Gesetz zur Anpassung des Datenschutzrechts an die Verordnung (EU) 2016/679 und zur Umsetzung der Richtlinie (EU) 2016/680 (Datenschutz-Anpassungs- und -Umsetzungsgesetz) (Act to Adapt Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680 (Data Protection Adaptation and Implementation Act))
1. Processing for New Purposes:
2. Public Controllers:
ADDITIONAL/SPECIFYING PROVISIONS FOR HEALTH DATA:
(See § 22 BDSG-New).
For more details, see Part 2 of our five-part series, An English-Language Primer on Germany’s GDPR Implementation Statute.
1. Automated Decisions in the Insurance Context:
2. Credit Scoring: The German statute maintains Germany’s current regime for generating credit scores used in automated decisions, including: (1) only scientifically recognized statistical methods may be used to calculate scores; (2) scores cannot be based exclusively on address data, and if address data is used to calculate scores, individuals must be notified; and (3) only debts that have been the subject of a judgment, are uncontested, or are seriously delinquent can be included in credit scores. (See § 31 BDSG-New).
RESTRICTIONS ON SPECIFIED RIGHTS:
1. Right to Information (Arts. 13/14 GDPR):
2. Right of Access (Art. 15 GDPR):
3. Right of Erasure (Art. 17 GDPR):
In order to process health and/or medical data without consent, controllers must implement statutorily enumerated “suitable and specific” security safeguards, including: (1) internal policies regulating secondary uses; (2) employee training; (3) appointing a data protection officer (DPO); (4) access controls; (5) logging and monitoring; (6) encryption and/or pseudonymization; (7) backups and rapid-restore procedures; and (8) periodic security self-audits. (See § 22 BDSG-New).
1. Confidentiality Exemption for Notifications to Individuals:
2. Evidentiary Privilege for Breach Notifications:
1. Controllers & Processors: Both controllers and processors are subject to DPO obligations.
2. Duty to Appoint: Companies must appoint a DPO whenever:
a. They employ at least 10 people whose regular duties include processing personal data;
b. Their usual business includes processing personal data for the purpose of transferring it (e.g., data brokers), transferring it in anonymized form, or conducting market or opinion research; or
c. They conduct processing that requires a Data Protection Impact Assessment (DPIA) under Article 35 GDPR.
See § 38 BDSG-New.
3. Protected Employment:
a. DPOs cannot be fired unless employers can show facts that would permit the employee’s immediate termination for cause.
b. Internal DPOs who leave the DPO position maintain protected employment status for one year.
See § 6 BDSG-New.
4. Protected DPO Status:
A DPO cannot be removed from their position of DPO (even if not fired from the organization) unless the employer can show facts analogous to what would permit immediate termination for cause. See § 6 BDSG-New.
2. Tasks: In addition to the tasks listed in the GDPR, the federal data protection commissioner has the following tasks:
(a) To “monitor and enforce the application” of the data protection law.
(c) To advise the German legislature, federal government, and other institutions on “legislative and administrative measures” relating to data protection.
(f) To “handle complaints lodged by a data subject” and investigate the complaint.
(k) To “contribute to the activities of the European Data Protection Board.”
(See § 14 BDSG-New).
3. State DPAs: Note that the powers and tasks of the 16 state-run DPAs are set forth in each state’s data protection statutes.
2. Administrative Actions other than Fines:
Germany’s new data protection statute provides that Germany’s Act on Regulatory Offenses (Gesetz über Ordnungswidrigkeiten) governs the imposition of fines under the GDPR. Generally speaking, under the Act, a violation can be attributed to an organization, and thus serve as the basis for a fine against it, only if it was committed by an employee or agent in a leadership position, or by a subordinate whose supervision by leadership was negligent.
Penalties are permitted up to the full amounts envisioned by the GDPR. For the assessment of fines under German law, the procedures of Germany’s Regulatory Offenses Act apply. (See § 41 BDSG-New).
1. Employment Relationship as Basis for Processing:
(a) Personal data of employees may be processed for employment-related purposes when necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract.
(b) Sensitive data may also be processed in the HR context “if it is necessary to exercise rights or comply with legal obligations derived from labour law, social security and social protection law, and there is no reason to believe that the data subject has an overriding legitimate interest in not processing the data.”
2. Works Council Agreement as Legal Basis for Processing:
(See § 26 BDSG-New).
3. NOTE: Numerous other provisions relating to HR privacy are set forth in other German statutes and decisions of the German labor courts.
1. Sensitive data can be processed for scientific research or statistical purposes without prior consent of the data subjects if “such processing is necessary for these purposes and the interests of the controller in processing substantially outweigh those of the data subject in not processing the data.” However, sensitive data “shall be rendered anonymous as soon as the research or statistical purpose allows, unless this conflicts with legitimate interests of the data subject.”
(See § 27 BDSG-New).
1. Secrecy obligations in German law are set forth in non-data-protection law.
2. German DPAs do not have the power to compel production of, or to seize, data that is subject to secrecy obligations when it is held by the privilege-carrying professionals listed in § 203 of the German Criminal Code. This restriction also applies to processors engaged by such privilege-carrying professionals. (See § 29(3) BDSG-New).