Replaces the GDPR the data protection authority
BDSG-new: What does the new Federal Data Protection Act contain?
The most important information about the new BDSG in brief
- The new Federal Data Protection Act (BDSG-new) is a specification of and supplement to the European General Data Protection Regulation (GDPR).
- The GDPR contains a number of so-called opening clauses, which enable certain regulations to be specified nationally.
- The special regulations concern, for example, data protection in employment and the cases in which there is an obligation to appoint a data protection officer.
New BDSG: What is it all about?
Since May 25, 2018, the EU General Data Protection Regulation (GDPR) has been binding throughout the European Union. At the same time, a new Federal Data Protection Act came into force, the so-called BDSG-new, which was published in the Federal Law Gazette on July 5, 2017.
But what is the purpose of such a new data protection law at national level? The background is that the GDPR is directly applicable law and does not need to be implemented in national law, as was the case with the old EU data protection directive. At first glance, the new BDSG therefore seems to be superfluous.
However, the GDPR also contains numerous opening clauses. This means that the regulations are kept open at these points so that they can be specified at national level. This task is taken over by the BDSG-new.
GDPR and BDSG-new: What is the relationship?
Everything that the GDPR regulates applies immediately. Since it takes precedence over national law, the BDSG-new can only contain provisions which the GDPR omits or deliberately leaves open. The new BDSG explicitly states in Section 1 (5) that its own regulations do not apply if the GDPR already makes directly applicable regulations in the area. This avoids conflicts that could arise when changes to the GDPR are made.
One example of something that has to be regulated by the BDSG because the GDPR has no competence in the area is the penal provisions (§ 42 BDSG-new). At the European level, only regulations on fines can be made.
Who does the new BDSG apply to? Like those of the GDPR, its regulations apply to both public and non-public bodies. The latter include, for example, companies.
BDSG-new: Which changes are included?
Since the BDSG-new and the GDPR stand in a primarily complementary relationship, the former contains above all selective and specific regulations. We want to take a closer look at some of them below. These include the conditions under which companies have to appoint a data protection officer, data protection in the employment relationship and special regulations relating to scoring and credit reports.
Appointment of a data protection officer
Art. 37 GDPR regulates when companies have to appoint a data protection officer. The conditions mentioned there are formulated in such a way that only a few forms of data processing are subject to the obligation to designate one.
The information that is mainly processed must either belong to the special categories of personal data, i.e. require a high level of protection, or the way it is processed must involve extensive monitoring of the respective persons. These are therefore only cases that intervene very deeply in the areas of the data subjects that are worthy of protection.
However, Art. 37 Para. 4 explicitly provides that further cases can be required by national legislation. The revised German Data Protection Act does this in Section 38. The supplement there additionally states the following conditions:
- At least ten people are constantly engaged in the automated processing of personal data.
- Data processing is carried out that is subject to a data protection impact assessment in accordance with Art. 35 GDPR.
- Business-related personal data are processed for the purpose of (anonymized) transmission or market or opinion research.
Compared to the old BDSG, one change is that the regulation on non-automated data processing (obligation to appoint a data protection officer for 20 or more employees) no longer applies. Since everything that is done with computers is already considered automated processing, it can be assumed that automated processing is the norm nowadays.
Data protection in employment
Art. 88 GDPR is entitled "Data processing in the context of employment". However, it does not contain any specific regulations on the subject of employee data protection, but merely refers to the fact that the EU member states can enact specific regulations themselves. Only the relevant aspects that can be dealt with are listed.
This area, which the GDPR leaves open, is implemented by § 26 BDSG-new, which bears the title "Data processing for the purposes of the employment relationship". Among other things, it regulates the legal basis of data processing and consent in the work context.
The processing of personal data of employees is permitted if this is necessary:
- for the decision on the establishment of an employment relationship,
- within the employment relationship, for its execution or termination, or
- for exercising or fulfilling the rights and duties of the employees' representation that result from a law or a collective agreement, a company or service agreement (collective agreement).
Consent in the employment relationship
Under the old legal situation there were still doubts about when consent in the employment relationship is actually effective, because it was not clear whether consent could actually be voluntary. This has now been clarified through explicit regulations.
Section 26 (2) of the BDSG-new stipulates that the dependency inherent in the employment relationship as well as the special circumstances under which consent was given must be taken into account. Accordingly, consent can be given voluntarily if
- a legal or economic advantage for the employee is achieved or
- employer and employee pursue similar interests.
In addition, the consent must be in writing, and the employee must be informed in writing about the purpose of the data processing on the one hand and about his right of withdrawal on the other.
Scoring and credit reports
One specific regulation that the BDSG-new makes in the context of special processing situations concerns scoring procedures and credit reports. According to Section 31 of the BDSG-new, scoring, i.e. the use of a probability value with regard to specific future behavior, may only be used if data protection law is complied with.
In addition, the calculation of the probability values must be based on a scientifically recognized mathematical-statistical procedure and must not rely solely on address data. If the latter is the case, however, the person concerned must be informed about the use of the address data before the calculation.
Credit reports may only be used if the above conditions are met. In addition, only certain claims may be taken into account. According to Section 31 (2) BDSG-new, this includes, for example, claims for which a title is available or which the debtor has expressly recognized.
Closely related to the regulations on creditworthiness are the provisions on consumer credit, which are newly stipulated in Section 30 of the BDSG. Accordingly, if an application for such a loan is rejected on the basis of a credit report obtained, the data subject must be informed of the information received along with the information about the rejection.
Penalty and fine regulations
In addition to the sanctions stipulated in Art. 83 GDPR, which can be imposed by the supervisory authorities in the event of violations, the BDSG-new also contains sanction regulations. On the one hand, § 42 lays down criminal provisions. As already mentioned, the GDPR is not authorized to do this, which is why this must be done by a national law such as the BDSG-new.
For example, imprisonment of up to two years or a fine is provided for if personal data is processed without authorization or is obtained through false information and there is an intention to cause damage or to enrich oneself.
Anyone who has transmitted personal data of a large number of people to third parties or otherwise made it accessible without authorization faces a prison sentence of up to three years or a fine. The legal text does not specify at what point such a "large number" is reached, so the courts have to determine this in individual cases.
In terms of fines that go beyond those of the GDPR, these two cases in particular are regulated in Section 43 BDSG-new: In the event of violations of Section 30 BDSG-new, i.e. the consumer credit regulations, the supervisory authorities can impose a fine of up to 50,000 euros. On the other hand, it is stipulated that no fines are imposed on authorities and other public bodies.