Comprehensive Guide to German Federal Data Protection Act (BDSG) and Data Privacy Laws

Are you navigating the ever-evolving landscape of German data privacy laws? Feeling overwhelmed by acronyms like BDSG, TTDSG, and GDPR? You're not alone! In this blog post, we'll cut through the legalese and shed light on the German data protection laws.

What are the German data privacy laws?

In 2018, Germany joined the EU-wide effort to strengthen data privacy with the General Data Protection Regulation (GDPR). But the country didn't stop there. It also enacted the Bundesdatenschutzgesetz (BDSG), a national law that fine-tunes the GDPR for the German context.

The BDSG serves two main purposes:

• Filling in the gaps: The GDPR offers Member States some flexibility in interpreting its data processing requirements. The BDSG exercises this flexibility, clarifying and specifying certain aspects of the GDPR for German businesses and individuals.
• Strengthening law enforcement: Part 3 of the BDSG implements the EU's Law Enforcement Directive, ensuring consistent data protection practices in investigations and criminal proceedings across Europe.

But data protection in Germany goes beyond the BDSG. Various sector-specific laws, like those for finance and energy, have their own data protection rules.

And as of December 2021, the Telekommunikation-Telemedien-Datenschutzgesetz (TTDSG) brought much-needed clarity to the telecommunications and telemedia sector. This law addresses a long-standing uncertainty about how existing data protection regulations applied to these areas in light of the GDPR. It also transposes the EU's "cookie consent" requirement into German law, ensuring more transparency and control for users when it comes to cookies and online tracking.

In short, Germany's approach to data protection is comprehensive and multi-layered. The BDSG, TTDSG, and other sector-specific laws work together to create a robust legal framework that empowers individuals and holds organizations accountable for responsible data handling.

What is the Federal Data Protection Act (BDSG)?

The Federal Data Protection Act (BDSG), known as Bundesdatenschutzgesetz in German, is a crucial piece of legislation governing data protection and privacy in Germany. It serves as the national law implementing the provisions of the European Union's General Data Protection Regulation (GDPR) within the country. The BDSG sets out specific regulations and guidelines concerning the collection, processing, and storage of personal data by both public and private entities operating within Germany's jurisdiction.

The BDSG outlines the rights of data subjects, obligations for data controllers and processors, rules for data transfers, and procedures for data protection authorities' oversight and enforcement. It also establishes penalties for non-compliance with its provisions, including fines and other measures aimed at ensuring accountability and safeguarding individuals' rights to privacy and data protection.

Does the federal data protection law apply to me?

Whether the BDSG applies to you depends on a few factors:

1. Location:
   - If you are a resident of Germany, then the BDSG applies to you: This means you have various rights and protections regarding your personal data under the law.
   - If you are not a resident of Germany, then the BDSG generally does not apply to you directly: However, it might still be relevant if:
   a) You are a data controller or processor processing the personal data of German residents: In this case,you would need to comply with the BDSG in addition to any other applicable data protection laws.
2. b) Your activities involve the transfer of personal data from Germany to another country: The BDSG has regulations governing international data transfers that you might need to comply with.
3. Personal data:
   - The BDSG applies to the processing of personal data: This includes any information that can be used to identify an individual, such as their name, address, email address, phone number, IP address, cookies, etc.
   - If you are not processing personal data, then the BDSG does not apply to you.

In addition to the above, it's always recommended to consult with a legal professional for specific advice on whether the BDSG applies to your situation. They can take into account the specifics of your activities and data processing practices to provide accurate and tailored guidance.

What are the data subject rights under BDSG?

1. Right to Information and Access: Data subjects have the right to obtain transparent information about the processing of their personal data. This includes details about the purposes of the processing, the categories of personal data being processed, the recipients or categories of recipients to whom the data is disclosed, and the envisaged retention periods. Additionally, data subjects have the right to request access to their personal data held by data controllers.
2. Right to Rectification: Data subjects have the right to request the rectification of inaccurate or incomplete personal data concerning them. Upon receiving such a request, data controllers must promptly correct any inaccuracies or update incomplete information.
3. Right to Erasure (Right to be Forgotten): Data subjects have the right to request the erasure of their personal data under certain circumstances. This includes situations where the data is no longer necessary for the purposes for which it was collected, the data subject withdraws consent, or the data processing is unlawful.
4. Right to Restriction of Processing: Data subjects have the right to request the restriction of the processing of their personal data in specific situations. This may include situations where the accuracy of the data is contested by the data subject, the processing is unlawful, or the data controller no longer needs the data for its original purpose.
5. Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and have the right to transmit that data to another data controller without hindrance from the original data controller.
6. Right to Object: Data subjects have the right to object to the processing of their personal data, including processing based on legitimate interests pursued by the data controller or for direct marketing purposes. Upon receiving such an objection, data controllers must cease processing the personal data unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject.
7. Right to Withdraw Consent: Where the processing of personal data is based on consent, data subjects have the right to withdraw their consent at any time. Data controllers must inform data subjects of their right to withdraw consent and provide them with an easy and accessible way to do so.

