Understanding Germany’s Federal Data Protection Act

The European Union (EU) passed the General Data Protection Bill (GDPR) in 2016, which came into effect in May 2018. Based on the EU Charter for Fundamental Rights, it ensured all EU residents' personal data and information would remain safe online. Regarded as one of the most comprehensive pieces of legislation, it set the bar for all data protection laws that have followed across the world.

Interestingly, there were provisions in the GDPR that allowed each EU member country to make slight adjustments to their own national interpretation and implementation of the law. Germany's interpretation is the Bundesdatenschutzgesetz (BDSG), the German Federal Data Protection Act. It mirrors the GDPR in all key areas while giving local German regulatory authorities the power to enforce it more efficiently on the national level.

One aspect of GDPR that is open to differences is the age of consent to differentiate between adult and child data subjects. Germany has set the age of consent with regard to data protection at 16 years old.

Understanding the law and its basics can help companies remain compliant with the law's provisions while also gaining a competitive advantage over their competitors within Germany.

Who Needs to Comply with the Law

Germany's interpretation of the GDPR, the Federal Data Protection Act, applies to all personal and sensitive data that the data handler in Germany may have collected. This can include:

• Name
• Voice
• Picture
• Identification number
• Race
• Ethnicity
• Religion
• Sexual preference
• Biometric data
• Criminal record
• Health records
• Geographical location

As far as jurisdiction is concerned, the Federal Data Protection Act applies to:

• Any data handler located in Germany collecting data on users
• Any data handler located outside Germany but offering goods or services to data subjects within Germany
• Any data handler located outside Germany monitoring the digital behavior of users in Germany

Obligations for Organizations Under the Federal Data Protection Act

As per Germany's data protection law, there are certain obligations that all data handlers or organisations have towards their users. These include the following:

1. Lawful Basis Requirements

The law explicitly states that the data handler can only collect data under the following conditions:

• Processing data is necessary to carry out a legal, financial obligation;
• Processing data is necessary for reasons of public interest in the area of public health;
• Processing data is necessary for the purposes of preventative medicine;
• Processing data is necessary for reasons of public interest.

2. Consent Requirements

As per Germany's Federal Data Protection Act, all data handlers that need to process data subjects' data can only proceed to do so after having acquired the necessary consent.

All data subjects must be informed of what data will be collected, how it will be collected, and for how long. Additionally, if any sensitive personal data is to be collected, the data subject must be informed of this separately.

3. Privacy Policy Requirements

The law mandates all data handlers processing data of EU residents to ensure the adherence to the following requirements in their privacy policies:

• Proper contact details of the data handler or the data handler's German representative if the data handler is not based inside Germany.
• Proper contact details of the data handler's Data Protection Officer.
• Legal reasons behind the need to process the data subjects' data.
• How are the data subjects' data stored, processed, protected, and for how long?
• How the data subjects can withdraw consent.
• All of the data subjects' rights such as the right to access, rectification, erasure, data portability, etc.
• Whether the data collected will be used in automated decision-making and profiling.
• Whether the data collected will be shared or sold to any third party.
• The business and financial needs behind collecting the data subjects' data.

4. Security Requirements

The law requires all data handlers to undertake the necessary technical and organisational steps to ensure adequate protection measures are in place for all data being processed.

While the law is ambiguous about the exact measures that need to be taken, data handlers are advised to implement striction encryption across the entire database while ensuring that such data is only accessible to relevant individuals on a need-to basis.

5. Data Breach Requirements

The German law dictates that any organisation subject to a data breach must inform the regulatory body without any undue delay within 72 hours of the incident. If such an incident is not reported appropriately, the data handler may face a fine of up to €500,000 per incident.

Additionally, all affected data subjects must be informed of the breach and what steps are being taken to prevent a future repeat of the incident.

6. Data Protection Officer Requirement

There are specific requirements in Germany's data protection law when appointing a Data Protection Officer (DPO). An organisation that employs at least 20 individuals dealing with data processing is legally required to hire a DPO with the proper credentials and professional experience to be employed in that role.

The organizations themselves can determine the necessary level of expertise and compatibility with the company culture, provided the final candidates meet all the requirements.

7. Data Protection Impact Assessment

Under the law, all data handlers must carry out Data Protection Impact Assessments (DPIA) within their organisation.

Moreover, the DPO should head these efforts and ensure the organisation's data protection mechanisms are up-to-date and remain compliant with the law. A regular record of such assessments must be kept to ensure a consistent degree of compliance within the organisations' data processing activities.

