Germany Publishes English Version of National GDPR Implementation Act

The German Ministry of Interior Affairs has published an English translation of the new Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). On 27 April 2017, the German Parliament passed the BDSG in order to make use of the opening clause provided for in the EU General Data Protection Regulation (GDPR). This bill has been controversial; see here for an interview with Jan Albrecht (former Member of the European Parliament, and a key figure in the GDPR's drafting) who discusses his concerns.

Introduction

Germany, known for its robust privacy laws, has taken a significant step towards clarifying its GDPR implementation by publishing an English version of its national data protection law, the Bundesdatenschutzgesetz (BDSG). This move is particularly noteworthy as Germany was the first EU Member State to pass a GDPR implementation statute, the BDSG-New, which effectively replaced the older version of the BDSG. This new law is a critical piece of legislation for companies with operations in the EU, especially given Germany’s reputation as a serious privacy jurisdiction.

Key Provisions of the BDSG-New

The BDSG-New not only implements the GDPR, but also the EU Law Enforcement Data Sharing Directive (2016/680, or the Law Enforcement Directive), which allows Member States to create laws enabling their law enforcement agencies to share data with other countries. This statute features four parts. Part 1, “General Provisions,” covers general provisions applicable to both GDPR and Law Enforcement Directive implementations. Part 2, “Implementation Provisions for Processing Pursuant to the GDPR,” contains provisions concerning processing principles, secondary uses, Data Protection Officers, HR processing, individual rights, and sanctions, among others. Part 3, “Implementing Provisions for Processing Pursuant to the Law Enforcement Directive,” focuses on the processing of data by public authorities for law enforcement purposes.

Impact on Companies

The BDSG-New’s provisions are likely to have a significant impact on how companies operate and process data in Germany. Companies should carefully review the provisions related to processing principles, secondary uses of data, the role of Data Protection Officers, and the regulations regarding data breaches. The law also expands on the GDPR’s provisions concerning data protection impact assessments, requiring companies to evaluate the potential impact of their data processing activities on individuals. The English version of the BDSG-New will help companies navigate these complex regulations, providing a clearer understanding of their obligations.

The Drafting History of the BDSG-New

The BDSG-New is the result of over a year of intensive drafting, debate, and negotiation within the German government. It is considered a significant amendment to the original BDSG, which was first passed in 1990. The BDSG-New represents a departure from some of the original BDSG’s core provisions, reflecting the direct applicability of the GDPR’s rules. This transition marks a significant shift in German data protection law, underscoring the country’s commitment to aligning its regulations with the evolving European privacy landscape.

Scope of Application

The BDSG-New is a comprehensive data protection law that applies to a wide range of data processing activities within Germany. It regulates both public and private entities, including companies, organizations, and government agencies. The law’s scope extends to both personal data, which is any information relating to an identified or identifiable natural person, and special categories of personal data, such as health data, genetic data, and biometric data. The English translation of the BDSG-New will provide a valuable resource for businesses and organizations operating in Germany, ensuring their understanding of the law’s reach and their obligations under it.

BDSG-New Part 1: General Provisions

  • Scope of Application: Defines the entities and activities covered by the BDSG-New, including both private and public entities.
  • Definitions: Provides definitions for key terms used throughout the BDSG-New, such as “personal data,” “controller,” “processor,” and “data subject.”
  • Federal Data Protection Authority (DPA): Outlines the structure and powers of the German DPA and its relationship with state-level DPAs.

BDSG-New Part 2: Implementation Provisions for Processing Pursuant to the GDPR

  • Processing Principles: Specifies the principles that must be followed when processing personal data, such as lawfulness, fairness, and transparency.
  • Data Protection Officer (DPO): Sets out requirements for appointing a DPO, including the criteria for determining whether a DPO is necessary.
  • Individual Rights: Details the rights of individuals concerning their personal data, such as the right to access, rectification, erasure, and restriction of processing.

BDSG-New Part 3: Implementing Provisions for Processing Pursuant to the Law Enforcement Directive

  • Processing for Law Enforcement Purposes: Provides specific rules for processing personal data by public authorities for law enforcement purposes.
  • International Transfers: Establishes rules for transferring personal data to other countries, including requirements for ensuring adequate data protection.
  • Breach Reporting: Outlines obligations for reporting personal data breaches to the DPA and individuals affected.

Key Provisions

  • Data Protection Officer (DPO): The BDSG-New clarifies the appointment of Data Protection Officers (DPOs) and defines when a DPO is required for certain data processing activities. This provision aligns with the GDPR’s requirements and provides clarity on the responsibilities of DPOs in Germany.
  • Secondary Uses of Data: The BDSG-New emphasizes the importance of obtaining consent before processing personal data for purposes other than those for which it was originally collected. This provision focuses on protecting individuals’ privacy by ensuring their data is not used for purposes they have not consented to.
  • Data Protection Impact Assessments (DPIAs): The BDSG-New expands upon the GDPR’s provisions concerning DPIAs, requiring companies to conduct these assessments for high-risk processing activities. DPIAs are essential for identifying and mitigating risks to individuals’ privacy and ensuring compliance with data protection laws.
  • Individual Rights: The BDSG-New outlines a comprehensive set of rights for individuals concerning their personal data, including the right to access, rectify, erase, and restrict processing. This provision emphasizes the importance of empowering individuals to control their personal data.
  • Processing for Scientific and Research Purposes: The BDSG-New specifies regulations for processing personal data for scientific and research purposes. It includes provisions for ensuring the ethical and legal use of data in such contexts.
  • Sanctions: The BDSG-New establishes a framework for enforcing data protection laws in Germany, outlining penalties for violations of these laws. These sanctions can include fines and other corrective measures.

