The new German Privacy Act
Changes in privacy law lie ahead: on 25 May 2018 not only the EU General Data Protection Regulation (GDPR) but also the new German Privacy Act (BDSG-new) will apply. The BDSG-new complements, specifies and modifies the GDPR. It provides rules for specific topics, e.g. data processing in the context of employment, the designation of a data protection officer (DPO), scoring and credit checks, and profiling.
The following summary gives a brief overview of the background and scope of the BDSG-new (Part I) and its most important rules (Part II), as well as advice on the implementation of the new rules in private companies (Part III).
- Part I: Background and context of the BDSG-new
- Part II: Main provisions of the BDSG-new
- Part III: Advice for private companies
Part I: Background and context of the BDSG-new
1. Current legal situation and upcoming changes
Currently the German privacy rules and regulations are set out in the following laws:
- The German Privacy Act (Bundesdatenschutzgesetz – BDSG) provides for general rules and requirements for data processing in the public as well as in the private sector.
- Several German laws provide specific privacy rules for specific topics, e.g. for telemedia and telecommunications providers as well as for certain industries (e.g. banking and energy).
Because the GDPR brings major changes to European privacy law (see article: “EU General Data Protection Regulation – What remains? What changes?”), the current German privacy rules and regulations are also changing.
The reason for the changes in national privacy law is that the GDPR contains about 70 opening clauses which allow the EU Member States to enact national privacy rules that supplement, specify and modify the GDPR. The opening clauses concern, e.g., the lawfulness of processing, commissioned data processing, the obligation to designate a data protection officer (DPO), rules on supervisory authorities, and data processing in specific situations such as data processing in the context of employment or for journalistic, academic and literary purposes.
The German legislator made use of the opening clauses and drafted the BDSG-new to adapt German privacy law to the requirements of the GDPR and of the EU Privacy Directive for Police and Justice (EU Directive 2016/680). The BDSG-new will replace the current BDSG on 25 May 2018.
Furthermore, the privacy rules for specific topics are currently being revised and are to be adapted to the requirements of the GDPR by May 2018. Various amendments are currently being discussed in the German Bundestag, the national Parliament of Germany. Some rules, especially those regarding telemedia, will be subject to the EU ePrivacy Regulation that is currently being drafted by the European legislator.
2. Approach of the German legislator and criticism
The new rules are based on a national-centric and business-friendly approach of the German legislator, probably intended to support new digital developments and to improve Germany as a business location. According to the official justification of the BDSG-new, restrictions of the rights of the data subject were included in order to reduce the implementation costs for private companies.
Nevertheless, this approach has faced criticism from privacy experts, who say that the German legislator may have exceeded its legislative competence by setting rules that are not covered by the opening clauses provided by the GDPR.
This leads to uncertainty for data controllers (a controller is whoever determines the purposes and means of the processing of personal data, Art. 4 No. 7 GDPR) and processors (a processor is whoever processes personal data on behalf of the controller, Art. 4 No. 8 GDPR). As an EU regulation, the GDPR is considered a superior rule of law. For this reason, national law must be in line with the GDPR. If a national law is not in line with the GDPR, the country violates its obligation of loyalty under Art. 4 of the Treaty on European Union (EUV), which may lead to an infringement procedure against this country. Furthermore, there is a risk that courts and supervisory authorities will not apply the law because they consider it to be a violation of European law. Currently it is not clear whether all rules in the BDSG-new are in line with the GDPR and whether controllers and processors can base their privacy-related decisions on these rules.
The extensive use of opening clauses by the EU Member States may result in a variety of national privacy laws that require a higher privacy implementation and compliance effort from international private companies.
3. Relation to other rules
In general, the rules of the BDSG-new do not apply if the GDPR is applicable (Sec. 1 V BDSG-new), because the GDPR is considered a superior rule of law. That means that, as far as privacy rules are set by the GDPR, EU Member States are not allowed to enact national rules. Only where the GDPR provides for opening clauses is there room for national rules. However, rules of the BDSG-new that fall within the opening clauses override the rules of the GDPR.
Privacy rules for specific topics override the general rules of the BDSG-new (Sec. 1 II BDSG-new). However, these rules themselves have to comply with superior EU law.
4. Scope of the BDSG-new
The BDSG-new applies to public bodies (e.g. public authorities) as well as private bodies (natural and legal persons, other kinds of private companies). Whereas the rules regarding public bodies are comprehensive, the BDSG-new includes only some specific rules for private companies.
For private companies the law provides for the following scope:
Like the GDPR, the BDSG-new applies to the processing of personal data wholly or partly by automated means (e.g. computer-based data processing) and by non-automated means (e.g. manual processing, paper records) if the data are intended to form part of a filing system (Sec. 1 I BDSG-new). The law does not apply to data processing in a purely private context.
