
Federal Data Protection Act

The German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) is Germany's national data protection law that supplements and specifies the GDPR wherever the latter grants the member states regulatory leeway through opening clauses.

The German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) in its version applicable since 25 May 2018 is the central national legal basis of German data protection law. It does not stand alongside the General Data Protection Regulation (GDPR) as an independent regime, but rather supplements and specifies it: as directly applicable EU law, the GDPR takes precedence, yet it contains numerous so-called opening clauses that permit or require the member states to adopt their own rules. The BDSG fills exactly these gaps for Germany. Anyone seeking to understand the obligations of a controller must therefore always read the GDPR and the BDSG together.

The Act is divided into four parts: common provisions (Part 1), implementing provisions for processing within the scope of the GDPR (Part 2), transposition of the so-called Law Enforcement Directive for police and justice authorities (Part 3), and special provisions for processing outside the scope of Union law (Part 4). The provisions most relevant in practice for businesses concern the appointment of a data protection officer (Section 38 BDSG), employee data protection (Section 26 BDSG), restrictions on data subject rights (Sections 32 et seq. BDSG), as well as video surveillance and scoring.

A key German particularity is the obligation to appoint a data protection officer: under Section 38 BDSG, a controller or processor must appoint a data protection officer as soon as, as a rule, at least 20 persons are constantly engaged in the automated processing of personal data - a headcount threshold the GDPR itself does not contain. Independently of that threshold, Section 38 BDSG also requires an appointment where the processing is subject to a data protection impact assessment under Article 35 GDPR, or where personal data are processed commercially for the purpose of transfer, anonymised transfer, or market or opinion research. Infringements of the BDSG may be penalised as an administrative offence under Section 43 BDSG or, in serious cases, even prosecuted as a criminal offence under Section 42 BDSG, in addition to the fines under the GDPR. For compliance practice, the BDSG is therefore the indispensable national building block alongside the European framework.

Legal Basis

German Federal Data Protection Act (BDSG) of 30 June 2017; supplementing Regulation (EU) 2016/679 (GDPR), in particular its opening clauses; relevant provisions include Sections 26, 38, 42, 43 BDSG

Practical Example

A medium-sized company with 35 employees, 24 of whom regularly process personal data in CRM and ERP systems, reviews its data protection obligations. The GDPR alone (Article 37) does not impose a mandatory obligation to appoint a data protection officer on a company of this kind. Only a look at the BDSG reveals that, because at least 20 persons are constantly engaged in automated data processing, Section 38 BDSG applies and the company must appoint a data protection officer. The compliance officer documents the threshold assessment (headcount, which roles count as "constantly engaged", and the date of the review), appoints an internal or external data protection officer, publishes the officer's contact details, and communicates them to the competent supervisory authority as required by Article 37(7) GDPR. The assessment should be repeated whenever headcount or processing activities change, since the obligation attaches as soon as the threshold is reached.

FAQ

How do the GDPR and the BDSG relate to each other?
The GDPR is directly applicable EU law and takes precedence. The BDSG is the national German act that supplements and specifies the GDPR wherever the latter permits national rules through opening clauses. Both apply in parallel and must be read together.

When must a data protection officer be appointed under the BDSG?
Under Section 38 BDSG, a data protection officer must as a rule be appointed when at least 20 persons are constantly engaged in the automated processing of personal data. This threshold is a German particularity and goes beyond the requirements of the GDPR.

What sanctions does the BDSG provide for?
Infringements of the BDSG may be penalised as an administrative offence with a fine under Section 43 BDSG, and in serious cases even prosecuted as a criminal offence under Section 42 BDSG. These sanctions apply in addition to the GDPR fines under Article 83, which can reach up to 20 million euros or 4 percent of total worldwide annual turnover of the preceding financial year, whichever is higher.
