On June 30, 2017, Germany passed its new Federal Data Protection Act (Datenschutz-Anpassungs- und -Umsetzungsgesetz EU) (the "Act"). The Act implements the European General Data Protection Regulation (GDPR) and will enter into force on 25 May 2018. It will replace the former German Data Protection Act (BDSG), which has been in force for nearly four decades. Although the Act is only a supplement to the GDPR, it includes various additional provisions that need to be followed.

  • The appointment of Data Protection Officers (DPOs)
  • Employee data protection
  • Sensitive personal data
  • The rights of data subjects
  • The change of the purpose of processing
  • Video surveillance
  • Fines and sanctions
  • Creditworthiness and scoring

As an EU regulation, the GDPR will be directly applicable and prevail over the Act. The new Act will be the principal legal act for adapting the strongly differentiated German data protection law to the GDPR. More specific national legal acts will also be passed for areas such as personal data in the context of registration, tax or health. The data protection laws of the German Federal States (Bundesländer) will also be adapted. The Act, which contains 85 sections, will always need to be read in relation to the GDPR.

Additional details on the Act may be found by reading our Client Alert.