What does this cover?
The new German Federal Registration Act (Bundesmeldegesetz – BMG) (the Act) entered into force on 1 November 2015 and it has led to a complete reorganisation of the German system of civil registration. At the centre of the Act are requirements which must be observed when requesting and providing civil register information.
Register information plays an important role in daily advertising activities of German companies, in particular in order to be able to keep their own database up to date and to be able to follow up on address changes of customers.
For business as that obtain information from the registers, in particular to keep their customer databases up to date, the new statutory provisions are of major importance. The Act differentiates between three different types of information: the simple information from the civil register, the extended information from the civil register and group information. Of particular relevance to the private sector is simple information. Simple information from the civil register may only be obtained for individuals on a case by case basis which have to be clearly identified in each individual case. The information is limited to the surname, given names, doctoral degree and the current address of the individual.
Under the previous legal framework simple information from the civil register was not tied to the condition of a specific interest of any kind in the information. Also the party requesting the information did not need to explain what purpose the data obtained should serve. For those companies that trade in addresses it was of particular importance that the use of data for other purposes or repeated use of data was not expressly excluded, however, this position changes significantly under the Law. If the data requested is used "for commercial purposes", the requesting party has to disclose this intention in the request. If the data is obtained for advertising purposes or the purpose of address trading, information from the register will only be provided with the prior consent of the person affected (opt-in). Consent to the data being forwarded for advertising purposes may be granted by the individual directly to the registration offices as a general consent for all requests or individually to the respective requesting company. The registration offices shall verify on a random basis, whether the companies requesting the information are in possession of the respective declarations of consent. Violations may be punished with a fine.
In future, companies may only use the data from the civil register for the specific purpose for which the data was transmitted (i.e. it introduces a strict purpose limitation). This means that data obtained may no longer be used again in another context. The intention of the legislator is to protect the citizens against so-called "shadow registers" and address pooling. Address pooling is a highly controversial practice where data obtained as simple information from the civil register is not only used for the purpose stated when requesting the information but is fed into a data pool and then used for additional purposes and made available to other parties interested in the information. Up until now, this very common practice of address traders was not expressly forbidden, however, the Act has now declared this practice to be illegal.
What action could be taken to manage risks that may arise from this development?
As financial services companies are likely to require up to date addresses of their customers, they should take measures in order to take adequate account of the new Act. In particular, it is advisable to carefully assess the contractual relationships with companies that trade in addresses that might have been employed in the past both in economic and legal terms.
Particular attention should be paid to ensure that such companies are placed under adequate contractual obligations in compliance with the Act, in particular with regard to the duty of purpose limitation and the corresponding obligations to delete data. It should also be contractually clarified how to deal with the requirement of consent stipulated in the Act and to find clear contractual arrangements concerning the responsibilities in this regard.
In addition, to mitigate the impact of the Act, financial services companies should consider ensuring the necessary quality of their data by means of additional processes / measures, independent of the civil register procedure. Financial services companies may consider providing for a regular process where customers are directly requested to update their data.
Submitted by Diana Wilfer, Solicitor at Luther Rechtsanwaltsgesellschaft – Frankfurt, Germany in partnership with DAC Beachcroft.