Norton Rose Fulbright - Data Protection Report blog

On April 27, 2017, the German Federal Parliament voted to approve the new proposed German Federal Data Protection Act (“new FDPA”). The law would adapt the current German data protection law to the EU General Data Protection Regulation (GDPR). The federal chamber of the states, the German Federal Council, is expected to approved the new FDPA in the next month, without major changes.  Once approved by the Federal Council, the new FDPA will become effective on May 25, 2018, the same date as the GDPR.

The new FDPA seeks to enhance privacy protections in areas where the GDPR allows EU Member States to deviate from the Regulation.

Key Provisions

  • Creditworthiness profiling and video surveillance. The new FDPA further clarifies the GDPR’s legitimate interest ground (Art. 6(1)(f) GDPR) for specific cases and identifies the circumstances in which companies may rely on their legitimate interests for creditworthiness profiling and video surveillance.
  • Individuals’ rights. The new FDPA removes restrictions on individuals’ exercise of their rights that were included in prior drafts of the new FDPA, such as restrictions on a data subject’s information right, right to object, and right to have personal information deleted. As a result, the GDPR will govern individuals’ rights in Germany mainly without national limitations to data subjects’ rights.
  • Scientific, historic and statistical research. The new FDPA sets limitations on data subjects’ rights with respect to data processed for research purposes, and the associated data processing.
  • Works councils. The new FDPA imposes unique requirements for certain types of employee data processing, such as legal grounds for internal investigations and further clarification on whether an employee can voluntarily give his or her consent. Under the new FDPA, works council agreements remain a valid legal ground for data processing. The agreements must comply with the new requirements of the GDPR and the new FDPA, such as suitable and specific measures to safeguard the data subject’s legitimate interests and fundamental rights, with particular regard to the transparency of processing. Accordingly, companies will need to amend their existing Works Council agreements.
  • Compliance. Internal investigations can only be conducted subject to strict conditions, such as a documented factual indications and the employee has no overriding interest.
  • Damage claims. Data subjects are entitled to make claims for non-pecuniary damages. Further, such claims can also be initiated by associations.
  • The new FDPA limits fines of German specific rules to € 50.000 per violation. The new FDPA, however, cannot reduce the liability under the GDPR (due to the supremacy of Union law).

Our Take

The new FDPA is already being criticized as overly complex and not in compliance with the relevant provisions of the GDPR. However, as the new FDPA is likely to be approved soon, companies will have to comply with these complex regulations and amend their processes and internal policies accordingly. The specific rules on creditworthiness profiling and video surveillance are, however, quite similar to the current law, so companies operating in compliance with current German law might not face too many requirements in adapting to the new FDPA.

As the GDPR allows member states to deviate from its provisions within certain limitations, comparable domestic laws are expected in all member states of the EU, complementing and/or modifying the basic legal framework as set out in the GDPR.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.