GERMANY

NAME OF STATUTE:

Gesetz zur Anpassung des Datenschutzrechts an die Verordnung (EU) 2016/679 und zur Umsetzung der Richtlinie (EU) 2016/680 (Datenschutz-Anpassungs- und -Umsetzungsgesetz) [Act to Adapt Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680 (Data Protection Adaptation and Implementation Act)], referred to below as BDSG-New.

Status: Adopted

LAWFULNESS OF PROCESSING (ART 6)

SPECIFYING PROVISIONS:

1. Processing for New Purposes: Non-public controllers can process personal data for purposes other than those for which the data were collected where, among other grounds, this is necessary for the establishment, exercise, or defense of civil claims, unless the data subject's interests in not having the data processed override (§ 24 BDSG-New).

2. Public Controllers: Public controllers who process data for law-enforcement purposes are subject to a separate regime for lawfulness of processing (§§ 45–85 BDSG-New).

CHILD'S CONSENT (ART 8)

No Deviation

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

ADDITIONAL/SPECIFYING PROVISIONS FOR HEALTH DATA:

  1. Processing for Medical Treatment: Sensitive data can be processed without prior consent of the data subject so long as medical personnel—or anyone with equivalent duties of confidentiality—are responsible for the processing for these purposes: (1) preventive medicine; (2) medical diagnosis; (3) providing care or treatment in the health-care or social-services fields; (4) managing systems or services in the health-care or social-services fields; (5) determining employees’ working capacity; or (6) any processing pursuant to a contract between an individual and a health professional.

  2. Health Care Company, Pharma, and Device-Related Processing: Sensitive data can be processed without prior consent of the data subject “to ensure high standards of quality” both “within the health care industry” and “for medicinal products and medical devices.”

  3. Mandatory Security Requirements: In order to process sensitive data without consent under the above, controllers must implement statutorily enumerated information security measures.

(See § 22 BDSG-New).
For more details, see Part 2 of our five-part series, An English-Language Primer on Germany’s GDPR Implementation Statute.

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

No Deviation

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

ADDITIONAL/SPECIFYING PROVISIONS:

1.  Automated Decisions in the Insurance Context:

(a) Automated decisions can be used without individual consent and appeal mechanisms if the individual receives everything he or she is asking for (e.g., receives the full value of a claim).

(b) For health insurance, no prior consent is necessary for automated decisions based on binding fee-for-service tables for medical procedures — but the insurer must inform the individual (at the time of full or partial denial) that a human appeal mechanism is in place. (See § 37 BDSG-New).

2. Credit Scoring: The German statute maintains Germany’s current regime for generating credit scores used in automated decisions, including: (1) only scientifically recognized statistical methods may be used to calculate scores; (2) scores cannot be based exclusively on address data, and if address data is used to calculate scores, individuals must be notified; and (3) only debts that have been the subject of a judgment, are uncontested, or are seriously delinquent can be included in credit scores. (See § 31 BDSG-New).

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

RESTRICTIONS ON SPECIFIED RIGHTS:

1.  Right to Information (Arts. 13/14 GDPR):

(a) Confidential Information: If companies collect data from sources other than the data subject, they do not have to provide privacy notices to the extent that doing so would reveal information considered confidential under German law (§ 29 BDSG-New).

(b) Follow-on Notices: Companies do not have to provide follow-on notices explaining that they are processing data for a new purpose if doing so would adversely affect the company’s establishment, exercise, or defense of legal claims (§ 33 BDSG-New).

2. Right of Access (Art. 15 GDPR):

(a) Confidential Information: Companies do not have to provide data in response to access requests if doing so would reveal information considered confidential under German law (§ 29 BDSG-New).

(b) Archive or Backup Data: Companies do not have to provide access to data that are stored only because statutory retention rules prevent their erasure, or that serve only data-protection control or backup purposes, provided that responding would require disproportionate effort and technical and organizational measures exclude processing for any other purpose (§ 34 BDSG-New).

3. Right of Erasure (Art. 17 GDPR): Companies have a limited exemption to individuals’ deletion rights if data is stored in a non-automated medium, deletion would require disproportionate effort, and the data subject has a comparatively minimal interest in deletion (§ 35 BDSG-New).

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

No Deviation

SECURITY OF PROCESSING (ART 32)

ADDITIONAL REQUIREMENT:

In order to process health and/or medical data without consent, controllers must implement statutorily enumerated “suitable and specific” security safeguards, including: (1) internal policies regulating secondary uses; (2) employee training; (3) appointing a data protection officer (DPO); (4) access controls; (5) logging and monitoring; (6) encryption and/or pseudonymization; (7) backups and rapid-restore procedures; and (8) periodic security self-audits. (See § 22 BDSG-New).

DATA BREACH (ART 33 & 34)

EXEMPTIONS:

1. Confidentiality Exemption for Notifications to Individuals: Companies do not have to provide breach notifications to individuals under Art 34 GDPR to the extent that doing so would reveal information that must be kept confidential under German law. (See § 29 BDSG-New).

2. Evidentiary Privilege for Breach Notifications: Breach notifications made to DPAs (under Art 33 GDPR) or communications to individuals (under Art 34 GDPR) cannot be used as evidence in fining procedures against the notifying organization without its consent. (See § 43(4) BDSG-New).

DATA PROTECTION OFFICER (ART 37(4))

SPECIFYING PROVISIONS:

1. Controllers & Processors: Both controllers and processors are subject to DPO obligations.

2. Duty to Appoint: Companies must appoint a DPO whenever:

a. They employ at least 10 people whose regular duties include processing personal data;

b. Their usual business includes processing data for purposes of transferring the data (e.g., data brokers), transferring the data anonymously, or market or opinion research; or

c. They conduct processing that requires a Data Protection Impact Assessment (DPIA) under Article 35 GDPR.

