Over the past year, the German government has been working on legislation to implement the EU’s General Data Protection Regulation (GDPR). On July 6, 2017, Germany did so by passing a statute titled the Data Protection Amendments and Implementation Act. The Act repeals Germany’s venerated Federal Data Protection Act (Bundesdatenschutzgesetz, or BDSG) and replaces it with an entirely new BDSG, aptly referred to as the “BDSG-New.” Germany becomes the first EU Member State to pass a GDPR implementation statute. Given Germany’s reputation as one of, if not the, most serious privacy jurisdiction in the EU, the BDSG-New is a critical piece of legislation for companies with EU operations.
Alston & Bird is pleased to provide a five-part, English-language overview of BDSG-New provisions likely to be of significance to companies.
- Part 1: Overview, Drafting History, and Scope of Application
- Part 2: Re-Using Data – Secondary Uses, New Regime for Health Data, and Research and Statistical Processing
- Part 3: Inside the Company – Data Protection Officers and Employee Data Rules
- Part 4: Individual Rights
- Part 5: Oversight, Sanctions, and Lawsuits
These articles are related to a summary of the BDSG-New that Daniel Felz published in Bloomberg BNA Privacy and Data Security Law, 16 PVLR 1190 – click here to read.
This third installment addresses internal compliance topics that German law has strongly influenced, which can affect companies’ operations, and which will become areas of special focus under the GDPR: (1) Data Protection Officers (DPOs), and (2) rules for HR data.
Data Protection Officers (DPOs)
DPOs are a German institution. They were originally introduced as a hybrid strategy for supervising privacy compliance: instead of requiring companies to inform government supervisors about every aspect of their processing, companies were exempted from notification duties if they internally appointed a DPO responsible for supervision. This aided national supervisory authorities who, even in the 1980s, had begun to face an unanticipated avalanche of processing registrations in the wake of the corporate and governmental IT revolution. While some Member States (such as France) left DPOs largely optional and stayed closer to the traditional supervision-through-registration model, Germany mandated DPOs to be appointed in practically every business with 10 or more employees. Over time, DPOs became an integral part of companies’ expected information governance structure as well as broader of German privacy practice.
a. The GDPR Position on DPO Appointments
Given the divergence in Member-State practice, the GDPR adopted a compromise position on DPOs. Article 37(1) of the GDPR requires companies to appoint a DPO only if their “core activities” involve “large-scale” (a) processing of sensitive data or (b) regular and systematic monitoring of EU residents. At the same time – and reputedly at Germany’s request – the GDPR permits EU Member States to pass their own statutes requiring DPOs to be appointed in additional circumstances.
b. The BDSG-New’s DPO Rules
The BDSG-New does just that, electing to continue Germany’s DPO tradition. Still, even within Germany, there appears to have been debate as to how many requirements the BDSG-New should place on companies appointing DPOs. Early drafts contained detailed descriptions of the DPO’s powers and companies’ duties – for example, the Interior Ministry’s August 2015 draft (available in German here) required companies to provide DPOs with all “subordinate personnel, office space, systems, tools, and other means” needed to perform her tasks. The final BDSG-New takes a more modest approach, regulation the DPO’s appointment and her protected status, and leaving regulation of the DPO’s tasks and powers to the GDPR. The following represents a summary of the BDSG-New’s DPO requirements
• Duty to Appoint: Both controllers and processors are subject to appointment obligations. Section 38 BDSG-New requires companies to appoint a DPO whenever:
– They employ at least 10 people whose regular duties include processing personal data;
– Their usual business includes processing data for purposes of transferring the data (e.g. data brokers), transferring the data anonymously, or for purposes of market or opinion research; or
– They conduct processing that requires a Data Protection Impact Assessment (DPIA) under Article 35 GDPR.
The last requirement is the only new addition, and may be of interest because if a company anticipates conducting a DPIA, it must have a DPO in place. In fact, under existing regulatory guidance, the DPO should be consulted for every material aspect of the DPIA. At the same time, almost any company with a German presence will have 10 employees, and for these companies – to paraphrase the Bavarian DPA – not much will change.
• Protected Employment: As has been the case to date, German DPOs will enjoy protected employment. DPOs cannot be fired unless employers can show facts that would permit the employee’s immediate termination for cause. Additionally, for internal DPOs who leave the DPOs position – e.g. to take a full-time position elsewhere in the organization – their protected status continues for a year after the DPOs has left the DPO position.
