An overview of the most important changes to the German Federal Data Protection Act

The General Data Protection Regulation (“GDPR”) aims to harmonise European data protection law and to create a uniform European level of data protection. Nevertheless, the GDPR contains a large number of so-called opening clauses which grant the member states a certain scope for implementation in individual areas of regulation. After the adaptation of the Federal Data Protection Act ("BDSG") by the German legislator according to the European requirements and opening clauses, further amendments entered into force on 26 November 2019 with the 2nd Data Protection Adaptation and Implementation Act EU (“2nd DSAnpUG-EU”).

In addition to amendments to the GDPR, the 2nd DSAnpUG-EU contains amendments to more than 150 laws, most of them for editorial purposes. In this context, definitions, references, legal bases, rights of data subjects and specifications on technical and organisational measures are adapted or newly regulated. On the other hand, the amendments to the GDPR are far more relevant to daily data protection practice, especially in medium-sized companies. The new regulations include in particular:

  • the competence of the Federal Data Protection Commissioner for data protection and freedom of information (“BfDI”) in § 9 BDSG and corresponding powers in § 16 BDSG,
  • the processing of special categories of personal data according to § 22 BDSG,
  • the abolition of the written form requirement for consents in employment relationships as stated in § 26 BDSG,
  • the limit for the compulsory appointment of an operational data protection officer according to § 38 BDSG as well as
  • the processing for purposes of awarding state awards and honours in § 86 BDSG.

In detail:

The amendment of § 9 BDSG relates to the BfDI's competence, which now extends beyond the scope of the German Telecommunications Act (“TKG”) with regard to the processing of personal data by telecommunications companies in general. The clarification of the BfDI's unreserved competence in this area across the federal states was necessary against the background of the scope of application of the TKG, which in future will only contain regulations for the implementation of Directive 2002/58/EC (ePrivacy Directive) and no longer for the GDPR only (or the repealed Directive 95/46/EC).

The amendments in § 22 BDSG extend the processing competences of non-public bodies, which also include private companies, with regard to special categories of personal data pursuant to Art. 9 GDPR. Whereas previously the “absolutely necessary” processing “for reasons of considerable public interests” was reserved for public bodies, it is now also granted to non-public bodies. As an example, the official justification of the Act cites the processing of data relating to religion by civil society organisations within the framework of prevention or deradicalisation programmes. Another conceivable application could be to fight pandemics or to support disaster control. The official justification of the Act explicitly points out that this amendment is not intended to extend the powers to process such data for commercial business models. The fact that the legislator did not specify the public interest is worthy of criticism. However, the legislator obviously did not want to limit itself to the purposes of lit. i, as can be seen from the reference to prevention or deradicalisation programmes. Even before the second amendment of the Act, however, the legal literature warned that implementing provisions based on Art. 9 para. 2 lit. g GDPR should not merely repeat the content of the provision, but that the term public interest should be specified more precisely because of the requirement of legal certainty. That the German legislature did not even rudimentarily follow this warning is all the more incomprehensible given that the national implementing provisions should represent a (contextual) specification of the general clauses and are not intended merely to copy them.

According to § 26 para. 2 sentence 3 BDSG, the written form requirement in the employment context is abolished. The electronic form is now an equal alternative to the written form and no longer has to be justified by special circumstances. A positive aspect is that the German legislator at least recognised and corrected the lack of practicability of its special approach relatively quickly.

In § 38 para. 1 BDSG, the personnel threshold at which the appointment of a company data protection officer becomes mandatory has now been raised from ten to twenty. Only if the data processor generally employs at least twenty persons who are permanently engaged in the automated processing of personal data is the appointment of a data protection officer compulsory. With regard to the other obligations relating to the Data Protection Officer or other formal obligations, such as maintaining records of processing activities, nothing has changed.

The newly created provision of § 86 BDSG (new version) contains rules on the processing of personal data for the purposes of state awards and honours. For these purposes, both public and non-public bodies may process personal data of potential candidates for the receipt of special (state) honours without having to inform the persons concerned of the data collection. The waiver of the usual rights of data subjects is understandable, since the data subjects must be judged with regard to their merits and personal integrity without gaining knowledge of the examination.

Consequences in practice:

The impact of the changes can be expected to be limited for small as well as large enterprises. Due to the narrow scope of application, the practical significance of the adaptation or creation of § 22 BDSG and § 86 BDSG is very limited. However, the most significant impacts will probably be caused by the changes to the personnel threshold for the appointment of data protection officers and the abolition of the written form requirement in the employment context, which small companies understandably perceived as exaggerated regulations. It will be interesting to see whether companies that no longer need a data protection officer under the new regulation can terminate the contractual relationship, especially in the case of long contract terms.