German Federal Data Protection Act (BDSG)

What Is Germany’s Federal Data Protection Act?

Germany, like other EU countries, falls under the jurisdiction of the General Data Protection Regulation (GDPR). However, the Regulation’s opening clauses allow member states to develop their own privacy laws, which Germany has taken advantage of. The country’s Federal Data Protection Act (Bundesdatenschutzgesetz or BDSG) includes laws that complement the GDPR, giving citizens an additional layer of protection for the personal data and information shared with organizations and business entities.

Germany’s Federal Data Protection Act (FDPA) was passed in 1977. It protects individual privacy by ensuring personal data is:

  • Collected, processed, and stored securely.
  • Used only for the intended purpose.
  • Accessible only to authorized persons.

The FDPA applies to any and all organizations that process personal data, including public and private companies, healthcare providers, banks and other financial institutions, and educational institutions. It requires organizations to process personal data in a responsible manner, including:

  • Obtaining appropriate data subject consent.
  • Informing data subjects about data processing activities, including what personal data is being collected, how it is being used, and who it is being shared with.
  • Taking security measures, such as limiting access to data, encrypting data, and regularly testing systems.
  • Informing data subjects of data breaches.
  • Granting individuals the right to receive their personal data in a commonly used, structured, and machine-readable format that they can transmit to another data controller.
  • Allowing individuals to access their data, rectify or correct any inaccurate or incomplete personal data, or have their data erased or deleted, such as when it’s no longer necessary for the purpose it was collected.

Additionally, any organization that transfers personal or sensitive data to another country must ensure it is protected at least as well as it is in Germany.

The law also provides for Data Protection Officers (DPOs) who are responsible for ensuring organizations comply with the law.

History of Data Privacy in Germany

Germany has a long, rich history of implementing data protection laws to keep pace with technological advancements in how data is collected, used, and shared. The world’s first national data protection law was passed by Germany shortly after the end of WW II. The FDPA/BDSG was proposed in 1971 and passed into law in January 1978. Along with establishing data protection principles and rights, the BDSG also created the Federal Commissioner for Data Protection, whose DPOs are responsible for enforcing the law.

The 1990s saw several landmark cases in Germany in response to the growing use of technology and the internet, including the Volkszählungsurteil of December 15, 1983. This “census verdict” established self-determination of information, stating that individuals have the power to decide when and to what extent their personal information can be published.

Today, the BDSG runs concurrently with the GDPR and has been renamed BDSG-new to reflect its adherence to the GDPR.

Principles and Components of Germany’s Federal Data Protection Act

Germany believes the right to informational privacy is a fundamental human right. The BDSG-new adheres to six core principles regarding the collection, processing, and use or sharing of personal data:

  1. Lawfulness, fairness, and transparency. Personal data must be processed legally, equitably, and clearly.
  2. Purpose limitation. Personal data must be collected for specific, explicit, and legitimate purposes.
  3. Data minimization. Personal data must be adequate, relevant, and limited to only what is necessary for processing purposes.
  4. Accuracy. Personal data must be accurate and kept up-to-date.
  5. Storage limitations. Personal data must be maintained in a form that allows individual identification for only as long as necessary.
  6. Integrity and privacy. Personal data must be processed in a way that ensures its security and confidentiality.

Together with designating DPOs for certain organizations, the BDSG-new’s key components include protections in employment-related data processing, as well as conditions for scoring and credit checks. It also provides requirements distinct from the GDPR for private companies.

Designating a Data Protection Officer

The BDSG-new requires organizations and businesses that process large quantities of personal data to appoint a DPO who ensures FDPA and other regulatory compliance. The DPO must be independent, report directly to senior management, speak the language of the competent authority and data subjects (i.e., German), and have knowledge and expertise in data privacy laws and practices.

As set out in Article 39 of the GDPR, a DPO’s specific tasks include:

  • Informing and advising on compliance with GDPR and other data protection laws.
  • Monitoring compliance and an organization’s internal data security policies.
  • Advising and monitoring data protection impact assessments where requested.
  • Cooperating and acting as a point of contact with supervisory authorities.  

Employment-Related Data Processing

BDSG-new Section 26 allows employee personal data to be processed for employment-related purposes, including entering, performing, or terminating employment or for carrying out a collective agreement. For instance, if there’s sufficient evidence that an employee committed a crime during their employment, an organization may process that individual’s personal data to investigate provided the processing is necessary and reasonable.

Scoring and Credit Checks

BDSG-new Section 31 permits companies to use relevant data to ensure data protection during credit checks and scoring. The score must be based on reliable mathematical-statistical methods, and, if address data is used, the data subject must be informed ahead of time.

Data Protection Authorities (DPAs)

Germany does not have a central supervisory authority for data protection laws. Instead, authorities in each of the country’s 16 federal states (Länder) oversee the laws. Of Germany’s approximately 17 DPAs, one has federal jurisdiction over telecommunications and postal companies. The other 16 preside over private organizations. The large number of DPAs can make compliance challenging. However, a mechanism within the BDSG-new simplifies the compliance process by appointing the main DPA in the state where a company is primarily established.

Altering Data Collection’s Original Purpose

Data collection can be altered to prosecute criminal offenses and support civil proceedings in matters involving public safety, national defense, and criminal prosecution. A controller cannot make any changes until they prove the alteration’s potential consequences outweigh the duty to protect data subjects.

