Germany

Summary

Law: Federal Data Protection Act of 30 June 2017 (implementing the GDPR) (as amended) ('the Act') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: The Federal Commissioner for Data Protection and Freedom of Information ('BfDI'). Please note that there are also regional laws and regulators.

Summary: Germany is composed of a federation and 16 Länder that have complementary competences in the privacy sector. In addition to the Act, every Land has adopted its own regional data protection law implementing the GDPR; these regional laws apply to the public sector and have priority over the Act. Further information on each Land as well as federal activities is available through the jurisdiction dashboard links below.

Insights

Article 10 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') provides that the processing of personal data relating to criminal convictions is subject to additional restrictions. OneTrust DataGuidance Research breaks down Member State requirements regarding the processing of personal data related to criminal offences for employment purposes in the Czech Republic, Germany, and Spain, featuring insights from Bartoš Vojtěch and Ema Černá, from Havel & Partners s.r.o, Clemens Ganz and Dr. Isabelle Brams, from Latham & Watkins LLP, and Juan Ignacio Alonso Dregi, from Ceca Magán. Part one focuses on Member State requirements in France, Portugal, and Italy.

With an increasing focus on Environmental, Social, and Governance ('ESG') across all sectors, businesses are required, and legally bound, to observe specific human rights and environmental due diligence obligations. This Insight article gives an overview of the German Supply Chain Due Diligence Act ('the Due Diligence Act'), which will enter into force on 1 January 2023, and discusses its scope of application, definitions, and key requirements.

On 4 March 2022, the Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') published its frequently asked questions ('FAQs') on cookies and tracking by website operators and smartphone app developers. The FAQs are meant to complement the German Data Protection Conference's ('DSK') guidelines ('the Guidelines') on the new Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia of 23 June 2021 ('TTDSG'), published in December 2021. Unlike the Guidelines, the FAQs of the LfDI Baden-Württemberg specify the application of the legal requirements in greater detail. The FAQs contain a 16-page list of negative examples for obtaining consent that indicate a very strict interpretation of the requirements of the TTDSG and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

Dr Carlo Piltz and Philip Schweers, from Piltz Legal, illustrate and discuss some of these examples, whilst also taking a look at recommendations for the use of cookies without obtaining consent.

In February 2022, the German Data Protection Conference ('DSK') issued revised guidance on the processing of personal data for direct marketing purposes under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') ('the Guidance'). Thorsten Ihler and Melanie Ludolph, from Fieldfisher, summarise the key provisions of the Guidance and the impact it has on companies.

Under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), data protection officers ('DPOs') play an important role in the protection of personal data. Their activity serves as a regulated form of self-monitoring by the controller or processor, an advantage of which is that it relieves public authorities. Their appointment is mandatory for all public and many private entities. The activity of a DPO requires knowledge of data protection law and includes providing advice on data protection issues. In Germany, however, the provision of legal services is regulated, among other things, by the German Act on Out-of-Court Legal Services ('RDG'). It is questionable whether this also imposes special requirements on the DPO. Stefan Hessel, Attorney-at-Law and Co-Head of Digital Business Unit at reuschlaw Legal Consultants, sheds light on the topic.

At the end of last year, the German Federal Network Agency ('Bundesnetzagentur') published its guidance on blockchain technology on its website. The guidance is part of a broader information portal set up by the Bundesnetzagentur that provides an overview of possible blockchain applications in the regulated network sectors (such as energy and telecommunications), potential uses in public administration, and opportunities and challenges around the implementation of blockchain technology for small and medium-sized enterprises ('SMEs'). The guidance also includes some information on the extent to which it can make sense to combine blockchain with other digital technologies, such as artificial intelligence ('AI') or the so-called Internet of Things ('IoT').

Daniel Widmann, Lawyer from Pinsent Masons, gives an overview of the key findings identified by the Bundesnetzagentur regarding blockchain use for certain sectors, whilst pointing to recent regulatory developments on an EU level that might affect the combination of blockchain with other digital technologies.

On 20 December 2021, the German Data Protection Conference ('DSK') published the long-awaited guidelines ('the Guidelines') on the new Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia of 23 June 2021 ('TTDSG'). The Guidelines consider both the provisions of the TTDSG, which has been applicable since 1 December 2021, and those of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Within the Guidelines, the German authorities provide companies with a clearer picture of the most relevant questions around the usage of cookies and similar technologies. A public consultation is currently under way, and it is likely that there will be some form of additions, specifications, and possibly also small changes to the current version.

