In a late night session on 28 June 2019, the German Parliament (Bundestag) passed the Second GDPR Implementation Act (2. Datenschutz-Anpassungs-und-Umsetzungsgesetz EU – 2. DSAnpUG-EU; the Act). The Act is available online in German here and here. For more information on the First German GDPR Implementation Act read our blog here.
The Act will amend 154 German laws. It includes a list of all laws that will be amended on page 9. The changes mostly include editorial alignments with the GDPR and (sector specific) legal bases for data processing. The Act also includes some changes to the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG; FDPA), most notably increasing the number of employees that are necessary for the designation of a data protection officer (DPO) from 10 to 20.
Main changes to the FDPA
The main changes to the FDPA include:
- New legal basis for processing of special categories of personal data: The Act introduces a new legal basis for the processing of special categories of personal data by public and private organisations – such processing can now be justified if it is absolutely necessary on the grounds of significant public interest (Section 22(1)(d) FDPA).
- Electronic form of consent for employment-related processing: Where the processing of employee data is based on consent, such consent can be given electronically, in addition to in writing (Section 26(2) FDPA).
- Increase in required number of employees for DPO appointment: The required number of employees of a data controller or processor that must constantly deal with the automated processing of personal data for the appointment of a DPO was increased from 10 to 20 (Section 38(1) FDPA).
- New legal basis for processing for purposes of public awards and honours: The new Section 86 FDPA provides that personal data (including special categories of personal data) may be processed by public and private organisations without the knowledge of the data subject for the purpose of granting public honours and awards. The data subject rights in Articles 13-16, 19 and 21 GDPR shall not apply.
The main change under the Act is the amendment of the requirements for DPO appointment in Section 38(1) FDPA. This shall simplify compliance for small and medium-sized enterprises as well as non-profit organisations. However, they must still comply with all other GDPR requirements if the GDPR applies to them. It might, therefore, still be worthwhile for small and medium-sized enterprises to (voluntarily) appoint a DPO.
The new legal basis for processing personal data under Section 22(1)(d) FDPA is very vague and will require interpretation from supervisory authorities and the German courts.
The German legislator has also missed the chance to end the debate around some rather controversial topics that have arisen since the GDPR entered into force. In particular, German courts are currently split on the question of whether competitors are entitled to injunctive relief (cease and desist orders) for GDPR violations under the German Act against Unfair Competition. The German legislator has failed to provide clarification on this matter in the Act.
Further, the German legislator has not included a provision in the Act to reconcile the right to privacy with the right to freedom of expression and information despite being required to do so under Article 85 GDPR.
The Act is still subject to approval by the German Federal Council (Bundesrat).
You can find out more about the implementation laws of all EU member states in our factsheet here.