The Federal Council (‘Bundesrat’) announced, on 20 September 2019, that it had approved several amendments (‘the Amendments’) to the draft law (‘the Draft Law’) on the adaptation of data protection legislation in relation to the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) (‘the Law Enforcement Directive’). The Amendments outline, among other things, that the obligation to appoint a data protection officer (‘DPO’) will apply to companies with at least 20 employees, and that employees’ consent to data processing will have to be provided in writing or electronically. The Draft Law will now pass to the President of the Federal Government for signing, and will come into force the day after its promulgation.
Paul Voigt, Partner at Taylor Wessing LLP, told OneTrust DataGuidance, “The legislative bodies have agreed on numerous adaptations to German data protection regulations accompanying the GDPR. One of the major amendments relates to the requirement to appoint a DPO. Germany is much stricter than most other EU Member States. In practice, the change [in the DPO threshold from ten employees to 20] may mean that existing DPOs in smaller companies [will] lose their (very strong) protection against dismissal. However, companies will need to find someone else to take care of data protection in case they decide to dismiss their DPO, since all privacy requirements of the GDPR and German data protection laws will apply, with or without a DPO.”
The factual changes that come with the Draft Law are, for the vast majority of companies, only minor
The Draft Law is the second GDPR implementation law in Germany. Prior to its approval by the Bundesrat, the Federal Government adopted the Draft Law on 5 September 2018. The Draft Law seeks to amend 154 laws in Germany in order to adapt to the definitions of the GDPR and the Law Enforcement Directive, provide for lawful bases for data processing, facilitate the exercise of data subject rights and introduce further technical and organisational measures. Moreover, the Amendments include, among other things, changes in terminology to Articles 16, 21, 42, 49 and 89 of the Draft Law.
Dr. Carlo Piltz, Salary Partner at reuschlaw Legal Consultants, outlined, “There is a change in [Article] 26(2) [of the Draft Law] to the conditions under which consent can be obtained in the employment [context]. According to [the] previous law, the Federal Data Protection Act of 30 June 2017 (implementing the GDPR), consent must be given in writing unless another form is appropriate due to [an existing] special circumstance. Under the Draft Law, consent must be given in writing or electronically, thus paper documents are no longer required. Consent can also be stored electronically, for example as an email, whereby [use of] a [secure] file is recommended. This change was necessary since the German requirement of written consent was violating European law […] The Draft Law is very extensive overall, [due to the fact] that approximately 150 individual laws were amended. [However,] the factual changes that come with the Draft Law are, for the vast majority of companies, only minor. I think it will take some time before we see further push on the legislative level to amend national laws to this extent.”
Petra Molnar Privacy Analyst