Germany - New law adopted to implement the GDPR
The German Federal Council has now approved a new Federal Data Protection Act (“new FDPA”) which will replace its existing law when the General Data Protection Regulation 2016/679 (“GDPR”) comes into force in May 2018. We consider why this law is needed and the implications for data protection compliance in Germany and across the EU.
Why do you need national law?
The GDPR heralds the biggest shake up to European data protection laws for twenty years. One of its main aims is to harmonise data protection laws across the EU; hence the choice of a Regulation.
As a Regulation, the majority of its provisions will apply directly in each Member State without the need for national law. However, some national variations are allowed (for example, to expand the situations in which a data protection officer will be needed) and some parts of the law still require national implementing legislation (such as the appointment and powers of a national regulator).
This means that national laws remain an important part of this new regime. They will have a significant effect on the enforcement of this law in practice and influence the extent to which the GDPR creates a genuinely harmonised single market for data processing.
Germany’s new data protection law
The first draft of the new FDPA was withdrawn due to strong criticism of the Federal Ministry of Justice and the Federal Data Protection Commissioner.
However, a revised draft of the new FDPA was adopted by the German parliament on 27 April 2017 and has now been approved by the Federal Council (Bundesrat). It will come into force as of 25 May 2018, the same day as the GDPR, and will completely replace the existing German data protection act. It will also implement the Data Protection Directive for the police and criminal justice sector (EU) 2016/680.
The law is significant because Germany is the first Member State to issue its implementing law. As such, it may well act as a template for many other Member States.
The most important provisions are summarised below. Please note there are a number of other changes that will apply to public bodies. These changes are not included in this summary.
The new FDPA applies where:
- the controller or processor processes personal data in Germany;
- the processing of personal data occurs in the context of activities of a German establishment of the controller or processor; or
- where a European establishment does not exist, the processing occurs within the territorial scope of the GDPR (Section 1 new FDPA)
In the event of contradictions between the new FDPA and the GDPR, the GDPR prevails (Section 1 para. 5).
Processing personal data of employees
Most importantly, the new FDPA contains extensive provisions on the processing of personal data of employees (Section 26). The GDPR allows Member States to implement more specific rules to protect personal data about employees. In this respect, the new FDPA inter alia provides for personal data to be processed where necessary for the employer to fulfil its rights and obligations in accordance with works council agreements.
Agreements with the works council are therefore expected to be used more extensively in the future as a means to justify the processing of employee personal data.
The new FDPA also permits an employee to consent to its employer processing personal data but only if there is no imbalance of powers (which would arise where the employee has a legal or commercial benefit when providing consent).
Furthermore, the new FDPA states that processing personal data of employees, including sensitive data, may be permitted on basis of collective bargaining agreements provided the negotiating partners comply with Article 88 GDPR, i.e. they will include specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights.
Additional grounds to process sensitive personal data
The new FDPA contains additional legal grounds for the processing of personal data, e.g. to carry out video-surveillance and profiling (Section 4 and Section 37).
Furthermore, extensive provisions on the processing of sensitive data without consent are included such as the processing of sensitive data for purposes of scientific or historical research or purposes of statistics (Section 27 and Section 28).
Broad obligation to appoint DPOs remains in place
The broad obligations in the current data protection law are retained. In addition to the requirement to appoint a data protection officer in the GDPR, a controller or processor regularly employing at least ten employees is obliged to appoint a data protection officer (Section 38).
Additional national sanctions
Besides the very significant fines which may be imposed on controllers or processors under the GDPR (up to EUR 20m or 4% of the annual turnover), the new FDPA includes fines of up to EUR 50,000 for breaches in the area of consumer credit (Section 30 and Section 41), such as not handling a request for information with regard to consumer credit properly, or not notifying the data subject correctly where there is a refusal of a consumer credit due to information received from a credit agency.
The new FDPA must be read and applied in parallel to the GDPR and therefore leaves room for interpretation in various respects. Future guidance issued by German data protection authorities should hopefully provide more legal certainty.
On a side note, whilst supporting the adoption of the new FDPA, the Federal Data Protection Commissioner Andrea Voßhoff has criticised the limited investigations competences granted to her office as being in breach of EU laws and the German Constitution.
By Dr Daniel Pauly and Dr Ingemar Kartheuser, Frankfurt, and Dr Konrad Berger, Munich