Products
By Use Cases By Roles
Data Command Center
View
Learn more

AI Security & Governance

Discover, assess, and safeguard AI usage

Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle

Learn more

Compliance Management

Automate Compliance with Global AI and Data Frameworks using Common Controls and Tests
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

AI Security & Governance

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

AI Security & Governance

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View

AI Security & Governance

View

Compliance Management

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Knowledge Center » Data Privacy Automation

Germany Federal Data Protection Act

Published January 25, 2022

The European Union (EU) passed the General Data Protection Bill (GDPR) in 2016, which came into effect in May 2018. Based on the EU Charter for Fundamental Rights, it ensured all EU residents' personal data and information would remain safe online. Regarded as one of the most comprehensive pieces of legislation, it set the bar for all data protection laws that have followed across the world.

Interestingly, there were provisions in the GDPR that allowed each EU member country to make slight adjustments to their own national interpretation and implementation of the law. Germany's interpretation is the Bundesdatenschutzgesetz (BDSG), the German Federal Data Protection Act. It mirrors the GDPR in all key areas while giving local German regulatory authorities the power to enforce it more efficiently on the national level.

One aspect of GDPR that is open to differences is the age of consent to differentiate between adult and child data subjects. Germany has set the age of consent with regard to data protection at 16 years old.

Understanding the law and its basics can help companies remain compliant with the law's provisions while also gaining a competitive advantage over their competitors within Germany.

Who Needs to Comply with the Law

Germany's interpretation of the GDPR, the Federal Data Protection Act, applies to all personal and sensitive data that the data handler in Germany may have collected. This can include:

Name
Voice
Picture
Identification number
Race
Ethnicity
Religion
Sexual preference
Biometric data
Criminal record
Health records
Geographical location

As far as jurisdiction is concerned, the Federal Data Protection Act applies to:

Any data handler located in Germany collecting data on users
Any data handler located outside Germany but offering goods or services to data subjects within Germany
Any data handler located outside Germany monitoring the digital behavior of users in Germany

Obligations for Organizations Under the Federal Data Protection Act

As per Germany's data protection law, there are certain obligations that all data handlers or organisations have towards their users. These include the following:

Lawful Basis Requirements

The law explicitly states that the data handler can only collect data under the following conditions:

Processing data is necessary to carry out a legal, financial obligation;
Processing data is necessary for reasons of public interest in the area of public health;
Processing data is necessary for the purposes of preventative medicine;
Processing data is necessary for reasons of public interest.

As per Germany's Federal Data Protection Act, all data handlers that need to process data subjects' data can only proceed to do so after having acquired the necessary consent.

All data subjects must be informed of what data will be collected, how it will be collected, and for how long. Additionally, if any sensitive personal data is to be collected, the data subject must be informed of this separately.

Privacy Policy Requirements

The law mandates all data handlers processing data of EU residents to ensure the adherence to the following requirements in their privacy policies:

Proper contact details of the data handler or the data handler's German representative if the data handler is not based inside Germany.
Proper contact details of the data handler's Data Protection Officer.
Legal reasons behind the need to process the data subjects' data.
How are the data subjects' data stored, processed, protected, and for how long?
How the data subjects can withdraw consent.
All of the data subjects' rights such as the right to access, rectification, erasure, data portability, etc.
Whether the data collected will be used in automated decision-making and profiling.
Whether the data collected will be shared or sold to any third party.
The business and financial needs behind collecting the data subjects' data.

Security Requirements

The law requires all data handlers to undertake the necessary technical and organisational steps to ensure adequate protection measures are in place for all data being processed.

While the law is ambiguous about the exact measures that need to be taken, data handlers are advised to implement striction encryption across the entire database while ensuring that such data is only accessible to relevant individuals on a need-to basis.

Data Breach Requirements

The German law dictates that any organisation subject to a data breach must inform the regulatory body without any undue delay within 72 hours of the incident. If such an incident is not reported appropriately, the data handler may face a fine of up to €500,000 per incident.

Additionally, all affected data subjects must be informed of the breach and what steps are being taken to prevent a future repeat of the incident.

Data Protection Officer Requirement

There are specific requirements in Germany's data protection law when appointing a Data Protection Officer (DPO). An organisation that employs at least 20 individuals dealing with data processing is legally required to hire a DPO with the proper credentials and professional experience to be employed in that role.

The organizations themselves can determine the necessary level of expertise and compatibility with the company culture, provided the final candidates meet all the requirements.

Data Protection Impact Assessment

Under the law, all data handlers must carry out Data Protection Impact Assessments (DPIA) within their organisation.

Moreover, the DPO should head these efforts and ensure the organisation's data protection mechanisms are up-to-date and remain compliant with the law. A regular record of such assessments must be kept to ensure a consistent degree of compliance within the organisations' data processing activities.

