
EU GDPR vs. German Bundesdatenschutzgesetz – Similarities and Differences

BDSG vs GDPR and what to expect in the future

The purpose of personal data protection is the safeguarding of a person’s private life and other human rights and fundamental freedoms. Data protection is applied during all stages of the collection, processing and use of personal data. This article will give you an overview of the German Bundesdatenschutzgesetz (BDSG) in relation to the General Data Protection Regulation (GDPR). The new BDSG replaces its national predecessor, which has been in force for the last 40 years.

Historical overview of German personal data protection laws

| Year | The name of the Act | Description of the act |
|------|---------------------|------------------------|
| 1970 | Datenschutzgesetzgebung | The first law on data protection in the world (Hessen, Germany). |
| 1977 | Bundesdatenschutzgesetz BDSG / Federal Data Protection Act | The first German federal data protection act. |
| 1983 | Judgment of the German Constitutional Court | The court derived the fundamental right to informational self-determination from the general right to respect for personality. |
| 1990 | BDSG | The legislature adopted a new data protection law based on the decision of the German Constitutional Court. |
| 2001 | Amendments to BDSG | With these amendments of the Federal Data Protection Act (BDSG), the provisions of the EU Data Protection Directive 95/46/EC of October 1995 were finally implemented into national law. The Act contains a number of changes, in particular with regard to business activities. |
| 2009 | Amendments to BDSG | There were three amendments to the BDSG as a result of criticism from consumer advocates and numerous privacy scandals. |

Why was BDSG adopted?

The EU GDPR is the most important change in data privacy regulation in 20 years. Many European countries are preparing new laws in the area of personal data protection. Germany is among the first countries to adopt new laws for personal data protection that are harmonized with the GDPR.

Although one of the main purposes of the GDPR is to harmonise data protection laws across the EU, there are a number of areas in the GDPR (the so-called opening clauses) that give Member States the opportunity to introduce their own national data protection laws, and further specify the application of the GDPR. German legislators have been the first among the Member States to implement such provisions to supplement the GDPR.

The German Federal Council has now approved a new Federal Data Protection Act (FDPA). The BDSG will replace existing law when the GDPR 2016/679 comes into force in May 2018. The law is significant because Germany is the first Member State to issue its implementing law. An Act implementing the law is considered to be inherently more procedural (templates, procedures, deadlines, etc.), as it is the practical implementation of rules that already exist in the original legislation.

The new BDSG replaces its national predecessor, which has been in force for the last 40 years, and is the first step toward adapting German national law to the provisions of the GDPR.

It is important to keep in mind that the GDPR supersedes Member State laws and leaves only limited space for national law provisions. It is worth noting that most of the provisions of the BDSG that may arguably go beyond the scope of the GDPR are of limited practical relevance, since German courts and authorities must not apply provisions of the BDSG if they deem them contrary to European law. The law also applies to both the private and the public sectors.

Key elements of the BDSG

A number of distinctive elements of the new BDSG are summarised below.

Data protection officer. The German rules regarding the duty to appoint a data protection officer are stricter than those stipulated by Art. 37 GDPR. According to Sec. 38 BDSG, companies operating in Germany must designate a data protection officer if they constantly employ at least 10 persons dealing with the automated processing of personal data. Moreover, companies must also appoint a data protection officer if they undertake processing that is subject to a data protection impact assessment, pursuant to Art. 35 GDPR, or if they commercially process personal data for the purpose of transfer or anonymous transfer, or for purposes of market or opinion research.

The GDPR provides for a whole array of rights of data subjects in Articles 13 through 22 (duty of disclosure in the event of data collection, right of information, right of rectification and deletion, right to be forgotten, right of objection). Article 23 of the same law gives national legislatures the right to enact exceptions to those rights.

Fines. The GDPR stipulates administrative fines of up to €20 million or 4 per cent of the global revenue, whichever amount is higher. Violations which solely concern BDSG requirements will be limited to a maximum fine of €50,000, but this scenario will be rare in practice and only covers very specific cases, such as information duties referring to consumer loans. In all other cases, the high maximum fines stipulated by the GDPR apply.

Non-monetary damages. The new BDSG also defines non-monetary (in legal terms: non-pecuniary) damages. These are damages which are not readily quantified or valued in money, such as proposed compensation for pain and suffering. Data subjects (including employees) may claim damages for non-pecuniary damage. This is a new liability, which can result in substantial economic risks for the companies.

What to expect in the future

In consideration of the additional specificity of the new BDSG with respect to the GDPR, the German Data Protection Authorities are expected to issue future guidance to provide more legal certainty about its interpretation and application. The guidelines should certainly be issued by the European Commission in order to ensure uniform application and interpretation of the provisions of the GDPR.

The assumption is that the other states will also align their national legislation with the GDPR, as the main objective of the GDPR is to align the legal framework for the protection of personal data in Europe.

BDSG continues the German tradition of being the leading nation in personal data protection, but it still remains to be seen after May 25, 2018 exactly how much of it will be relevant.
