In April the German Parliament passed the new Federal Data Protection Act. Being an EU member state, the country sought to replace the old BDSG regulations that have been in existence for the last 40 years.
The FDPA is intended to adapt the country’s legal framework to the provisions of the European Union’s GDPR. The German authorities recognized the complexity of the FDPA. As a result, provisions that seem to exceed the GDPR’s scope will have limited practical relevance, because the country’s judiciary will not apply clauses that contradict EU law. Parliamentary approval of the FDPA and GDPAA marked a significant milestone in preparing the country for the new data protection era.
The new FDPA has several key provisions that set out specific conditions and guide organizations on how they should conduct their businesses. In addition, organizations currently in compliance with the regulations are likely to find it easy to adapt to the new changes. They may not encounter significant challenges as they amend their processes and internal policies, since some of the provisions are retained in their current form.
The prior drafts of the FDPA had put restrictions on the freedom to exercise individual rights. The good news is that the new FDPA removed all the restrictions. Consequently, GDPR will apply to the German people without unnecessary limitations to the rights of the data subjects. Some of the limited rights in the earlier version of the draft included a restriction on the right to object, right to data erasure and right to access information. All of these restrictions were eliminated in the new FDPA.
GDPR allows processors to process sensitive data without consent for statistical reasons and historical research if the controller’s interest substantially outweighs that of the data subject. However, the data controller must employ appropriate and specific measures to protect the data subject’s interest. According to the new German law, sensitive data processed for statistical purposes or historical research must be anonymized. The provision contains additional restrictions regarding the right of a data subject. These restrictions delineate publication requirements for such data.
Works Councils Agreement
The new FDPA sets out special requirements for processing certain types of employee data. Under these rules, organizations will be forced to adjust their Works Council agreements. Although such agreements form a lawful basis for data processing, they must conform to the GDPR requirements as well as the new FDPA. The requirements include appropriate measures to protect the legitimate interests of the data subjects.
The Investigative Powers of DPA
The new FDPA puts some restrictions on the investigative capacities of the DPA, particularly with regard to professional secrecy obligations. The restrictions extend to data in the custody of controllers. Examples of such professionals include psychologists, medical professionals and lawyers.
The new FDPA states that an administrative crime is committed when a person fails to manage an information request appropriately either intentionally or by negligence. The same offense is considered to have occurred if someone fails to inform a user or provides partial information. Besides the fines stipulated by the GDPR, the new FDPA penalizes the offender with a fine of up to EUR 50,000.
The new FDPA has provisions that relate to the video surveillance of public areas. The country maintains its current regulations on this matter. However, it adds regulations that control the extent of CCTV footage use, storage, retention period and how people should be informed. The new German law also contains provisions that give guidance on the appointment of DPOs. One crucial aspect concerning this exercise is the fact that the new regulation sets a low threshold for the appointment of the DPO compared to the standards under GDPR.
Parliament could introduce amendments in the future because specific issues still need to be revisited, such as lowering the age limit of 16 years for the parental consent obligation.