Record of Processing Activities

The data handler must keep a detailed record of all data being collected by them. The record must include the following:

Contact details of the data handler and the DPO at the time the data was processed;
Purpose of processing;
Information on the legal basis for processing;
How long the data will be maintained;
What security measures are in place to protect the collected data;
Categories of personal data and data subjects;

Cross border data transfer Requirements

As per the Schrems II ruling by the European Court of Justice as well as recommendations by the European Data Protection Board, any form of data collected from users within the EU that has to be transferred outside the EU or the European Economic Area has to have a legal justification behind with the following criteria being met:

Whitelisted jurisdiction;
Approved standard contractual clauses;
Binding corporate rules;
Parties involved in cross border transfer have the appropriate data protection;
certifications;

Data Subject Rights

Like the GDPR, Germany's national interpretation of the law gives several explicit rights to all data subjects. The most important rights include:

Right to Access One's Own Data

All data subjects have the right to access all data that has been collected on them by the data handler. However, the data subject can be denied this request owing to legal or statutory protections around the data in question or if the data in question poses a risk to Germany's national security.

Right to Know Where Data Is Collected

All data subjects have the right to request information on where and which devices the data collected on them originated. This request can be denied if the data in question is subject to legal protections, interferes in the performance of duties by public bodies, or endangers Germany's national security.

Right to Object

The data subject can object to any further collection of their data. However, this request can be denied if the urgent public interest outweighs the data subject's interests.

Right to Request Erasure of One's Own Data

All data subjects have the right to request the data handler to erase any data collected on them. This request can be denied if the request conflicts with the retention period requirements of the data handler, would require an excessive dedication of resources, the data in the request is subject to legal protection, or would adversely affect Germany's national interests.

Right to Object to Automated Decision-Making

The data subject has the right to request an end to all automated decision-making and profiling based on data collected by the data handler.

Regulatory Authority

The new law established the office of the Federal Commissioner for Data Protection and Freedom of Information, with its headquarters in the city of Bonn. It is led by a Federal Commissioner, elected via a vote by the German Bundestag.

Eligibility criteria include being at least 35 years old, appropriate qualifications in the field of data protection law gained through relevant professional experience. The Commissioner's term is for five years, which can be extended once.

The Commissioner has the responsibility to act as the primary office responsible for enforcing the Federal Data Protection Act within Germany. Some of the office's key responsibilities include:

Advising the Bundestag, the Bundesrat, and the Federal Government on administrative and legislative measures related to data protection within the country;
To oversee and implement both the GDPR and Federal Data Protection Act within Germany;
To promote awareness within the public related to the risks, rules, safeguards, and rights concerning the processing of personal data;
To handle all complaints raised by data subjects related to data processing in addition to carrying out investigations to find out if any data handler has breached any provisions of the Act;

Penalties for Non-compliance

The GDPR already laid down some stringent penalties for companies that would be found in breach of the law's provisions. More importantly, as opposed to other data protection laws such as the CCPA and CPRA, non-compliance with the law also meant penalties.

Germany's Federal Data Protection Act has a slightly more lenient take in this regard. Suppose a data handler is found to have fraudulently collected data, processed, shared, or sold data without proper consent from the data subjects, not responded or responded with delay to a data subject request, or failed to inform the data subject of a breach properly. In that case, it can be fined up to €50,000.

This is in addition to the GDPR's €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, that any organisation found in breach of the law is subject to.

However, for this fine to be applied, either the data subject, the Federal Commissioner, or the regulatory authority must file an official complaint.

How an Organization Can Operationalize the Law

Data handlers processing data inside Germany can remain compliant with the country's data protection law if they fulfill the following conditions:

Have a comprehensive privacy policy that educates all users of their rights and how to contact the relevant personnel within the organisation in case of a query
Hire a competent Data Protection Officer that understands the GDPR and Federal Data Protection Act thoroughly and can lead compliance efforts within your organisation
Ensure all the company's employees and staff are acutely aware of their responsibilities under the law
Conduct regular data protection impact assessments as well as data mapping exercises to ensure maximum efficiency in your compliance efforts
Notify the relevant authorities of a data breach as soon as possible

How can Securiti Help

Data privacy and compliance have become incredibly vital in earning users' trust globally. Most users now expect most businesses to take all the relevant measures to ensure the data they collect is properly stored, protected, and maintained. Data protection laws have made such efforts legally mandatory, with organisations designing the best data protection and privacy compliance mechanisms for themselves.

That is an arduous task. However, AI-driven solutions could hold the key towards striking a balance between efficiency and effectiveness. Securiti is a market leader in offering solutions based on its PrivacyOps framework that can help businesses achieve privacy compliance anywhere in the world at the click of a button.

Request a demo today to learn more about how Securiti can help your business.

The Federal Data Protection Act of Germany is a data protection law that regulates the processing of personal data within Germany. It supplements and aligns with the requirements of the EU GDPR.

Yes, Germany is covered by GDPR (General Data Protection Regulation). GDPR is a regulation that applies uniformly across all EU member states, including Germany.

The Federal Data Protection Act established the office of the Federal Commissioner for Data Protection and Freedom of Information, with its headquarters in the city of Bonn. It is led by a Federal Commissioner, elected via a vote by the German Bundestag.

Germany's interpretation is the Bundesdatenschutzgesetz (BDSG), the German Federal Data Protection Act. It mirrors the GDPR in all key areas while giving local German regulatory authorities the power to enforce it more efficiently nationally.