When the General Data Protection Regulation becomes applicable on May 25, 2018 it will not replace the German Federal Data Protection Act (BDSG). "Full harmonization" is not envisaged: the General Data Protection Regulation (GDPR) contains opening clauses in many places that allow national legislatures to adopt rules that diverge from it. How the Federal Ministry of the Interior views the relationship between the EU Regulation and the BDSG can be seen from the second draft bill of the "Law on the Adaptation of the Data Protection Act to Regulation (EU) 2016/679 and the Implementation of Directive (EU) 2016/680 (Data Protection Adaptation and Implementation Act, DSAnpUG-EU)" dated November 11, 2016. The Cabinet is scheduled to decide on this bill before the end of January 2017, and adoption of the new law is anticipated in the second half of 2017.
Companies that must adapt their procedures by May 2018 to both the GDPR and the revised BDSG therefore have precious little time.
The GDPR contains no substantive rules of its own on employee data protection; the permission the BDSG grants employers to process employee data will however continue to apply. Article 88 GDPR allows Member States to adopt more specific provisions to protect the rights and freedoms of employees when their personal data are processed in the employment context, in particular for recruitment, the performance of the employment contract, and the planning and organization of work. Section 32 BDSG already permits the processing of data required for the initiation, performance or termination of an employment relationship. This rule is to be carried over largely unchanged into section 24 of the revised BDSG, supplemented by a definition of who counts as an employee.
As before, firms retain the right to regulate data protection matters internally through works agreements. Works agreements already in place must, however, be brought into line with the new requirements of the GDPR. Because renegotiating works agreements on IT applications, data protection, and automated monitoring of conduct and performance takes considerable time, this work should begin at the earliest opportunity.
Changes of purpose
The rules on changes of purpose have also drawn criticism: the revised BDSG simplifies them considerably compared with both its predecessor and the GDPR. Under the new law, a change of purpose to avert threats to national security or public safety or to prosecute criminal offenses (section 23(2) no. 1 of the revised BDSG), to safeguard the legitimate interests of the data controller (no. 2), or to establish, exercise or defend legal claims (no. 3) will no longer require a prior assessment.
Data Protection Officer
The obligation to appoint a Data Protection Officer (DPO) in companies has thus far been a distinctive feature of the German Data Protection Act. The distinction between automated and non-automated processing is now to be dropped in favor of the more easily manageable concept of "processing." In future, the obligation to appoint a DPO is to apply to enterprises that, as a rule, employ at least ten people on an ongoing basis in the processing of personal data. The obligation likewise applies if the data controller or processor carries out processing that is subject to a data protection impact assessment pursuant to Article 35 GDPR, or if data are transferred for business purposes, whether anonymized or not, for market research or opinion polling. All this lends extra significance to the new data protection impact assessment.
Rights of the data subject
The GDPR provides for a whole array of data subject rights in Articles 13 through 22 (information duties when data are collected, the right of access, the rights to rectification and erasure including the "right to be forgotten," and the right to object), while Article 23 GDPR allows national legislatures to enact restrictions on those rights. The Federal Ministry of the Interior has taken a markedly more business-friendly approach, so that the revised BDSG contains many exceptions for enterprises. Sections 30 through 35 of the revised BDSG set out the rights of data subjects in greater detail.
Under Article 83 GDPR, violations of the rights of data subjects and non-compliance with orders of the supervisory authorities can be punished by fines of up to EUR 20 million or, in the case of an undertaking, up to 4 percent of its total worldwide annual turnover of the preceding financial year, whichever is higher.
In addition, section 40 of the revised BDSG provides for fines of up to EUR 300,000 for anyone who, acting for a data controller or processor, intentionally or negligently commits one of the violations listed in Article 83 GDPR. The revised BDSG also provides for a prison sentence of up to two years for certain deliberate violations (those listed in Article 83(5) GDPR) committed in return for payment, for financial gain, or with the intention of causing harm. Both points were already regulated in a similar fashion in the current BDSG, although the GDPR imposes a greater number of obligations whose breach can be penalized. It is questionable whether fines of up to EUR 300,000 under the revised BDSG, layered on top of the GDPR's own sanctions, will be "effective, proportionate and dissuasive" as Article 84 GDPR requires, particularly when set against the fines that can be imposed on undertakings under Article 83 GDPR.
The revised BDSG implements an EU Directive, even if only in part, and will apply alongside the General Data Protection Regulation. From a business perspective, the draft of the revised BDSG with its numerous exceptions is a step in the right direction. From the perspective of data subjects, the current draft raises the concern that the standard of German data protection is set to fall. Businesses will also find it harder to apply the GDPR and the BDSG in tandem and to meet the requirements of both during the transition to the new data protection regime. The final form of the revised BDSG is in any case not yet known. Companies should nevertheless be urged not to wait until the revised BDSG enters into force.