On 28 June 2019, the German Bundestag passed the 2nd DSAnpUG which will amongst other things further adapt the German Federal Data Protection Act („BDSG“), the German Federal Registration Act (“BMG”), the German Act on the Federal Office for Security in Information Technology (“BSI-Act”) and the Act on the Establishment of a Federal Institute for Digital Radio of Authorities and Organizations with Security Responsibilities (“BDBOS-Act”) to the provisions of the General Data Protection Regulation („GDPR“). The following post shall introduce the most important changes in said specific laws:
Of particular practical importance is the amendment of § 38 (1) BDSG: The limit from when data controllers and data processors shall appoint a data protection officer increased from 10 persons to 20 persons permanently engaged in the automated processing of personal data.
In the context of data processing in an employment relation, the current version of § 26 BDSG provides for a specific legal basis that inter alia requires that consent granted from employees must be provided in written form. The 2nd DSAnpUG amends such obligation and allows also for electronic provision of the consent.
Also, § 22 BDSG which deals with the processing of special categories of personal data will be amended and now introduces a further provision of permission for the processing of special categories of personal data. In future, non-public bodies will also be allowed to process special categories of personal data if this is “absolutely necessary for reasons of substantial public interest“, a criterion that is subject to interpretation by the competent courts.
The 2nd DSAnpUG also includes a new legal basis in § 86 BDSG for processing of personal data for the purposes of state awards and honours. According to § 86 BDSG processing of personal data including special categories of personal data shall be permitted – without knowledge of the affected data subject – for both public and non-public bodies in order to prepare and implement state procedures for awards and honours. The regulation allows for other exceptions, such as an exemption from the duty to provide information about the modalities of data processing according to Article 13 GDPR.
Apart from that, the currently applicable § 9 BDSG that governs the Federal Commissioner for Data Protection and Freedom of Information’s competences, shall be revised. In future, companies providing commercial telecommunications services will be subject to uniform supervision by the Federal Commissioner for Data Protection and Freedom of Information as far as they process data from natural or legal persons for the professional provision of telecommunication services and such obligation does not already arise from § 115 (4) of the German Telecommunications Act („TKG“).
The BMG shall be amended in such a way that address traders cannot use data from a civil register information for the purposes of advertising or address trading even with the consent of the data subject concerned. The current version of § 44 (3) BMG explicitly provides that data subjects concerned may grant their consent in such data processing.
Further, the BSI-Act shall be amended in a way that will limit certain data subject rights in the context of specific data processing activities. Amongst other things, the obligation to inform data subjects pursuant to Art. 13 GDPR shall not apply if the provision of information would jeopardize the proper fulfilment of the obligations falling within the competence of the Federal Office for Security in Information Technology. Limitations of data subject rights also include certain limitations of the right to object, the right to rectification as well as the right of access to personal data by the data subject.
Finally, a new § 19 (4) will be included in the BDBOS-Act: Processing of traffic data in the context of digital radio (the guiding principle of digital radio is a uniform and powerful radio network for all authorities and organizations with security tasks in Germany) receives its own legal basis and the Federal Institute for Digital Radio of Authorities and Organizations with Security Responsibilities may store that traffic data up to 75 days.
In total, the 2nd DSAnpUG makes changes in 154 specialized German laws. Mostly, changes include the adaptation of definitions and legal bases for data processing as well as regulations on the rights of data subjects. The 2nd DSAnpUG is subject to approval by the German Federal Council which is expected in the near future and will enter into force on the day following its promulgation in the Federal Law Gazette.