In December 2008, the government issued a bill on the regulation of data protection audits, and on certain amendments to the German Federal Data Protection Act (Bundesdatenschutzgesetz – “BDSG”).
Special Protection from Ordinary Dismissal for Internal Data Protection Officer
According to the draft bill, if a data controller has appointed an internal data protection officer (“DPO”), such officer will in the future enjoy special protection from ordinary dismissal. It will only be possible to dismiss the internal DPO based on extraordinary termination without notice for good cause. In addition, the internal DPO will remain protected from ordinary dismissal for one year after his revocation from the position of DPO, except for the already named exception of an extraordinary termination. The data controller will be obliged to enable the DPO to participate in professional training programs at the data controller’s cost.
Since the dismissal protection can only apply to DPOs who are employed by the data controller, one might consider filling this position with an external DPO. The necessary extent of integration of the DPO into the organization will also have to be taken into consideration; this argument could speak against the choice of an external DPO. Further consideration should be given to filling the position of internal DPO with a person who already falls within the scope of special dismissal protection, such as a member of the works council or the immission control officer. Such an amalgamation of functions may help avoid extending protection from ordinary dismissal to a number of employees, provided, however, that such persons have the required expertise.
Act on the Audit of Data Protection
The provision on data protection audits will be extracted from the BDSG and implemented as a separate act. The draft bill on data protection audits contains provisions regarding the competences and duties of the control sites, the qualification requirements of its personnel, and the supervision by the respective competent authorities. The conduct of a data protection audit will be voluntary.
It will be possible to have data concepts and data processing equipment and programs audited by the control site. In case of a positive evaluation, the data protection concept or the offered IT equipment may carry a data protection audit seal.
In order to achieve a positive evaluation, it is required that:
- The data processing for which the data processing concept or the respective equipment is intended abides by the provisions on the protection of personal data
- Certain guidelines for the improvement of data protection and security that will be implemented are adhered to
- In the case of a supplier with a national registered office, the provisions regarding the organizational position of the DPO are adhered to
- These requirements are controlled in accordance with the intended control mechanisms
The processing and use of personal data for the purposes of address dealing, for advertisement, and for polling and marketing surveys, will be subject to the consent of the data subject. Such consent must unequivocally relate to these purposes, e.g., by specific means such as individual checking of a box, individual signature or other measure.
Only certain personal data that is summarized in a list or other form may be used without consent in exceptional circumstances. Such use will only be permissible if it is necessary for the respective purpose, i.e., data that is not required for the specific purpose may not be processed. Only data regarding the membership of the data subject in a certain group of persons, his/her occupation, industry or business, his/her name, title, academic degree and address, and his/her year of birth, may be used.
Notification Duties in Case of Data Loss
The draft introduces a notification obligation for cases in which third parties illegitimately gain knowledge of personal data. A data controller will have to inform the respective authority and the concerned data subjects without undue delay if certain data stored by the data controller has been transmitted illegitimately, or if third parties have by other means gained knowledge of the data, and material detriment to the rights or interests meriting protection of the data subject is impending. This data includes, inter alia, specific kinds of personal data, such as data relating to religion, health, or racial or ethnic origin, but also bank and credit card details.
The data subjects must be notified as soon as the prosecution would no longer be endangered by such notification. However, the data protection authority must be notified immediately. If an individual notification of each data subject would require an unreasonable effort, it may be replaced by a public announcement.
Increase of Fines
The draft bill contains an increase of administrative fines and an expansion of the schedule of fines. The upper limit of the fines has been raised to €50,000 for breaches of formalities, and to €300,000 for material breaches. The fine shall exceed the economic advantage gained through the breach of the data protection provisions. If the named amounts do not suffice to fulfill this purpose, they may be exceeded, even beyond €300,000.
Coming into Force
The changes to the BDSG are scheduled to come into force on July 1, 2009. However, the draft bill allows for a transition period of three years for the data processing for advertisement and address dealing: if the data was collected before July 1, 2009, the new regulation will only apply as of July 1, 2012.
It is an open secret that, at least until now, the consequences of non-compliance with data protection laws in day-to-day business were in most cases of a more theoretical nature. However, within recent months the coverage of data protection mishaps in large-scale enterprises and of proceedings against data controllers initiated by the supervisory authorities has increased. The public perception of non-compliance with data protection regulations has changed, and the legislative actions taken until now are presumably not the last ones. In light of the most recent incidents in large enterprises regarding the comparison of business processes with employee data, this concerns in particular the so-called employee data protection (Beschäftigtendatenschutz).
Some of the German states intend to increase the capacities of their data protection authorities, or have already done so. It is therefore advisable for companies to take data protection more seriously in the future than they have in the past. Companies also have the possibility to cooperate with the supervisory authorities in order to jointly develop legally compliant processes.