Germany Approves New Federal Data Protection Act

Germany’s Federal Assembly has approved the new Federal Data Protection Act with amendments (in German only), which is set to replace and adapt current German data protection laws to align with the EU General Data Protection Regulation (GDPR). The Act now awaits signature by the German President to become law. Once signed, the Act will go into force on May 25, 2018, the same day as the GDPR.

The GDPR allows member states flexibility in certain areas to further specify the GDPR’s application. As a result, local variations among member states will still exist regardless of the GDPR’s goals for harmonisation. Here are a few of the variations found in Germany’s new Act.

Expanded Scope

The law will apply to the processing of personal information that takes place in Germany, regardless of whether a controller or processor is established in Germany. Interestingly, the Act also attempts to apply to controllers or processor not established in the EU or EEA but who offer goods or services to individuals in the EU or monitors their behavior. In this way, the Act mirrors the GDPR and could create controversy as it attempts to regulate activities taking place in member states other than Germany.

Sensitive Personal Data

Article 22 provides instances in which sensitive personal data (e.g. special categories of data) may be processed. Some of these instances include:

  • When necessary to ensure the rights of social security and social protection;
  • For the purpose of healthcare, assessing the working capacity of an employee, or for medical diagnosis, care or treatment in the health or social sector;
  • For the management of systems and services in the health and social sector or on the basis of a patient relationship with a health professional;
  • For medical personnel to carry out their duties of confidentiality;
  • For reasons of public interest in the field of public health, such as protection against serious cross-border health threats or to ensure high quality of, and safety standards in, healthcare and pharmaceuticals and medical devices;
  • To comply with professional and criminal law requirements for the protection of professional secrecy

Additional Purposes

Article 23 and 24 of the Act expands upon Article 6 of the GDPR by allowing for personal data to be processed for additional purposes that are incompatible with the original purpose, if the additional purpose “is necessary to assert, pursue, or defend civil law claims” of the controller, so long as it is not overridden by the interests of data subjects.


Under Article 4(11) of the GDPR, one of the requirements for consent to be valid is that it be freely given, and due to the unbalanced nature of the employment relationship, it is unclear whether consent can be genuinely freely given in this context. In Article 27 of Germany’s new Act, however, consent may be considered freely given in the employment context in certain circumstances. For example, when the employee achieves some legal or economic advantage, or if the employer and the and employee have the same interests.

Mandatory DPO

Article 37(4) allows for member states to specify instances in which controllers and/or processors must designate a data protection officer (DPO). Article 38 of the new Act takes advantage of this flexibility in the GDPR and requires designation of a DPO in the following circumstances (in addition to the GDPR):

  • When at least ten employees of a controller or processor regularly conduct automated processing of personal data;
  • When engaged in high-risk activities mandating a data protection impact assessment (DPIA) under Article 35 of the GDPR;
  • When engaged in the processing of personal data on a commercial basis for the purposes of market or opinion research


The Act also includes criminal sanctions and increased prison sentences (up to three years) for violations of of certain provisions. For example, for intentionally transferring or making available a large number of personal data, without authorization, to third parties with intent to make a profit.

Final Thoughts

The law has been criticized as interfering with the GDPR’s harmonisation goals, and this could be a point of conflict between Germany and the EU Commission going forward. With the GDPR less than a year away, it will be interesting to see how this potential conflict might be addressed.

Ultimately, companies will need to take note of these local variations, in addition to the GDPR itself, as they ready their compliance efforts. As always, OneTrust will continue to track these developments as they become available.

Update: On 5 July 2017, the new German Federal Data Protection Act has been signed by the German Federal President and published in the Federal Law Gazette.