The European Union (EU) passed the General Data Protection Regulation (GDPR) in 2016, and it came into effect in May 2018. Based on the EU Charter of Fundamental Rights, it ensures that all EU residents' personal data and information remain protected online. Regarded as one of the most comprehensive pieces of data protection legislation, it set the bar for the data protection laws that have followed across the world.
Interestingly, there were provisions in the GDPR that allowed each EU member country to make slight adjustments to their own national interpretation and implementation of the law. Germany's interpretation is the Bundesdatenschutzgesetz (BDSG), the German Federal Data Protection Act. It mirrors the GDPR in all key areas while giving local German regulatory authorities the power to enforce it more efficiently on the national level.
One aspect of GDPR that is open to differences is the age of consent to differentiate between adult and child data subjects. Germany has set the age of consent with regard to data protection at 16 years old.
Understanding the law and its basics can help companies remain compliant with the law's provisions while also gaining a competitive advantage over their competitors within Germany.
Germany's interpretation of the GDPR, the Federal Data Protection Act, applies to all personal and sensitive data that the data handler in Germany may have collected. This can include:
As far as jurisdiction is concerned, the Federal Data Protection Act applies to:
As per Germany's data protection law, there are certain obligations that all data handlers or organisations have towards their users. These include the following:
The law explicitly states that the data handler can only collect data under the following conditions:
As per Germany's Federal Data Protection Act, all data handlers that need to process data subjects' data can only proceed to do so after having acquired the necessary consent.
All data subjects must be informed of what data will be collected, how it will be collected, and for how long. Additionally, if any sensitive personal data is to be collected, the data subject must be informed of this separately.
The law mandates all data handlers processing data of EU residents to ensure the adherence to the following requirements in their privacy policies:
The law requires all data handlers to undertake the necessary technical and organisational steps to ensure adequate protection measures are in place for all data being processed.
While the law is ambiguous about the exact measures that need to be taken, data handlers are advised to implement strict encryption across the entire database while ensuring that such data is only accessible to relevant individuals on a need-to-know basis.
The German law dictates that any organisation subject to a data breach must inform the regulatory body without any undue delay within 72 hours of the incident. If such an incident is not reported appropriately, the data handler may face a fine of up to €500,000 per incident.
Additionally, all affected data subjects must be informed of the breach and what steps are being taken to prevent a future repeat of the incident.
There are specific requirements in Germany's data protection law when appointing a Data Protection Officer (DPO). An organisation that employs at least 20 individuals dealing with data processing is legally required to hire a DPO with the proper credentials and professional experience to be employed in that role.
The organisations themselves can determine the necessary level of expertise and compatibility with the company culture, provided the final candidates meet all the requirements.
Under the law, all data handlers must carry out Data Protection Impact Assessments (DPIA) within their organisation.
Moreover, the DPO should head these efforts and ensure the organisation's data protection mechanisms are up to date and remain compliant with the law. A regular record of such assessments must be kept to ensure a consistent degree of compliance across the organisation's data processing activities.
The data handler must keep a detailed record of all data being collected by them. The record must include the following:
As per the Schrems II ruling by the European Court of Justice, as well as recommendations by the European Data Protection Board, any data collected from users within the EU that has to be transferred outside the EU or the European Economic Area must have a legal justification behind it, with the following criteria being met:
Like the GDPR, Germany's national interpretation of the law gives several explicit rights to all data subjects. The most important rights include:
All data subjects have the right to access all data that has been collected on them by the data handler. However, the data subject can be denied this request owing to legal or statutory protections around the data in question or if the data in question poses a risk to Germany's national security.
All data subjects have the right to request information on where and which devices the data collected on them originated. This request can be denied if the data in question is subject to legal protections, interferes in the performance of duties by public bodies, or endangers Germany's national security.
The data subject can object to any further collection of their data. However, this request can be denied if the urgent public interest outweighs the data subject's interests.
All data subjects have the right to request the data handler to erase any data collected on them. This request can be denied if the request conflicts with the retention period requirements of the data handler, would require an excessive dedication of resources, the data in the request is subject to legal protection, or would adversely affect Germany's national interests.
The data subject has the right to request an end to all automated decision-making and profiling based on data collected by the data handler.
The new law established the office of the Federal Commissioner for Data Protection and Freedom of Information, with its headquarters in the city of Bonn. It is led by a Federal Commissioner, elected via a vote by the German Bundestag.
Eligibility criteria include being at least 35 years old and having appropriate qualifications in the field of data protection law, gained through relevant professional experience. The Commissioner's term is five years, which can be extended once.
The Commissioner has the responsibility to act as the primary office responsible for enforcing the Federal Data Protection Act within Germany. Some of the office's key responsibilities include:
The GDPR already laid down stringent penalties for companies found in breach of the law's provisions. More importantly, unlike other data protection laws such as the CCPA and CPRA, non-compliance with the law in itself also carried penalties.
Germany's Federal Data Protection Act takes a slightly more lenient approach in this regard. If a data handler is found to have fraudulently collected data; processed, shared, or sold data without proper consent from the data subjects; not responded, or responded late, to a data subject request; or failed to properly inform the data subject of a breach, it can be fined up to €50,000.
This is in addition to the GDPR's €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, that any organisation found in breach of the law is subject to.
However, for this fine to be applied, either the data subject, the Federal Commissioner, or the regulatory authority must file an official complaint.
Data handlers processing data inside Germany can remain compliant with the country's data protection law if they fulfill the following conditions:
Data privacy and compliance have become vital to earning users' trust globally. Most users now expect businesses to take all the relevant measures to ensure the data they collect is properly stored, protected, and maintained. Data protection laws have made such efforts legally mandatory, leaving organisations to design the data protection and privacy compliance mechanisms that best fit them.
That is an arduous task. However, AI-driven solutions could hold the key towards striking a balance between efficiency and effectiveness. Securiti is a market leader in offering solutions based on its PrivacyOps framework that can help businesses achieve privacy compliance anywhere in the world at the click of a button.