German Parliament and the Federal Council have given consent to a new Federal Data Protection Act. The objective behind the draft is to align German data protection law to the European General Data Protection Regulation (“GDPR”), which will be applicable as of May 25, 2018. The new law is intended to replace the existing Federal Data Protection Act with an identically named new act.
On the whole, German legislator preserves the Germany’s existing Federal Data Protection Act further; FDP is also making ample use of the GDPR opening clauses. The draft contains specific provisions on the following key topics (amongst others):
- Processing of employee data. The draft mainly reflects the currently applicable provisions on the processing of employee data. In addition, it states that employee consent is under certain circumstances a valid option. However, such consent must in principle be obtained in written form.
- Automated decision making. The draft permits automated decision making in insurance relationships and provides that automated decision making may also be based on sensitive personal data.
- Rating agencies and scoring. The draft contains provisions on the processing of personal data by rating agencies and for scoring purposes, essentially reflecting the currently applicable law.
- Data subject rights. Importantly (and controversially), the draft restricts the broad rights of a data subject granted by the GDPR (eg, the broad information obligations and rights for deletion).
- Data protection officer: The draft contains provisions basically requiring every data controller to appoint a data protection officer (similar to the current position in Germany).