Lawfulness of processing under BDSG

Determining the lawfulness of processing under the BDSG involves navigating its complexities and understanding how it interacts with the GDPR. Here are some key points to consider:

General Principles

• Lawfulness, fairness, and transparency: All processing of personal data must be lawful, fair, and transparent.
• Purpose limitation: Data can only be collected and processed for specific, explicit, and legitimate purposes.
• Data minimization: Only the minimum amount of personal data necessary for the intended purpose can be collected and processed.
• Accuracy: Personal data must be accurate and, where necessary, kept up to date.
• Storage limitation: Personal data should not be stored for longer than necessary for the purposes for which it was processed.
• Integrity and confidentiality: Appropriate technical and organizational measures must be implemented to protect personal data from unauthorized access, disclosure, alteration, or destruction.
• Accountability: The data controller is responsible for ensuring compliance with the lawfulness of processing principles.

Legal Bases for Processing

The BDSG, similar to the GDPR, identifies six legal bases for processing personal data:

1. Consent: The data subject freely and specifically gives informed consent for the processing.
2. Contract performance: Processing is necessary for the performance of a contract with the data subject.
3. Legal obligation: Processing is necessary to comply with a legal obligation.
4. Vital interests: Processing is necessary to protect the vital interests of the data subject or another person.
5. Public interest: Processing is necessary for the performance of a task carried out in the public interest.
6. Legitimate interests: Processing is necessary for the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the datasubject.

BDSG-Specific Conditions

• Video surveillance: Processing personal data through video surveillance requires additional justification and notification requirements.
• Genetic testing: Genetic testing can only be conducted with informed consent and under specific conditions.
• Profiling: Profiling with potential for automated decision-making requires transparency and the right to object.

Does the BDSG require a Data Protection Officer (DPO)?

Yes, the BDSG can require a Data Protection Officer (DPO) in certain situations, similar to the GDPR, but with some additional stipulations specific to Germany.

Whether the BDSG requires a DPO depends on two factors: the number of employees involved in data processing and the nature of the processing activities.

Number of employees

• Generally, the BDSG requires a DPO if a controller or processor continuously employs at least 20 people dealing with the automated processing of personal data. This applies regardless of the nature of the processing activities.
• However, even if you have fewer than 20 employees, you may still be required to appoint a DPO if your processing activities involve:
  - High-risk processing, such as large-scale monitoring of individuals or processing of sensitive data like health information.
  - Regular and systematic processing of special categories of personal data, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of unique identification, or data concerning a person's sex life or sexual orientation.

Nature of processing activities

• The BDSG also considers the nature of the processing activities when determining whether a DPO is required. This means that even if you have 20 or more employees, you may not need a DPO if your processing activities are considered low-risk.
• For example, if your business only collects and processes basic personal data for administrative purposes, you may not be required to appoint a DPO.
• However, if your business engages in high-risk processing activities, such as those mentioned above, you are more likely to be required to appoint a DPO, regardless of the number of employees you have.

Additional factors

• The BDSG allows for flexibility in the appointment of a DPO. You can appoint an internal employee, an external service provider, or a group of people to act as your DPO.
• The DPO must be independent and have the necessary expertise and qualifications. They must not be subject to any instructions that could interfere with their duties.

The BDSG does not have a blanket requirement for all businesses to appoint a DPO. The requirement depends on the number of employees involved in data processing and the nature of the processing activities. If you are unsure whether you need to appoint a DPO, it is recommended to consult with a legal professional specializing in data protection law.

How to handle data transfers under BDSG?

