On 5 July 2017, the new German Data Protection Act (BDSG-new) was officially published in the Federal Gazette. BDSG-new will fully replace the current German Federal Data Protection Act (BDSG) and is intended to adjust the German legal framework to the new European General Data Protection Regulation (GDPR). Both BDSG-new and the GDPR will become effective 25 May 2018.
Some of the most important provisions of BDSG-new relate to sensitive data, employee data protection, the obligation to appoint a data protection officer and the use of scoring data.
Special Categories of Personal Data (Sensitive Data)
BDSG-new imposes a highly sophisticated regime for so-called special categories of personal data (sensitive data). These are personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation. Under GDPR, it is generally prohibited to process such data unless specific exceptions apply. BDSG-new widens the scope of these exceptions and clarifies, for example, that sensitive data may be processed if necessary in order to provide health care services. In this case, BDSG-new requires that proper and specific measures are taken to safeguard the patient's interests. These measures may include the encryption of personal data, the performance of awareness-raising training for personnel involved in the data processing activities and the implementation of technical and organizational data security measures.
Employee Data Protection
GDPR does not extend to employee data protection which, accordingly, is still an area to be governed by national laws. Although this had been discussed for many years, the German legislature eventually decided against implementing a comprehensive reform of the regulatory regime for the processing of employee data. Instead, the employee data protection rules under BDSG-new widely correspond to the existing rules under BDSG. Accordingly, the processing of employee data will remain possible if it is necessary for setting up, performing, or terminating an employment relationship. There are, however, also some important changes. Collective agreements, for example, that are concluded between a company and its works council and which allow the company to process employee data, will in the future also have to comply with the GDPR obligation to ensure that the employee's human dignity, legitimate interests, and fundamental rights are properly safeguarded.
Data Protection Officer
BDSG-new imposes the obligation to appoint a data protection officer upon companies which have 10 or more employees permanently engaged in the automated processing of personal data. The regulation restates the respective provisions under the current German data protection legislation and is based on an option under the GDPR which allows EU member states to introduce their own national requirements for the appointment of data protection officers.
Scoring Data
BDSG-new imposes numerous conditions that must be met before scoring data can be used to decide whether or not to enter into, perform, or terminate a contract with an individual. This includes the requirement that the factual basis on which the credit rating of an individual is calculated may not be limited to the individual's address data. In addition, BDSG-new also clarifies that information about outstanding claims against an individual may only be shared with credit agencies if the claims are uncontested or confirmed by a court.
Now that the details of Germany's new data protection law have officially been published and will enter into effect (together with the GDPR itself) in less than a year, companies which are doing, or are planning to do, business in Germany should soon start analyzing whether they are compliant not only with the GDPR but also with the requirements set forth under BDSG-new.