What is BDSG?
The Bundesdatenschutzgesetz (BDSG) is Germany’s Federal Data Protection Act, implementing and complementing the GDPR. It is the basis for adapting to the GDPR, being the applicable law for both public bodies of the Federation and public bodies of the Länder (Germany’s states), where data protection is not protected by the Land law and where federal law applies or where public bodies act as judicial bodies in matters that don’t include administrative matters.
In effect the BDSG is the national GDPR implementation, with some provisions going beyond the scope of the GDPR, there are not many differences between the two, though some of them provide stricter rules for local businesses in Germany. However, it is important to note that the GDPR is the superior law compared to the BDSG so in most cases it will be the applicable law.
Still, it is relevant for organizations to get acquainted with the provisions of this law, which apply to both the private and the public sectors. Private companies need to be aware that the BDSG applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system unless such processing is conducted by natural persons in the course of a purely personal or domestic activity.”
Regarding territorial scope, the law says that it applies to controllers and processors in the following cases:
- if the controllers/processors perform processing of personal data in Germany;
- if they process personal data “in the context of the activities of an establishment [...] in Germany” or
- if their processing activities fall within the scope of the GDPR, although they don’t have an establishment in Germany.
In other words, if your organization offers goods or services in Germany or monitors German data subjects, you must be BDSG compliant, as your processing activities are covered under Article 3 of the GDPR.
Some of the other topics in which the BDSG stands out from the GDPR are as follows:
1. Video surveillance of public places
Section 4 of the BDSG states that video surveillance of public areas is lawful as long as it is required for the performing of tasks, to determine the right to grant/deny access or to safeguard legitimate interest, as detailed in Article 6 of the GDPR. However, the law also outlines specific provisions regarding the way in which this is to be carried out and for how long.
The provisions state that:
- “the surveillance and the controller’s name and contact details” have to be made “identifiable as early as possible;”
- storing and using the data is only allowed for the purposes mentioned above, unless there is anything “to indicate legitimate overriding interests of the data subjects,”
- further processing can be done only if necessary “to prevent threats to state and public security and to prosecute crimes”
- “if data collected from video surveillance are attributed to a particular person, that person shall be informed of the processing”
- the data collected has to be deleted without delay when it is no longer needed for the initial purposes or if individuals have a legitimate interest in removing the data from storage.
2. Data processing for other purposes, than initially intended
According to Section 24, private bodies are allowed to process personal data for purposes other than the initial ones if this is necessary to prevent a threat against the state or the public security, if it is required in order to prosecute a criminal offense, or for the establishment, exercise, or defense of legal claims.
3. Data processing in the context of employment
Under the GDPR, as a general rule, consent need not be in written form. However, section 26 of the BDSG states that in the case of processing of employee personal data, consent must be recorded in written form. The BDSG also regulates where employee personal data may be processed for employment purposes, to reveal a criminal offense, when consent is freely given, or the processing of special categories of data within an employment context.
4. Data processing related to consumer credits and scoring and credit checks
Section 30 states that personal data processing for the purpose of transfer in the context of consumer loans has to be done according to the same principles both for domestic lenders and other EU Member States lenders. A refusal to conclude a consumer loan contract as a result of information received from a body that has provided personal data about the consumer for the purpose of creditworthiness evaluation must be accompanied by a notification that contains the information received, unless such a notification would endanger public security or order.
In the case of scoring and credit reports, this can be done only if privacy rules are met, the data used is relevant and based on “scientifically recognized mathematic-statistical procedure,” and, if address data is used, the individual is informed beforehand of this.
5. Limitation of rights of the data subject
Sections 32 through 37 of the BDSG limit individuals’ data access rights in favour of organizations. For example, the right of access granted by Article 15 of the GDPR is limited here in cases where, for example, the personal data of the individual is stored in analogue form, providing the individual with the data would be burdensome, and “the interest of the data subject in receiving the information can be regarded as minimal, given the circumstances of the individual case, in particular with regard to the context in which the data were collected.”
Another such example is the obligation to inform individuals of data processing, as stipulated in Article 13 of the GDPR, where the BDSG mandates that this may be limited in cases where informing the individual may result in a negative impact on the data controller’s legal defense.
6. Designation of a DPO
Section 38 of the BDSG adds to Article 37 of the GDPR that the requirement to appoint a Data Protection Officer applies to every company that employs at least 20 persons involved in the automated data processing. In addition, if a data controller or processor undertakes processing that is subject to a DPIA, as regulated by Article 35 of the GDPR, or if the process personal data commercially, for the purposes of transfer, anonymized transfer or market research, they must appoint a DPO, regardless of the number of persons employed in processing.
7. Administrative fines, criminal provisions
Sections 41 through 43 of the German law outline the fines applicable as well as the criminal penalties that are to be enforced following a violation of the regulations. As opposed to the GDPR where the administrative fines go up to €20 million or 4% of the global revenue, depending on which amount is higher, the BDSG imposes fines up to a maximum of €50,000 for very specific cases, such as intentionally or negligently violating the requirement to treat a data subject access request properly.
When referring to the criminal offenses, violations that fall into this category may be punished with a 3 year prison sentence or a fine, for example where personal data is obtained fraudulently and for the purpose of enrichment or of harming someone else.
Last but not least, individuals are granted the right to claim damages for non-pecuniary damage.
How can Clym help?
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Custom branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.