Transferring personal data outside of Germany under the BDSG requires careful consideration and compliance with specific regulations. Here's a breakdown of how to handle data transfers responsibly:

1. Assess the transfer: Determine the data being transferred, the country receiving the data, and the legal basis for the transfer.
2. Identify applicable legal framework: The BDSG and the GDPR both play a role, and additional sector-specific rules might apply.
3. Choose a transfer mechanism: Several mechanisms are available under the GDPR and BDSG, each with its own requirements and suitability. Here are some key options:
   - Adequacy decision: Choose a country deemed by the European Commission to provide adequate data protection (currently none apply to Germany).
   - Standard contractual clauses (SCCs): Use pre-approved contracts between the sender and recipient that guarantee adequate data protection.
   - Binding corporate rules (BCRs): Applicable for multinational companies with internal data protection rules approved by data protection authorities.
   - Derogations: In limited cases, exceptions like explicit consent or vital interests of individuals might allow transferring data to countries without adequate safeguards.
4. Implement additional safeguards: Depending on the mechanism chosen and risk assessment, additional technical and organizational measures might be necessary to ensure data protection.
5. Document and inform: Document the transfer, including the legal basis, safeguards, and contact information of the recipient. Inform data subjects about the transfer and their rights.

The BDSG can impose stricter conditions for transferring data to certain countries compared to the GDPR, especially to those deemed insufficiently protective. German data protection authorities emphasize transparency and public awareness when it comes to data transfers. Businesses should be prepared to answer questions and address concerns regarding data moving outside the country.

Data Protection Impact Assessments (DPIAs) under BDSG

Data Protection Impact Assessments (DPIAs) are a crucial element of compliance with the BDSG, just like they are under the GDPR. However, there are some nuances specific to the German law that you should be aware of:

When is a DPIA required under the BDSG?

Similar to the GDPR, the BDSG requires a DPIA for any processing of personal data that is likely to result in a high risk to the rights and freedoms of individuals. This includes situations where the processing involves:

• Extensive evaluation of personal aspects, particularly those based on automated processing and profiling.
• Large-scale monitoring of public areas.
• Processing of sensitive data (e.g., health data, political opinions, religious beliefs).
• Combining different data sources to create detailed profiles of individuals.

Additionally, the BDSG introduces specific triggers for conducting a DPIA, regardless of the level of risk, such as:

• Processing of personal data for purposes of scoring or creditworthiness assessment.
• Use of new technologies that pose significant risks to data subjects (e.g., facial recognition).
• Transferring personal data to countries outside the EU that are deemed inadequate for data protection.

What should be included in a DPIA under the BDSG?

A DPIA under the BDSG should follow a similar structure to one conducted under the GDPR, but with some specific emphasis on German legal requirements. It should include:

• A description of the processing operations: This includes the types of personal data being processed, the purposes of the processing, and the data subjects involved.
• An assessment of the risks to data subjects: This should identify the potential risks and their likelihood and severity, considering the nature of the processing, the context, and the safeguards in place.
• Evaluation of the necessity and proportionality of the processing: You need to demonstrate that the processing is necessary for achieving the intended purpose and that it is not excessive or intrusive.
• Identification of appropriate measures to mitigate the risks: This could involve technical and organizational measures, such as data anonymization, encryption, and access controls.
• Consultation with data protection authorities: In some cases, you may be required to consult with the relevant data protection authority before conducting a DPIA or after implementing the planned processing.

How is data breach notification handled under BDSG?

Data breach notification under the BDSG follows similar principles to the GDPR but also includes some specific elements unique to German law. Here's a breakdown:

General requirements

• Reportable breaches: You must notify the relevant data protection authority if a personal data breach is likely to result in "a high risk to the rights and freedoms of individuals." This includes risks like identity theft, financial loss, discrimination, or reputational damage.
• Notification timeframe: You must notify the authority without undue delay, and ideally within 72 hours of becoming aware of the breach.
• Information required: The notification should include details like the nature of the breach, the categories of affected data and data subjects, the potential consequences, and the measures taken to address the breach and mitigate the risk.

BDSG-specific elements

• Additional criteria for notification: The BDSG introduces additional criteria for when a breach must be reported, even if it doesn't meet the "high risk" threshold. This includes breaches involving certain sensitive data types like health data or financial information.
• Notification to affected individuals: If the breach likely results in a high risk to individuals, you must also notify them directly. This notification should contain similar information to the one sent to the authorities, along with advice on how to protect themselves.
• Documentation: Document the breach, including the discovery, notification process, and remedial measures taken. This documentation might be crucial in case of investigations by data protection authorities.

What are the penalties for non-compliance with the BDSG?

The BDSG empowers authorities to impose substantial fines. Breaches that result in high risks for individuals could lead to penalties reaching EUR 20 million or 4% of your annual global turnover, whichever is higher. This alone underscores the urgency of ensuring robust data protection compliance.

It's essential for organizations subject to the BDSG to understand their obligations under the law and take appropriate measures to ensure compliance to avoid these penalties. Additionally, the specific penalties and enforcement mechanisms may vary depending on updates to the law and regulatory practices. Therefore, it's advisable to consult legal experts or relevant authorities for the most up-to-date information on penalties for non-compliance with the BDSG.

