Germany adopts security breach notification obligation and other amendments to the German Data Protection Act
As of 1 September 2009 the German Data Protection Act will be amended to introduce a security breach notification obligation and to increase the fines for violations of data protection law. The amendments also change the rules on marketing and add protection for employee data.
Security Breach Notification
The amendments introduce a security breach notification obligation into German data protection law. In case of an unlawful transfer of, or unauthorised third-party access to, certain specific types of data, both the data subjects and the data protection authorities must be actively notified of the breach. The obligation covers (i) sensitive data, (ii) criminal records, (iii) bank or credit card account details, (iv) personal data subject to a legal privilege (such as data held by lawyers and doctors), and (v) customer data or traffic/usage data held by telecommunication operators and providers of electronic information and communication services. Notification is required if the breach is likely to have a "serious impact" on the rights of the individuals concerned, whereby the seriousness is determined by both the type of data involved and the possible consequences of the breach. The authorities and the data subjects must be notified without delay once measures have been taken to contain the breach and as soon as notification no longer impedes law enforcement. If the breach affects a large number of data subjects, notification may take place through an announcement in at least two national newspapers.
Fines for failure to comply with the data protection obligations will be increased from EUR 25,000 to EUR 50,000 per violation and from EUR 250,000 to EUR 300,000 for more serious violations. If a commercial benefit was obtained as a result of the violation, even higher fines may be imposed, in proportion to the benefit realised.
Change in marketing rules
The amendments also change the marketing rules under German law. The 'list privilege', which allowed marketers to trade contact details amongst themselves without the consent of the data subject, will be abolished. All processing of personal data for marketing purposes (including its sale) will require an 'opt-in' from the data subject. The requirement of prior consent may be replaced by an 'opt-out' only in certain exceptional cases, such as (i) where the personal data is used to market the data controller's own products and was obtained from the data subject or from a public directory (phone book, etc.), (ii) for advertising in relation to business-to-business transactions, or (iii) for charitable purposes. If data is transferred for marketing purposes, the original source of the data has to be named. Furthermore, the data may be used for the direct marketing of third-party products only if the advertisement states the identity of the data controller responsible for the data. These new requirements apply to all personal data collected after 1 September 2009. Personal data collected before 1 September 2009 may be used under the old privilege until the end of the transition period on 31 August 2012. After this date, the opt-in requirement will apply retroactively to all personal data used for direct marketing, including data collected before 1 September 2009. Companies will therefore have to review the basis upon which personal data for direct marketing was obtained before the 31 August 2012 compliance deadline.
Provisions regarding protection of employee data
As of 1 September 2009, new provisions regarding employee data apply. The apparent intention of the German legislator was only to codify the rules that already applied to the processing of employee data. However, the relevant provisions appear to be more restrictive in certain respects. The main rule is that employee data may be processed only where this is necessary for decision-making when establishing, maintaining or terminating an employment relationship. For the purpose of detecting criminal offences, employee data may be processed only if there is a concrete suspicion against the employee affected and documented evidence supports this suspicion. Read literally, this would allow an employer to conduct an internal investigation only when it already holds documented evidence of a criminal offence committed by the employee. This is stricter than the present requirements and would have a significant impact on internal compliance programmes aimed at preventing criminal offences. The first reaction in the German legal community is that this is a drafting error on the part of the legislator that will be corrected in the near future.
Other amendments to the German Data Protection Act taking effect on 1 September 2009 include additional protection for corporate data protection officers, additional powers for the data protection authorities, new rules on scoring, and a wider application of the principles of data avoidance and data minimisation.