject in the omission of the processing prevail.
Employee Data Protection
Article 88 of the GDPR authorizes EU member states to issue their own rules on employee data protection that must include suitable and specific measures to protect the dignity, legitimate interests, and fundamental rights of employees. New Section 26 of the 2018 BDSG is largely based on Section 32 of the 2003 BDSG and addresses a number of additional legal issues. Unfortunately, the German legislator did not seize the opportunity to comprehensively reorganize employment data protection, so the new rules remain a patchwork and will require more guidance from the labor courts and the data protection authorities. A few observations:
- The scope of new Section 26 is broad and, in addition to regular employees, explicitly includes agency workers, homeworkers, apprentices, and job applicants.
- As in Section 32 of the 2003 BDSG, the processing of personal data in employment is generally permitted, provided that the processing is "required" for the establishment, performance, or termination of the employment relationship. The legislative materials indicate that "necessity" must not be understood as imperative, but results from balancing the employer’s legitimate interests and the employee’s fundamental rights. This is in line with the familiar rules in former Section 32.
- The stipulations in former Section 32 governing the processing of personal data for the detection of criminal offenses also remain in place. There is still a need for documented facts establishing the suspicion that a criminal offense was committed in the employment context. The measures to detect the crime must not be disproportionate.
- It is also expressly stipulated in new Section 26 that processing may be based on “collective” agreements. While this term includes collective bargaining agreements, it is more common for employers in Germany to enter into agreements with works councils that deal with specific situations of data processing; e.g., in connection with HR information or other IT systems or video surveillance.
- What is new in Section 26 is a provision on informed consent in the employment relationship, an issue that gave rise to many disputes under the former law. As in Article 7 of the GDPR, consent is only enforceable if it is given voluntarily. Section 26 (2) acknowledges that consent may in particular be voluntary if the employee gains an advantage through his/her consent or if the interests of the employer and the employee are the same. According to the legislative materials, the personal use of the company’s IT systems or the introduction of occupational health management may constitute such advantage. Employee consent must usually be obtained in writing, unless a different form is appropriate in view of special circumstances. In any case, the purposes of processing must be clearly identified in the consent and the employee must be duly informed about the right to withdraw consent at any time.
Scientific Research, Statistics, Archiving
Scientific research plays an increasingly important role in Europe as elsewhere. In this context, (archived) information inventories and statistics that provide significant benefits to science—like medicine or general healthcare—are of great importance. Information repositories and statistics are often based on large amounts of personal data that are subject to data protection. In order to limit restrictions for scientific research imposed by data protection regulations, the GDPR already provides for exemptions in its Article 89 and in its Recitals 156 to 163. The German legislator follows this concept in corresponding exemptions in Sections 27 and 28 of the 2018 BDSG that include certain privileges for data processing serving any of the following purposes:
- Scientific or historical research purposes
- Statistical purposes
- Archival purposes in the public interest
Processing of personal data for research and statistical purposes requires that the processing is necessary and that the interests of the controller significantly outweigh those of the data subject (Section 27 (1)). Processing for such purposes is not allowed otherwise.
In accordance with Article 9 (2) (j) of the GDPR, Sections 27 and 28 stipulate that special categories of personal data (e.g., data on health, religion, race, or ethnicity) may be processed if:
- the processing is necessary for the purposes listed in these sections; and
- appropriate data protection measures as set out in Section 22 (2) of the 2018 BDSG are put in place, such as technical and organizational measures, pseudonymization, encryption, etc.
Another particularity is that special categories of personal data must be anonymized as early as possible in the process (Section 27 (3)). There is also a more general pseudonymization requirement for these data sets to protect the data subjects. The keys that make persons identifiable must be stored separately. They may only be combined with the individual data sets if the research or statistical purpose so requires.
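As an added illustration of the key-separation and early-anonymization requirements described above (example code written for this summary, not part of the original article and not any authority's reference implementation): the research data set carries only a keyed pseudonym, the table that maps pseudonyms back to names is produced as a separate object meant for a separate store, and re-linking goes through one function that demands a stated purpose. The sample records are constructed and fictional; the field names, the HMAC-based pseudonym construction and the purpose check are assumptions for the example rather than anything the 2018 BDSG prescribes.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample records (fictional persons): direct identifiers next to
# special-category data (health), as a research data set might be collected.
RAW_RECORDS = [
    {"name": "Alice Example", "dob": "1980-01-01", "diagnosis": "asthma", "visit": "2018-03-02"},
    {"name": "Bob Example", "dob": "1975-06-15", "diagnosis": "diabetes", "visit": "2018-03-05"},
    {"name": "Alice Example", "dob": "1980-01-01", "diagnosis": "asthma", "visit": "2018-04-11"},
]

# Fields that make a person directly identifiable (assumed for the example);
# they are removed from the research set and kept only in the key table.
DIRECT_IDENTIFIERS = ("name", "dob")


def new_pseudonym_key() -> bytes:
    """Secret key for the pseudonym function, to be held by the key custodian only."""
    return secrets.token_bytes(32)


def pseudonym(record: dict, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) over the canonicalized direct identifiers.

    The same person always gets the same pseudonym, so records can be linked
    within the research set; without the key the pseudonym can be neither
    recomputed from a name nor reversed, unlike a plain unkeyed hash.
    """
    canonical = "|".join(record[f].strip().lower() for f in DIRECT_IDENTIFIERS)
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()[:20]


def pseudonymize(records: list[dict], key: bytes) -> tuple[list[dict], dict]:
    """Split raw records into a research data set and a separate key table.

    Returns (research_set, key_table). The key table maps pseudonym -> direct
    identifiers and is meant to be stored apart from the research set.
    """
    research_set, key_table = [], {}
    for rec in records:
        pid = pseudonym(rec, key)
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        research_set.append({"pid": pid, **payload})
        key_table[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
    return research_set, key_table


def reidentify(pid: str, key_table: dict, purpose: str) -> dict:
    """Re-link a pseudonym to a person only with a stated research purpose.

    The purpose string is a hypothetical control for this example; in practice
    the check would be an access-control decision at the key custodian.
    """
    if not purpose.strip():
        raise PermissionError("re-identification requires a documented research purpose")
    return key_table[pid]


def anonymize(research_set: list[dict]) -> list[dict]:
    """Drop the pseudonym once linkage is no longer needed.

    Without the pid the records can no longer be joined to the key table; the
    remaining fields still need their own review for indirect identification.
    """
    return [{k: v for k, v in rec.items() if k != "pid"} for rec in research_set]


if __name__ == "__main__":
    custodian_key = new_pseudonym_key()
    research, table = pseudonymize(RAW_RECORDS, custodian_key)
    print("research set:", research)
    print("key table (separate store):", table)
    print("re-linked:", reidentify(research[0]["pid"], table, "follow-up study"))
    print("anonymized:", anonymize(research))
```

The point of the keyed construction is that the key table and the key are the only routes back to a person: a researcher holding the research set alone cannot recompute pseudonyms for known names, and dropping the `pid` column severs the link to the table entirely.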
Also noteworthy in Sections 27 and 28 is that the data subject does not have a data access right if the data is necessary for scientific research and if providing the requested information would require a disproportionate effort.
Video Surveillance of Public Spaces
Historically, video surveillance has been a touchy data protection issue in Germany. Under the new law, the provisions on video surveillance in public areas do not change fundamentally compared to the 2003 BDSG and existing regulatory guidelines. For private individuals and companies, the rule remains that there are two admissible avenues, namely the "maintenance of the house right (protection against trespassers)" and the "exercise of legitimate interests for specific purposes" (which requires balancing the relevant interests). What is new is that Section 4 of the 2018 BDSG explicitly states that the protection of life, health, or freedom of individuals in large public facilities and vehicles of any kind constitutes a particularly important interest in video surveillance. Such facilities include, among others, sports, assembly, and entertainment venues, shopping malls, and parking lots, as well as facilities for rail, ship, and bus traffic. There are also more detailed rules on public surveillance notices. In particular, Section 4 clarifies that this notice must be recognizable at the earliest possible moment; i.e., before the individual enters the area covered by video surveillance.
Restriction of Data Subjects’ Rights
Section 29 of the 2018 BDSG limits the information obligations of the data controller towards individuals to the extent that the information must be kept confidential, in particular due to prevailing third-party interests. Certain professionals, such as lawyers, accountants, and physicians, enjoy special privileges to keep client information secret. They are not obliged to provide privileged information to the individual concerned, unless such individual’s interest in receiving the information prevails.
Section 35 of the 2018 BDSG defines exceptions to the right to demand the deletion of personal data, namely in the case of non-automated data processing where deletion is not possible or would require disproportionate effort and the individual’s interest in the deletion can be regarded as minimal; in this case, a restriction of processing applies instead of the deletion. This exception does not apply if the relevant personal data was processed without legal grounds.
Section 37 of the 2018 BDSG caters to the specific concerns of the insurance industry processing claims. The right under Article 22 of the GDPR not to be subject to automated decision-making (including profiling) does not exist if the decision is rendered in the context of the provision of services under an insurance contract. However, the condition is that (i) the decision either grants the affected individual’s application; or (ii) the decision is based on the application of binding remuneration rules for medical treatment and the data controller takes appropriate steps to safeguard the legitimate interests of the affected individual in the event that its application is not fully granted (namely the right to appeal to a human being).