HEUSSEN Rechtsanwaltsgesellschaft mbH

What law(s) specifically govern personal data / information?

Germany is subject to the European GDPR and further regulations in the BDSG (Bundesdatenschutzgesetz / Federal Data Protection Law). There are also specific provisions regarding data protection in many sector-specific laws, such as the TTDSG (Data Protection and Privacy in Telecommunications and Telemedia Act) or the SGB V (Social Law V – Statutory Health Insurance).

What are the key data protection principles in this jurisdiction?

Lawful basis for processing

The GDPR provides an exhaustive list of legal bases on which personal data may be processed:

  • consent of the data subject for one or more specific purposes;
  • contractual necessity;
  • compliance with a legal obligation of the controller to perform the relevant processing;
  • protection of the vital interests of the data subject or of another natural person;
  • performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • legitimate interests (i.e. the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects).

The processing of sensitive personal data requires stronger grounds and is only permitted under certain conditions, of which the most relevant are:

  • explicit consent of the affected data subject;
  • the processing is necessary in the context of employment or social security law; or
  • the processing is necessary for the establishment, exercise or defence of legal claims.

Transparency

Personal data must be processed lawfully, fairly and in a transparent manner. Regarding the processing of personal data, controllers are obliged to provide certain information to data subjects. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Purpose limitation

Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.

Data minimisation

The processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.

Accuracy

Personal data must be accurate and, where necessary, kept up to date.

Storage limitation

Personal data must be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data was initially collected.

Integrity and confidentiality

Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability

The controller is responsible for the processing of data in accordance with the GDPR. In particular, the controller is obliged to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in compliance with the GDPR.

What is the supervisory authority / regulator in charge of data protection?

Germany has 18 supervisory authorities in total: one for each of the 16 federal states, with Bavaria having 2, and the Federal Data Protection Officer. The state authorities have jurisdiction over entities headquartered in their state; the Federal Data Protection Officer supervises the federal agencies and telecommunication providers. These authorities have also formed a joint board, the DSK (Datenschutzkonferenz / Data Protection Conference), which issues opinions and other statements that the authorities agree on.

Is there a requirement to register with a supervisory authority / regulator?

No, a registration of a company is not necessary. However, Germany requires all companies with more than 20 employees tasked with data processing to have a Data Protection Officer, and such a DPO must be registered with the relevant supervisory authority. Only contact details of the company and the DPO have to be provided (this is usually done by the DPO).

Is there a requirement to notify the supervisory authority / regulator?

No, a notification to a supervisory authority before executing processing activities is no longer necessary. This used to be the case in Germany under the old BDSG, but registration has not been a requirement since the GDPR came into force.

Is it possible to register with / notify the supervisory authority / regulator online?

Not applicable.

What are the key data subject rights under the data protection laws of this jurisdiction?

Right to information

Pursuant to Articles 13 and 14 GDPR, data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.

Right of access

A data subject has the right to obtain from a controller certain information in respect of the data subject’s personal data as listed in Article 15 GDPR.

Additionally, the data subject may request a copy of the personal data being processed.

Right to rectification of errors

Pursuant to Article 16 GDPR, data subjects have the right to rectification of inaccurate personal data.

Right to deletion/right to be forgotten

Data subjects have the right to erasure of their personal data (the “right to be forgotten”) if one of the reasons listed in Article 17 GDPR applies.

Right to restriction of processing

Data subjects have the right to request restriction of the processing of personal data, which means that the data may only be processed for limited purposes as defined in Article 18 GDPR.

Right to data portability

Data subjects have a right to receive a copy of their personal data in a commonly used machine-readable format, and transfer their personal data from one controller to another or have the data transmitted directly between controllers (Article 20 GDPR).

Right to object to processing

Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (Article 6 para 1(e) GDPR) or legitimate interest of the controller (Article 6 para 1(f) GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the relevant data subject, or it requires the data in order to establish, exercise or defend legal rights.

Data subjects have the right to object to the processing of personal data for marketing purposes, including profiling.

Right to withdraw consent

A data subject has the right to withdraw their consent at any time (Article 7 para 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.

Right to complain to the relevant data protection authority(ies)

Data subjects have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority.

Right not to be subject to automated individual decision-making

Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing of data (including profiling), which produces legal effects or similarly significant effects for the data subject (Article 22 GDPR).

This is a summary only and there are some qualifications and limitations to these rights which may be relevant.

Is there a requirement to appoint a data protection officer (or equivalent)?

