Navigation and service

Article Na­tion­al da­ta pro­tec­tion law

The Federal Data Protection Act serves as the foundation for German data protection law.

The European Data Protection Directive (95/46/EC) has been in effect throughout the European Union since 1995. In Germany, it has been implemented with the Federal Data Protection Act (BDSG), the data protection legislation of the federal states (Länder) and numerous data protection provisions in special legislation. However, the EU directive has not been interpreted and enforced uniformly by the member states.

The General Data Protection Regulation (Regulation (EU) 2016/679) adopted on 27 April 2016 is intended to change this, harmonizing and modernizing data protection law within the EU. This regulation will enter into force in all member states on 25 May 2018.

The General Data Protection Regulation requires a major overhaul of German data protection law. As an EU regulation, it applies directly in the member states, but it also allows them some leeway. For example, the member states may introduce a legal basis for data processing by government agencies or limit the rights of data subjects where necessary.

On 1 February 2017, the Federal Government presented a bill to bring federal data protection law into line with the General Data Protection Regulation. In addition, essential parts of Directive (EU) 2016/680, which contains provisions on data processing for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, are being implemented. The main part of the bill is a revision of the Federal Data Protection Act. The bill must be debated in and passed by the German Bundestag and Bundesrat.

Bill amending national data protection law and implementing EU legislation: An overview

The bill amending national data protection law and implementing EU legislation is intended to bring federal data protection law into line with amended EU data protection law.

The main part of the bill is a revision of the Federal Data Protection Act. Like the current Act, the new law will apply to government agencies at federal and state level (unless other state law applies) and to private entities. The amended Act will in future cover those areas where the General Data Protection Regulation gives the member states leeway. The new Act will also implement key parts of Directive (EU) 2016/680, which contains provisions on data processing for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

The future Federal Data Protection Act will be made up of four parts:

Part 1 will contain provisions applicable to data processing regardless of whether it is for the purposes covered by the General Data Protection Regulation or by the Directive on data processing by law enforcement and judicial authorities, or for purposes not covered by either (such as data processing for national security purposes). This part will contain the general legal framework for data processing and video surveillance as well as provisions concerning data protection officials for government agencies; concerning the office, tasks and powers of the Federal Commissioner for Data Protection and Freedom of Information; and concerning German representation on the European Data Protection Board. 

Part 2 will contain additional provisions concerning the General Data Protection Regulation, including provisions on processing special categories of personal data, on further processing for other purposes, on data transfers by government bodies and on special processing situations. It will also contain provisions on the rights of data subjects and fines for violations of the General Data Protection Regulation.

Part 3 will implement Directive 2016/680 on data processing by law enforcement and judicial authorities where it has not already been implemented in specialized law. In addition to general provisions on data processing, this part will also contain provisions on the rights of data subjects, obligations of controllers and data transfers to non-EU countries.

Part 4 of the amended Act and the other articles of the proposed legislation will contain special provisions for data processing which is not covered by the EU regulation or directive.

DoppelfooterAural

Publications

Icon: Publikation

Click here to see the publications

all publications