What progress on the GDPR? The German implementation

This post is also available in: frFrançais (French)

On 27 April 2017, the Bundestag adopted a new law on data protection (Bundesdatenschutz –BDSG) replacing a law that entered into force more than 40 years ago. It aims to adapt the German legislation to the General Data Protection Regulation (GDPR) that enters into force in May 2018. Other more specialised legislations should follow.

Provisions of the new law:

Fines. Violation of the German law carries a fine of up to €50,000. Article 84 of the GDPR provides that Member States have to determine a system of sanctions for violations not provided for in article 83 of the GDPR. Sanctions have to be effective, proportionate and dissuasive. Yet, Article 43 provides that in case of unprocessed request of information, whether intentionally or by negligence, incorrectly processed or over the deadline, a fine of only €50,000 may be imposed to the data controlling responsible, except for public authorities. On those public authorities, no fine can be imposed.

Penal Sanctions. In addition to fines, the German legislation provides penal sanctions in case of violation of data protection of up to 3 years imprisonment.

Compensation. In case of violation, people may receive compensation by means of claim of damages on behalf of the non-material damage suffered by the appellant (article 83 of the BDSG). Customers and organisations will be able to initiate judicial proceedings: these hope to facilitate the claims of the people concerned.

Concerns. In case of processing of personal data for historical, statistical and scientific research purposes, special categories of data may be processed without the consent of the people concerned, provided that it is necessary for the purposes of the data processing ànd on the condition that it is not contrary to the interest of the person concerned. The data controller has to provide appropriate measures to protect the interests of the person concerned, but these measures are not specified: it leaves a considerable margin of interpretation to the Member States. These provisions are at risk of not fulfilling the European requirements as set within the GDPR.

Improvements. The restriction of article 32 of the BDSG relating to an exemption of the obligation to provide information if it “necessitates a disproportionate effort” has been removed by the Bundestag. Numerous jurists doubted the conformity of this exemption with the GDPR.

DPO. Companies with more than 10 employees will be obliged to have a Data Protection Officer when they process data, whereas the GDPR makes this compulsory only for public authorities when processing requires a regular and systematic monitoring (because of the nature or the finality of the processing or when the activity consists of a large-scale processing of special categories of data according to article 37).

Numerous people are concerned by the German approach: the German Legislator has widely used “open and flexible clauses” to keep its national characteristics. If each Member State follows the same strategy, the harmonisation that the GDPR requires, will not be achieved. Furthermore, we can note that some German proposals are very interesting. In this respect, AEDH welcomes the introduction of a provision of compensation and the possibility of legal remedies.