New law passed on the adaptation of German data protection law to the GDPR

Following the amendment of the Federal Data Protection Act ("BDSG") in 2017, on 27 June 2019 the German Bundestag passed a second act to adapt the highly fragmented German data protection law to the requirements of the European General Data Protection Regulation ("GDPR"). The goal is to bring the sector-specific data protection rules in 154 federal laws in line with the requirements of the GDPR, which came into force on 25 May 2018. Also affected are a number of laws that are important for businesses, such as the Fiscal Code, the Banking Act, and the Securities Trading Act. The new provisions primarily focus on special legal bases for data processing, the rights of the data subjects, the obligations for processors, cross-border data transfers to countries outside the EU, and the requirements for technical and organizational measures.1

First amendments to the BDSG

One year into the data protection regime created by the GDPR, the law also brings important changes to the BDSG:

  • Firstly, it changes the mandatory threshold for controllers and processors to designate a data protection officer. The minimum is now 20 (up from ten previously) employees of a company who are permanently engaged in the processing of personal data.2 Further requirements to designate a data protection officer pursuant to Art. 37 of the GDPR remain unaffected.
  • Secondly, the German Bundestag has simplified the requirements for obtaining consent in the context of employment. As employees can give their consent electronically in accordance with the requirements of the GDPR, the BDSG will be amended correspondingly. It will be sufficient in future for the employer to save the consent as an e-mail.3 This change takes place within the framework of the coalition agreement one of the aims of which is to examine all laws for their digital suitability.4

No changes to the Telecommunications Act

Despite this large-scale initiative, no changes to the data protection provisions set out in the Telecommunications Act ("TKG") have been made at this point. Although several members of parliament requested some modifications, they were ultimately rejected.5 The future aim is to implement the requirements of the ePrivacy Directive into the TKG while removing the parts of the TKG that overlap or conflict with the GDPR.6

Outlook

For the most part, the amendments will enter into force on the day following publication in the Federal Law Gazette (Bundesgesetzblatt), the date of which has not yet been determined. Nevertheless, experience shows that this may take place quickly, so it is worth keeping this issue under review in order to be prepared for the upcoming changes.