German Parliament Passes New Federal Data Protection Act in Preparation for GDPR

The German Parliament has passed a new Federal Data Protection Act (FDPA) intended to adapt current German data protection laws to align with the EU General Data Protection Regulation (GDPR).

Under the GDPR, Member States have some flexibility in passing local laws to further specify the GDPR’s application. Germany is the first to do so, and more EU Member States are expected to follow in its footsteps soon.

Key Provisions:
The FDPA seeks to preserve certain aspects of its predecessor (which has been in place for over 40 years) regarding the protection of employee data. Key provisions include:

  • Clarification of the GDPR’s legal bases for processing, identifying specific circumstances in which companies may rely on legitimate interests of the controller for purposes of creditworthiness profiling and video surveillance;
  • The removal of certain restrictions placed by the GDPR on how individuals can exercise their rights to be informed, to object, and to be forgotten;
  • Limitations on data subjects’ rights regarding data processed for research purposes;
  • Special requirements on certain types of processing of employee data, including legal grounds for internal investigations, and clarification on whether an employee is able to give voluntary consent;
  • The provision for works council agreements to remain a valid legal basis for processing, so long as the agreements are amended to comply with the GDPR and the FDPA;
  • Strict conditions on when and how internal investigations can be conducted, including requirements to document factual indications and to ensure that the employee has no overriding interest;
  • Entitlement of data subjects to make claims for non-pecuniary damages; and
  • Limitations on fines for violations of German-specific rules to € 50.000 per violation.

Next Steps:
Some authorities and other outlets have criticized the law as exceeding the scope of the GDPR and the goals of harmonization. It is therefore possible that the EU Commission could pursue infringement proceedings, but this remains speculation at this point.

The FDPA will be subject to approval by the German Federal Council before final adoption. If approved, it will come into force the same day as the GDPR—25 May 2018. It is quickly becoming apparent that while harmonization is the goal of the GDPR, there are still going to be some local variations among Member States. Therefore, companies will need to focus not only on the GDPR itself, but also on national law, as they prepare their compliance efforts.