Regarding the territorial scope, the BDSG-new applies to controllers and processors
- that process personal data in Germany (territory principle, Sec. 1 IV Nr. 1 BDSG-new),
- that process personal data in the context of the activities of an establishment in Germany (establishment principle, Sec. 1 IV Nr. 2 BDSG-new),
- that do not have an establishment in Germany but fall within the scope of the GDPR (Sec. 1 IV Nr. 3 BDSG-new).
In other words: the BDSG-new also applies to private companies that neither have an establishment in Germany nor process personal data in Germany, but e.g. offer goods or services in Germany or monitor the behavior of data subjects in Germany (marketplace principle, Art. 3 GDPR).
To ensure the international enforcement of the German and European privacy rules, Art. 50 GDPR requires supervisory authorities and the EU Commission to take measures to develop international cooperation, to provide international mutual assistance, to engage relevant stakeholders in discussions and activities, and to promote the exchange and documentation of privacy legislation and practice.
Part II: Main provisions of the BDSG-new
For private companies the BDSG-new sets rules, e.g. for:
- video surveillance of public places (Sec. 4 BDSG-new),
- data processing for purposes other than those initially intended (Sec. 24 BDSG-new),
- data processing in the context of employment (Sec. 26 BDSG-new),
- data processing related to consumer credits (Sec. 30 BDSG-new),
- scoring and credit checks (Sec. 31 BDSG-new),
- limitation of rights of the data subject (Sec. 32-37 BDSG-new),
- designation of a DPO (Sec. 38 BDSG-new),
- administrative fines and criminal provisions (Sec. 41-43 BDSG-new),
- procedural rules for private and public lawsuits (Sec. 20, 44 BDSG-new).
The most important rules include:
1. The designation of a DPO
The BDSG-new provides stricter rules for the designation of a DPO. According to Sec. 38 BDSG-new, controllers and processors have to designate a DPO if at least 10 persons are regularly engaged in the processing of personal data wholly or partly by automated means.
2. Data processing in the context of employment
The BDSG-new also provides specific rules for data processing in the context of employment:
According to Sec. 26 BDSG-new, personal data of employees may be processed for employment purposes, e.g. if the processing is necessary to enter into, perform or terminate an employment relationship or to perform a collective agreement. Personal employee data may also be processed to reveal a criminal offence if there are sufficient documented indications that the employee has committed a crime during the employment relationship, if the data processing is necessary to reveal the crime, and if doing so is not unreasonable.
Sec. 26 BDSG-new also provides rules on when an employee's consent is freely given and valid, and on the processing of special categories of data in an employment context.
3. Scoring and credit checks
According to Sec. 31 BDSG-new, the use of scoring and credit checks is subject to certain requirements. Scoring may only be used if the privacy rules are met, if relevant data are used, and if the score is based on acknowledged, reliable mathematical-statistical methods. A score may not be determined solely on the basis of address data. If address data are used, the law requires that the data subject be informed in advance.
4. Criminal law provisions
According to Sec. 42 BDSG-new, certain data protection infringements are considered criminal offences and can be punished with up to three years' imprisonment or a fine, e.g. if personal data are transferred illegally to third parties or otherwise made accessible on a large scale and for commercial purposes, or if personal data are obtained by fraud for the purpose of enrichment or to harm others.
Part III: Advice for private companies
1. Find out if you are affected
The BDSG-new does not only apply to German companies (see Part I, 4.). Companies that do not have an establishment in Germany should evaluate whether they fall within the scope of the BDSG-new and may have to meet its requirements.
2. Determine which rules have to be met
The rules of the BDSG-new that restrict the rights of the data subject (Sec. 32-37 BDSG-new) and allow the processing of special categories of personal data (Sec. 22, 24, 27 BDSG-new) are subject to criticism by privacy experts (see Part I, 2.). These rules should be considered less reliable, as they might be affected by future regulatory developments. On the other hand, the rules that complement and specify the GDPR, e.g. the rules on data processing in the context of employment (Sec. 26 BDSG-new) and on the designation of a DPO (Sec. 38 BDSG-new), are likely to be more reliable.
Additionally, depending on the business model, it may be necessary to implement specific rules of the BDSG-new, e.g. regarding data processing in the context of scoring, credit checks and consumer credits (Sec. 30, 31 BDSG-new), data processing for scientific research or statistical purposes (Sec. 27 BDSG-new), and the video surveillance of public places (Sec. 4 BDSG-new).
3. Combine the implementation
The GDPR sets out the main privacy rules. As the GDPR and the BDSG-new will both apply from 25 May 2018, the time schedule for the implementation is the same for both.
We recommend combining the implementation of the GDPR and the relevant rules of the BDSG-new.
4. Keep your eyes open
With the GDPR and the BDSG-new, the main rules that will be relevant in the area of privacy in the future are set. However, private companies should be prepared for further amendments and specifications of European as well as German privacy law, in particular regarding the technical and organizational privacy measures.
Therefore, we recommend keeping an eye on the upcoming legal developments while implementing the new privacy requirements.