Germany

Privacy Culture

When it comes to data protection and privacy, Germany can be considered a leading jurisdiction. Citizens of this country are particularly attuned to the importance of privacy, possibly due to the still-living memory of the activities of one of the most hated and feared institutions in former East Germany: the Stasi. In that context, history has shown that, under certain circumstances, the processing of personal data may have grave consequences for an individual. Germans are well aware of the potential harms that result from the processing of personal information. Consequently, German data privacy and protection laws are among the strictest in the world.

According to the EuroBarometer Survey on Data Protection issued by the European Commission, 45% of Germans feel they have no control over the information they provide online, compared to only 33% in other EU countries. An overwhelming majority of Germans say they are concerned about their personal data being used for a purpose other than the one it was collected for.

Legal History

Germany has a long tradition in data protection. The world's very first Data Protection Act came from the State of Hesse, in 1970. At the federal level, a similar act was enacted in 1977. Nowadays, the basic act regulating data protection and privacy in Germany is the German Federal Data Protection Act (Bundesdatenschutzgesetz) (the 'FDPA'), which implements the provisions of the EU Data Protection Directive into German law. The FDPA was subject to major amendments in 2009 by the Federal Data Protection Act Amendment Law (Novelle des Bundesdatenschutzgesetzes). In certain industries, sector-specific legislation applies. In addition, all of the 16 German states have their own data protection laws covering the same areas.

Other notable acts governing data protection and privacy in Germany:

the German Telemedia Act (Telemediengesetz) - governs privacy in online services;
the Telecommunications Act (Telekommunikationsgesetz) - applies to providers of telecommunication services;
the Criminal Act (Strafgesetzbuch) - certain provisions apply to grave breaches of data protection law;
Social Security Code I, II, IV, V and X - apply to health and personal data in connection with medical and social security services.

Enforcement and Court Action

Germany has a regional rather than a federal system of data protection enforcement, in which each German state appoints its own data protection regulator. As a result, there are sixteen state data protection authorities, loosely coordinated by a Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, or BfDI). The Federal Commissioner enforces federal data protection and freedom of information law in Germany and exercises direct supervision over all telecommunication companies. All other private companies are supervised by the data protection authority of the state in which they are established.

In general, the procedures applied by state data protection authorities are not made public, and enforcement cases are rarely reported unless they are matters of public interest. Nevertheless, each year the data protection authorities publish a report on their activities.

The supervisory authorities have the power to:

Order an audit;
Impose measures to remedy contraventions of the FDPA;
Fine organisations (administrative fines only);
In the event of serious infringements, ban certain procedures.

Generally, contraventions of German data protection laws are actively enforced. Data controllers may be subject to a maximum fine of 300.000,00 EUR per breach. Supervisory authorities also have the power to confiscate profits or benefits derived from violations of data protection laws. In certain circumstances, a violation of data protection law may constitute a criminal offence punishable by up to two years of imprisonment or a monetary penalty.

Corporate Risk

In 2013-2014 the highest individual fines were issued in Bremen (15.000,00 EUR) and Schleswig-Holstein (18.000,00 EUR). In the federal state of Bavaria, 20 fine notices were issued, resulting in 200.000,00 EUR in fines. Berlin's data protection authority issued 25 fine notices amounting in total to 88.205,00 EUR. Hesse issued only 2 fine notices, with fines totalling 3.500,00 EUR.

Additionally, companies that contravene privacy law face the threat of serious financial penalties imposed by the German courts. In 2014, a health insurance firm settled a case by paying a fine of 1.900.000,00 EUR for privacy law violations committed over a period of several years. The company had unlawfully acquired the addresses of public service employees in order to sell private health insurance contracts to them.

In January 2015, the Berlin and Bremen data protection authorities were among the first DPAs to express reservations about the reliability of the Safe Harbor scheme, which regulated the flow of personal data between some 4,400 US companies and data controllers in the EU. The Safe Harbor scheme was finally and formally declared invalid by the Court of Justice of the European Union in October 2015.

Future Outlook - Germany and GDPR

The present German requirements are often regarded by businesses as some of the strictest in the EU. Nevertheless, Germany continues to strengthen its data protection legal framework. Before the official publication of the new General Data Protection Regulation, the German legislator was working on a reform of employee data protection law. The reform seeks to clarify the current regime and to regulate all important aspects of employee data protection, such as prior medical check-ups.

Because of its already strict data protection requirements, Germany is expected not to have to adapt much to the new GDPR. For example, Germany was the only country to mandate the role of Data Protection Officer from 2001 onwards. But the GDPR will still affect German privacy and data protection legislation. It will increase the responsibilities of data processors (e.g. the processor will have to assist the controller in determining which security measures are appropriate) and impose a prior written consent obligation for sub-contracting. The current German requirement to sign data processing agreements in writing will be amended so that such contracts can be concluded in electronic form from 2018 onwards. The GDPR could also reduce the amount of unnecessary paperwork with regard to EC Model Clauses in Germany, and it will expand certification as a means of demonstrating compliance.

Sources

1. Patrick O'Kane, German data protection authorities intervene on Safe Harbor, 20/02/2015
http://www.corderycompliance.com/german-data-protection-authorities-intervene-on-safe-harbor/

2. DataGuidance, Germany: Pressure increases on Safe Harbor Framework, 05/02/2015
http://www.dataguidance.com/dataguidance_privacy_this_week.asp?id=3201

3. PricewaterhouseCoopers Legal LLP, Privacy and Security Enforcement Tracker, March 2015
http://pwc.blogs.com/data_protection/2015/03/enforcement-tracker-download-here.html

4. Daniel Pauly, Konrad Berger, Data Protected. Germany, 07/2015
https://clientsites.linklaters.com/Clients/dataprotected/Pages/Germany.aspx#nra

5. DataGuidance, Global Privacy Enforcement Report 2015 [Cecile Park Publishing Ltd.]

6. European Commission, EUROBAROMETER Survey on Data Protection, 28/02/2015 - 09/03/2015
http://ec.europa.eu/public_opinion/archives/ebs/ebs_431_fact_de_en.pdf

7. Taylor Wessing, Controller to processor issues in Germany under the GDPR
http://www.lexology.com/library/detail.aspx?g=fceb7630-3f43-4cc9-b288-a6e04cd4cb76

8. David Meyer, What will mandatory DPOs look like under the GDPR? Germany could tell you
https://iapp.org/news/a/what-will-mandatory-dpos-look-like-under-the-gdpr-germany-could-tell-you/

Data Privacy Recruitment Ltd.

All rights reserved. All opinions expressed are to be treated strictly as guidance and not as legal advice.

September 2016
London, United Kingdom