We all know that the General Data Protection Regulation becomes enforceable in the EU on 25 May 2018. Although it is supposed to update and harmonise data protection laws, it allows EU member states to localise certain measures.
A couple of years ago, I asked a German lawyer to dispel common myths about German data laws. The German approach to GDPR has led to more confusion, so I asked Carolin Küll, a lawyer and data protection expert at Kleiner Rechtsanwälte in Düsseldorf, to clarify.
Frank Jennings: Carolin, Germany has already passed its new data protection act. What does this mean in practice?
Carolin Küll: Germany was the first EU member state to pass a new general data protection law, the Federal Data Protection Act. The German government rushed the FDPA through before the summer break and the parliamentary elections in September 2017. This meant restricting the scope of the FDPA to the most urgent priorities to ensure it could be adopted in time. It passed other laws at the same time too to bring those in line with GDPR. State data protection laws or sector-specific laws such as the Telemedia Act still await amendment. But, as the new FDPA is the overriding central data protection law, the key principles are clear.
FJ: Many people ask me about the German special approach to data protection. What does FDPA mean for non-German businesses?
CK: The new FDPA takes a broad approach and can apply to businesses not established in Germany. In general, the new FDPA applies if an organisation:
- processes data in Germany
- processes data in the context of an establishment in Germany
- does not have an establishment in the EU/EEA, but falls within the scope of the GDPR.
FJ: So, the FDPA could cover a huge number of organisations outside of Germany?
CK: Yes. That last point covers businesses not based in the EU but which process personal data of German data subjects outside Germany in relation to goods or services or the monitoring of behaviour in Germany.
FJ: Many people are aware of the need to appoint a data protection officer (DPO). What is the threshold?
CK: A business must appoint a DPO in the following circumstances:
- if it employs at least 10 people on a regular basis who process personal data automatically. This is carried over from the present law. As a general rule, an organisation needs a DPO if it has installed at least 10 computer workstations.
- where a data protection impact assessment is obligatory
- if it is processing personal data for the purpose of transfer or anonymised transfer
- if it is processing for market or public opinion polling research.
FJ: What other special rules are there?
CK: Appointing a DPO and involving them in the relevant processes is by far the most important and most demanding obligation. But there are other FDPA rules that modify the general GDPR rules.
For example, GDPR grants a data subject comprehensive information rights about the processing of their data. The FDPA restricts or modifies these rights in certain cases. Also, the obligation to erase data is limited if data cannot be erased or only with disproportionate effort. Furthermore, Germany has clarified rules on automated decisions.
Another example is the rules for the processing of special categories of personal data in the health and social sector. It can be legitimate to process data without consent if the organisation takes sufficient measures to protect the data. An organisation may process even sensitive data without consent for research or statistical purposes if the controller’s interest substantially outweighs the data subject’s rights. Also, data subjects may not use their information and erasure rights where this renders research and statistical analysis impossible provided the controller safeguards the data and anonymises it as soon as possible.
Special rules also apply for employers, where GDPR leaves considerable room for specific national interpretation. For example, the new FDPA says collective agreements can authorise the processing of personal data. Other provisions relate to consent to data processing or to employees’ rights in internal investigations.
Finally, the FDPA has a new criminal sanction. Transferring a large amount of personal data for commercial purposes without justification can mean a three-year prison sentence!
FJ: Those are some significant issues. Do you think the new FDPA is a hurdle for organisations active in Germany?
CK: No, at least not as a whole. If anything, the FDPA isn’t so much about introducing more legal hurdles as providing more legal certainty. In some areas, the FDPA reduces legal obstacles to digitalising your business and this manifests itself in other related areas too. A prominent example, especially for the cloud sector, is the amendment of the German Criminal Code. It used to be difficult to outsource data in a profession with special confidentiality obligations, such as for doctors, tax advisors or lawyers, under the threat of prosecution. Now it is clear that the need to protect professional secrecy does not in principle exclude the use of external service providers. Outsourcing is permitted as long as there is a continuous chain of obligation to secrecy.
FJ: Does that mean concerns have been exaggerated about the so-called “gold-plating” of data protection standards under the new FDPA?
CK: Yes, to some extent. The problem doesn’t stem from the new FDPA. It stems from the fact that GDPR leaves central issues to national legislators. If each member state adopts different measures on those issues, it may pose problems for organisations who trade across the EU or who engage in cross-border transfers. We wait to see how the different national approaches will be compatible.
FJ: So much for harmonisation then. What should organisations do if they operate in the German market?
CK: Although the FDPA is in final form, the courts will clarify and probably restrict the coverage of the national data protection laws. That will likely take months or years. In the meantime, organisations processing data in Germany or of people in Germany should seek legal advice.
If you would like assistance on German data protection laws, email Carolin.