Data Protection Law Germany – The lawyers of our law firm offer you advice and competent support in the field of data protection law.

Topics in our legal advice

Table of contents

  1. Data Protection Law Germany: Basics of the GDPR
  2. Data Protection Law – Principles
  3. DSGVO at a glance
  4. Data Protection Law in Companies
  5. Corona Virus & Data Protection Law – Guidelines for the Home Office
  6. Data Protection Law: Processing of Health Data
  7. Fever measurement and similar data
  8. Restriction on the use of names
  9. Commissioned data processing
  10. Duty to inform under data protection law
  11. Storage period
  12. Data protection law – own protection & conclusion
  13. Legal advice

Data Protection Law Germany – Basics of the GDPR

The framework conditions in data protection law are subject to rapid change. For many companies, the digital world is part of everyday business. Therefore, possible risks due to the incorrect handling of data should be avoided from the very beginning. This is all the more true since the General Data Protection Regulation (GDPR) came into force on 25 May 2018.

Data protection law is derived from the right to informational self-determination. It follows from this that everyone can basically decide for themselves how their personal data is to be handled. This concept of “personal data” plays a central role in data protection law.

Data protection law only applies when data is related to a person. Accordingly, personal data includes, among other things, name, birthday, address, bank details, e-mail address and IP address.

Legal basis of data protection law Germany

The legal basis is the General Data Protection Regulation, which has been in force since 25 May 2018. This is supplemented by the BDSG (Federal Data Protection Act) at national level.

Insofar as the GDPR contains regulations, these are final. Only in the case of so-called opening clauses does the national legislator have leeway for its own regulations. The German legislator has made use of these.

The GDPR replaced the old version of the BDSG. Since 25 May 2018, companies of all sizes must therefore critically review and adapt their existing data protection processes. Violations may result in severe fines of up to 4% of the annual turnover achieved worldwide.

To minimise liability risks, it is advisable to consult a lawyer.

The most important principles in data protection law

Data protection law Germany: The most important principles of data protection law include:

  • Prohibition with reservation of permission: Accordingly, data may only be handled if there is a legal basis for doing so or if the data subject has consented.
  • Lawful processing in good faith, transparency: The data must be processed in a lawful manner, in good faith and in a way that is comprehensible to the data subject.
  • Purpose limitation: Data collected or stored for a specific purpose may only be used for that purpose.
  • Data minimisation: According to the principle of data minimisation, personal data must be adequate and relevant to the purpose. The data must be limited to what is necessary for the purpose of the processing.
  • Limitation of storage: Once the purpose pursued has been achieved, the data must be deleted.
  • Accuracy of the data: The data must be factually correct and up to date.
  • Integrity and confidentiality: According to this, by means of appropriate technical and organisational measures, personal data must be processed in such a way that the identification of the data subject is possible only for as long as is necessary for the purposes for which the data are processed.
  • Accountability: The data controller must be able to demonstrate compliance with the above principles.

Due to the constant change in data protection requirements, it is advisable to seek legal advice.

Data Protection Regulation (GDPR) in force

Due to the numerous national laws in the EU member states, the GDPR was intended to create a uniform legal framework for the protection of personal data. In contrast to a directive, a regulation such as the GDPR has direct effect in the member states of the European Union.

In order to offer the member states a certain amount of leeway, the regulation has left some questions of detail open. The German legislator has made use of these “opening clauses” and implemented them in the new version of the Federal Data Protection Act, which also came into force on 25 May 2018.

Data protection law Germany: Due to the many new obligations, there is a need for action, especially for companies.

Why companies should care about data protection law

There are economic reasons for companies to take care of data protection. Errors in data protection law can damage a company’s reputation in the public eye and also result in possible claims for damages.

Furthermore, mishandling of data can result in fines of up to 20 million euros or four percent of a company’s annual turnover.

Our lawyers advise you on all questions of data protection law Germany.

Among other things, we support you with:

  • protection against injunctions and warnings
  • the correct handling of employee and other data in human resources management
  • the preparation of data protection declarations
  • legally compliant commissioned processing

Relevant innovations that companies must observe compared with the old BDSG:

1. Extension of the scope of application

According to Art. 3 GDPR, the marketplace principle applies. According to this, the GDPR can also apply to companies located outside the EU. This territorial extension of the GDPR is one of the central innovations in European data protection law.