• Protected DPO Status: In addition to protected employment, the DPO’s status as DPO is protected by the BDSG-New. Under § 6(4) BDSG-New, a DPO cannot be removed from her position as DPO – even if he is not fired – unless the company can document facts analogous to those that would permit immediate for-cause termination in the employment.
• Privilege Preservation: Organizations drafting DPO policies can find themselves evaluating how to preserve applicable privileges, such as the attorney-client or work-product privileges, over matters where the DPO must by law be involved – especially if the DPO is not a licensed attorney. The BDSG-New maintains one currently-existing German privilege-preservation rule that may help guide companies’ DPO structuring: If the DPO learns any matter over which the company’s management or any company employee could claim a privilege, then (a) the DPO can also assert the privilege, and (b) the DPO does not ‘own’ the privilege, but rather the non-DPO employee who otherwise ‘owns’ the privilege decides whether it should be waived.
• New Standard for DPO Activity: While much remains the same for DPOs, the traditional German lodestar for DPO activity disappears under the BDSG-New. To date, German statutes have required DPOs to “work toward compliance with applicable data protection law” within their companies. Article 37 of the GDPR will now require DPOs to “monitor compliance” within their organizations. Given decades of German practice and the significant DPO powers within the GDPR, this may be a distinction without a difference. But it also arguably may set a new baseline for acceptable DPO behavior.
c. Additional Germany-Specific DPO Guidance from German DPAs
Additional German requirements for DPOs are expected to come from DPA guidance on GDPR and BDSG-New provisions. As an example relevant to many international companies, Article 37(2) GDPR permits corporate groups to appoint a single “global” DPO to supervise all companies within the corporate family. The Hessian DPA has recently formally confirmed that a global DPO can supervise an international company’s German subsidiaries. At the same time, German DPAs have already stated that they expect any such “global” DPO to sit within the EU, unless companies can document she would be more effective from the group’s (non-EU) headquarters. Additionally – as required by Art. 37(2) GDPR and recently reiterated by the DPA of Nordrhein-Westfalen – a global DPO needs to be “readily available” for German DPAs, employees, and third-party data subjects, potentially via a hotline or web form (the NRW DPA’s DPO FAQs are in German here). Lastly, a global DPO needs to have the resources that permit her to communicate in German as needed with DPAs, employees, and third-party data subjects. Language appears to be important to German DPAs. For example, the DPA of Northrhein-Westfalen describes local-language capabilities as part of companies’ duty to make the global DPO “readily available,” implying that a lack of German-language capacity could be grounds for finding a violation of the GDPR’s DPO requirements.
The Hessian DPA also recently issued detailed guidance on DPO obligations under the GDPR and BDSG-New. Several points of potential interests to companies include:
- DPOs’ GDPR duty to cooperate with DPAs does not entail a duty to self-report GDPR violations; instead, the GDPR “exhaustively” sets forth the situations where reporting to DPAs is mandatory (especially through the breach reporting rules of Article 33 GDPR).
- DPOs exercise discretion in assisting companies in making risk-based processing evaluations and decisions. A DPO may commit a breach of duty if she goes beyond her proper discretion, or “insufficiently” weighs business interests and privacy interests – and if she fails to document any risk-balancing that goes into her recommendations.
- DPOs’ ability to “monitor compliance” with GDPR obligations includes the power to evaluate companies’ internal compliance structure, and to point out if she believes the internal “allocation of jurisdiction” is not effective.
The Hessian DPA’s complete guidance is available in German here.
d. Article 29 Working Party DPO Guidance – and the Potential for German Divergences
In addition to guidance from German DPAs, the Article 29 Working Party provided detailed guidance on the GDPR’s DPO requirements earlier this year – see our summary here. A note of caution for any company implementing its DPO obligations is that, while the Article 29 Working Party’s guidance will influence German DPAs’ interpretation of DPO provisions, the German DPAs are not bound by Article 29 Working Party opinions. As an example, the Article 29 Working Party took the position that corporate entities (as opposed to natural persons) could permissibly serve as external DPOs (click here for the Article 29 Working Party’s guidance). The Hessian DPA, however, warns that the German DPAs currently have “differing views” on whether entities can serve as DPOs, and recommends that any company considering nominating an external entity as DPO should pre-clear the appointment with its supervising DPA.