See § 38 BDSG-New.

3. Protected Employment:

a. DPOs cannot be fired unless employers can show facts that would permit the employee’s immediate termination for cause.

b. Internal DPOs who leave the DPO position maintain protected employment status for one year.

See § 6 BDSG-New.

4. Protected DPO Status:

A DPO cannot be removed from their position of DPO (even if not fired from the organization) unless the employer can show facts analogous to what would permit immediate termination for cause.  See § 6 BDSG-New.

DATA TRANSFER DEROGATIONS (ART 49(5))

No Deviation

POWERS SUPERVISORY AUTHORITIES (ART 58)

ADDITIONAL PROVISIONS:

1. Powers: The federal data protection commissioner has “the powers referred to in Article 58 of [the GDPR].” (§ 15 BDSG-New).

2. Tasks: In addition to the tasks listed in the GDPR, the federal data protection commissioner has the following tasks:

(a) To “monitor and enforce the application” of the data protection law.

(b) To “promote public awareness and understanding of the risks, rules, safeguards and rights in relation to the processing of personal data.”

(c) To advise the German legislature, federal government, and other institutions on “legislative and administrative measures” relating to data protection.

(d) To “promote the awareness of controllers and processors of their obligations” under the German privacy law.

(e) Upon request, to “provide information to any data subject concerning the exercise of their rights under … data protection legislation,” and to “cooperate with the supervisory authorities in other Member States to that end.”

(f) To “handle complaints lodged by a data subject” and investigate the complaint.

(g) To “cooperate with … and provide mutual assistance to other supervisory authorities, to ensure the consistency of application and enforcement of … data protection legislation.”

(h) To “conduct investigations on the application of … data protection legislation.”

(i) To “monitor relevant developments, … in particular the development of information and communication technologies and commercial practices.”

(j) To provide advice when law enforcement agencies request prior consultation.

(k) To “contribute to the activities of the European Data Protection Board.”

(See § 14 BDSG-New).

3. State DPAs: Note that the powers and tasks of the 16 state-run DPAs are set forth in each state’s data protection statutes.

CLASS ACTIONS (ART 80 (2))

No Deviation

ADMINISTRATIVE SANCTIONS (ART 83)

SPECIFYING PROVISIONS:

1. Fines: For the assessment of fines under German law, the procedures of Germany’s Regulatory Offenses Act apply. Summarized briefly, German DPAs can issue a fine notice against companies. The company can object to the fine, after which the matter is forwarded via the public prosecutor to the local court (Amtsgericht) for review. However, if a fine exceeds €100,000, the regional court (Landgericht) reviews the fine instead. (See § 41 BDSG-New).

2. Administrative Actions other than Fines: Administrative actions other than fines (e.g., injunctions, suspensions of transfers) are governed under Germany’s administrative procedure rules. These measures are appealable to German administrative courts.

RESTRICTION PROVISIONS:

Germany’s new data protection statute states that Germany’s Act on Regulatory Offenses (Gesetz über Ordnungswidrigkeiten, OWiG) governs the imposition of fines under the GDPR. Generally speaking, under the Act, misconduct is only attributed to an organization, such that it can serve as a basis for a fine against the organization, if the violation of law was committed by an employee or agent in a leadership position, or was committed by a subordinate whom persons in leadership positions negligently failed to supervise (§§ 30, 130 OWiG).

PENALTIES (ART 84)

SPECIFYING PROVISIONS:

Penalties are permitted up to the full amounts envisioned by the GDPR. For the assessment of fines under German law, the procedures of Germany’s Regulatory Offenses Act apply. (See § 41 BDSG-New).

HR PROCESSING (ART 88)

SPECIFYING PROVISIONS:

1. Employment Relationship as Basis for Processing:

(a) Personal data of employees may be processed for employment-related purposes when necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract.

(b) Sensitive data may also be processed in the HR context “if it is necessary to exercise rights or comply with legal obligations derived from labour law, social security and social protection law, and there is no reason to believe that the data subject has an overriding legitimate interest in not processing the data.”

2. Works Council Agreement as Legal Basis for Processing: The processing of personal data, including special categories of personal data of employees for employment-related purposes, shall be permitted on the basis of collective agreements—but Works Council Agreements must satisfy Art 88(2) GDPR.

(See § 26 BDSG-New).

3. NOTE: Numerous other provisions relating to HR privacy are set forth in other German statutes and decisions of the German labor courts.

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH OR STATISTICAL PURPOSES (ART 89)

DEROGATING PROVISION:

1. Sensitive data can be processed for scientific research or statistical purposes without prior consent of the data subjects if “such processing is necessary for these purposes and the interests of the controller in processing substantially outweigh those of the data subject in not processing the data.” However, sensitive data “shall be rendered anonymous as soon as the research or statistical purpose allows, unless this conflicts with legitimate interests of the data subject.”

2. Data subject rights of access, correction, restriction, and objection are restricted “to the extent that these rights are likely to render impossible or seriously impair the achievement of the research or statistical purposes, and such limits are necessary for the fulfilment of the research or statistical purposes.”

(See § 27 BDSG-New).

OBLIGATIONS OF SECRECY (ART 90)

SPECIFYING PROVISIONS:

1. Secrecy obligations in German law are set forth in non-data-protection law.

2. German DPAs do not have power to require production or seize data subject to obligations of secrecy when held by privilege-carrying professionals listed in § 203 of the German Criminal Code. This restriction also applies to processors engaged by such privilege-carrying professionals. (See § 29(3) BDSG-New).