German society and lawmakers place a high value on informational self-determination and the protection of personal data, including the rights to access, rectify and erase it, and Germany was among the first countries to legislate in this area. Today the framework is the EU General Data Protection Regulation (EU-GDPR) together with the Police Directive (Directive (EU) 2016/680); German law was adapted to both by the Data Protection Adaptation and Implementation Act (DSAnpUG-EU). The GDPR protects the personal data and privacy of individuals in the European Union and also applies in the EEA (European Economic Area) countries.
The Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) dates back to 1978 and was replaced on May 25, 2018 by an identically named new version (BDSG-neu) that took effect on the same day as the GDPR. The new BDSG is built around the GDPR: it exercises the opening clauses the Regulation leaves to Member States and transposes the Police Directive. The principles of transparency, lawfulness and purpose limitation already found in the old BDSG served as a model for data protection law elsewhere over the decades. In its 1983 census judgment the German Federal Constitutional Court recognized data privacy as a fundamental right and guaranteed the right to "informational self-determination"; the BDSG has been amended repeatedly since then to keep pace with the evolution of data processing. Even with the wide-reaching EU-GDPR in force, Germany revised its national law: the new BDSG fills in what the GDPR leaves to national legislators and, while undoubtedly complex, is what organizations must satisfy to meet Germany's strict data protection standards in full.
Many provisions of the new BDSG are shaped by the GDPR. Key areas governed by the current BDSG include:
- Restrictions on international data transfers
- Rules for processing employee data
- The Federal Commissioner for Data Protection and Freedom of Information, whose tasks are set out in Section 14 ('Tasks', pages 7-8): overseeing and enforcing the application of this Act, and monitoring key developments affecting personal data protection, especially in information technology and commercial practice
Fines for violations of the GDPR itself are set by Article 83 GDPR, which applies directly in Germany; the BDSG adds its own administrative fines (Section 43) and criminal offences (Section 42) for violations of its specific provisions.
Because data protection is an enforceable mandate in Germany, this article explains why the BDSG matters for organizations operating there, how they can comply, how they protect customer data by following the Act's data erasure rules, and what penalties they face for BDSG violations.
Purpose & Scope of BDSG
The German Federal Data Protection Act (BDSG) applies to the processing of personal data by public bodies of the Federation, by public bodies of the Länder where the matter is not governed by Land legislation, and by private bodies, for the latter only where the processing is automated or where non-automated data form part of a filing system (commonly called record keeping). Part 1 (Common Provisions), Chapter 1 (Scope and Definitions), page 1, states the relationship to other laws: "Other federal data protection legislation shall take precedence over the provisions of this Act. If such legislation does not govern a matter conclusively or at all which is covered by this Act, then this Act shall apply." The Act further applies to private bodies that process personal data in Germany, that process it in the context of the activities of an establishment in Germany, or that fall under the scope of Regulation (EU) 2016/679 even without an establishment in an EU Member State or the European Economic Area.
Let's examine why organizations must abide by this law and who specifically needs to adhere to BDSG.
Importance of BDSG for Organizations
The BDSG enforces core data protection tenets for private and public bodies operating in Germany in order to uphold the rights of individuals, so organizations need to know its provisions. Any organization that offers goods or services in Germany, or that processes the personal data of individuals in Germany (the data subjects, whether customers, employees or others), must comply with the BDSG alongside the GDPR.
The BDSG provides rules:
- for lawful data processing in Part 2, Chapter 1 (Sections 22 to 28, pages 12-17);
- for processing personal data for employment-related purposes in Part 2, Chapter 1, Sub-chapter 2, Section 26 (pages 15-16);
- for the obligation of controllers and processors to maintain an appropriate level of data security, in Section 64 (pages 33-34), so that organizations do not violate individuals' privacy rights. Note that Section 64 sits in Part 3 of the Act, which implements Directive (EU) 2016/680 and governs processing by competent authorities for law-enforcement purposes; for private bodies the corresponding security obligation is Article 32 GDPR, which applies directly.
Principles Governing the Processing of Personal Data
The general principles in Part 3, Chapter 1, Section 47 (page 26) mirror Article 5 GDPR and ensure the proper handling of personal data and the protection of individual rights. Personal data (not only sensitive data) must be processed lawfully, fairly and transparently; collected only for specified, explicit and legitimate purposes; adequate, relevant and not excessive in relation to those purposes; accurate and, where necessary, kept up to date, with inaccurate data rectified without delay; and kept no longer than needed for the purpose. Processing must also ensure appropriate security of the data through technical and organizational measures that prevent unauthorized or unlawful processing and accidental loss, destruction or damage. Section 47 itself applies to law-enforcement processing under Part 3; private-sector controllers are bound by the identical principles in Article 5 GDPR.
Right to Erasure – Data Erasure Obligations under BDSG
Like the EU-GDPR, India's Digital Personal Data Protection Act and Brazil's General Personal Data Protection Law (LGPD), Germany's BDSG emphasizes the rights of data subjects. Part 3, Chapter 3, Section 58 (pages 30-31) gives the data subject a right to rectification and a right to have the controller erase their personal data without delay if the processing is unlawful, if the data are no longer necessary for the controller's tasks, or if erasure is required to comply with a legal obligation. Section 58 belongs to the law-enforcement Part 3; for private bodies the right to erasure is Article 17 GDPR, with BDSG Section 35 setting out when erasure may be replaced by restriction of processing.
Instead of erasing, the controller may restrict processing in some instances: if erasure could adversely affect the data subject's legitimate interests, if the data must be retained as evidence, or if erasure is impossible or would involve disproportionate effort because of the way the data are stored. Data whose processing is restricted may be processed only for the purpose that prevented their erasure.
The BDSG also requires the controller to inform recipients of the data about any rectification, erasure or restriction of processing so that they can mirror the action. Where the controller refuses a request, it must inform the data subject in writing of the reasons, unless doing so would jeopardize interests the Act protects. In short, the BDSG gives data subjects an enforceable right to erasure, with defined exceptions under which processing is restricted instead. Controllers must be able to demonstrate that erasure actually happened (accountability, Article 5(2) GDPR), so in practice a data processor is asked for an erasure report or certificate of destruction showing that the data subject's personal information was erased beyond recovery, typically produced by secure file erasure software such as BitRaser.
The Consequences of Non-Compliance to BDSG
The BDSG sets out both criminal and administrative penalties for non-compliance. Part 2, Chapter 5, Section 42 (pages 23-24) makes it punishable by up to three years' imprisonment or a fine to deliberately and without authorization transfer, or otherwise make accessible, for commercial purposes the personal data of a large number of people that are not publicly accessible. Processing personal data without authorization, or obtaining it by deception, in return for payment or with the intention of enriching oneself or another or of harming another, carries up to two years' imprisonment or a fine, also under Section 42. Administrative offences such as failing to handle an information request properly or failing to inform the consumer as required are subject to fines of up to €50,000 under Section 43; public authorities cannot be administratively fined. These BDSG penalties sit alongside the fines of up to €20 million or 4 % of worldwide annual turnover that Article 83 GDPR provides for violations of the GDPR itself.
Staying Compliant with BDSG and EU-GDPR
To meet erasure obligations under the BDSG and the EU-GDPR, controllers need a repeatable, verifiable erasure process rather than ad-hoc file deletion: deleting a file or a database row normally leaves the data recoverable, and copies in backups, logs and at processors must be covered as well. Professional data-erasure software can execute data subject erasure requests across storage devices and generate tamper-evident erasure reports that serve as the audit trail. Two practical caveats: overwriting is only reliable on media where the overwrite reaches the physical blocks, so SSDs and other flash media should be erased with the device's sanitize or cryptographic-erase function; and an erasure report is only evidence if it cannot be altered after the fact, so it should be signed or written to append-only storage. Wiping data with a secure erasure tool such as BitRaser lets organizations satisfy right-to-erasure requests under the BDSG and avoid the associated penalties.
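The two obligations discussed above, erasing the data so it is not recoverable and documenting the erasure (including which recipients were notified) in a report that cannot be quietly altered, can be shown end to end. The following is an added example written for this article; it is not code from the BDSG, from any regulator, or from BitRaser or any other product. The request ID, file name, recipient names, the sample customer record and the HMAC audit key are assumptions made for illustration.

```python
"""Added example, not part of the original article: overwrite a file holding
personal data, unlink it, then build and verify a tamper-evident erasure record
(certificate of destruction). All identifiers and sample data are assumptions."""
import hashlib
import hmac
import json
import os
import secrets
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB write granularity for the overwrite pass


def overwrite_and_delete(path: str, passes: int = 1) -> dict:
    """Overwrite every byte of the file with random data, flush to disk, unlink it,
    and return what was erased for the audit record.

    Caveat: a logical overwrite only destroys data on media where the write
    reaches the same physical blocks (classic HDDs without copy-on-write or
    journaling copies). On SSDs use the device's sanitize / cryptographic-erase
    command instead; this function cannot make that guarantee."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        # hash of the original bytes ties the record to the erased object without
        # retaining the data itself; omit it for tiny, low-entropy files
        content_sha256 = hashlib.sha256(f.read()).hexdigest()
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = secrets.token_bytes(min(remaining, CHUNK))
                f.write(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)
    return {"path": path, "size": size, "content_sha256": content_sha256, "passes": passes}


def _canonical(body: dict) -> bytes:
    # deterministic serialization so the MAC is reproducible on verification
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_erasure_record(request_id: str, items: list, recipients: list, key: bytes) -> dict:
    """Assemble the erasure record (certificate of destruction) and MAC it.

    'recipients' lists the third parties the controller has notified of the
    erasure, as the Act requires. The HMAC key must be held by the audit
    function, not by the operator who runs the erasure; a production system
    would use an asymmetric signature or an append-only log instead."""
    record = {
        "request_id": request_id,
        "erased_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "method": "random-overwrite+unlink",
        "items": items,
        "recipients_notified": recipients,
    }
    record["hmac_sha256"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_erasure_record(record: dict, key: bytes) -> bool:
    """Recompute the MAC over every field except the MAC itself."""
    body = {k: v for k, v in record.items() if k != "hmac_sha256"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("hmac_sha256", ""))


# constructed sample record; the IBAN is the well-known test IBAN, not a real account
SAMPLE = b'{"name":"Erika Mustermann","iban":"DE89 3704 0044 0532 0130 00"}'


def demo() -> dict:
    key = secrets.token_bytes(32)  # assumption: audit key provisioned out of band
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "customer_4711.json")  # assumed file name
        with open(path, "wb") as f:
            f.write(SAMPLE)
        items = [overwrite_and_delete(path, passes=2)]
        record = build_erasure_record("DSR-2024-0042", items,
                                      ["crm-vendor-example", "mailing-list-processor"], key)
        tampered = dict(record, items=[])  # an altered copy must fail verification
        return {
            "record": record,
            "file_gone": not os.path.exists(path),
            "verified": verify_erasure_record(record, key),
            "tampered_rejected": not verify_erasure_record(tampered, key),
            "wrong_key_rejected": not verify_erasure_record(record, secrets.token_bytes(32)),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the record with its MAC and the three verification results. The record deliberately stores only a hash and size of what was erased, never the content, so the audit trail itself does not become another copy of the personal data. Whoever holds the HMAC key can forge a record, which is why the key belongs to the audit function rather than the operator; an asymmetric signature or a write-once log removes that trust assumption entirely.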