The EU data protection reform package consisting of the General Data Protection Regulation (EU) 2016/679 (in German: Datenschutz-Grundverordnung, DS-GVO) and the Police Directive (EU) 2016/680 (in German: Datenschutzrichtlinie für Polizei und Strafjustiz) will be implemented in Germany essentially by the Data Protection Adaptation and Implementation Act (in German: Datenschutz-Anpassungs- und Umsetzungsgesetz EU, DSAnpUG-EU).

Data Protection Adaptation and Implementation Act (DSAnpUG-EU), English version, German version

The DSAnpUG-EU replaces the existing version of the Federal Data Protection Act (in German: Bundesdatenschutzgesetz, BDSG) with an identically named new act (sometimes referred to as BDSG-neu or BDSG n.F.). In addition, it will also enhance a series of other acts mainly in areas of law enforcement and intelligence services (Articles 2–6). Furthermore, the DSAnpUG-EU amends the new version of the BDSG and suggests a procedure for national data protection authorities how to challenge adequacy decisions of the EU Commission (Article 7). The DSAnpUG-EU (including the new version of the BDSG) will enter into force May 25, 2018, and the existing version of BDSG will expire at the same time (Article 8).

Comparison of the GDPR and the new version of the BDSG, German version

The representation of the new version of the BDSG in Article 1 of the DSAnpUG-EU is divided into the following parts:

Part 1: Contains common provisions irrespective of whether the processing takes place for the purposes of the GDPR or the Police Directive or other purposes not covered by the aforementioned EU legal acts (e.g., processing in the area of national security). In this part, the general legal foundation is laid for data processing and video surveillance, as well as provisions regarding data protection officers of public bodies, including elaboration of the corresponding office, the tasks and powers of the Federal Commissioner for Data Protection and Freedom of Information, and the German representation in the European Data Protection Board.

Part 2: Contains supplementary provisions with regard to the GDPR. These include stipulations for the processing of special categories of personal data, processing for other purposes, transfer of data by public bodies, and special processing situations, such as those related to employment purposes, purposes of scientific or historical research and statistical purposes, archiving purposes in the public interest, secrecy obligations, consumer loans, and scoring and credit reports. Furthermore, this part contains definitions regarding the right of data subjects and penalties in case of violations of the provisions of the GDPR.

Part 3: Serves the purpose of implementing the Police Directive when not already done through relevant domain-specific law. Besides general provisions regarding data processing, this part contains, among others, definitions of the rights of data subjects, duties of the controller, and transfers to third countries.

Part 4: Contains special provisions for processing in the context of activities outside the scope of the GDPR and the Police Directive, like transfers of personal data to perform tasks for urgent reasons of defense or to fulfill supra- or intergovernmental obligations of a public body of the federation in the field of crisis management or conflict prevention or for humanitarian measures.

Wilhelm-chart-GDPL

On April 27, the German Parliament accepted the implementation of the EU data protection reform package represented by the revised proposal DSAnpUG-EU. On May 12, the German Federal Council approved the DSAnpUG-EU, and on July 5, the DSAnpUG-EU was published in the Federal Law Gazette. In this way, the German legislature has reached its target to enact DSAnpUG-EU before the election of the German Parliament in September 2017 and also managed to deliver the first national implementation of the EU Data Protection Reform Package.

However, shortcuts have been taken, clauses from the GDPR have been copied into the new version of the BDSG, and use was made of opening clauses in the GDPR in a way that may keep courts busy in the future. Finally, it should be noted that the legislative process is not complete with the DSAnpUG-EU, and a new version of the BDSG as the data protection laws of the German federal states and domain-specific data protection laws must also be adapted.

photo credit: fdecomite German flag via photopin(license)