As we had previously announced in our newsletter, the German Federal Data Protection Act (the “Act”) is currently undergoing significant changes. The reformed Act was ratified at the beginning of July 2009 and the changes went into effect September 1, 2009. The amending legislation was not passed as originally intended, and the most important changes are outlined below.
Use of personal data for advertisement
The requirements regarding data collection, processing and use for purposes of advertisement have undergone a principal change from opt-out to opt-in. However, this material change has been softened by numerous exceptions.
If the personal data is collected for other purposes and then collated in a list or similar manner, and if the data is restricted to information that the data subject is a member of such group, and the data subject’s job/industry/business title, name, title, academic degree, address and year of birth, the following exceptions apply to the processing and use of the data:
Existing customers: Processing and use of personal data of existing customers for advertisement for own products or services is permissible without consent. New data may be added to the already stored data of these customers.
Public indices: Data from generally available public address, phone number, business or other similar indices may also be used for advertisement of one’s own offers. This also includes the storage of additional data to these publicly available data.
B2B: Personal data of the individual contact person in business relationships may be processed and used for advertisement from business to business without consent.
Donations: Personal data may also be processed and used for advertisement for donations if the donations are tax-exempt under German law.
Transparent transfer: The merged personal data may also be transferred without consent if the transferor stores the origin of the data and the recipient for at least two years after transfer and, upon request, provides information on this to the data subject; in this case, each advertisement must clearly identify the person or entity that originally collected the data. This last requirement may be burdensome on enterprises, in particular in a chain of transfers where it is not always easy for the ultimate recipient of the data to determine who had originally collected the data. Enterprises should therefore ensure that such information is provided to them when obtaining personal data for advertising purposes. Regardless of whether the personal data is merged in a list of any shape, the following uses are permissible without consent:
Transparent Use: Use of personal data for third-party offers is permissible without consent if the advertisement clearly identifies the data controller that is responsible for this use of the personal data.
The same exceptions apply to the collection, processing and use of personal data that, from its outset, was intended to be used for purposes of transfer for advertisement, for scoring agencies, and for address-dealing.
Use of personal data in employment relationships
The reform also introduces a provision on data protection within employment relationships. According to this new provision, within an employment relationship, personal data may only be collected, processed and used if this is necessary for the decision on the establishment of the employment relationship or, after it has commenced, for its execution or termination. For purposes of uncovering criminal activities, personal data may only be used if there are factual indications that the data subject has committed a criminal act, and the data subject has no outweighing interest in the exclusion of the collection, processing and use, in particular taking into consideration that the manner and scope of such collection, processing and use must not be unreasonable compared with the alleged act.
Data protection officer
The internal data protection officer will in the future enjoy special dismissal protection. Termination of his employment will only be possible in case of termination without notice for good cause. He will also enjoy a statutory right to professional training at the employer’s costs.
Agreements on data processing on assignment must contain specific details on certain topics like security measures and audit rights of the data controller and similar provision. In addition, failure to conclude this agreement in written form may result in an administrative fine in the amount of up to €50,000.
The reform also introduces a breach notification duty into German law. Companies have to inform the data protection authorities and the data subjects if case sensitive data, data subject to professional confidentiality, bank and credit card data, or data relating to criminal activities is lost, illegitimately transferred or compromised.