Criminal Offenses

BDSG-new Section 42 identifies some data protection infringements as criminal offenses, including illegally transferring personal data to third parties, obtaining personal data through fraud, and making personal data accessible on a large scale for commercial purposes. Each infringement is punishable with a fine or up to three years in jail.

Scope of Application for Germany’s Data Protection Laws

The FDPA applies to German public and private organizations that collect, process, store, or use any type of personal data, including paper-based and electronic. It regulates how organizations must handle information and defines the rights of individuals whose data is collected and stored. Personal data includes:

  • Names
  • Addresses
  • Dates of birth
  • Employer or customer numbers

Organizations must also implement appropriate technical and organizational measures to protect the data from unauthorized access.

Having an accessible website in the EU doesn’t necessarily subject an organization to GDPR. Rather, the law regulates entities with an online presence in the EU that process or control personal data with the clear intention of monitoring behavior or offering goods and services. “Processing” applies equally to traditional, manual processing of paper records and processing using advanced technologies.

From a legal standpoint, the BDSG-new includes specialized rules for private companies in Germany, with the regulation applying to all non-public bodies that process personal data in Germany and whose data processing activities are traceable to the German branch of an international organization. That makes it critical for businesses in or outside the EU to stay compliant in protecting EU residents’ personal data.

GDPR vs. Germany’s Federal Data Protection Act

More than 70 opening clauses contained in the BDSG-new expand on the GDPR, modifying, clarifying, and providing further stipulations per the German Bundestag or Parliament. While both laws are designed to protect individual personal data and give citizens control over how their data is used, stored, and shared, they contain varying terms and definitions and have different obligations and rights.

For instance, the GDPR has a single set of rules that apply to all EU countries and their citizens, regardless of where they reside. The more comprehensive BDSG-new includes certain exemptions and additional requirements that are specific to Germany and German citizens. It’s important to note that the opening clauses provision of the GDPR allows the expanded laws of the BDSG-new to take precedence over GDPR laws.

Another example is that, under GDPR, organizations must notify individuals when they collect their data and how they intend to use it. Companies must also obtain permission to use the data, establish procedures that ensure data security, and provide individuals with access and other data rights, such as the right to be forgotten. The BDSG-new also requires companies to provide individuals with information about how their data will be used but adds the requirement of providing additional information about the data processing’s purpose, data categories, data recipients, and the length of time they will store the data.

Compliance With the German Federal Data Protection Act

All organizations based in Germany or processing data on German individuals must comply with Germany’s Federal Data Protection Act, which sets out requirements for how personal data must be collected, processed, and stored in a secure manner. It also defines the different responsibilities of data controllers and processors.

  • Data controllers must ensure the quality and accuracy of the data collected.
  • Data processors are responsible for implementing technical and organizational measures to ensure personal data security and protection.

To maintain compliance, organizations must adhere to best practice methods that include:

  • Privacy impact assessments.
  • Internal policies and procedures.
  • Data minimization measures.
  • Ensuring external service providers have sufficient security measures in place.
  • Ensuring individuals are informed of their rights, including the rights to data portability and opting out of marketing communications.

While compliance can be complex, these best practices can minimize non-compliance risks and ensure data is secure.

State data protection agencies in Germany enforce data privacy compliance for non-public corporations and state-based entities. States with Freedom of Information Acts are regulated by DPAs who apportion penalties in accordance with a violation’s severity.

There’s also a financial incentive for staying compliant, as fines for non-compliance can be hefty, totaling €20 million or 4% of global annual turnover, whichever is higher, in matters of:

  • Breach of basic principles for data processing, including conditions for seeking consent.
  • Data subject rights.
  • International transfer restrictions.
  • Special cases like employee data processing obligations under Member State law.
  • Supervisory authority orders.

Lower fines are assigned to matters regarding compliance responsibilities, oversight duties, and controller and processor obligations relating to breach and security notifications. However, if a data controller fails to report a breach to supervisory authorities within 72 hours, a fine of up to €10 million for non-compliance can be imposed.

Cookie Compliance

Until recently, the consent requirements for cookie use in Germany were unclear. That said, German DPAs have long maintained that personal data captured with cookies for tracking and analytical purposes (especially if third parties collect data subject personal information as joint controllers) requires consent.

Since December 2021, Article 5(3) of the ePrivacy Directive specifically requires cookie consent, especially for cookies used for analytical and tracking purposes. Consent requirements are based on the GDPR, which mandates consent be obtained via explicit, affirmative action, not implied consent methods like continued browsing or scrolling. Cookie consent is not required if the cookie’s purpose is:

  • To provide Telemedia services at a data subject’s request.
  • To transmit communications over a public telecommunication network.

Germany’s Federal Data Protection Act is a vital and comprehensive law that sets out the rights and responsibilities of organizations and companies that handle personal information, including all entities that process, collect, and store information about German citizens. The law provides robust protections for German citizens’ data, whether processed electronically or through more traditional methods.

To remain compliant, companies in Germany must take steps to protect any confidential data shared and sent into, within, and outside the organization. These steps can include siloing communication channels, like email, file sharing and transfer, and using a Private Content Network to unify, track, control, and secure sensitive information.