By Florian Thoma
The amendments to the Federal Data Protection Act (FDPA; in German: Bundesdatenschutzgesetz - BDSG) passed parliament (the Bundestag) on July 3, and on July 10 the second chamber (the Bundesrat - Federal Council) decided not to raise objections. The act now only needs the President's signature and promulgation. With limited exceptions, it will enter into force on September 1, 2009.
The act is largely a reaction to recent data protection breaches involving a number of high-profile German companies, in particular retailer Lidl, Deutsche Telekom, and Deutsche Bahn (German Railways).
- The principles of data avoidance and data economy (collecting and using as little personal data as possible) are extended from automated data processing systems to all collection, processing, and use of personal data. Further, personal data is to be anonymized or pseudonymized unless the effort to do so is disproportionate (sect. 3a).
- Market research and opinion polling companies are required to register their systems with the Data Protection Authority (DPA) and it is mandatory for such companies to appoint a data protection officer (which is a change only for small companies that, until now, were exempt) (sect. 4d para. 4, sect. 4f para. 1).
- The data protection officer now enjoys protection against dismissal while in office and for one year thereafter (unless the employer would be entitled to terminate without notice for cause), and must be given the opportunity to attend seminars and similar training, paid for by the employer, to keep up to date with data protection developments (sect. 4f para. 3).
- Sect. 11 para. 2 was completely rewritten in a last-minute change and now sets out detailed requirements on the topics that written agreements between controllers and processors must cover. This will be one of the big challenges for companies, because the change also applies to contracts concluded before September 1. In particular, the following topics must be addressed:
o subject and duration of the services to be provided;
o the types of data, the categories of data subjects, and the type, extent, and purposes of the collection, processing, and use of the data;
o technical and organizational measures to protect personal data in accordance with sect. 9 of the act;
o the correction, deletion, and blocking of data;
o the duties of the processor under the act's sect. 4, in particular the checks the processor must carry out on the services;
o whether the processor is entitled to engage subcontractors;
o control and audit rights of the controller and the respective cooperation and toleration duties of the processor;
o the handling of data breaches and of breaches of contractual duties by the processor or its staff;
o the extent of the controller's right to issue instructions to the processor; and
o deletion of data and/or the return of media following termination of the processing services.
- Sect. 11 para. 2 also extends the controller's supervisory duties. The previous wording was rather vague; the act now requires the controller to verify the processor's compliance before processing begins and at appropriate intervals thereafter. These checks must be documented, and missing documentation is an offense punishable by a fine of up to 50,000 Euro.
- The “core” of the reform was substantially watered down in the parliamentary debate. Legislators started with the idea of completely abolishing the so-called “list privilege,” which allowed the transfer, sale, and use of list data (titles, name and address, year of birth), and replacing it with a strict opt-in principle for commercial communications and advertising. In the end, however, sect. 28 para. 3 allows the use of personal data for advertising, marketing, and opinion polling purposes if (a) the data subject has consented in writing or in the specific alternative forms provided for by sect. 28 para. 3a, or (b) list data (limited to names, addresses, titles, job functions, year of birth) is derived from public sources and used to market one's own products or third-party products, or is transferred to third parties for their own advertising; in the latter two cases the advertisement must indicate where the data originated (sect. 28 paras. 3, 3a). Further, there are a number of formal requirements regarding the right to object and the form of the notice and consent requirements.
- The controller may not “bundle” a contract with the data subject's consent where the data subject has no alternative way of obtaining comparable goods and services elsewhere (sect. 28 para. 3b).
- An entirely new sect. 30a on market research and opinion polling excludes the use of such data for other purposes and requires anonymization as soon as practicable.
- A new sect. 32 limits the use of employees' data (including applicant data) to what is required to decide whether to enter into an employment relationship, to perform it (e.g. salaries, tax and social security requirements, assignments, career development), and to terminate it. In particular, using data to investigate criminal conduct by employees requires documented evidence giving rise to suspicion, and the employer's interest in the investigation must outweigh the interests of the suspected employee (the means must be proportionate to the goal, i.e. no excessive collection and use of data on an employee for minor wrongdoing).
- Sect. 3 of the FDPA adds a new definition of “employees,” which influences the scope of new sect. 32.
- Sect. 38 para. 5 extends the DPA's powers. In the past they were limited to requiring additional technical and organizational measures; the DPA can now order changes and amendments to systems and, in the case of non-compliant processing, shut down the system in question altogether.
- Sect. 42a introduces a U.S.-style security breach notification duty for the private sector where sensitive data (special categories of data, data relating to criminal acts and offenses, data subject to professional secrecy duties, bank account information) has been unlawfully accessed by or transferred to a third party and serious adverse consequences for the data subjects are imminent. Both the DPA and the data subjects must be notified without undue delay.
- Sect. 43 adds some new offenses and raises fines (from 25,000 Euro to 50,000 Euro for “minor” cases and from 250,000 Euro to 300,000 Euro for serious ones). Where appropriate, fines can be set higher still to cancel out any economic advantage gained from the non-compliance.
- Sect. 47 provides transitional periods: for advertising and marketing, the new rules apply from April 1, 2012, and for market research and opinion polling from April 1, 2010, but in both cases only with respect to data collected before September 1, 2009. Data collected on or after September 1, 2009 is subject to the new rules immediately.
In addition to this act, the Federal Data Protection Act will change again as of April 1, 2010, due to another recent act intended to limit the use of scoring techniques (in particular credit scores, derived statistically from a larger number of individual values to express a person's creditworthiness, as well as consumer scores), to increase transparency about the data used in such scores where scoring is applied, and to strengthen data subjects' rights.
Thoma is the chief data protection officer at Siemens AG.
See page 22 for a global review of opt-in versus opt-out requirements for digital marketing initiatives.