Germany - Federal

Summary

Law: The primary pieces of legislation are the Federal Data Protection Act of 30 June 2017 (implementing the GDPR) ('the Act') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: The Federal Commissioner for Data Protection and Freedom of Information ('BfDI')

Summary: The BfDI enforces data protection in the public sector at a federal level and with regards to all telecommunications and postal service providers, while the 16 regional data protection authorities enforce data protection laws in the public and private sectors of their respective state. All supervisory authorities meet regularly at the German Data Protection Conference ('DSK') and have issued detailed guidelines that further develop the privacy landscape in Germany. Important guidelines include guidance on cookie consent, a concept to harmonise the assessment of monetary fines under the GDPR, and a Standard Data Protection Model. Moreover, Germany is one of the first European countries to digitalise its health system, and a special Patient Data Protection Act ('PDSG') (only available in German, here) shall enter into force in 2020.

Insights

The extensive collection and storage of data generated during vehicle use is not a new phenomenon and has already occurred before the era of smart cars. As a result of the technical evolution of vehicles into connected cars, however, data processing has become more complex and opaque. Dr. Stefanie Hellmich and Christian Rabe, from Luther Rechtsanwaltsgesellschaft mbH, look at the current legislation regarding the access to GPS data, as well as the significance of case law in this area.

On January 31, 2023, the German Data Protection Conference (DSK) - the joint body of independent German federal and state data protection authorities (collectively, the German DPAs) - issued a decision on extraterritorial access by public authorities from third countries outside the EEA (only available in German here).

Valentino Halim, Senior Associate from WilmerHale, unpacks the main provisions of the DSK decision, giving insight into its scope and implications.

New regulations on contracts for digital products have been in force in Germany for just over a year. These new regulations transpose the Directive on Certain Aspects Concerning Contracts for the Supply of Digital Content and Digital Services (Directive (EU) 2019/770) ('the Digital Content Directive') into German law. Thorsten Ihler and Melanie Ludolph, from Fieldfisher, discuss the implications of the new provisions under the German Civil Code ('BGB') in terms of data protection, resulting from the transposition of the Digital Content Directive.

In the summer of 2022, the German data protection authorities (collectively, 'the German DPAs') initiated a coordinated audit campaign of the standard contracts of major web hosts. For the campaign, they have developed a checklist for auditing data processing agreements. For companies, this provides valuable guidance for concluding data processing agreements in practice, even outside of ongoing audit procedures.

Valentino Halim, Senior Associate from WilmerHale, unpacks the audit campaign of the German DPAs, with a particular focus on the checklist for examining data processing agreements, its scope, limitations, and potential.

Article 10 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') provides that the processing of personal data relating to criminal convictions and offences is subject to additional restrictions. OneTrust DataGuidance Research breaks down Member State requirements regarding the processing of personal data related to criminal offences for employment purposes in the Czech Republic, Germany, and Spain, featuring insights from Bartoš Vojtěch and Ema Černá, from Havel & Partners s.r.o, Clemens Ganz and Dr. Isabelle Brams, from Latham & Watkins LLP, and Juan Ignacio Alonso Dregi, from Ceca Magán. Part one focuses on Member State requirements in France, Portugal, and Italy.

With an increasing focus on Environmental, Social, and Governance ('ESG') across all sectors, businesses are required, and legally bound, to observe specific human rights and environmental due diligence obligations. This Insight article gives an overview of the German Supply Chain Due Diligence Act (in German: Lieferkettensorgfaltspflichtengesetz, 'LkSG') ('the Due Diligence Act'), which will enter into force on 1 January 2023, and discusses its scope of application, definitions, and key requirements.

In February 2022, the German Data Protection Conference ('DSK') issued a revised guidance on the processing of personal data for direct marketing purposes under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') ('the Guidance'). Thorsten Ihler and Melanie Ludolph, from Fieldfisher, summarise the key provisions of the Guidance and the impact it has on companies.

Under the conception of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), data protection officers ('DPOs') play an important role in the protection of personal data. They provide a regulated form of self-supervision within the controller or processor, one advantage of which is that it relieves the burden on public supervisory authorities. Their appointment is mandatory for all public and many private entities. The activity of a DPO requires knowledge of data protection law and includes providing advice on data protection issues. In Germany, however, the provision of legal services is regulated, among other things, by the German Act on Out-of-Court Legal Services ('RDG'). It is questionable whether this also imposes special requirements on the DPO. Stefan Hessel, Attorney-at-Law and Co-Head of Digital Business Unit at reuschlaw Legal Consultants, sheds light on the topic.

On 20 December 2021, the German Data Protection Conference ('DSK') published the long-awaited guidelines ('the Guidelines') on the new Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia of 23 June 2021 ('TTDSG'). The Guidelines consider both the provisions of the TTDSG, which has been applicable since 1 December 2021, and those of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Within the Guidelines, the German authorities provide companies with a clearer picture on the most relevant questions around the usage of cookies and similar technologies. There is currently a public consultation going on and it is likely that there will be some form of additions, specifications, and possibly also small changes to the current version.

In part two of a two-part series, Philipp Quiel, Counsel at Piltz Legal, provides an overview on the DSK's opinions regarding consent and next steps for companies. Part one covers the scope of applicability, legal basis, explicit requests, and strict necessity under the TTDSG.

In part one of a two-part series, Philipp Quiel, Counsel at Piltz Legal, provides an overview on the DSK's opinions regarding the scope of applicability, legal basis, explicit requests, and strict necessity under the TTDSG. Part two covers consent and next steps for companies.

Among the priorities set by the new German government in its Coalition Agreement 2021 - 2025 between the Social Democratic Party ('SPD'), the Green Party, and the Free Democratic Party ('FDP'), titled 'Seeking Continued Process' ('the Coalition Agreement'), is the strengthening of the digital rights of German citizens and IT security. In this context, the Coalition Agreement announces the introduction of a right of encryption. Strengthening encryption methods and implementing them in a broad-based manner would affect data protection in several ways, and these effects should be kept in mind by controllers, particularly corporate controllers. Against this political backdrop, Stefan Hessel, Attorney-at-Law and Co-Head Digital Business Unit at reuschlaw Legal Consultants, discusses the right of encryption and its impact on data protection.