German lawmakers place a high value on informational autonomy and the protection of personal data, including the rights to have it processed lawfully, erased, and rectified, and they were among the first to legislate in this area. This is reflected in the EU's General Data Protection Regulation (EU-GDPR) and the Police Directive, which were implemented in Germany through the Data Protection Adaptation and Implementation Act (DSAnpUG-EU). These instruments focus on protecting the personal data and privacy of individuals in the European Union and extend to the countries of the European Economic Area (EEA).
The Bundesdatenschutzgesetz can be traced back to as early as 1978. It was replaced on May 25, 2018, by an identically named new version, the BDSG-neu, which integrates closely with the GDPR principles. The principles of transparency, lawfulness, and purpose limitation found in the earlier legislation (the old BDSG) served as a global model for data protection over the decades. Around 1983, the German Federal Constitutional Court recognized data privacy as a fundamental right and guaranteed the right to "informational self-determination." The German Federal Data Protection Act has been amended repeatedly since then to keep pace with the evolution of data processing. Despite the wide reach of the EU-GDPR, Germany saw fit to update data privacy protections for its citizens with a revised law, the new BDSG. The BDSG-neu serves important purposes beyond the EU-GDPR by enabling organizations to meet Germany's strict data protection compliance standards.
Many of its clauses are influenced by the GDPR. The key aspects governed by it include:
- Restrictions on international data transfers.
- Protocols around employee data processing.
- The appointment of the Federal Commissioner for Data Protection, who oversees and enforces the application of this Act (Section 14 – Tasks) and monitors key developments affecting personal data protection, especially in information technologies and commercial practices.
Note: In October 2024, a draft of the Employee Data Act (Beschäftigtendatengesetz, or BeschDG) was published by the Federal Ministry of Labor and Social Affairs and the Federal Ministry of the Interior and Homeland. Once the act is passed by the German Parliament, it will replace Section 26 – Data processing for employment-related purposes of the BDSG and will become the governing reference for all employee data processing.
Purpose & Scope
The Bundesdatenschutzgesetz applies to the processing of personal data by public bodies at the federal and state levels and by private bodies engaged in automated processing, or in non-automated processing of data that forms part of a filing system (commonly called record keeping). As stated in Part 1 (Common Provisions), Chapter 1 (Scope and Definitions): “Other federal data protection legislation shall take precedence over the provisions of this Act. If such legislation does not govern a matter conclusively or at all which is covered by this Act, then this Act of BDSG shall apply.” Further, the Act extends to private bodies that process personal data in Germany, have an establishment in Germany, or fall within the scope of EU Regulation 2016/679 even without an establishment in an EU member state or the EEA.
It enforces core data protection tenets for private and public bodies operating in Germany in order to uphold the rights of citizens. Any organization that offers goods or services in Germany, processes the information (data) of German citizens (referred to as data subjects), or processes customers' or employees' personal information must be BDSG compliant.
It provides clear guidelines:
- For lawful data processing, in Part 2, Chapter 1, Sub-Chapter 1, Sections 22-28.
- For processing data for employment-related purposes, in Part 2, Chapter 1, Sub-Chapter 2, Section 26 (pages 15-16 of the Act).
- For data controllers and data processors, under Part 3, Chapter 4, Section 64, to maintain a level of data security that protects individuals' privacy rights.
Principles Governing the Processing of Personal Data
The principles stated in Section 47 (Part 3, Chapter 1) ensure the proper handling of personal data and the protection of individual rights, as explained below:
- It specifies that the personal data must be processed lawfully, fairly, and for compatible purposes.
- It should be collected only for explicit, specific, and legitimate purposes.
- The information gathered must be adequate, relevant, and reasonable concerning the stated purposes.
- It should be accurate, up to date, and retained only as long as needed for processing.
- Any inaccurate data should be promptly erased or rectified.
- Processing activities must guarantee the appropriate security of personal data, employing technical and organizational measures to prevent unauthorized or unlawful processing and accidental loss, destruction, or damage.
Right to Erasure
Like the EU-GDPR, France’s Federal Data Protection Act, and Switzerland’s Federal Act on Data Protection, the Bundesdatenschutzgesetz emphasizes the rights of data subjects. A core right set out in Section 58 (Part 3, Chapter 3) grants the data subject the Right to Rectification of incorrect or inconsistent data and the Right to Erasure of personal data.
However, instead of erasing data, the controller may restrict processing in some instances, for example if erasure could adversely affect the data subject's legitimate interests, if retention is necessary for legal proceedings, or if erasure is technically infeasible. Data whose processing has been restricted may be processed only for the purpose that prevented its erasure.
The controller is required to inform data recipients of any rectification, erasure, or restriction of processing so that recipients can mirror these actions. While controllers can refuse erasure requests in some cases, they must inform the data subject in writing of the reasons for refusal unless doing so could threaten particular interests. Data processors may have to provide a Certificate of Destruction to demonstrate that the data subject’s personal information has been erased beyond recovery.
The Consequences of Non-Compliance
Section 42 (Part 2, Chapter 5) sets out the penal provisions, which are enforced after a complaint is filed by the data subject, the controller, the Federal Commissioner, or the supervisory authority. It states that:
- Deliberately and without authorization processing, for commercial purposes, the non-public sensitive personal data of a large number of people is punishable by up to 3 years' imprisonment or a fine.
- Processing personal data without authorization, or fraudulently acquiring it in return for payment, for enrichment, or to cause harm, is punishable by up to 2 years' imprisonment or a fine.
Section 43 defines the intentional or negligent acts that constitute administrative offenses. Improper handling of information requests, or failure to inform consumers properly, correctly, completely, and promptly, carries fines of up to €50,000. However, no fine may be imposed on the public bodies defined in Section 2(1), which include judicial bodies.
Staying Compliant
There are several recommendations specified in the Act to protect personal data and special categories of personal data. In addition to the requirement for data controllers and processors to adhere to relevant technical and organizational security measures, measures should be implemented to:
- Maintain the confidentiality, integrity, and availability of information to be processed.
- Prevent unauthorized access, modification, duplication, or erasure of personal data.
- Appoint a Data Protection Officer regardless of whether the organization is public or private.
- Encrypt and pseudonymize personal data.
- Retain data only for the period that is required to process it for the intended purpose.
- Erase or rectify inaccuracies in personal data as early as possible. Secure and certified data erasure software such as BitRaser removes data permanently, making it irretrievable; its automatically generated erasure reports and certificates of destruction give data controllers and processors evidence for use in audits.
- Prevent loss and destruction of records.
- Report all apparent faults in the system's functioning.
- Restore installed systems after an interruption (recovery).
Organizations should process personal data without compromising the security of individuals' sensitive information. The data protection principles of the BDSG-neu can guide businesses toward the lawful, limited, and secure processing of personal data.