Last year, Germany became the first EU member state to pass legislation implementing the EU’s General Data Protection Regulation (GDPR). For companies, national GDPR implementation legislation can be significant. Among other aims, the GDPR permits member states to pass national rules for:
- Human resources (HR) / employee privacy
- Secondary data uses
- Data protection officers
- Privacy class action litigation
- Health and medical data
- Automated and/or algorithmic decision-making
- Research and statistical processing
- Evidentiary and other privileges
Additionally, member states currently have a number of restrictions on individuals’ privacy rights of information, access, erasure, and objection, and may attempt to retain these under the GDPR.
Germany’s GDPR implementation statute – the “Data Protection Amendments and Implementation Act” – repeals Germany’s venerated Federal Data Protection Act (Bundesdatenschutzgesetz or BDSG) and replaces it with an entirely new BDSG, aptly called the “BDSG-New.” The BDSG-New is a result of more than a year of drafting, debate, and public deliberations. Germany’s passage of the BDSG-New as the EU’s first GDPR implementation statute is in keeping with the country’s longstanding reputation as a leading privacy jurisdiction. Its approach to GDPR implementation is already influencing other member states’ national implementation legislation.
Alston & Bird offers a five-part series on Germany’s GDPR implementation legislation. The series addresses the BDSG-New provisions likely to be significant to companies.
- Part 1: Overview, Drafting History, and Scope of Application – The first installment summarizes the fascinating drafting history of the BDSG-New, which involved more debate and controversy than many observers may have expected from Germany. It also provides an overview of the BDSG-New and an analysis of its scope provisions, which now reach across borders to apply extraterritorially to companies outside Germany.
- Part 2: Reusing Data – Secondary Uses, New Regime for Health Data, and Research and Statistical Processing – The second installment introduces Germany’s new regime for health data. The BDSG-New permits companies to make a number of new and significant uses of health data without having to obtain individuals’ consent. This installment also discusses secondary data uses permitted by the BDSG-New, which will primarily be relevant in litigation and investigation e-discovery compliance. Lastly, the discussion of statistical uses may be relevant for any companies considering using German data for analytics.
- Part 3: Inside the Company – Data Protection Officers and Employee Data Rules – The third installment focuses on internal organizational obligations, specifically data protection officers (DPOs) and HR privacy rules. Germany is maintaining its tradition of requiring DPOs in almost every company doing business within its borders. Additionally, this installment contains an extended discussion of HR privacy rules under the BDSG-New, including employment-related legal bases for processing employee data, rules for works council agreements, and new statutory examples of when employee consent may be considered valid.
- Part 4: Individual Rights – Germany’s current privacy law contains a number of exemptions from information, access, erasure, and objection rights. The fourth installment summarizes the more significant exemptions that will survive under the BDSG-New. Significant carve-outs relate to data considered “confidential” under German law, archived or backup data, and disclosures made in data breaches.
- Part 5: DPA Oversight, Sanctions, and Lawsuits – The final installment provides an overview of what data protection authority (DPA) oversight and litigation may look like under the GDPR and the BDSG-New. The BDSG-New introduces an intra-Germany “one-stop shop” mechanism for clarifying a “lead DPA” among Germany’s 16 state-run DPAs. This installment also provides an overview of Germany’s two-track system for imposing and reviewing DPA actions – such as fines and injunctions – as well as recent case examples. There is also discussion of particular German civil and corporate law rules often unfamiliar to common-law attorneys, which may play a role in future fining practice.
For more information on Alston & Bird’s Privacy & Data Security Team, visit www.alstonprivacy.com or contact David Keating, Jim Harvey or Daniel Felz.