In December, the government issued a draft bill on the regulation of data protection audits and on certain amendments to other data protection provisions. The changes to the German Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG") shall come into force on 1st July 2009. The material changes are summarized below.
Special Protection from Ordinary Dismissal for Internal Data Protection Officer
According to the draft bill, if a data controller has appointed an internal data protection officer ("DPO"), such officer will in the future enjoy special protection from ordinary dismissal. It will only be possible to dismiss the internal DPO based on extraordinary termination without notice for good cause. In addition, the internal DPO will remain protected from ordinary dismissal for one year after his revocation from the position of DPO, except for the already named exception of an extraordinary termination without notice for good cause.
The data controller will be obliged to enable the DPO to participate in continuing education and professional training programs at the data controller's cost.
Since the draft provision regarding dismissal protection can only apply to DPOs who are in an employment relationship with the data controller, it will be important in the future to consider whether this position should be filled by an employee or rather by an external DPO. The extent to which the DPO must be integrated into the organization in order to fulfil the position expediently will also have to be taken into consideration; this argument could speak against the choice of an external DPO. Consideration should further be given to filling the position of internal DPO with a person who already falls within the scope of special dismissal protection, such as a member of the works council, the immission control officer or the water protection officer. By combining functions in this way, it may be possible to avoid extending protection from ordinary dismissal to a larger number of employees.
Act on the Audit of Data Protection
The provision on data protection audits will be removed from the BDSG and implemented as a separate act. The draft bill on data protection audits contains detailed provisions regarding the competences and duties of the control sites, the qualification requirements for the personnel of the control sites, and the supervision of the control sites and the data controllers by the respective competent authorities. Undergoing a data protection audit will be voluntary.
According to the new act, data controllers will be able to have their data protection concept audited, and suppliers of data processing equipment and programs will be able to have the IT equipment they offer audited by the control site. In case of a positive evaluation, the data protection concept or the offered IT equipment may carry a data protection audit seal.
In order to achieve a positive evaluation, it is required that:
- The data processing for which the data protection concept or the respective equipment is intended abides by the provisions on the protection of personal data
- Certain guidelines for the improvement of data protection and security that are to be implemented are adhered to
- In the case of a supplier with a national registered office, the provisions regarding the organizational position of the DPO are adhered to
- Compliance with the above is verified in accordance with the intended controls
The draft bill for a Data Protection Audit Act also contains provisions on administrative fines and sanctions. According to the draft, fines of up to EUR 300,000 can be imposed for certain infringements of the Act. In addition, where the infringer acts with the intention of enrichment, a prison sentence of up to two years can be imposed.
The processing and use of personal data for the purposes of address dealing, advertising, and polling and marketing surveys will be subject to the consent of the data subject. Such consent must unequivocally relate to these purposes. If it is granted together with additional declarations of consent, this unequivocal relation must be established by specific means, such as individually ticking a box, an individual signature or another measure.
Only certain personal data that is summarized in a list or other form may be processed and used without consent in exceptional circumstances. In addition, such processing or use will only be permissible if it is necessary for the respective purpose, i.e., data that is not required for the specific purpose may not be processed or used, such as religious affiliation for unrelated advertising. Furthermore, only data regarding the membership of the data subject in this group of persons, his/her occupation, industry or business, his/her name, title, academic degree and address, and his/her year of birth may be used.
Notification Duties in Case of Data Loss
The draft introduces a notification obligation for cases in which third parties gain knowledge of personal data illegitimately. A data controller will have to inform the competent data protection authority and the affected data subjects without undue delay if certain data stored by the data controller has been transmitted illegitimately, or if third parties have by other means gained knowledge of the data, and material detriment to the rights or protected interests of the data subject is impending. This specific data includes, inter alia, special categories of personal data such as data relating to religion, health, or racial or ethnic origin, as well as bank and credit card details.
The affected data subjects must be notified as soon as criminal prosecution would no longer be endangered by such notification. The data protection authority, however, must be notified immediately. If individual notification of each data subject would require an unreasonable effort, it may be replaced by a public announcement.
Increase of Fines
The draft bill provides for an increase in administrative fines and an expansion of the schedule of fines. In the future, concluding a contract for data processing on assignment other than in writing will, as a rule, result in a fine. This applies not only to contracts with third-party providers, but also to agreements with affiliated companies within a group that provide services to other group entities. Accordingly, this will have consequences for data processing in groups, where data processing is often centralized in one location. Data processing within a group is generally not privileged, i.e., each company within a group is treated as an independent third party. Although the law has previously also explicitly required such contracts to be concluded in written form, it is only this reform that introduces a fine of up to EUR 50,000 for breaches of this written-form requirement. The upper limits of the fines have been raised to EUR 50,000 for breaches of formalities and to EUR 300,000 for material breaches. According to the draft, the fine shall exceed the economic advantage gained through the breach of the data protection provisions; if the named amounts do not suffice for this purpose, they may be exceeded.
Coming into Force
The changes to the BDSG will come into force on 1st July 2009. However, the draft bill allows for a generous transition period of three years for data processing for advertising and address dealing: insofar as the data was collected before 1st July 2009, the new regulation will only apply as of 1st July 2012.
It is an open secret that, at least until now, the consequences of non-compliance with data protection laws in day-to-day business were in most cases of a rather theoretical nature. However, it is noticeable that within the last months, coverage of data protection mishaps in large-scale enterprises and of proceedings initiated by the supervisory authorities against data controllers has increased. The public perception of non-compliance with data protection regulations has changed through such precedent cases and has led to legislative actions which are presumably not completed with the amendments illustrated above. In light of the most recent incidents in large enterprises regarding the comparison of business processes with employee data, this concerns in particular the so-called employee data protection ("Beschäftigtendatenschutz").
In Germany, the supervision of compliance with data protection provisions falls within the competence of the federal states (the "Bundesländer"). Since the strengthening of the German Federal Data Protection Act does not in itself sufficiently increase the pressure on the addressees of the Act, some of the federal states already intend to increase the capacities of their supervisory authorities, and to some extent this increase has already been implemented. It is therefore advisable for companies to take the subject of data protection more seriously in the future than has been done in the past. Companies also have the possibility to cooperate with the supervisory authorities in order to jointly develop processes which are legally compliant.