5 Things CIOs Need to Know About BDSG-new
- Maor Cohen
- 4 minute read
Germany has been at the forefront of data protection for decades. In 1970, the state of Hessen, in Germany, introduced the idea of data protection enforcement through legislation. The Hessian Data Protection Act known locally as Datenschutzgesetzgebung was the world's first data protection law.
A federal version of the act followed 7-years later, with the German Federal Data Protection Act, aka the Bundesdatenschutzgesetz – BDSG. This was early days for the concept of data protection and, as such, ground-breaking work.
In the following decades, the BDSG was amended. In 1990, the act adopted a new data protection law based on the decision of the German Constitutional Court. In 2001, the BDSG implemented the provisions within the 1995, EU Data Protection Directive 95/46/EC. Further updates and amendments were made in the intervening years to BDSG until the latest updates to reflect the privacy requirements of the EU’s General Data Protection Regulation (GDPR). On 25 May 2018, to coincide with the enactment of GDPR into law, the German legislator drafted the “BDSG-new”. This new law replaces the older BDSG and has provisions for both the GDPR and to reflect the EU-Privacy Directive for Police and Justice (EU-Directive 2016/680).
BDSG-new is a result of the need to harmonize with the GDPR whilst ensuring provisions to supplement the GDPR for a German audience.
The new version of BDSG has come about to encourage a more privacy-respectful but business-friendly approach to data protection.
Need to Know 1: The Differences between GDPR and BDSG-new
The GDPR makes provision for an EU country to enact national legislation that restricts or expands the scope of the GDPR’s requirements. Whilst the BDSG-new aligns with GDPR for the most part, it does amend some of the GDPR requirements for local use.
The main areas of amendment in the BDSG-new are in the areas covering:
Appointment of data protection officers (DPO)
BDSG-new has stricter regulations on the appointment of a DPO than the GDPR. Under BDSG-new, companies employing more than 10 people to handle automated processing of personal data, MUST appoint a DPO.
Employee data protection
BDSG-new requires that employees give written consent for employment-related data processing (in most cases). This is in contrast to GDPR which, generally, does not require consent to be in written form.
Processing of special categories of personal data
BDSG-new provides an exemption to the general prohibition of processing sensitive data as described in Article 9 of the GDPR. This particularly applies to the processing of health data for companies in the private sector.
Limiting the scope of data subjects
This is limited under BDSG-new in favor of business-friendly rules. An example is the data subject right to be informed of data processing (Article 13 of GDPR). This may be limited in cases where this information given to a data subject could have a negative impact on a legal defense by a data controller.
Other amendments to GDPR in BDSG-new include:
● Processing personal data for scientific or historical research purposes and for statistical purposes.
● Processing personal data in the employment context.
● Imposing administrative fines and criminal sanctions.
● Processing criminal conviction or offense data.
● Processing personal data for secondary purposes.
The GDPR is considered a ‘superior law’ and so BDSG-new does not apply if the GDPR is applicable - see Section 1 (5) of BDSG-new “The provisions of this Act shall not apply where the law of the European Union, in particular Regulation (EU) 2016/679 in the applicable version, directly applies.”
Details of each provision amendment can be found in the BDSG, Bundestag, Drucksache 18/11325.
Need to Know 2. Requirements under BDSG-new
The BDSG is split into four parts:
Part 1: General Provisions
Part 2: Implementation Provisions for Processing Pursuant to the GDPR.
Part 3: Implementing Provisions for Processing Pursuant to the Law Enforcement Directive.
Part 4: Processing in the Context of Activities that Do Not Fall within the scope of the GDPR or the Law Enforcement Directive.
Who it applies to?
The BDSG-new impacts both private and federal-public institutions and public authorities of the federal states. BDSG-new also applies to non-public places, provided that the controller or processor processes personal data in Germany.
Within the rules of the BDSG-new are some specific requirements for private companies:
- In line with the GDPR, BDSG-new is applied to the processing of personal data by automated means (even if only in part) and by non-automated means (e.g. manual processing) if it is intended to be part of a filing system (Section 1 BDSG-new). The law does not apply to data processing in a private context.
- In terms of territorial scope, the BDSG-new applies to controllers and processors that process personal data in Germany or that process personal data in the context of the activities of a German organization or that are not based in Germany, but fall under the scope of the GDPR, e.g., offer goods and services to data subjects in Germany (see Section 1).
Need to Know 3. Potential Fines and Penalties
Article 83 of the BDSG states that:
“If a controller has caused damage to a data subject by processing personal data that was unlawful under this Act or other regulations applicable to its processing, he or his legal entity is obliged to compensate the data subject.”
Section 40 of the BDSG limits penalties for violations of the regulations contained in Article. 83 to Euro 300.000. Fines can be issued for “Anyone who acts willfully or negligently acts in an improper manner” Prison sentences of up to two years can also be set if there is evidence of deliberate violation.
Need to Know 4: How BDSG-new Affects Companies that Store Data in the Cloud
Under BDSG-new (and GDPR) the data controller, i.e., the party that gathers and processes data on behalf of a data subject (e.g., customer) is responsible for ensuring that personal data is processed in compliance with the regulation.
The BDSG-new is about protecting personal data, no matter where it resides. If you have cloud-based data, you will need to comply with the BDSG to ensure that data is protected at all times throughout the lifecycle of the data.
Whilst BDSG-new does not mandate any particular security measure, it does state that an organization must use “appropriate and specific measures...to safeguard the interests of the data subject”. One of the suggested measures under this statement is:
“the encryption of personal data”
The legislation also strongly suggests under “Section 64: Requirements for the security of data processing” using
Zero Trust Encryption is a best-of-breed solution that ensures the security of data throughout its lifecycle and can be used to help comply with BDSG-new.
Need to Know 5: Companies with IT Centers/Servers Exclusively in Germany
If an organization has an IT Centers/Servers within Germany it will still need to ensure that, as a data controller, the organization must use the appropriate measures to protect personal data, e.g., a Zero Trust Encryption solution.
BDSG-new falls into line with the GDPR on many counts. However, it expands some of the requirements, particularly in regard to employing the services of a Data Protection Officer (DPO) to oversee enforcement. The protection of data in the cloud can be challenging as it moves between apps and resides in cloud repositories that may seem out of the control of your organization. However, by using a Zero Trust Encryption approach you can maintain control over your data, throughout its lifecycle.
For more information on a zero trust architecture click here