On 27 April 2017 the German Bundestag adopted the Federal Data Protection Act German (the "Bill”) on the adjustment of the Federal Data Protection Act to implement the German provisions of the GDPR.

What does this cover?

The Bill considerably extends the cases when a data protection officer has to be appointed compared to the General Data Protection Regulation ("GDPR"). Currently a company has to appoint a data protection officer if more than ten (10) persons are constantly employed with automated data processing activities. This includes processing activities in human resources, marketing/ sales and IT areas. Companies which perform processing activities which are subject to a data protection impact assessment have to appoint a data protection officer regardless of the number of persons engaged in such activities. This also includes companies which transfer data for market research purposes or for opinion polls. This requirement equally applies to data controllers and data processors. The data protection officer is specifically protected against dismissal in order to warrant that he can exercise his duties properly.

The Bill introduces exemptions from the information, access, deletion and objection rights of data subjects under the GDPR which are mainly based on commercial feasibility and adequacy considerations. Specific provisions for the processing of employee data, for profiling activities as well as for scoring and credit scoring/ rating activities are also introduced. The Bill contains regulations for video surveillance of areas which are open for access by the public. It also specifies the competencies of the German supervisory authorities and criminal sanctions in case of non-compliance with data protection regulations.

The main provisions of the Bill will enter into force parallel to the GDPR on 25 May 2018.

German organisations should be aware that Germany maintains a strong role for the data protection officer.

For German organisations processing employee data should check the legal basis of any processing activities in consideration of the applicable German rules. This applies in particular to work contracts and related documentation, internal guidelines and works council agreements.

A copy of the Bill can be accessed here.

Submitted by Dr. Stefanie Hellmich, LL.M., Counsel in the IP/IT law department of Luther Rechtsanwaltsgesell-schaft - Frankfurt am Main, Germany in partnership with DAC Beachcroft LLP.