GDPR – Draft of the German Implementation Act
At the end of February the German federal cabinet published its governmental draft bill for a new Federal Data Protection Act (“BDSG-neu”). The bill responds to the need for legislative amendments arising from the EU General Data Protection Regulation (GDPR), which will apply with binding effect to all enterprises as of 25 May 2018. The governmental draft was preceded by a ministerial draft bill of the Federal Ministry of the Interior [Bundesministerium des Innern, BMI] in November 2016; a provisional working version of that draft had already been leaked from the BMI in August and was withdrawn shortly thereafter.
Despite the full harmonisation it fundamentally aims at, the GDPR contains opening clauses for various regulatory areas which allow the Member States to concretise, supplement or amend its provisions through national law. Opening clauses exist, for example, for the practice-relevant area of employee data protection (cf. Art. 88 GDPR), for the question of whether the appointment of a company data protection officer is mandatory (Art. 37 Sec. 4 GDPR), for the information enterprises must provide to data subjects, and for the fines to be imposed upon natural persons (Art. 84 GDPR).
The revisions of relevance to enterprises include, inter alia, the following aspects:
- Employee data protection: Sec. 26 BDSG-neu, which governs the handling of employees’ personal data, essentially corresponds to the previously applicable provision on employee data protection (Sec. 32 BDSG). It also clarifies that data protection rules in the employment context may still be agreed in works agreements. Whether the provision as a whole will withstand the requirements of the GDPR, however, remains to be seen.
- Data subjects’ rights to information: compared with the previous legal situation, the GDPR grants data subjects extended rights to notification and information from enterprises. In its Secs. 32 et seq., by contrast, the BDSG-neu restricts these rights by releasing enterprises from their notification obligation towards data subjects where, for example, providing the information would require “disproportionate effort” or would seriously jeopardise the generally recognised business purposes of the controller. Here too, it is questionable whether the new provision is valid under the GDPR or whether the courts will declare it invalid.
- Company data protection officer: finally, Sec. 38 BDSG-neu stipulates that enterprises remain obliged, as before, to appoint a company data protection officer [betrieblicher Datenschutzbeauftragter, bDSB] if they permanently employ ten or more persons in the automated processing of personal data. The same applies, inter alia, to enterprises whose processing requires a data protection impact assessment (Art. 35 GDPR).
On the whole, the governmental draft bill, which from the industry’s perspective at first glance appears predominantly favourable to enterprises, will not be without its problems. During an implementation period that is short to begin with, enterprises will have to decide which standard to use as the basis for their internal planning and implementation of the new European data protection law by May 2018: the lower standards of the BDSG-neu, which are less legally secure in the light of their possible invalidity under the GDPR, or the higher but more legally secure standards of the GDPR itself. This creates considerable legal uncertainty. It also remains to be seen whether the governmental draft bill will be adopted unamended in its current version and thereby become law.