8. Record of Processing Activities

The data handler must keep a detailed record of all data being collected by them. The record must include the following:

• Contact details of the data handler and the DPO at the time the data was processed;
• Purpose of processing;
• Information on the legal basis for processing;
• How long the data will be maintained;
• What security measures are in place to protect the collected data;
• Categories of personal data and data subjects;

9. Cross border data transfer Requirements

As per the Schrems II ruling by the European Court of Justice as well as recommendations by the European Data Protection Board, any form of data collected from users within the EU that has to be transferred outside the EU or the European Economic Area has to have a legal justification behind with the following criteria being met:

• Whitelisted jurisdiction;
• Approved standard contractual clauses;
• Binding corporate rules;
• Parties involved in cross border transfer have the appropriate data protection;
• certifications;

Data Subject Rights

Like the GDPR, Germany's national interpretation of the law gives several explicit rights to all data subjects. The most important rights include:

a. Right to Access One's Own Data

All data subjects have the right to access all data that has been collected on them by the data handler. However, the data subject can be denied this request owing to legal or statutory protections around the data in question or if the data in question poses a risk to Germany's national security.

b. Right to Know Where Data Is Collected

All data subjects have the right to request information on where and which devices the data collected on them originated. This request can be denied if the data in question is subject to legal protections, interferes in the performance of duties by public bodies, or endangers Germany's national security.

c. Right to To Object

The data subject can object to any further collection of their data. However, this request can be denied if the urgent public interest outweighs the data subject's interests.

d. Right to Request Erasure of One's Own Data

All data subjects have the right to request the data handler to erase any data collected on them. This request can be denied if the request conflicts with the retention period requirements of the data handler, would require an excessive dedication of resources, the data in the request is subject to legal protection, or would adversely affect Germany's national interests.

e. Right to Object to Automated Decision-Making

The data subject has the right to request an end to all automated decision-making and profiling based on data collected by the data handler.

Regulatory Authority

The new law established the office of the ​​Federal Commissioner for Data Protection and Freedom of Information, with its headquarters in the city of Bonn. It is led by a Federal Commissioner, elected via a vote by the German Bundestag.

Eligibility criteria include being at least 35 years old, appropriate qualifications in the field of data protection law gained through relevant professional experience. The Commissioner's term is for five years, which can be extended once.

The Commissioner has the responsibility to act as the primary office responsible for enforcing the Federal Data Protection Act within Germany. Some of the office's key responsibilities include:

• Advising the Bundestag, the Bundesrat, and the Federal Government on administrative and legislative measures related to data protection within the country;
• To oversee and implement both the GDPR and Federal Data Protection Act within Germany;
• To promote awareness within the public related to the risks, rules, safeguards, and rights concerning the processing of personal data;
• To handle all complaints raised by data subjects related to data processing in addition to carrying out investigations to find out if any data handler has breached any provisions of the Act;

Penalties for Non-compliance

The GDPR already laid down some stringent penalties for companies that would be found in breach of the law's provisions. More importantly, as opposed to other data protection laws such as the CCPA and CPRA, non-compliance with the law also meant penalties.

Germany's Federal Data Protection Act has a slightly more lenient take in this regard. Suppose a data handler is found to have fraudulently collected data, processed, shared, or sold data without proper consent from the data subjects, not responded or responded with delay to a data subject request, or failed to inform the data subject of a breach properly. In that case, it can be fined up to €50,000.

This is in addition to the GDPR's €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, that any organisation found in breach of the law is subject to.

However, for this fine to be applied, either the data subject, the Federal Commissioner, or the regulatory authority must file an official complaint.

How an Organization Can Operationalize the Law

Data handlers processing data inside Germany can remain compliant with the country's data protection law if they fulfill the following conditions:

• Have a comprehensive privacy policy that educates all users of their rights and how to contact the relevant personnel within the organisation in case of a query
• Hire a competent Data Protection Officer that understands the GDPR and Federal Data Protection Act thoroughly and can lead compliance efforts within your organisation
• Ensure all the company's employees and staff are acutely aware of their responsibilities under the law
• Conduct regular data protection impact assessments as well as data mapping exercises to ensure maximum efficiency in your compliance efforts
• Notify the relevant authorities of a data breach as soon as possible

How can Securiti Help

Data privacy and compliance have become incredibly vital in earning users' trust globally. Most users now expect most businesses to take all the relevant measures to ensure the data they collect is properly stored, protected, and maintained. Data protection laws have made such efforts legally mandatory, with organisations designing the best data protection and privacy compliance mechanisms for themselves.

That is an arduous task. However, AI-driven solutions could hold the key towards striking a balance between efficiency and effectiveness. Securiti is a market leader in offering solutions based on its PrivacyOps framework that can help businesses achieve privacy compliance anywhere in the world at the click of a button.

Request a demo today to learn more about how Securiti can help your business.