Germany’s BDSG, Privacy Requirements, New Penalties

Germany’s Bundesdatenschutzgesetz or BDSG is a recently amended comprehensive data privacy law geared towards protecting the data privacy rights of German citizens. Originally passed in 1978, the law has been amended and changed several times in accordance with the rise of online communication in the last 20 years. While Germany is currently a part of the EU and subsequently falls under the jurisdiction of the General Data Protection Regulation or GDPR, the opening clauses of the GDPR allow for member states to develop their own privacy laws in addition to the GDPR. As such, the BDSG will complement the GDPR, essentially giving German citizens two layers of protection in terms of the protection of the personal data and information that they share with business entities and organizations.

To give additional context concerning the passing of the BDSG, Germany’s Datenschutzgesetzgebung was the first data privacy policy to ever be passed in the world. As such, much of the writing and enforcement of the current GDPR was based upon the approach that German legislators had taken regarding the protection of privacy in previous decades. With Germany’s history regarding data protection and privacy and the subsequent impact that this history has had on the passing of legislation such as the GDPR, it is only fitting that Germany establishes itself as the first EU member state to implement provisions aimed at complimenting the GDPR.

What types of business entities and organizations fall under the jurisdiction of the BDSG?

The BDSG applies to both “public and private bodies” that process the personal information and data of German citizens. What’s more, the law does not solely apply to entities operating within the country of Germany, as any country that processes the personal information of German citizens must comply with both the GDPR and BDSG in concert. More specifically, the BDSG protects the “processing of personal data as a whole or in parts by automated means (e.g. computer-based data processing) and by non-automated means (e.g. manual processing, paper records)”.

To this end, controllers and processors of personal data and information under the BDSG can fall into any of the three following categories:

• Entities or individuals that process personal data within the country of Germany.
• Entities or individuals that process personal data in the context of the activities or operations of an establishment within the country of Germany.
• Entities and individuals that do not have an establishment within the country of Germany, but otherwise fall within the scope of the General Data Protection Regulation.

Due to specific provisions within the GDPR, Art. 50 of the law mandates that both supervisory authorities, as well as the EU commission, take specific measures relating to the BDSG to ensure international cooperation, the provision of international mutual assistance, the engagement of relevant stakeholders in activities and discussions, and the promotion and exchange of documentation regarding privacy legislation and the practice of said legislation.

What are the requirements for business entities and organizations under the BDSG?

While the BDSG applies to both the private and public sectors within Germany, there are specific provisions that private companies must comply with under the BDSG. These provisions are as follows:

• The provision of video surveillance for public places.
• Specific rules that regulate any data processing for purposes other than those initially intended.
• Specific rules for data processing in the context of employment. For example, a German citizen’s data may be processed if said processing is related to a documented crime that took place during the employment relationship.
• Specific rules for data processing in the context of consumer credit scoring and credit checks. For instance, the address of a particular German citizen cannot be used to adversely affect their credit score.
• The limitation of rights for data subjects.
• Designation of a data privacy officer or DPO. Under the BDSG, a DPO must be designated “if at least 10 persons are regularly engaged in the processing of personal data as a whole or in parts by automated means”.
• Procedural rules for private and public lawsuits relating to violations of the BDSG.
• Administrative fines and criminal provisions for violating the BDSG.

What are the penalties for violating the BDSG?

As Germany is an EU state and in turn under the jurisdiction of the General Data Protection Regulation, most business entities and organizations who violate the data privacy rights of German citizens will be fined in accordance with the provisions of the GDPR. The fines include monetary penalties of €20 million or 4% of a business entity’s global revenue, depending on which amount is higher. While violators of the BDSG can be given a monetary penalty of up to €50,000, such instances are predicted to be rare in nature. Alternatively, the BDSG also has provisions for non-pecuniary damages, such as compensation for an individual’s pain and suffering. Under the BDSG, both data subjects and employees of German businesses maintain the right to claim compensation and damages for non-pecuniary damages.

While the GDPR was influential in many data privacy laws that have been passed around the world in recent years, the BDSG and previous German privacy laws very much influenced the GDPR. In becoming the first EU state to take advantage of provisions within the GDPR that allows for EU member states to create their own data protection laws, this influence that Germany has had in regard to European data protection law is sure to continue in the future. As such, both German residents and other Europeans can rest assured that data protection remains a priority on the continent.