Tatjana ZrinskiThe purpose of personal data protection is the safeguarding of a person’s private life and other human right and fundamental freedoms. Data protection is applied during all stages of the the collection, processing and use of personal data. This article will give you an overview of the German Bundesdatenschutzgesetz (BDSG) in relation to the General data protection regulation (GDPR). The new BDSG replaces its national predecessor, which has been in force for the last 40 years.
The new BDSG is the first step toward adapting national German member State law to the provisions of the GDPR.
Historical overview of German personal data protection laws
Why was BDSG adopted?
The EU GDPR is the most important change in data privacy regulation in 20 years. Many European countries are preparing new laws in the area of personal data protection. Germany is among the first country to adopt new laws for personal data protection that are harmonized with the GDPR.
Although one of the main purposes of the GDPR is to harmonise data protection laws across the EU, there are a number of areas in which the GDPR (the so-called opening clauses) that give Member States the opportunity to introduce their own national data protection laws, and further specify the application of the GDPR. German legislators have been the first among the Member States to implement such provisions to supplement the GDPR.
The German Federal Council has now approved a new Federal Data Protection Act (FDPA). The BDSG will replace existing law when the GDPR 2016/679 comes into force in May 2018. The law is significant because Germany is the first Member State to issue its implementing law. An Act implementing the law is considered to be inherently more procedural (templates, procedures, deadlines, etc.), as it is the practical implementation of rules that already exist in the original legislation.
The new BDSG replaces its national predecessor, which has been in force for the last 40 years, and is the first step toward adapting national German member State law to the provisions of the GDPR.
It is important to keep in mind that the GDPR supersedes member State laws and leaves only limited space for national law provisions. It is worth noting that most of the provisions of the BDSG that may arguably go beyond the scope of the GDPR are of limited practical relevance, since German courts and authorities must not apply provisions of the BDSG if they deem them contrary to European law. The law also applies to both the private and the public sectors.
Key elements of the BDSG
A number of distinctive elements of the new BDSG are summarised below.
Data protection officer. The German rules regarding the duty to appoint a data protection officer are stricter than those stipulated by Art. 37 GDPR. According to Sec. 38 BDSG, companies operating in Germany must designate a data protection officer if they constantly employ at least 10 persons dealing with the automated processing of personal data. Moreover, companies must also appoint a data protection officer if they undertake processing that is subject to a data protection impact assessment, pursuant to Art. 35 GDPR, or if they commercially process personal data for the purpose of transfer or anonymous transfer, or for purposes of market or opinion research.
The GDPR provides for a whole array of rights of data subjects in Articles 13 through 22 (duty of disclosure in the event of data collection, right of information, right of rectification and deletion, right to be forgotten, right of objection). Article 23 of the same law gives national legislatures the right to enact exceptions to those rights.
Fines. The GDPR stipulates administrative fines of up to €20 million or 4 per cent of the global revenue – depending on which amount is higher. Violations which solely concern BDSG requirements law will be limited to a maximum fine of €50,000, but this scenario will be rare in practice and only covers very specific cases, such as information duties referring to consumer loans. In all other cases, the high maximum fines stipulated by the GDPR apply.
Non-monetary damages. The new BDSG also defines non-monetary (in legal terms: non-pecuniary) damages. These are damages which are not readily quantified or valued in money, such as proposed compensation for pain and suffering. Data subjects (including employees) may claim damages for non-pecuniary damage. This is a new liability, which can result in substantial economic risks for the companies.
What to expect in the future
In consideration of the additional specificity of the new BDSG with respect to the GDPR, the German Data Protection Authorities are expected to issue future guidance to provide more legal certainty about its interpretation and application. The guidelines should certainly be issued by the European Commission in order to ensure uniform application and interpretation of the provisions of the GDPR.
The assumption is that the other states will also align their national legislation with GDPR as the main objective of GDPR is to align the legal framework for the protection of personal data in Europe.
BDSG continues the German tradition of being the leading nation in personal data protection, but it still remains to be seen after May 25, 2018 exactly how much of it will be relevant.
To learn about the steps in the GDPR implementation, download this free Diagram of the EU GDPR implementation process.