The German Data Protection Amendment Act ("GDPAA") was passed on 5 July 2017 and enters into force on 25 May 2018. Only one section, which establishes the right of DPAs to file an action, took effect immediately on the day after publication of the GDPAA, i.e. on 6 July 2017.
The parliaments of both the Bund (federal level) and the German Federal States ('Bundesländer', regional level) are now adapting further federal and Federal State law and sector-specific law to the GDPR. Most of these procedures are still ongoing, but some have been finalised.
At the federal level, the so-called Second German Data Protection Amendment and Implementation Act is being prepared; it will adapt a very large number of federal laws (including, inter alia, the German Civil Code, the eGovernment Act, the BSI Act and the Social Security Codes) to the GDPR requirements. The draft of this "omnibus law" has not yet been published, and the legislative process will likely not begin before summer 2018.
The Federal States are also amending their laws to meet the GDPR requirements. Only some of these legislative procedures have been completed so far; many are still ongoing.
In the following Federal States the respective acts have been promulgated:
Almost all opening clauses are used. GDPR-regulated areas are combined with out-of-scope areas such as law enforcement and national security.
The GDPAA was passed on 5 July 2017. There is no estimated deadline for the data protection laws of the German Federal States ('Bundesländer') or for sector-specific data protection laws.
Areas where Member States must have local laws:
Yes - § 35 of the new German Federal Data Protection Act ('FDPA') exempts the controller from its obligation to erase personal data where, in the case of non-automated processing, erasure is impossible or only possible with disproportionately high effort and the data subject's interest in erasure is only minor; in that case the restriction of processing takes the place of erasure. § 27(2) FDPA restricts the data subjects' rights subject to certain further requirements.
Yes - § 42 FDPA: imprisonment or a fine for (1) the unlawful transfer or making accessible, for commercial purposes, of non-publicly accessible personal data of a large number of individuals; (2) the unlawful processing of non-publicly accessible personal data for money or with the intent of enriching oneself or a third person or of harming another person; (3) the fraudulent obtaining of non-publicly accessible personal data for money or with the same intent. These are personal criminal offences that attach to the responsible individual rather than to the company.
§ 43 FDPA: administrative fines for failing to handle an information request properly, or for failing to inform a consumer, or to do so fully, correctly and within the prescribed time limits.
Areas where Member States may have local laws:
Yes - § 22 FDPA permits the processing of sensitive data where it is necessary for the purposes of, for example, preventive medicine, the assessment of an employee's working capacity, medical diagnosis, the provision of health or social care or treatment, the management of health or social care systems and services, or a contract with a health professional, provided that the data are processed by or under the responsibility of a person subject to an obligation of professional secrecy; and for reasons of public interest in the area of public health (for example, to ensure high standards of quality and safety of health care and of medicinal products or medical devices). Such processing is only permitted if "suitable and specific" safeguards are taken to protect the data.
§ 29(2) FDPA restricts the transmitting body's obligation to inform the data subject when data are transmitted to persons subject to professional secrecy obligations, such as lawyers; § 29(3) FDPA protects persons subject to professional secrecy obligations and limits the DPA's powers of access; § 13(4) FDPA binds the Federal Commissioner to secrecy.
§ 27 FDPA permits the processing of sensitive data without consent:
- for scientific or historical research purposes; and
- for statistical purposes,
provided that the processing is necessary for these purposes and the controller's interest in the processing significantly outweighs the data subject's interest in having the processing excluded.
The controller must apply "suitable and specific" measures to safeguard the data subject's interests.
The provision also restricts data subjects' rights in the context of processing for research and statistical purposes, and sets out requirements for the publication of such data.
§§ 32-37 FDPA contain further (general) restrictions of data subjects' rights based on Art. 23 GDPR.
§ 26 FDPA constitutes the legal basis for processing employee data. The new rule largely retains the framework of the current rules on processing HR data. Processing of employee data is generally permitted if it is necessary for establishing, carrying out or terminating the employment relationship (NB: subject to interpretation based on existing case law and DPA guidance). The GDPAA maintains the current restrictions on processing for the investigation of criminal conduct and now expressly mentions works agreements or service agreements ('Betriebs-' or 'Dienstvereinbarungen') and collective bargaining agreements as a possible legal basis for processing HR data (§ 26(4) FDPA).
§ 26 FDPA also contains certain justifications for the use of special categories of employee data ("sensitive data") and a definition of the term "employee". The GDPAA further clarifies consent, in particular the circumstances in which consent is "freely given" in an employer-employee relationship: legal and economic advantages for the employee are considered in this respect, and the explanatory memorandum to the GDPAA refers, for example, to the private use of company IT or the receipt of health benefits. Under certain conditions, § 24(2) FDPA permits a change of purpose for sensitive data in the HR context.
Yes - § 22 FDPA sets out a general framework for the processing of sensitive data, including rules on health data (there is no explicit restriction to genetic or biometric data). Such processing is only permitted if "suitable and specific" safeguards are taken to protect the data. The safeguards may include technical and organisational measures, pseudonymisation, encryption, the appointment of a Data Protection Officer ("DPO"), etc.
§ 38 FDPA: a DPO must always be appointed where (1) as a rule at least ten persons are constantly engaged in the automated processing of personal data; or, regardless of the number of persons involved in the processing, (2) the controller carries out processing that requires a DPIA; or (3) personal data are processed commercially for the purpose of transfer, anonymised transfer, or market or opinion research.
This means that the threshold for appointing a DPO is much lower in Germany than under the GDPR itself (Art. 37 GDPR). The German legislator has largely kept the previous framework.
Telemedia Act (“Telemediengesetz”, “TMG”)
The TMG contains special data protection rules for providers of Information Society Services ("Telemedia") in Germany. According to public information from the Federal Ministry of the Interior (BMI), the Ministry is currently not planning to propose an amendment of the TMG. It will therefore be a matter of legal interpretation in the individual case which of its data protection provisions are superseded by the GDPR and which remain applicable. Companies operating online are strongly advised to monitor further developments.
Telecommunications Act (“Telekommunikationsgesetz”, “TKG”)
The Federal Ministry of the Interior (BMI) has announced that it will put forward a proposal for a law adapting the Telecommunications Act to the GDPR, but this proposal is not yet public.
The TKG will likely be changed substantially in the provisions that lay down sector-specific data protection rules for the telecommunications sector (sections 91-107 TKG). These provisions must be amended wherever they conflict with the GDPR and cannot be based on the ePrivacy Directive in conjunction with the exception in Article 95 GDPR. Substantial changes to this part of the TKG are therefore likely, but details have not yet been published.