In part two of a two-part series, Philipp Quiel, Counsel at Piltz Legal, provides an overview of the DSK's opinions regarding consent and next steps for companies. Part one covers the scope of applicability, legal basis, explicit requests, and strict necessity under the TTDSG.

On 10 June 2021, the German Electronic Securities Act ('eWpG') came into force. Since then, issuers have been able to launch securities electronically, e.g. using blockchain or distributed ledger technology. The eWpG facilitates the issuance of bonds and investment fund share certificates by waiving the previously required securities certificate and allowing their registration in an electronic securities register. In order to specify the general requirements of the eWpG with regard to the maintenance of electronic securities registers, an ordinance on requirements for electronic securities registers ('eWpRV') is to be issued by the German Federal Ministry of Finance and the German Federal Ministry of Justice. Based on Sections 15 and 23 of the eWpG, a second draft of the eWpRV was published on 14 January 2022. Andreas Wiencke and Manuel Poncza, from Heuking Kühn Lüer Wojtek PartGmbB, discuss the revised draft of the eWpRV and its regulatory content.

Among the priorities set by the new German government in its Coalition Agreement 2021 - 2025 between the Social Democratic Party ('SPD'), the Green Party, and the Free Democratic Party ('FDP'), titled 'Seeking Continued Process' ('the Coalition Agreement') is the strengthening of the digital rights of German citizens and IT security. In this context, the Coalition Agreement announces the introduction of a right of encryption. Strengthening encryption methods and implementing them in a broad-based manner would affect data protection in several ways, and these effects should be kept in mind by controllers, particularly corporate controllers. Against this political backdrop, Stefan Hessel, Attorney-at-Law and Co-Head Digital Business Unit at reuschlaw Legal Consultants, discusses the right of encryption and its impact on data protection.

Following the approval of the German Federal Parliament ('Bundestag') and the Federal Council ('Bundesrat'), the Infection Protection Act of 20 July 2000 ('IfSG') was amended, with the new rules coming into effect on 24 November 2021, and some additional regulations on 1 January 2022. The new rules, introduced by the Law Amending the Infection Protection Act and Other Laws on the Occasion of the Repeal of the Determination of the Epidemic Situation of National Scope of 22 November 2021 ('the Law'), will apply nationwide until 19 March 2022, regardless of whether a nationwide epidemic is identified or not. This period can be extended by three months only with a resolution from the Bundestag. In addition, the new rules serve as the legal basis for restrictions on fundamental rights and protective measures.

This article is Part two of a two-part Insight on the amended IfSG and outlines the guidelines and frequently asked questions ('FAQs') provided by the German Data Protection Conference ('DSK') and the German state data protection authorities ('the German DPAs'). Part one outlined the newly drafted Section 28(b) of the IfSG, as well as the guidelines and FAQs provided at the federal level.

Following the approval of the German Federal Parliament ('Bundestag') and the Federal Council ('Bundesrat'), the Infection Protection Act of 20 July 2000 ('IfSG') was amended, with the new rules coming into effect on 24 November 2021, and some additional regulations on 1 January 2022. The new rules, introduced by the Law Amending the Infection Protection Act and Other Laws on the Occasion of the Repeal of the Determination of the Epidemic Situation of National Scope of 22 November 2021 ('the Law'), will apply nationwide until 19 March 2022, regardless of whether a nationwide epidemic is identified or not. This period can be extended by three months only with a resolution from the Bundestag. In addition, the new rules serve as the legal basis for restrictions on fundamental rights and protective measures. In particular, the newly drafted Section 28(b) of the IfSG introduces the so-called 3G regulation at the workplace, which imposes an obligation on employees to present proof of COVID-19 vaccination, recovery, or test status. In addition, in order to better protect vulnerable groups, employers, employees, and visitors in certain facilities and establishments, such as hospitals, prevention, and rehabilitation facilities, must get tested.

This article is Part one of a two-part Insight on the amended IfSG and outlines the newly drafted Section 28(b) of the IfSG, as well as the guidelines and frequently asked questions ('FAQs') provided at the federal level. Part two will discuss the guidelines and FAQs by the German State data protection authorities.

The Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia of 23 June 2021 ('TTDSG') entered into force on 1 December 2021. The TTDSG regulates the protection of confidentiality and privacy when using telecommunications and telemedia services, such as websites, messengers, or smart home devices, and changes the legal framework for the use of cookies and comparable technologies, implementing the requirements of the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) ('the ePrivacy Directive') into national law.

OneTrust DataGuidance provides an overview of some frequently asked questions ('FAQs') and answers on the TTDSG, featuring comments by Dr Carlo Piltz and Philipp Quiel, Partner and Counsel respectively at Piltz Legal.