What are the main differences between the German BDSG and the EU General Data Protection Regulation?

While the BDSG and the GDPR share many foundational principles, there are some key differences to consider:

Scope and Applicability:

• BDSG: Applies specifically to Germany, complementing and clarifying the GDPR within the German context.
• GDPR: Applies to all EU member states and their businesses, regardless of where the data is processed.

Specificity and Additional Provisions:

• BDSG: Offers more detailed and specific rules on certain aspects of the GDPR, like defining personal data, notification requirements for video surveillance, and data transfer restrictions.
• GDPR: Provides a broader framework, leaving some leeway for member states to interpret and implement specific provisions through national laws like the BDSG.

Strengthening Data Subject Rights:

• BDSG: Grants additional data subject rights, such as the right to object to profiling and enhanced transparency requirements for data processing.
• GDPR: Establishes the core data subject rights, which the BDSG builds upon and expands.

Fines and Penalties:

• BDSG: Imposes stricter maximum fines compared to the GDPR, reaching €20 million or 4% of global turnover for serious breaches.
• GDPR: Sets maximum fines of €20 million or 4% of global turnover, but the BDSG allows for higher penalties in specific cases.

Sector-Specific Rules:

• BDSG: Includes additional regulations for specific sectors like telecommunications and healthcare, going beyond the GDPR's general framework.
• GDPR: Provides a general framework, and some sectors might have their own specific regulations in addition to the GDPR and national laws like the BDSG.

Public Awareness:

• BDSG: Emphasizes public awareness and transparency around data transfers, requiring businesses to be more forthcoming about data movement outside of Germany.
• GDPR: Does not explicitly require public awareness, but transparency remains crucial for building trust with data subjects.

The BDSG builds upon the GDPR, providing more specific rules, additional rights for data subjects, and stricter penalties for non-compliance in the German context. Businesses operating in Germany need to be familiar with both the GDPR and the BDSG to ensure full compliance and avoid potential risks.

What are some of the sector-specific data protection rules in Germany?

In addition to the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG), Germany has several sector-specific rules and regulations governing data protection. These additional rules provide further detail and clarification on how personal data should be handled within specific industries. Here are some of the key sector-specific data protection rules in Germany:

Telecommunications and Telemedia

• Telekommunikation-Telemedien-Datenschutzgesetz (TTDSG): This law regulates data protection in the telecommunications and telemedia sector. It covers topics like cookie consent, online tracking, and the use of location data. For example, TTDSG mandates clear and easily accessible opt-in mechanisms for cookies and similar technologies.
• Gesetz zur Regelung der Fernmeldeüberwachung und anderer verdeckter Ermittlungsmaßnahmen und zur Änderung des Telekommunikationsgesetzes (G10): This law governs data collection and surveillance practices by law enforcement agencies in the telecommunications sector. It sets strict boundaries for accessing and utilizing telecommunications data for investigative purposes.

Healthcare

• Bundesdatenschutzgesetz für den Bereich der Krankenversicherung (BSG: This law specifically regulates data protection in the healthcare sector. It governs the collection, storage, and use of patient data by healthcare providers, insurance companies, and other actors involved in patient care. BSG emphasizes the need for informed consent and strict confidentiality protections for sensitive health data.
• Patientenrechtegesetz (PatRG): This law grants patients various rights regarding their medical records and how their data is handled. This includes the right to access, rectify, and restrict the processing of their medical data.

Other sectors

• Finanzdatenschutzgesetz (FDG): This law regulates data protection in the financial services sector. It covers the collection, use, and sharing of customer data by banks, insurance companies, and other financial institutions. FDG emphasizes the need for robust security measures to protect financial data from unauthorized access and disclosure.
• Schuldatenschutzgesetz (SchDSG): This law governs data protection in schools. It sets limits on the collection and use of student data by schools and educational institutions. SchDSG prioritizes the protection of children's privacy and restricts the sharing of student data with third parties without parental consent.

Complying with BDSG with Secure Privacy

At Secure Privacy, we recognize the paramount importance of ensuring robust data protection and compliance with the Bundesdatenschutzgesetz (BDSG) for businesses operating in Germany. Our comprehensive privacy management platform is designed to empower organizations in meeting the stringent requirements of German data protection laws effectively.

By choosing Secure Privacy, businesses can streamline their BDSG compliance efforts, mitigate risks, and demonstrate a steadfast commitment to upholding the highest standards of data protection and privacy. Our platform is your trusted ally in navigating the complexities of German data privacy laws effectively.

Learn more about how Secure Privacy can elevate your organization's data protection practices at secureprivacy.ai.