Germany

Summary

Law: Federal Data Protection Act of 30 June 2017 (implementing the GDPR) (as amended) ('the Act') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: The Federal Commissioner for Data Protection and Freedom of Information ('BfDI'). Please note that there are also regional laws and regulators.

Summary: Germany is composed of a federation and 16 Länder that have complementary competences in the privacy sector. In addition to the Act, every Land has adopted its own regional data protection law implementing the GDPR, which applies to the public sector and has priority over the Act. Further information on each Land as well as federal activities is available through the jurisdiction dashboard links below.

Insights

The Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia ('TTDSG') will enter into force on 1 December 2021. The TTDSG centralises the previously separately-regulated Telemedia Act 2007 and Telecommunications Act 1996 into one law. Dr. Carlo Piltz, Salary Partner at reuschlaw Legal Consultants, provides his insight on the scope of the TTDSG, how the TTDSG implements the ePrivacy Directive, as well as information on enforcement of the TTDSG.

The IT Security Act 2.0 ('the Act') amends various German laws (for example, the Act on the Federal Office for Information Security (BSI Act - BSIG) 2009 (as amended) ('BSI Act') and the Telecommunications Act 2004). This means that there is not one new law, but multiple changes in different federal regulations. Dr. Carlo Piltz, Salary Partner at reuschlaw Legal Consultants, provides a short analysis of the Act and highlights some important changes that need to be examined and explained.

On 10 February 2021, the German Federal Cabinet approved the Law on Data Protection and the Protection of Privacy in Telecommunications and Telemedia ('the Draft Law'). The Draft Law will replace the data protection and privacy provisions of the Telemedia Act 2007 ('the Telemedia Act') and the Telecommunications Act 2004 ('the Telecommunications Act'), including the provisions applicable to cookies and similar technologies. As a next step, it will be discussed in the German Federal Parliament. Moritz Hüsch and Anna Sophie Oberschule de Meneses, from Covington & Burling LLP, provide an overview of the provisions included in each of the four sections of the Draft Law, including how the Draft Law addresses the topic of cookies and similar technologies.

In the wake of the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), the future of international data transfers hangs in the balance, with EU supervisory authorities playing a crucial role in shaping the case's impact. Dr. Carlo Piltz and Philipp Quiel, Partner and Senior Associate respectively at reuschlaw Legal Consultants, discuss recent guidelines ('the Guidelines') issued by the Baden-Württemberg data protection authority ('LfDI Baden-Württemberg'), covering topics such as additional measures usable when transferring data to the US through Standard Contractual Clauses ('SCCs'), among other things.

The Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') issued, on 24 August 2020, a guide ('the Guide') on international data transfers in light of the Court of Justice of the European Union ('CJEU') ruling of 16 July 2020 in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), including a checklist on privacy compliant data transfers and suggestions for changes in Standard Contractual Clauses ('SCCs'). In particular, the LfDI Baden-Württemberg noted that the CJEU, in its judgment, declared the Privacy Shield to be invalid, highlighting that as a consequence, US companies may no longer process personal data of EU citizens based on this mechanism. While the LfDI Baden-Württemberg agreed that the Privacy Shield did not effectively protect citizens from US secret services, which were able to access EU citizen data from US companies without a specific cause, for an unlimited period of time and without effective purpose limitation, it added that, due to the lack of an adequate alternative and a transitional period, businesses that use service providers in the US would face difficulties. To help businesses conduct privacy-compliant data transfers, the Guide provides a step-by-step overview of the legal implications of the Schrems II Case and highlights the key findings, who is impacted by the decision and which steps need to be taken, with a particular focus on the legal scope of SCCs.

Cloud computing is regarded as one of the most important fields of digitisation. With the Cloud Computing Compliance Criteria Catalogue ('C5'), the Federal Office for Information Security ('BSI') therefore wants to promote and support cybersecurity in this area with baseline requirements. However, from the BSI's point of view, the document is not only relevant for professional cloud service providers and auditors, but also for their customers. Dr. Carlo Piltz and Stefan Hessel, from reuschlaw Legal Consultants, give a short introduction to the C5 and answer practical questions concerning its requirements for cloud service providers.

The use of video surveillance in the workplace has been a controversial subject in labour law. With the increase in technological possibilities, employee monitoring via video surveillance is becoming ever more important for the employer and appears to be a more practical tool. Although previous case law has outlined key factors and restrictions for the use of video surveillance, its implementation to promote employee safety in a pandemic situation has not been defined. Inka Müller-Seubert, Associate at CMS Hasche Sigle, discusses the legal requirements of video surveillance and what employers need to consider when considering video surveillance in the workplace.

Much has already been written about the ruling of the German Federal Court of Justice ('BGH') in the case 'Cookie Consent II' (previously at the Court of Justice of the European Union as Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (C-673/17)) (BGH, judgment of 28 May 2020, file no. I ZR 7/16), even if only the press release has been published so far. The BGH seems to assume in any case that Section 15 of the Telemedia Act 2007 ('Telemedia Act') is a correct implementation of Article 5 of the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive'). Dr. Carlo Piltz and Johannes Zwerschke, from reuschlaw Legal Consultants, explore practice-relevant follow-up questions resulting from the judgment of the BGH concerning the competency of supervisory authorities in Germany and the penalties they may impose.

The Federal Government ('Bundesregierung') and the Federal Commissioner for Data Protection and Freedom of Information ('BfDI') announced, on 16 June 2020, the launch of the Corona-Warn-App ('the App').