By Florian Thoma

The amendments to the Federal Data Protection Act (FDPA; in German: Bundesdatenschutzgesetz, BDSG) passed parliament (the Bundestag) on July 3, and on July 10 the second chamber (the Bundesrat, or Federal Council) decided not to raise objections. The act now only needs the President's signature and promulgation. It will, with limited exceptions, enter into force on September 1, 2009.

The act is largely a reaction to recent data protection breaches involving a number of high-profile German companies, in particular retailer Lidl, Deutsche Telekom, and Deutsche Bahn (German Railways).

  • The principles of data avoidance and data economy (using as little personal data as possible) are extended from data processing systems to all collection, processing, and use of personal data. Further, personal data is to be anonymized or pseudonymized unless the effort required to do so is disproportionate (sect. 3a).
  • Market research and opinion polling companies are required to register their systems with the Data Protection Authority (DPA) and it is mandatory for such companies to appoint a data protection officer (which is a change only for small companies that, until now, were exempt) (sect. 4d para. 4, sect. 4f para. 1).
  • The role of the data protection officer is strengthened by a new protection against dismissal while in office and for one year thereafter (unless the employer would have the right to terminate without notice for important reasons). The data protection officer must also be given the opportunity to attend seminars and similar events, paid for by the employer, to keep up to date with data protection developments (sect. 4f para. 3).
  • Sect. 11 para. 2 was completely rewritten in a last-minute change and now lists in detail the topics that written agreements between controllers and processors must cover. This will be one of the big challenges for companies, because the change also applies to contracts concluded before September 1. In particular, the following topics must be addressed:

          o subject and duration of the services to be provided;
          o the types of data, the type of data subjects, type of collection and processing, and use of data, to which extent, and for which purposes;
          o technical and organizational measures to protect personal data in accordance with sect. 9 of the act;
          o the correction, deletion, and blocking of data;
          o duties of the processor in accordance with the act’s sect. 4, in particular the controls the processor must carry out;
          o whether the processor is entitled to engage subcontractors;
          o control and audit rights of the controller and the respective cooperation and toleration duties of the processor;
          o data breaches and non-compliance with contractual duties by the processor or his staff;
          o the extent to which the controller has the governance/rights to direction vis-a-vis the processor; and
          o deletion of data and/or the return of media following termination of the processing services.

  • Sect. 11 para. 2 also extends the controller’s supervisory duties, which were previously worded rather vaguely. The controller now has to verify the processor’s compliance before the processing starts and at appropriate intervals thereafter. These checks must be documented; missing documentation is an offense that can be fined by up to 50,000 Euro.
  • The “core” of the reform was substantially watered down in the parliamentary debate. Legislators started with the idea of abolishing the so-called “list privilege,” which allowed the transfer, sale, and use of list data (titles, name and address, year of birth), and replacing it with a strict opt-in principle for commercial communications and advertising. In the end, however, sect. 28 para. 3 allows the use of personal data for advertising, marketing, and opinion polling purposes if (a) the data subject has consented in writing or in the specific alternative forms provided for by sect. 3a, or (b) data lists (limited to names, addresses, titles, job functions, year of birth) are derived from public sources and used for the marketing of one’s own products or third-party products, or transferred to third parties for their advertising; in the latter two cases the advertisement must indicate where the data originated (sect. 28 paras 3, 3a). In addition, there are a number of formal requirements regarding the right to object and the form of notice and consent.
  • The controller may not make a contract with the data subject conditional on the data subject’s consent where the data subject has no alternative way to obtain comparable goods and services (sect. 28 para. 3b).
  • An entirely new sect. 30a covers market research and opinion polling; it excludes the use of the data for other purposes and requires anonymization as soon as practicable.
  • A new sect. 32 limits the use of employees’ data (including applicant data) to what is required to decide whether to enter into an employment relationship, to perform the employment (e.g. salaries, tax and social security requirements, secondments, career development), and to terminate the relationship. Specifically, the use of data to investigate criminal offenses by employees requires documented factual grounds for suspicion, and the employer’s interest in the investigation must outweigh the interests of the suspected employee. Means and ends must be proportionate, i.e. no excessive collection and use of data on an employee for minor wrongdoing.
  • Sect. 3 of the FDPA adds a new definition of “employees,” which influences the scope of new sect. 32.
  • Sect. 38 para. 5 extends the powers of the DPA. In the past these were limited to requiring additional technical and organizational measures; the DPA can now require changes and amendments to systems and, in the case of non-compliant processing, shut down the whole system in question.
  • Sect. 42a introduces a U.S.-style security breach notification duty for the private sector where sensitive data (special categories of data, data relating to criminal acts and offenses, data subject to professional secrecy duties, bank account information) has been unlawfully transferred to or accessed by a third party and serious adverse effects for the data subjects are imminent. Both the DPA and the data subjects must be notified without undue delay.
  • Sect. 43 adds some new offenses and raises fines (from 25,000 Euro to 50,000 Euro for “smaller” cases and from 250,000 Euro to 300,000 Euro for larger ones). Where appropriate, fines may also exceed these ceilings so as to outweigh any economic advantage gained from the non-compliance.
  • Sect. 47 contains transitional rules: for advertising and marketing the new rules apply from April 1, 2012, and for market research and opinion polling from April 1, 2010, but in both cases only for data collected before Sept. 1, 2009. Data collected on or after Sept. 1, 2009 is subject to the new rules immediately.

In addition to this act, the Federal Data Protection Act will change again as of April 1, 2010, due to another recent act on scoring. That act is meant to limit the use of scoring techniques, in particular credit scores that express a person’s creditworthiness by statistically combining a larger number of individual values, as well as consumer scores. Where scoring is used, it also aims to increase transparency about the data used for the scores and to strengthen data subjects’ rights.

Thoma is the chief data protection officer at Siemens AG.
See page 22 for a global review of opt-in versus opt-out requirements for digital marketing initiatives.

