KNOWLEDGE BASE Data Protection Regulations In Germany

 

Data Protection Regulations In Germany

 

In the business world today, the collection, use, and disclosure of personal data by a company is an integral part of its functioning and success. Data collection, use, and disclosure activities carry many risks for both consumers and companies. For consumers, the unauthorized access to and use of their personal data could mean identity theft, which can affect every aspect of their lives for many years. For companies, big, medium, and small, a data breach can be ruinous. After a security breach, companies face criminal prosecution, civil penalties, audits, lawsuit liability, the considerable expense of notifying customers, investigating the breach, compensating customers, and updating the system to prevent another such breach, and a loss of profits from decreased consumer confidence and a damaged reputation.

 

What laws and regulations apply?

 

Data Protection Act

 

German data protection and privacy is governed by both Federal and State laws. The main Federal law is the Data Protection Act (Bundesdatenschutzgesetz (BDSG)—available in English). The Data Protection Act implements the EU Data Protection Directive. The Data Protection Act is regulated by the Federal Commission for Data Protection and Freedom of Information. Laws at the State level seek to protect personal data processed by State public officials, so they tend to be of less practical importance to businesses.

 

To whom and what does the Data Protection Act apply?

The Data Protection Act applies to the processing of personal data by a data controller located in Germany or, when the data controller is not located in the European Union, to processing that uses equipment located in Germany.

 

What are the important terms to understand?

Personal data is any information concerning the personal or material circumstances of an identified or identifiable individual (the data subject).

 

Sensitive personal data is any information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and health or sex life.

 

Data processing means the storage, modification, transfer, blocking, or deleting of personal data.

 

How do I comply with the Data Protection Act?

 

Registration

Under the Data Protection Act, all companies that process personal data using automated means must notify the appropriate supervisory authority, unless the company has appointed a data protection officer. You are required to appoint a data protection officer if your company has more than nine people regularly involved in automated data processing or when sensitive personal data is being processed. Your data protection officer can be someone from within your company or hired from outside your organization. Your registration must include the following information:

  • the name or title of your company;

  • the name(s) of the owners, managing board members, managing directors, or other lawfully or constitutionally appointed managers and the person(s) placed in charge of your data processing;

  • the address of the data controller;

  • the business purposes of your company and of your data processing;

  • a description of the category or categories of the data of your data subjects and of the data or categories of data relating to your data subjects;

  • the recipients or categories of recipients to whom the data might be disclosed;

  • your standard data retention periods;

  • any plans you have to transfer the data to other countries; and

  • a general description, allowing a preliminary assessment to be made of the appropriateness of your technical and organizational measures taken to ensure security of the processing.

 

Data Collection

Personal data may be collected if:

  • it is necessary to create, execute, or terminate a legal obligation with the data subject;

  • it is necessary to safeguard the legitimate interests of your company (the data controller) and there is no reason to believe that the data subject has an overriding, legitimate interest in preventing the processing; or

  • the personal data is available to the public or you (the data controller) would be allowed to publish the data, unless the data subject has a clear and overriding interest.

 

Sensitive personal data may be collected if:

  • it is allowed by law or urgently required for reasons of important public interest;

  • the data subject has given his consent;

  • it is necessary to protect the vital interests of the data subject or of another person when the data subject is physically or legally incapable of giving his consent;

  • the data involved are that which the data subject manifestly made public;

  • it is necessary to prevent a significant threat to the public security;

  • it is urgently required to prevent significant disadvantages to the common good or to preserve significant concerns of the common good;

  • it is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services, and when the data are processed by health professionals or other persons subject to the obligation of professional secrecy;

  • it is necessary for the purposes of scientific research, when the scientific interest in carrying out the research project significantly outweighs the data subject’s interest in preventing the collection and the purpose of the research cannot be achieved in any other way or would require disproportionate effort;

  • it is required for compelling reasons of defense or to fulfill supranational or intergovernmental obligations of a public body of the Federation in the field of crisis management, conflict prevention or for humanitarian measures.

 

Data Processing

If you do not have the consent of the data subject, you can only process his personal data in the course of business for commercial purposes if the processing is:

  • necessary to create, execute, or terminate a legal obligation with the data subject;

  • necessary to safeguard your (the data controller's) legitimate interest and there is no reason to believe that the data subject has an overriding, legitimate interest in preventing the processing; or

  • the personal data is available to the public or you (the data controller) would be allowed to publish the data, unless the data subject has a clear and overriding interest.

 

Sensitive personal data may only be processed with the data subject’s consent, unless:

  • it is necessary to protect the vital interests of the data subject or of another person when the data subject is physically or legally incapable of giving his consent;

  • it is necessary to assert, exercise, or defend legal claims and there is no reason to assume that the data subject has an overriding interest in preventing the collection, processing, or use of the data;

  • the data subject has manifestly made the data public; or

  • it is necessary for the purposes of scientific research, when the scientific interest in carrying out the research project significantly outweighs the data subject’s interest in preventing the collection and the purpose of the research cannot be achieved in any other way or would require disproportionate effort.

 

Data Transfer

A processor can only process personal data pursuant to the data controller’s instructions. The following, among other things, must be specified in the contract between the processor and the data controller:

  • the data subject and the duration of the work required;

  • the type, extent, and purpose of the processing of the data, the type of data, and the category of data subjects;

  • the rectification, deletion, and blocking of data;

  • the processor’s obligations, particularly regarding any right to issue subcontracts;

  • the data controller’s rights over the processor and the processor’s obligation to cooperate; and

  • the return of the storage device and deletion of data.

 

International Data Transfer

The transfer of personal data within the European Economic Area (EEA) is not subject to additional requirements, except for the need for a legitimate reason. To transfer personal data outside the EEA, your data subjects must not have a legitimate interest in preventing the transfer and the recipient must ensure an adequate level of data protection. An adequate level of data protection can be achieved by:

  • transferring the data to a country that the European Commission (EC) has recognized as having an adequate level of protection in accordance with the 1995 European Data Directive 95/46/EC;

  • entering into binding corporate rules; or

  • entering into a data protection agreement based on the EU model clauses of the EC.

 

The US-EU Safe Harbor Framework was invalidated by the European Court of Justice on October 6, 2015. This means US companies can no longer legally transfer data from the EU to the US on the basis of their compliance with the Safe Harbor Framework. The EU and the US are currently negotiating a new framework. Until an agreement is reached, you must find alternative means of legally transferring data from the EU to the US.

 

Even if you cannot ensure an adequate level of protection, a transfer can still be made if:

  • the data subject has given his consent;

  • the transfer is necessary:

    • for the performance of a contract with the data subject;

    • for the performance of a contract, which has been or will be concluded in the interest of the data subject between you (the data controller) and a third party; or

    • to protect the vital interests of the data subject;

  • the transfer is legally required for an important public interest; or

  • the transfer is made from a register that is already publicly available.

 

Data Security

You are required to provide an adequate level of security against the unlawful processing of personal data. The level of protection must be proportionate to the harm that could result from such unlawful processing and must be appropriate to the nature of the personal data.

 

Breach Notification Requirements

You are required to report any illegal transfer or illegal access to a data subject’s:

  • sensitive personal data;

  • personal data that are subject to professional confidentiality obligations;

  • personal data regarding criminal acts or administrative offenses; or

  • personal data regarding bank accounts or credit card accounts.

Breach notification requirements apply if the illegal transfer or access would lead to severe adverse effects on the rights or legitimate interests of the data subject. You should notify data subjects as soon as appropriate of the measures that have been implemented to safeguard the data, as long as the notification would not endanger any criminal prosecution.

 

What are the risks of noncompliance?

A violation of German data protection laws can result in fines of up to €300,000 per violation. The fine should exceed the financial benefit to the perpetrator, so if that amount exceeds the statutory limits, the limits may be disregarded. If the violation is done willfully or in exchange for a financial benefit (a criminal offense), imprisonment of up to two years can be imposed in addition to a fine.

 

Cookie Regulation

 

What is a cookie? Cookies, also known as browser cookies or tracking cookies, are small, often encrypted, text files that are downloaded onto the ‘terminal equipment’ (e.g., a computer or smartphone) when a user accesses a website. Cookies allow a website to recognize a user’s device and store information about the user’s preferences and past actions. Cookies are not only created by the website the user is browsing (first party cookies) but also by other websites that run ads, widgets, or other elements loaded on the page (third party cookies). Cookies can expire at the end of a session or they can be stored for longer. Session cookies expire after a browser session. Session cookies can be used to remember what a user has put in a cart or shopping basket or for security reasons when accessing internet banking or webmail. Persistent cookies are stored on a user’s device between browsing sessions and can be used to remember a user’s preferences and choices or for targeted advertising.

 

What laws and regulations apply?

Germany has not implemented the EU Cookie Directive (EU Directive 2009/136/EC), which requires the consent of users to use cookies, because the federal government believes that existing law, specifically, the Telemedia Act (Telemediengesetz) already encompasses the EU Directive. The German Federal States have criticized the German federal government for not implementing the EU Directive, but it seems unlikely any amendment to current legislation will be made. There is no central regulatory body for cookie regulations in Germany, rather, state regulators from the 16 German states are responsible.

 

How do I comply with the Telemedia Act?

The Telemedia Act requires that users be informed about the use of cookies and that a provider may use traffic data (generally collected through cookies) only

  1. for the delivery of services, or

  2. otherwise (for advertising purposes) only without personal data and subject to a user’s opt-out right, or

  3. with consent as required for other purposes based on Section 12 of the Telemedia Act.

 

Essentially, if you want to set/use cookies, you should:

  • tell people that cookies are being used

  • tell people what the cookies are doing

  • obtain consent to store cookies on a user’s device

 

It is currently unclear whether you must obtain explicit consent or whether implied consent is sufficient. Explicit consent is the most cautious approach, but could seriously impair your users’ experience. Explicit consent can be obtained through a pop-up or banner that requires the user to click an acceptance or agreement (to the setting and use of cookies) to continue to use your website. Implied consent can be obtained by using a pop-up to inform your user that cookies are being used and that the continued use of your website will be deemed consent. With the exception of the cookies necessary for the use of your goods or services, you must provide your users with the option to opt out of the setting/use of cookies and clear instructions for doing so.
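As an added illustration (not part of the original page or any product it describes), the following consent gate applies the three points above in code: essential cookies are always set, non-essential cookies are withheld until consent is recorded (in either explicit or implied mode), and opting out removes them. The MemoryJar, cookie names and purposes are constructed for the example; in a browser the jar would wrap document.cookie.

```javascript
// Added example, not from the original page: a consent gate for the Telemedia Act
// points above. Essential cookies (session id) are always allowed; non-essential
// ones are set only after consent and removed again on opt-out. MemoryJar stands
// in for document.cookie so the logic runs outside a browser (constructed here).
class MemoryJar {
  constructor() { this.store = new Map(); }
  // A maxAge makes the cookie persistent; without one it is a session cookie.
  set(name, value, { maxAge } = {}) { this.store.set(name, { value, persistent: maxAge !== undefined }); }
  remove(name) { this.store.delete(name); }
  has(name) { return this.store.has(name); }
}

class ConsentGate {
  // mode "explicit": user must click accept; "implied": continued browsing counts.
  constructor(jar, mode = "explicit") {
    this.jar = jar; this.mode = mode;
    this.consent = null;        // null = undecided, true = granted, false = opted out
    this.registry = new Map();  // cookie name -> { essential, purpose }
  }
  // Each cookie is registered with its purpose, the text shown in the information banner.
  register(name, { essential, purpose }) { this.registry.set(name, { essential, purpose }); }
  accept() { this.consent = true; }
  continueBrowsing() { if (this.mode === "implied" && this.consent === null) this.consent = true; }
  optOut() {
    this.consent = false;
    for (const [name, meta] of this.registry) if (!meta.essential) this.jar.remove(name);
  }
  // Returns true if the cookie was set, false if withheld for lack of consent.
  setCookie(name, value, opts = {}) {
    const meta = this.registry.get(name);
    if (!meta) throw new Error(`unregistered cookie: ${name}`);
    if (!meta.essential && this.consent !== true) return false;
    this.jar.set(name, value, opts);
    return true;
  }
}

// Walks one visitor through the gate and records what was set at each step.
function demo(mode) {
  const jar = new MemoryJar(), gate = new ConsentGate(jar, mode);
  gate.register("sid", { essential: true, purpose: "keeps your basket during this session" });
  gate.register("ads_id", { essential: false, purpose: "targeted advertising, kept for a year" });
  const ads = () => gate.setCookie("ads_id", "x1", { maxAge: 365 * 24 * 3600 });
  const r = { sidAtStart: gate.setCookie("sid", "s1"), adsAtStart: ads() };
  gate.continueBrowsing(); r.adsAfterContinue = ads();
  gate.accept();           r.adsAfterAccept = ads();
  gate.optOut();           r.adsAfterOptOut = jar.has("ads_id"); r.sidAfterOptOut = jar.has("sid");
  return r;
}
```

In explicit mode the advertising cookie is only set after accept(); in implied mode continued browsing already unlocks it, while the session cookie is set in both modes and survives the opt-out.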

 

 

Globig Resources

Data Protection Act

Federal Data Protection Officer (Bundesbeauftragter für Datenschutz und Informationsfreiheit)

1995 European Data Directive 95/46/EC

binding corporate rules

model clauses

EU Cookie Directive

Telemedia Act (Telemediengesetz)

 
