Replaces the GDPR the data protection authority

BDSG-new: What does the new Federal Data Protection Act contain?

The most important information about the new BDSG in brief

  • The new Federal Data Protection Act (BDSG-new) provides a Specification and supplement to the European General Data Protection Regulation (GDPR) represent.
  • This contains a number of so-called Opening clauseswhich enable certain regulations to be specified nationally.
  • The special regulations concern, for example, the Data protection in employment and the cases in which there is an obligation to appoint a data protection officer.

New BDSG: What is it all about?


Since May 25, 2018, the EU General Data Protection Regulation (GDPR) has been binding throughout the European Union. At the same time, a new Federal Data Protection Act came into force, the so-called BDSG-new, which was published in the Federal Law Gazette on July 5, 2017.

But what is the purpose of such a new data protection law at national level? The background is that the GDPR is directly applicable law and does not need to be implemented in national law, as was the case with the old EU data protection directive - at first glance, the new BDSG seems to be superfluous.

However, the GDPR also contains numerous opening clauses. This means that the regulations are kept open at these points so that they can be specified at national level. This task is taken over by the BDSG-new.

The old Federal Data Protection Act served to implement the EU data protection directive at the time and contained German data protection law. The BDSG in its new version, however, is only one Supplement and specification of the GDPRwhose regulations are directly applicable.

GDPR and BDSG-new: What is the relationship?

Everything that the GDPR regulates applies immediately. Since it takes precedence over national law, the BDSG-new can only contain provisions which the GDPR omits or deliberately leaves open. The new BDSG explicitly states in Section 1 (5) that its own regulations do not apply if the GDPR already makes directly applicable regulations in the area. This avoids conflicts that could arise when changes to the GDPR are made.

An example of the fact that something has to be re-regulated by the BDSG because the GDPR has no competence in this area are the Penal provisions (§ 42 BDSG-new). At the European level, only regulations on fines can be made.

Who does the new BDSG apply to? The regulations that are made relate - like those of the GDPR - on both public and non-public bodies. The latter include, for example, companies.

While part 1 of the BDSG-new contains general provisions and part 2 the details and additions to the GDPR, the third part deals with the implementation of the EU Data Protection Directive for Police and Justice (EU 2016/680). The fourth part is devoted to those provisions that are neither covered by the GDPR nor the Police and Justice Directive.

BDSG-new: Which changes are included?

Since BDSG-new and DSGVO in one primarily complementary ratio stand, contains the former above all punctual and specific regulations. We want to take a closer look at some of them below. This includes the conditions under which companies have to appoint a data protection officer, data protection in the employment relationship and special regulations relating to scoring and credit reports.

Appointment of a data protection officer

When companies have to appoint a data protection officer, the GDPR regulates in Art. 37. The conditions mentioned there are formulated in such a way that only a few forms of data processing are Obligation to designate subject.

The information that is mainly processed must either belong to the special categories of personal data, i.e. be of high protection, or, in terms of the way it is processed, require extensive monitoring of the respective persons. So these are just cases that are very intervene deeply in the areas of the data subjects that are worthy of protection.

However, Art. 37 Para. 4 explicitly provides that further cases required by national legislation can be. This is done in the German Data Protection Act in its revised version in Section 38. The supplement there also states the following conditions:

  • At least ten people are constantly busy with the automated processing of personal data.
  • Data processing is carried out that is subject to a data protection impact assessment in accordance with Art. 35 GDPR.
  • Business-related personal data are processed for the purpose of (anonymized) Transmission or market or opinion research.

Compared to the old BDSG, there is a change that a regulation regarding non-automated data processing (Obligation to appoint a data protection officer for 20 or more employees) is no longer applicable. Since everything that is done with computers is already considered automated processing, it can be assumed that this is the norm nowadays.

Data protection in employment

Art. 88 GDPR is entitled "Data processing in the context of employment". However, it does not contain any specific regulations on the subject of employee data protection, but merely refers to the fact that the EU member states can enact specific regulations themselves. Only the relevant aspects that can be dealt with are listed.

