On 20 September 2019, the German Federal Council (Bundesrat) approved the 2nd DSAnpUG. The changes made herein came into effect on 26 November 2019. Legislative amendments to over 150 national acts further integrate and adapt German data protection law to the provisions of the General Data Protection Regulation (EU) 2016/679 (GDPR).
Below, we emphasise some of the key changes and provide an overview of the potential ramifications.
What are some of the most important changes?
Of high importance are the changes to the German Federal Data Protection Act (BDSG). In the context of Article 37 GDPR, the 2nd DSAnpUG raises the threshold at which a data protection officer (DPO) must be designated from ten to twenty persons dealing with the automated processing of personal data (Section 38 (1) BDSG). Also, the Federal Commissioner for Data Protection and Freedom of Information became the competent authority for the supervision of data processing in connection with the commercial provision of telecommunication services (Section 9 (1) BDSG). Under Section 22 (1) (d) BDSG, the processing of special categories of personal data (eg genetic and biometric data, data revealing racial or ethnic origin) is now additionally permitted if it is vital for reasons of substantial public interest. Furthermore, Section 26 (2) sentence 3 BDSG specifies that data processing for employment-related purposes is now also permissible by means of electronic consent.
The Act on the Federal Office for Information Security (BSIG) was amended. This is particularly relevant for operators of so-called critical infrastructures (KRITIS) in Germany, including electricity and water supply, finance or nutrition. The Federal Office for Information Security is the national cyber security authority in Germany, shaping information security in digitisation through government and business oversight. Thus, a comprehensive legal basis for the processing of personal data in the context of information security oversight was codified (Section 3a BSIG). By contrast, data subject rights (cf. Article 15 ff. GDPR) have been greatly restricted (Section 6 ff. BSIG). This includes restrictions on the obligation to provide information under Articles 13 and 14 GDPR (Section 6a BSIG) or the right to erasure (‘right to be forgotten’) under Article 17 GDPR (Section 6d BSIG).
The Act on the Establishment of a Federal Institute for Digital Radio of Authorities and Organizations with Security Responsibilities (BDBOSG) was also adapted. The 2nd DSAnpUG introduces several legal bases for the processing of traffic data by the Federal Institute. The Federal Institute shall, eg, have the right to process traffic data to detect, contain or eliminate faults or errors (Section 19 (1) BDBOSG). Furthermore, the Federal Institute may also transmit traffic data to courts and prosecution authorities for prosecution and to the police authorities of the federal and state governments for the purpose of averting danger (Section 21 BDBOSG).
The Stock Exchange Act (BörsG) was amended, creating a new legal basis for data processing insofar as this is necessary for the fulfilment of their statutory duties by, inter alia, the competent Securities and Exchange Commission and Sanctions Committee (Section 22b (1) BörsG). The adaptation ensures that data subject rights under Article 15 ff. GDPR apply, but also makes specific exceptions in individual cases.
What are potential ramifications?
The amendment mainly concerns data processing within the framework of state supervisory procedures. In this respect, the regulations are partly very broad and vaguely formulated. It is therefore always necessary to examine the individual case to determine whether the conditions are met.
The amendment of Section 38 (1) BDSG raises the question of whether smaller companies that were formerly obligated to designate a DPO (above ten persons dealing with the automated processing) can now dismiss their DPO if they have fewer than twenty persons dealing with automated processing.
According to the wording of Section 38 (1) BDSG, a company is not obligated to designate a DPO if fewer than twenty persons are dealing with automated processing. Thus, the restrictive termination provisions of Section 38 (2) BDSG in conjunction with Section 6 (4) BDSG do not apply when terminating the employment contract of a DPO.
In contrast, the Hessian State Labor Court recently held (LAG Hessen, judgment of 13.02.2019 - 6 Sa 567/18) that a mandatorily appointed DPO continues to enjoy special protection against dismissal in order to carry out his tasks independently, even if the number of persons subsequently drops below the threshold that triggers the obligation to designate a DPO. Otherwise, before taking any measure that might be unpleasant for the employer, a DPO would first have to ascertain whether he/she is still a bindingly appointed DPO equipped with protection against dismissal. For the sake of legal clarity and legal certainty, revocation is therefore necessary.
It is unclear, though, whether this legal reasoning applies to the current data protection law, since the judgment concerns an older legal framework with only partially comparable provisions. In addition, this is a decision of a state court and not of a federal court.
At any rate, companies need to be mindful of the legal risks when considering the termination of a formerly mandatory DPO.