Key Provisions

  • Processing for Law Enforcement Purposes: The BDSG-New defines the specific legal framework for processing personal data by public authorities for law enforcement purposes. It outlines the legal basis for such processing, sets out the scope of data processing activities, and establishes clear rules for sharing data between different law enforcement agencies. This part of the law focuses on balancing public safety with individual privacy rights.
  • International Transfers: The BDSG-New addresses the transfer of personal data to countries outside the European Economic Area (EEA). It outlines the requirements for ensuring adequate data protection in the recipient country, focusing on the use of approved mechanisms like Standard Contractual Clauses (SCCs) or binding corporate rules (BCRs) to protect the transfer of personal data.
  • Breach Reporting: The BDSG-New clarifies the obligations for reporting personal data breaches. It establishes a framework for reporting breaches to the DPA and individuals affected, emphasizing the importance of prompt disclosure in case of data breaches. This provision promotes transparency and accountability in data protection.
  • Data Protection Impact Assessments (DPIAs): The BDSG-New expands on the GDPR’s provisions on DPIAs, requiring companies to conduct these assessments for high-risk processing activities. DPIAs are a critical tool for identifying and mitigating risks to individuals’ privacy and ensuring compliance with data protection laws.

Relevant Solutions and Services from GDPR.Associates

GDPR.Associates understands the complexities of navigating the GDPR and national implementations like the BDSG-New. Our team of experienced data protection professionals offers a range of solutions to help businesses achieve compliance and mitigate risks. We provide expert guidance and practical solutions, including:

  • GDPR and BDSG-New Compliance Audits: Comprehensive assessments to identify gaps and areas for improvement in your data protection practices.
  • Data Protection Policies and Procedures: Development and implementation of tailored data protection policies and procedures aligned with the GDPR and BDSG-New.
  • Data Protection Training: Engaging training programs for employees at all levels to enhance awareness and understanding of data protection principles and obligations.
  • Data Protection Impact Assessments (DPIAs): Thorough assessments to identify and mitigate risks associated with high-risk data processing activities.
  • Data Breach Response Plans: Development and implementation of comprehensive data breach response plans to ensure prompt and effective action in case of a breach.
  • Data Subject Access Request (DSAR) Management: Efficient processes for handling and responding to data subject access requests in accordance with the GDPR and BDSG-New.
  • Cross-border Data Transfer Solutions: Guidance on transferring personal data outside the EEA, including the use of Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).

Contact GDPR.Associates today to learn more about our solutions and how we can help you achieve and maintain GDPR and BDSG-New compliance.

FAQ

Q: What is the significance of the English translation of the BDSG-New?

A: The English translation of the BDSG-New is significant for several reasons. Firstly, it provides a clearer understanding of the law for companies with operations in Germany, many of which are based outside the country. Secondly, it facilitates collaboration between German and international businesses on data protection matters. Lastly, it demonstrates Germany’s commitment to global transparency and accessibility in data protection.

Q: Does the BDSG-New replace the GDPR?

A: No, the BDSG-New does not replace the GDPR. It is a national implementation law that complements the GDPR. It provides specific rules and clarifications regarding the GDPR’s application in Germany.

Q: What are the main areas of focus in the BDSG-New?

A: The BDSG-New focuses on several key areas, including data protection principles, individual rights, data protection impact assessments, international data transfers, and law enforcement data processing. It also addresses the role of Data Protection Officers and provides a framework for enforcement and sanctions.

Q: How can companies ensure they are compliant with the BDSG-New?

A: Companies should consult with experts in data protection law to understand their specific obligations under the BDSG-New. This includes conducting thorough assessments of their data processing activities, implementing appropriate technical and organizational measures, and providing adequate training for employees.

Q: What are the penalties for violating the BDSG-New?

A: Penalties for violating the BDSG-New can be significant and may include fines, corrective actions, and legal action. Companies should consult with legal counsel to understand the potential risks and consequences of non-compliance.

The publication of an English version of the BDSG-New is a positive development for companies operating in Germany and internationally. It provides greater transparency and clarity for businesses, especially those based outside of Germany, helping them to better understand their obligations under German data protection law. Companies should use this opportunity to review their data protection practices and ensure they are in compliance with the BDSG-New. This includes conducting a thorough data protection audit, implementing appropriate technical and organizational security measures, training employees on data protection principles, and developing robust data breach response plans. By taking these steps, companies can minimize the risks of non-compliance and protect their businesses while ensuring the protection of individuals’ privacy.

10 thoughts on “Germany Publishes English Version of National GDPR Implementation Act”

  1. This is a very informative article about the new German data protection law. It provides a clear and concise overview of the key provisions of the BDSG-New, and it is particularly helpful to have the English translation available. I believe this will be a valuable resource for businesses operating in the EU.

  2. I found the article to be well-written and informative. It provides a clear and concise explanation of the BDSG-New and its key provisions.

  3. This article is a great resource for understanding the key provisions of the BDSG-New. The breakdown of the four parts of the statute is particularly helpful, and the mention of the Law Enforcement Directive is important to note.

  4. This article provides a valuable overview of the BDSG-New and its implications for businesses. The inclusion of the interview with Jan Albrecht adds further context and insight into the law