The implementation of this area, which is kept open by the GDPR, is carried out by § 26 BDSG-new, which has the title "Data processing for the purposes of the employment relationship" wearing. Among other things, regulations on the legal basis of data processing and consents in the work context are made here.

The processing of personal data of employees is permitted if this is necessary:

  • for the Decision on the establishment of an employment relationship,
  • within the employment relationship for his Execution or termination or
  • for exercising or fulfilling those resulting from a law or a collective agreement, a company or service agreement (collective agreement) Rights and duties of advocacy of employees.
Section 26 (8) of the BDSG-new also defines who is to be understood as an employee within the meaning of this law. In addition to regular employees, this also includes trainees, volunteers and civil servants. Also Applicants and former employees are considered employees according to the law.

Consent in the employment relationship

While according to the old legal situation there were still doubts when consent is actually effective in the employment relationship is because it was not clear whether actually one Voluntariness may exist, this has now been clarified through explicit regulations.

Section 26 (2) of the BDSG-new stipulates that the Dependency of the employment relationship as well as the special circumstances of the grant must be taken into account. Accordingly, consent can be given voluntarily if

  • a legal or economic one Advantage for the employee is reached or
  • Employer and employee similar interests follow.

In addition, the consent must be in writing and the employee is informed in writing on the one hand about the purpose of the data processing and on the other hand about his right of withdrawal.

Scoring and credit reports

A specific regulation, which the BDSG-new meets in the context of special processing situations, concerns Scoring procedure and credit information. According to Section 31 of the BDSG-new, scoring, i.e. the use of a probability value with regard to specific future behavior, may only be used if data protection law is complied with.

In addition, the calculation of the probability values ​​must be based on the use of a scientifically recognized mathematical-statistical procedure and do not rely solely on address data. But if the latter is the case, the person concerned must before the calculation be informed about the use of the address data.

Credit reports may only be used if the above conditions are met. In addition, may only certain requirements are taken into account be. According to Section 31 (2) BDSG-new, this includes, for example, claims for which a title is available or which the debtor has expressly recognized.

Consumer credit

Closely related to the regulations on creditworthiness are the provisions on consumer credit, which are newly stipulated in Section 30 of the BDSG. Accordingly, if such a loan applies rejected on the basis of a credit report obtained becomes that the data subject must be informed of the information received along with the information about the rejection.

Penalty and fine regulations

In addition to the sanctions stipulated in Art. 83 GDPR, which can be imposed by the supervisory authorities in the event of violations, the BDSG-new Sanction regulations made. On the one hand, § 42 makes criminal provisions. As already mentioned, the GDPR is not authorized to do this, which is why this must be done by a national law such as the BDSG-new.

For example, are provided Imprisonment of up to two years or a fineif personal data is processed without authorization or is obtained through false information and there is an intention to damage or enrich it.

A prison sentence of up to three years or a fine must be feared who has personal data of a large number of people transmitted to third parties or otherwise made accessible without authorization. From when such a "large number" is available is not specified in the legal text, so that the courts have to work here to determine such a number in individual cases.

In terms of fines that go beyond those of the GDPR, these two cases in particular are regulated in Section 43 BDSG-new: In the event of violations of Section 30 BDSG-new, i.e. the Consumer credit regulations, the supervisory authorities can impose a fine of up to 50,000 euros. On the other hand, it is stipulated that against authorities and others public authorities did not issue any fines become.

Overall, it can be said that the BDSG-new is different from its predecessor no independent and comprehensive law represents, but the data protection law, which the EU-GDPR specifies, supplements and concretises at the necessary points. Therefore it cannot do it alone, but always only considered in connection with the GDPR become.
(39 Ratings, average: 4,23 of 5)
BDSG-new: What does the new Federal Data Protection Act contain?
4.23539Loading ...

You might also be interested in: