Germany

Summary

Law: Federal Data Protection Act of 30 June 2017 (implementing the GDPR) (as amended) ('the Act') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: The Federal Commissioner for Data Protection and Freedom of Information ('BfDI'). Please note that there are also regional laws and regulators.

Summary: Germany is composed of a federation and 16 Länder that have complementary competences in the privacy sector. In addition to the Act, every Land has adopted its own regional data protection law implementing the GDPR, which applies to the public sector and has priority over the Act. Further information on each Land as well as federal activities is available through the jurisdiction dashboard links below.

Insights

Following the approval of the German Federal Parliament ('Bundestag') and the Federal Council ('Bundesrat'), the Infection Protection Act of 20 July 2000 ('IfSG') was amended, with the new rules coming into effect on 24 November 2021, and some additional regulations on 1 January 2022. The new rules, introduced by the Law Amending the Infection Protection Act and Other Laws on the Occasion of the Repeal of the Determination of the Epidemic Situation of National Scope of 22 November 2021 ('the Law'), will apply nationwide until 19 March 2022, regardless of whether a nationwide epidemic is identified or not. This period can be extended by three months only with a resolution from the Bundestag. In addition, the new rules serve as the legal basis for restrictions on fundamental rights and protective measures. In particular, the newly drafted Section 28(b) of the IfSG introduces the so-called 3G regulation at the workplace, which imposes an obligation on employees to present proof of COVID-19 vaccination, recovery, or test status. In addition, in order to better protect vulnerable groups, employers, employees, and visitors in certain facilities and establishments, such as hospitals, prevention, and rehabilitation facilities, must get tested.

This article is Part 1 of a two-part Insight on the amended IfSG and outlines the newly drafted Section 28(b) of the IfSG, as well as the guidelines and frequently asked questions ('FAQs') provided at the federal level. Part 2 will discuss the guidelines and FAQs by the German State data protection authorities.

The Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia of 23 June 2021 ('TTDSG') entered into force on 1 December 2021. The TTDSG regulates the protection of confidentiality and privacy when using telecommunications and telemedia services, such as websites, messengers, or smart home devices, and changes the legal framework for the use of cookies and comparable technologies, implementing the requirements of the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) ('the ePrivacy Directive') into national law.

OneTrust DataGuidance provides an overview of some frequently asked questions ('FAQs') and answers on the TTDSG, featuring comments by Dr Carlo Piltz and Philipp Quiel, Partner and Counsel respectively at Piltz Legal.

Due to the current COVID-19-related developments in Germany, millions of students, employees, and employers are once again dependent on being able to work, learn, and communicate securely via video conferencing systems. On 27 October 2021, the Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') published its recommendations intended to define the framework conditions for the practical use of video conferencing systems. In doing so, the LfDI Baden-Württemberg created an overview of the legal and technical data protection requirements with reference to service providers. The LfDI Baden-Württemberg does not make recommendations as to which providers the LfDI Baden-Württemberg would specifically use. However, certain tendencies can be determined from the dynamics of the reference paper and the concrete assessments of the providers. Dr. Carlo Piltz, Partner at Piltz Legal, provides a summary overview of the LfDI Baden-Württemberg's recommendations.

On 1 October 2021, the Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') published an updated version of its 2020 guidelines on data transfers to third countries ('the Guidelines'). The Guidelines enable companies to get a clearer picture of the LfDI Baden-Württemberg's legal opinions on the matter and support them with concrete proposals for supplementary measures for Standard Contractual Clauses ('SCCs'). Philipp Quiel, Counsel at Piltz Legal, summarises the most important changes and provides insights on the views of the LfDI Baden-Württemberg and its advice for companies under its supervision.

With restrictions being lifted across Europe and businesses planning their return to the office, many employers, in an endeavour to prevent the spread of COVID-19, are faced with the dilemma of whether they can require their employees to be vaccinated or to show proof of their vaccination status. Besides the health and safety concerns associated with the introduction of such measures, there are also some key privacy-related considerations. In particular, an individual's vaccination status falls within the scope of health data under Article 4(15) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and is therefore a special category of personal data under Article 9 of the GDPR, meaning processing is generally prohibited, unless an exception applies.

