Mastering the German Federal Data Protection Act (BDSG-New): A Deep Dive

On May 25, 2018, Germany entered a new era of data protection. On that day, the GDPR as well as the German BDSG-new went into effect. This marked a significant milestone, shaping global data privacy and setting the stage for enhanced regulations within Germany.

The BDSG-new, with its 70+ opening clauses, allows Germany to modify and complement GDPR while adhering to its core principles. But what does this mean for data subjects, and how can they enforce their privacy rights? Which organizations must comply, and how can one avoid infringing German data protection laws? This blog post will dive into these questions, providing all the essential details.

German Data Privacy Laws

Germany’s data protection laws revolve around three main legislations:

1. The General Data Protection Regulation (GDPR): Adopted by the EU in 2018, it replaced the Data Protection Directive and imposed stricter requirements for data controllers and processors.
2. The New Federal Data Protection Act (BDSG-new): Replacing its predecessor on May 25, 2018, it aligns German privacy laws with GDPR and the EU-Privacy Directive.
3. The TTDSG: Introduced on December 1, 2021, addresses sector-specific data protection regulations, particularly for electronic communications and Telemedia providers.

History of data privacy in Germany

Germany’s journey in data protection dates back to post-World War II, with Hesse passing the world’s first national data protection law. The Federal Data Protection Act of 1978 laid the foundation for principles and established the Federal Commissioner for Data Protection role. Landmark cases in the 1990s and the GDPR’s rollout in 2018 shaped Germany’s evolving data protection landscape.

Scope of Application for Germany’s Data Protection Laws

Understanding the territorial and legal scope of Germany’s data protection laws is crucial. The BDSG-new applies not only to public bodies but also private entities. Compliance is essential for businesses within or outside the EU, especially if data processing activities are traceable to Germany.

Key components of Germany’s BDSG-New

The BDSG-new introduces unique requirements, such as the mandatory appointment of data protection officers for organizations processing personal data with the involvement of at least twenty individuals. It also provides added protection for data subjects in employment and sets conditions for scoring and credit checks.

Notable Provisions with a Focus on Non-Public Sector:

Data Protection Officer (DPO):

The Act broadens the scope of DPOs. Companies engaging at least 10 individuals in automated processing must appoint a DPO. A DPO is mandatory for specific purposes like data transfer, anonymized transfer, or research, regardless of employee numbers. Employees serving as DPOs are safeguarded against dismissal for a year post-term, barring exceptional reasons.

Employee Data:

The Act necessitates written consent for employee data processing unless circumstances justify oral or electronic consent. Consent is obligatory for exceptions, such as using an employee’s photo in marketing materials, potentially requiring amendments to works agreements.

Data Subjects Rights:

The Act mirrors GDPR-introduced data subject rights, including rectification, erasure, and data portability. Access to personal data is restricted if stored based on retention provisions or solely for security/control reasons, with further limitations if access requires unreasonable efforts.

Processing Special Categories of Personal Data:

The Act permits the processing of special categories of personal data without consent for specific purposes, subject to predefined conditions. Staff handling such data must adhere to confidentiality agreements and comprehend associated risks.

Employee Data Protection:

Section 26 of the 2018 BDSG, derived from Article 88 of the GDPR, addresses employee data protection. While the rules remain patchy, Section 26 covers a broad scope, including agency workers, homeworkers, apprentices, and job applicants. It permits the processing of personal data in employment if required to establish, perform, or terminate the employment relationship.

German Federal Data Protection Law vs. GDPR

While the GDPR supersedes the BDSG-new in many instances, the 70+ opening clauses grant exceptions. In cases where GDPR allows, the BDSG-new takes precedence, offering more specific regulations.

Data Protection Officers (DPOs):

• The GDPR (Article 37) determines whether a Data Protection Officer (DPO) must be appointed. Authorities are mandated to appoint a DPO.
• For private companies, the German BDSG (Section 38) specifies that a DPO must be appointed if, as a rule, at least 20 persons in a company are permanently involved in the automated processing of personal data. This requirement is in addition to the provisions of the GDPR.

Authorization to Process (Legal Basis):

• Legal permissions for processing personal data are detailed in Article 6 of the GDPR.
• Section 26 of the BDSG outlines specific legal permission applicable to employment. The personal data of employees may be processed for employment-related purposes.

Impact Assessment:

• The GDPR (Article 35) outlines a data protection impact assessment requirement under certain conditions.
• The German BDSG (Section 26) imposes specific impact assessment obligations, notably in the context of microtargeting.

Profiling, Automated Decision-Making, Big Data Analysis, and AI:

• These advanced processing methods are recognized as posing a higher risk to the rights and freedoms of data subjects.
• The GDPR requires an impact assessment for profiling operations.
• Article 21 of the GDPR restricts automated individual decision-making with legal effects.
• Section 37 of the BDSG introduces further permits for automated decision-making.

Data Protection Enforcement and Fines in Germany

Data protection laws are now more than just guidelines, with enforcement actions carrying significant consequences. German Data Protection Authorities (DPAs) regulate compliance and can impose fines based on the severity of violations. 

In Germany, the framework for data protection supervision adheres to a federal model. The highest authority in this structure is the Federal Commissioner for Data Protection, entrusted with the oversight of federal authorities and telecommunications entities—a central figure in the data protection landscape.

Moreover, each of Germany’s 16 Federal States (Bundesländer) has its own dedicated data protection authority. These authorities play a crucial role in overseeing and regulating data processing activities conducted by public and private entities, focusing on companies operating within the respective Federal State. This decentralized structure ensures that data protection measures are effectively enforced at the regional level, tailoring oversight to the specific needs and contexts of each Federal State. 

Of paramount importance is the autonomy vested in each data protection authority. Mandated by the GDPR (Article 52(2)), this independence was a focal point of discourse in German data protection law discussions pre-GDPR. This autonomy ensures an unbiased and rigorous approach to data protection matters.

What’s obvious is that the country’s regulatory framework reflects a commitment to robust data protection and data collection in Germany. Through collaborative initiatives and independent supervisory bodies, the system strives for a harmonized and effective enforcement approach, ensuring data protection measures’ integrity.

General Overview of the BDSG-New Components

In Sections 1–44 of the BDSG, additional regulations are outlined to provide a more detailed framework for data controllers’ rights and responsibilities under the GDPR. These sections define the practical aspects of data protection in specific situations.

Moving on to Sections 45–85 of the BDSG, the focus shifts to implementing the EU Directive 2016/680 provisions. This directive concerns authorities’ processing of personal data, specifically addressing its use for crime prevention and prosecution. These sections of the BDSG work to translate the broader principles of the EU directive into actionable measures within the German legal context, ensuring a comprehensive approach to handling personal data in the context of law enforcement activities.

How to comply with Germany’s data protection laws

Navigating Germany’s data protection landscape requires a comprehensive understanding of relevant laws and a proactive approach to compliance. Stay informed, implement necessary measures, and respect user privacy to reap the benefits of a lawful and responsible data processing environment.