2. Expansion of the information obligations

According to Art. 14 and 15 of the GDPR, the information obligations of data processors vis-à-vis data subjects have been significantly expanded. According to Art. 15 GDPR, data subjects can request information from data controllers about the purposes for which their personal data are processed.

3. “Right to be forgotten”

Article 17 of the GDPR provides for the so-called “right to be forgotten”. According to this, the data subject can demand that personal data be deleted immediately by the controller for certain reasons.

4. New requirements for consent and handling of consent granted before 25 May 2018

Data protection law Germany: Companies must obtain the explicit consent of their customers to process personal data, Art. 7 GDPR. The consent must be voluntary. Voluntariness is lacking if the performance of a contract is made dependent on consent, although this consent is not necessary for performance. Furthermore, Art. 8 GDPR stipulates that consent to the processing of personal data is only possible from the age of 16.

The German legislator has not made use of the opening clause under which a member state may lower the age limit to 13 years by means of legislation. Consents obtained before 25 May 2018 continue to apply if they meet the requirements of the GDPR. This is usually the case if the consents were obtained in accordance with the BDSG.

5. Immediate obligation to report data breaches

In the event of a personal data breach, the company must report it to the competent supervisory authority without undue delay and, if possible, within 72 hours of becoming aware of the breach, Art. 33(1) GDPR. However, the notification obligation does not apply if the breach is not likely to result in a risk to the rights and freedoms of natural persons.

6. Data Protection Officer

According to the GDPR, the data protection officer now exists throughout the EU. German companies are familiar with the figure of the data protection officer from previous German law.

The German legislator has made use of the opening clause and regulated in Section 38 BDSG (new version) that a data protection officer must be appointed if, as a rule, at least ten persons are permanently employed with the automated processing of personal data. The appointment of a data protection officer must be notified to the supervisory authority and published in accordance with Art. 37 (7) DSGVO.

7. Data protection declaration

Data protection law Germany: Article 13 of the GDPR stipulates the obligation to provide a data protection statement. This serves to create transparency about the processing of data. At the same time, the data protection declaration is also a sign of seriousness in dealing with the user’s sensitive data. The data protection declaration must be adapted to the new requirements resulting from Article 13 of the GDPR. The mandatory information goes beyond the obligations of the previous regulations. Among the innovations are the naming of the legal basis for the data processing, new information obligations with regard to the rights of the data subjects and the right of the data subject to object introduced in Art. 21 DSGVO.

8. Directory of processing activities

Art. 30 GDPR requires that the controller or its representative must keep a “register of processing activities”. Compared to the previous legal situation, additional information, such as contact details and name of the data protection officer and deletion deadlines, must be provided. In addition, the directory must be made available to the supervisory authority upon request.

9. Data protection impact assessment

The data protection impact assessment introduced by Art. 35 GDPR basically corresponds to the obligation for prior checking under the BDSG.

10. Principle of the “One-Stop-Shop”

With the newly introduced so-called “One-Stop-Shop”, the supervisory authority at the registered office of the head office is to be the lead competent authority for cross-border data processing within the EU. For companies, the “one-stop shop” offers the advantage that they do not have to deal with several supervisory authorities for the same processing.

11. Commissioned processing

Commissioned processing is also allowed under the GDPR. One of the most important innovations for the processor is the obligation to create a processing directory, Art 30 (2) DSGVO. There is also an innovation regarding liability for legal violations. Article 82 (2) of the GDPR provides for joint liability of the processor and the client for damage caused during data processing.

Corona virus & data protection law, guidelines for the home office

Corona virus data protection – The current situation in dealing with SARS-CoV-2, the Corona virus, raises new questions in the area of data protection and causes confusion among many entrepreneurs.

Measures such as short-time work and home office are increasingly coming to the fore. In addition, there is a danger for companies that locations will have to be closed due to Corona virus infections of individual employees.

Data protection law Germany: Companies are already taking safety precautions for this, such as conducting their own health tests on employees, in order to minimise the risk of a quarantine of the company.

In the following article, we would like to guide you once again through the jungle of data protection and provide you with information on what you should now consider in the area of data protection. In particular, we would like to point out already now that data protection must be observed especially now in times of the Corona virus. Those who act obstinately now risk high fines.

Many small and large companies allow their employees to work from home.

As in the company itself, it is important to ensure that the technical and organisational measures required by the GDPR are taken.

This is because working from home entails risks for the confidentiality, integrity and, if applicable, availability of personal data, particularly with regard to technical and organisational measures, and these risks must be excluded or minimised as far as possible.