Under the GDPR (Articles 37 to 39), a Data Protection Officer (DPO) must be appointed by organisations that:

  • are a public authority or body (except for courts acting in their judicial capacity);
  • have core activities that require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • have core activities that consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. Organisations that are not required to appoint a DPO may do so voluntarily. In making a voluntary appointment, organisations should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.

The DPO must have expert knowledge of data protection law and practices, be independent and report to the highest management level.

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Yes; if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment is required. This is always the case in the following circumstances:

  • Systematic, extensive evaluation of personal aspects (including profiling)
  • Large-scale processing of sensitive categories of data
  • Systematic monitoring of public spaces

The German Supervisory Authorities have determined that a DPIA is necessary in 16 particular use cases. These partially overlap with the circumstances given above, but extend and specify them as well.

In addition, a Data Protection Impact Assessment (DPIA) is necessary whenever nature, scope, context, purpose of the processing or usage of new technologies indicate a high risk for the rights of natural persons.

Does this jurisdiction have any specific data breach notification requirements?

Yes. In the event of a data breach, the competent supervisory authority for the federal state needs to be notified within 72 hours. In the event of a data breach that poses severe risks to the rights and interests of the data subject, the data subject must also be notified without undue delay. The content of the notification is specified in Art. 33 section 3 GDPR.

The EDPB (European Data Protection Board) has issued guidelines on data breach notification, detailing the requirements for such notifications (Guidelines 9/2022 on personal data breach notification under GDPR and Guidelines 01/2021 on Examples regarding Data Breach Notification).

What restrictions apply to the international transfer of personal data / information?

International data transfers (i.e. to jurisdictions outside the European Economic Area (“EEA”)) can only take place if the transfer is subject to an “Adequacy Decision” or the recipient has implemented certain safeguards required by the GDPR:

The EU Commission has issued decisions concerning an adequate level of protection on the basis of Article 45 para 3 GDPR for the following countries: Andorra; Argentina; Canada; Faroe Islands; Guernsey; Isle of Man; Israel; Japan; Jersey; New Zealand; Republic of Korea; Switzerland; and Uruguay. The United Kingdom has been recognised by the EU Commission as providing adequate protection under the GDPR and the Law Enforcement Directive.

For data transfers to all other countries, the controller is obliged to ensure compliance by one of the following means:

  • The transfer may be based on the consent of the relevant data subject.
  • The transfer may be based on Standard Contractual Clauses (“SCCs”) drafted by the EU Commission. The SCCs, which took effect on 27 June 2021, are available for the following transfers:
    • Module 1: controller to controller
    • Module 2: controller to processor
    • Module 3: processor to processor
    • Module 4: processor to controller
  • The transfer may be based on contracts agreed between the data exporter and data importer, provided that they meet the protection standards outlined in the GDPR. Additionally, prior approval by the relevant data protection authority is required.
  • The transfer may be based on Binding Corporate Rules (“BCRs”), in particular within a group of entities. For BCRs, prior approval by the relevant data protection authority is needed. Most importantly, the BCRs need to include a mechanism to ensure they are legally binding on, and enforced by, every member of the group of entities.
  • The transfer is covered by one of the permitted derogations set out in Article 49 (in the absence of an adequacy decision or appropriate safeguard), such as the explicit consent of the data subject; the transfer being necessary for the performance of a contract between the data subject and the data controller at the data subject's request or in the interest of the data subject; or the transfer being necessary for the establishment, exercise or defence of legal claims.

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Not per se. However, Art. 3 section 2 GDPR declares that a company processing data of persons within the EU is subject to the GDPR if it either offers goods or services to natural persons within the EU or monitors their behaviour as far as it takes place within the EU.

What rules specifically deal with marketing?

The GDPR limits many marketing practices based on the usage of personal data, such as creating personalised advertising profiles, in various ways, e.g. by usually requiring consent for this usage. In addition, the German § 7 UWG (Law against Unfair Competitive Practices) forbids marketing calls to consumers without explicit consent, digital advertising messages sent without explicit consent, and any other marketing practices considered to be unreasonable harassment of the consumer.

Do different rules apply to business-to-business and business-to-consumer marketing?

Yes, the protections of consumers are significantly stronger; e.g., data protection laws for the most part only apply to personal data, not business data. However, the GDPR can still be relevant in B2B dealings (the e-mail address of a contact person in a different company is still personal data of that person).

In German law, it is also possible for competitors or consumer protection agencies to sue to cease and desist marketing measures that are not compliant with the law. A recent CJEU ruling did state that the GDPR does not prevent consumer protection organisations from using these means to sue for data protection compliance, but left the question open regarding competitors. The German courts are still split on the issue. A court case regarding this question is still pending before the Federal Court of Germany (the highest national court).

