Germany

Overview

Stage of legislative progress 
Eg. pre-consultation, in consultation

German Data Protection Amendment Act ("GDPAA") passed on 5 July 2017 and enters into force on 25 May 2018. Only one section, which established the right of DPAs to file an action, took immediate effect on the day after the publication of the GDPAA, i.e. on 6 July 2017.

The data protection laws of the German Federal States ('Bundesländer') and sector-specific data protection laws will need to be adapted.

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

GDPR is treated like a Directive. Almost all opening clauses are used. GDPR-regulated areas are combined with out-of-scope-areas such as law enforcement and national security.

Timescale for implementation 
Eg. pre-consultation, in consultation

GDPAA passed on 5 July 2017. No estimated deadline for data protection laws of the German Federal States ('Bundesländer') and sector-specific data protection laws.


Areas where Member States must have local laws:

Personal data and freedom of expression 

Yes - § 35 exempts the controller from its obligation to erase personal data where, in the case of non-automated data processing, erasure is impossible or only possible with disproportionately high effort, and the data subject has only a minor interest in erasure. § 27(2) restricts the data subjects' rights, subject to certain further requirements.

Penalties

Yes - § 42: Imprisonment or a fine for (1) unlawful transfer / making accessible of non-publicly accessible personal data of a large number of individuals for commercial purposes; (2) unlawful processing of non-publicly accessible personal data if done for money or with the intent of obtaining enrichment for himself or a third person, or of damaging another person; (3) fraudulent obtaining of non-publicly accessible personal data if done for money or with the intent of obtaining enrichment for himself or a third person, or of damaging another person (personal offences based on individual responsibility).

§ 43: Fines for failing to handle an information request appropriately, or for failing to inform a consumer, or to inform them fully and correctly and within the prescribed time limits.


Areas where Member States may have local laws:

Professional secrecy 

Yes - § 22 permits the processing of sensitive data if the processing is necessary for the purpose of, for example, preventive medicine, employee working capacity assessments, medical diagnosis, health and social care treatments, management of systems, agreements with health professionals (and their staff) where data is provided under the obligation of professional secrecy, and for reasons of public interest in the area of public health (as required, for example, to ensure high quality and security standards for health services, drugs or medical products). However, such processing is only possible if certain safeguards are taken to protect such data ("suitable and specific" safeguards).

§ 29(2) restricts the transmitting body's obligation to provide the data subject with information when transmitting data to lawyers etc.; § 29(3) protects persons subject to professional secrecy obligations and limits DPA access requests; § 13(4) binds the Federal Commissioner to secrecy.

Scientific, historical or statistical purposes 

Yes - § 27 permits processing of sensitive data without consent for scientific or historical research and for statistical purposes if the processing is necessary for these purposes and the data controller’s interest to process that data significantly outweighs the data subject’s interest. To safeguard the interests of the data subject, the data controller must apply certain "suitable and specific" measures. The provision also contains additional restrictions of the data subjects' rights in the context of a processing for research and statistical purposes, setting out the requirements for the publication of such data.

§§ 32-37 also contain other (general) restrictions of data subjects' rights on the basis of Art. 23 GDPR.

Employment 

Yes - § 26 constitutes a legal basis for the processing of employment data. The new rule keeps more or less the framework of the current rules on processing of HR data. As under the current German Federal Data Protection Act, the processing of employee data is generally allowed if necessary for establishing, carrying out or terminating the employment relationship (NB: subject to interpretation based on existing case law and guidance of DPAs). The GDPAA maintains the current restrictions for investigations of criminal conduct and now expressly mentions works or service agreements (collective agreements) and collective bargaining agreements as possible legal bases for the processing of HR data.

§ 26 also contains certain justifications for the use of special categories of employee data ("sensitive data") and a definition of the term "employee". The GDPAA further provides clarification on consent, such as the circumstances under which consent is "freely given" in an employer-employee relationship. Legal and economic advantages are considered in this respect; the reasoning of the GDPAA refers, for example, to the use of IT for private purposes or to receiving health benefits. Under certain conditions, § 24(2) permits a change of purpose for sensitive data in the HR context.

Personal data of deceased persons 

No

Children online

No

Special rules for special categories of data

§ 22 stipulates a general framework for the processing of sensitive data, including rules on health data.

Genetic, biometric or health data

Yes - § 22 stipulates a general framework for the processing of sensitive data, including rules on health data (no explicit restriction to genetic/biometric data). Such processing is, however, only possible if "suitable and specific" safeguards are taken to protect such data. The safeguards may include technical and organisational measures, pseudonymisation, encryption, the appointment of a Data Protection Officer ("DPO"), etc.

Designation of a Data Protection Officer

Yes - § 38: A DPO must always be appointed when (1) more than 10 persons regularly take part in the processing of personal data; or, regardless of the number of persons involved in the processing of personal data, (2) whenever a DPIA has to be carried out; or (3) whenever personal data is processed for the purpose of commercial transfer, anonymised transfer, or market research and opinion polls.

This means that the threshold for the appointment of a DPO is much lower in Germany than under the GDPR. The German legislator has more or less kept the current framework.

National identification numbers/any other identifier of general application

No


Other:

Any other areas under discussion

n/a