To this end, you should draw up guidelines for working from home and the associated data protection, which are to be made available to every employee.

Data protection law Germany – Coronavirus: These guidelines should provide the following basic guidance.

  • Principles on the handling of personal data in the context of homeworking
  • Principles on the use of the company’s IT systems
  • Rules on safeguarding personal data
  • Exceptions and reference to sanctions in the event of a breach of duty

Data Protection Law Germany – The Processing of Health Data

The handling of information about the health of employees (health data) now raises new questions for many companies in times of the Corona virus.

  1. Are measures such as the measurement of fever, the query of illnesses or symptoms by means of questionnaires in connection with Corona virus compatible with data protection?
  2. Can you inform employees about the illness of colleagues?
  3. What about the corresponding data of visitors or guests?

Basically, the processing of health data is only possible to a limited extent. However, in order to contain the Corona pandemic or to protect employees, you can collect, store and use data in a data protection-compliant manner for the following measures.

One such measure is providing information on detected infections. For example, you can record which employees in your organisation have fallen ill and react accordingly.

You can also process such information to determine possible contact with infected persons, for example where a person in a department has become infected and has met with other people in the department during this period.

Furthermore, you can process such information for measures taken after you have been informed that a person stayed in an area classified as a risk area by the Robert Koch Institute (RKI) during the relevant period.

For hotel operators in particular, it should be noted that the health data of guests can be processed in a data protection-compliant manner to determine whether

  • Guests are infected themselves or have been in contact with a demonstrably infected person.
  • Guests have stayed in an area classified as a risk area by the Robert Koch Institute (RKI) during the relevant period.

Data protection law: Fever measurement and similar measures to combat corona

Taking a temperature at the entrance to company premises or collecting data by means of self-disclosure or questionnaires provided may be permissible according to the above criteria.

In particular, the provisions of Section 26 (3) BDSG (new) must be observed. According to this, the processing of health data for purposes of the employment relationship is permissible if it is necessary for the exercise of rights or for the fulfilment of obligations under labour law, social security law and social protection law and there is no reason to assume that the data subject’s interest worthy of protection in the exclusion of the processing outweighs this.

Data protection law Germany: Here, employers have a duty of care to ensure the health protection of all their employees. However, such or similar measures should be voluntary. An excessive temperature alone does not mean that there is a case of corona.

Attention: Restriction of “naming”

In addition to the above-mentioned possibilities for processing health data, it is important to note in data protection that disclosure of the identity of infected persons is only lawful in exceptional cases.

In principle, it is sufficient to inform your employees, visitors or guests that there are confirmed cases in order to achieve the purpose of containing the transmission of, or the risk of infection with, Corona.

Data protection law Germany – commissioned data processing

If you have the corresponding measures carried out by third parties, you will quickly find yourself in a commissioned data processing relationship, and thus subject to the next control obligation.

In this case, you as the controller must ensure that the commissioned data processor also offers sufficient guarantees that suitable technical and organisational measures are in place and that the processing is thus carried out in accordance with the General Data Protection Regulation.

Duty to Inform under Data Protection Law

Insofar as personal data are collected and processed, the relevant data subjects must be informed about this. You are usually already familiar with such information obligations from your data protection declarations.

Storage period

Measures concerning the Corona virus and data protection basically pursue a common purpose, namely the containment of the now prevailing pandemic. As soon as this purpose has ceased to exist, the personal health data must also be deleted.

Data Protection Law – Own Protection & Conclusion

The topic of Corona and data protection law is currently preoccupying companies, individual entrepreneurs, associations, lawyers and especially public authorities.

There is currently a lively discussion about permissible measures. It is now also being considered to process mobile phone data, following the South Korean model. This data will, of course, be anonymised.

However, there is no clear legal position on individual measures. Many questions are still unanswered within the framework of data protection law and the still very young law. It is therefore all the more important that you work and document in a compliant manner. Despite the current situation, the protection of personal data is paramount.

Data protection law Germany: The Corona pandemic has already led to economic losses for a large part of the sector. Don’t also risk incurring heavy fines. Clear data protection-compliant technical and organisational measures are now half the battle.

Legal advice – Data protection law Germany

The lawyers of the Herfurtner law firm will clarify your obligations in the area of data protection with you and support you in determining and implementing the necessary measures in your company.

This will help you avoid costly warnings and fines.