This article outlines the local requirements in the UK, Germany, the Netherlands, France, and Italy.

Both at the regulatory and legal level, the topics of data protection and cybersecurity in Germany have recently come further into focus, with the automotive sector being an area of particular interest. Dr. Carlo Piltz, Partner at Piltz Legal, discusses this topic and its nuances.

Artificial intelligence ('AI') is driving progress and prosperity in many areas of life. In this context, innovation through AI can also be beneficial in the area of state administration, for example in digitising official procedures through e-governance. While the benefits of new technologies are obvious in some areas, the use of AI in law enforcement is highly sensitive and heavily debated. Dr. Carlo Piltz, Partner at Piltz Legal, provides an overview of the debate on the use of AI in law enforcement, as well as the Federal Commissioner for Data Protection and Freedom of Information's ('BfDI') public consultation process on the same.

The Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia ('TTDSG') will enter into force on 1 December 2021. The TTDSG centralises the previously separately regulated Telemedia Act 2007 and Telecommunications Act 1996 into one law. Dr. Carlo Piltz, Salary Partner at reuschlaw Legal Consultants, provides his insight on the scope of the TTDSG, how the TTDSG implements the ePrivacy Directive, as well as information on enforcement of the TTDSG.

The IT Security Act 2.0 ('the Act') amends various German laws (for example, the Act on the Federal Office for Information Security (BSI Act - BSIG) 2009 (as amended) ('BSI Act') and the Telecommunications Act 2004). This means that there is not one new law, but multiple changes in different federal regulations. Dr. Carlo Piltz, Salary Partner at reuschlaw Legal Consultants, provides a short analysis of the Act and highlights some important changes that need to be looked at and explained.

On 10 February 2021, the German Federal Cabinet approved the Law on Data Protection and the Protection of Privacy in Telecommunications and Telemedia ('the Draft Law'). The Draft Law will replace the data protection and privacy provisions of the Telemedia Act 2007 ('the Telemedia Act') and the Telecommunications Act 2004 ('the Telecommunications Act'), including the provisions applicable to cookies and similar technologies. As a next step, it will be discussed in the German Federal Parliament. Moritz Hüsch and Anna Sophie Oberschule de Meneses, from Covington & Burling LLP, provide an overview of the provisions included in each of the four sections of the Draft Law, including how the Draft Law addresses the topic of cookies and similar technologies.

In the wake of the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/18) ('the Schrems II Case'), the future of international data transfers hangs in the balance, with EU supervisory authorities playing a crucial role in shaping the case's impact. Dr. Carlo Piltz and Philipp Quiel, Partner and Senior Associate respectively at reuschlaw Legal Consultants, discuss recent guidelines ('the Guidelines') issued by the Baden-Württemberg data protection authority ('LfDI Baden-Württemberg'), covering topics such as additional measures usable when transferring data to the US through Standard Contractual Clauses ('SCCs'), among other things.

The Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') issued, on 24 August 2020, a guide ('the Guide') on international data transfers in light of the Court of Justice of the European Union ('CJEU') ruling of 16 July 2020 in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), including a checklist on privacy compliant data transfers and suggestions for changes in Standard Contractual Clauses ('SCCs'). In particular, the LfDI Baden-Württemberg noted that the CJEU, in its judgment, declared the Privacy Shield to be invalid, highlighting that as a consequence, US companies may no longer process personal data of EU citizens based on this mechanism. While the LfDI Baden-Württemberg agreed that the Privacy Shield did not effectively protect citizens from US secret services, which were able to access EU citizen data from US companies without a specific cause, for an unlimited period of time and without effective purpose limitation, it added that, due to the lack of an adequate alternative and a transitional period, businesses that use service providers in the US would face difficulties. To support businesses to conduct privacy-compliant data transfers, the Guide provides a step-by-step overview on the legal implications of the Schrems II Case and highlights the key findings, who is impacted by the decision and which steps need to be taken, with a particular focus on the legal scope of SCCs.