What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

Yes, see above. German law considers all forms of marketing by electronic messaging (whether e-mail, WhatsApp or push messages) to be equivalent and requires consent (with narrow exceptions for implied consent) for them. Online ads can be shown without consent, but personalisation will often require consent, depending on how data is gathered and used.

What rules specifically deal with cookies?

Germany has adopted the provisions on cookies from European law (Directive 2002/58, the EU ePrivacy Directive) in the TTDSG (Data Protection and Privacy in Telecommunications and Telemedia Act), which mirrors the former in light of the GDPR. The new regulation is roughly a copy of Art. 5 of the Cookie Directive:

  • Storage of information in the end-user's terminal equipment or access to information already stored in the terminal equipment shall only be allowed if the end-user has consented on the basis of clear and comprehensive information.
  • The information to the end-user and the consent shall be provided in accordance with Regulation (EU) 2016/679.

Consent under paragraph 1 shall not be required,

  1. if the sole purpose of storing information in the end-user's terminal equipment or the sole purpose of accessing information already stored in the end-user's terminal equipment is to carry out the transmission of a communication over a public telecommunications network; or
  2. where the storage of information in the end-user's terminal equipment or the access to information already stored in the end-user's terminal equipment is strictly necessary to enable the provider of a telemedia service to provide a telemedia service explicitly requested by the user.

Pursuant to the legal prerequisites established by the CJEU (Planet49, C-673/17), consent to the use of cookies containing personal data as described must be given by explicit opt-in. This decision was confirmed by the German Federal Court of Justice and has now become law in the form of the TTDSG.

What are the consequences of non-compliance with data protection laws (including marketing laws)?

The legal ceiling for fines for non-compliance with data protection laws is unusually high (up to 4% of the annual revenue of a company found to be non-compliant). In practice, the publicly known fines for large actors typically reach a range of 1-2 million Euros, with the largest fines reaching 10 million Euros. It should be noted that the German courts have lowered every fine reaching these heights to a fraction whenever the subject company litigated.

Smaller entities typically face fines in the range of 1,000 – 100,000 Euros.

Overall, the fine depends on the size of the company and the severity of the noncompliance.

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?

The German Supervisory Authorities are, compared to many other Supervisory Authorities, unusually active and take an aggressive stance against companies they perceive as noncompliant.

Since the 18 different Supervisory Authorities have significantly diverging opinions on some matters, multinationals expanding into Germany should take care in choosing the state in which they establish themselves and pay particular attention to the opinions issued by the competent authority.

Multinationals should also be aware that if employee data is processed in a way that may be used as a monitoring system (such as in performance analytics software), the Works Council (obligatory employee representation) has a right to audit the processing and may block its implementation.

Controllers and processors who are not established in the EEA are generally required under Article 27 GDPR to designate a representative in the EEA where their activities fall within the territorial scope of the EEA data protection regime under Article 3, specifically if they involve processing personal data of data subjects within the EEA in connection with the provision of goods or services, or the monitoring of the behaviour of data subjects located in the EEA.

What upcoming data protection developments should multinational organisations be aware of?

As of November 2022, private actors have started to pursue minor damage claims related to the GDPR, particularly against users of Google Fonts. The claims are dubious, but they emphasise the need for data protection compliance.

The president of the USA has recently issued an Executive Order meant to make an Adequacy Decision possible, which would make data transfers between the USA and the EU much easier. However, various stakeholders have already declared doubts whether such a decision would be compliant with the relevant case law. There are substantial issues, casting doubt on whether a new Adequacy Decision would satisfy the requirements of the CJEU.

A new ePrivacy Regulation is still in development at EU level. A draft has been issued, but it is still not clear when the final version will become law. As of now, a 24-month transition period is still expected, meaning this regulation will not take effect before 2024 at the earliest.

The current government of Germany has expressed a desire to improve the availability of data, especially for start-ups and small or medium-sized companies, and to standardise formats. In particular, the German parliament is currently developing a law regarding the usage of data for research and development. It is not clear when it will be published. This law is supposed to reduce legal hurdles in this area. There are also plans to create a central, public database for traffic-related data and one for the usage of vehicle data.

More and more, the Right of Access is used in labour law cases by employees in order to exert pressure on their former employer. Fulfilling it can often require substantial amounts of work. In addition, as the courts have thus far not clearly defined its scope, it is unclear how much information has to be provided, creating a legal risk. This should be anticipated when settling labour disputes.

Mark Münch
HEUSSEN Rechtsanwaltsgesellschaft mbH
Germany


Marcel Schieß
HEUSSEN Rechtsanwaltsgesellschaft mbH
Germany