As another example, the Article 29 Working Party took the position that DPOs cannot be personally liable, under the reasoning that the GDPR obligates data controllers, not DPOs, to ensure compliance with the GDPR. In contrast, the Hessian DPA states that because the DPO is subject to duties imposed on her by the GDPR and BDSG-New – and has the potential to breach them – “personal liability of DPOs can be considered in certain circumstances.”
Within large organizations, DPO requirements can become complex, and companies are well-advised to begin planning their DPO office now.
Employee Privacy Rules
At present, Germany’s law of HR privacy primarily comes from § 32 of the current BDSG, together with provisions of other employment-related statutes (such as the Works Constitution Act [Betriebsverfassungsgesetz], which provides for Works Councils), and decisions of the German courts. German privacy organizations have expressed dissatisfaction with what they describe as Germany’s patchwork approach to HR privacy, and have long advocated for a comprehensive employment data privacy statute. In privacy circles, there was some hope that the BDSG-New would be used as an opportunity to enact a comprehensive statutory regime for employee privacy.
However, the BDSG-New sticks to the approach of its predecessor: it contains one paragraph dedicated to “Processing for Purposes of the Employment Relationship.” Nonetheless, the BDSG-New’s § 26 introduces a number of statutory provisions that do not currently exist in German law. Some of these changes have been anticipated by practice, but the BDSG-New provides for their first statutory codification. Among the more salient are:
• General Processing-for-Employment-Purposes Rules Stay Intact. Current German law contains a general permission to process employee data for the establishment, performance, or termination of the employment relationship. Section 26(1) maintains the current law generally permitting processing of employee data as is necessary “for purposes of the employment relationship,” including “hiring,” “performing,” or “terminating the employment contract.” The BDSG-New also goes a step further and indicates in commentary that “necessary” in the HR context does not mean ‘strictly necessary,’ but rather “striking a practical balance” between “the interests of the employer” and “the privacy rights of the employee.” This reflects the case law of German labor courts, and grants both companies and employee representatives flexibility in tailoring processing to their organizations’ HR operations.
• Collective Agreements Remain as a Processing Basis – but Renegotiation Necessary. German labor court decisions have long permitted companies to process data on the basis of collective agreements, one of the more common being Works Council agreements. Section 26(1) BDSG-New maintains the state of the law, stating that collective agreements are a valid processing basis, and adding in commentary that “collective agreements, Works Council agreements or service contracts may continue to constitute a legal basis for rules on employee data protection.”
At the same time, however, Article 88(2) of the GDPR creates new requirements for collective agreements, including works council agreements. The GDPR’s permits companies to use works council agreements to customize their HR processing, but in exchange for flexibility, companies must ensure works council agreements ensure a foundational baseline of employee privacy protection. Specificall, to constitute valid bases for processing employee data, Article 88(2) GDPR requires works council agreements to include “suitable and specific measures” to safeguard “the data subject’s human dignity  and fundamental rights”, particularly regarding (a) transparency of processing, (b) “the transfer of personal data within” a corporate group, and (c) “monitoring systems at the work place.” Many existing works council agreements will lack such provisions, and both the GDPR and BDSG-New suggest the agreement’s validity may depend on including them. The statute contains no exemption for works council agreements concluded before the GDPR and/or BDSG-New – so companies and Works Councils have their work cut out for them.
• Statutory Recognition of Employee Consent. German law formally permits employees to consent to specific processing of their data. Still, German DPAs are traditionally skeptical that employee consents are voluntary, on the reasoning that employees are dependent on their employer and thus under pressure to sign. The BDSG-New gives a nod to this policy, stating that the validity of employee consent should “especially” be evaluated in light of the “dependence of the data subject that exists in the employment context.” However, § 26(2) BDSG-New also introduces new scenarios in which employee consent can be considered voluntary and thus effective, “in particular” when (a) the employee receives an economic or legal benefit by consenting, or (b) the interests of the employee and employer are aligned. The statute’s commentary provides further guidance on these consent scenarios:
– An “economic benefit” that can support consent is present when a company (a) introduces an occupational health management or support program, or (b) permits private use of company IT systems. The latter point – if adopted by the German DPAs and courts – will be of interest to companies asking their employees to consent to monitoring of private email and Internet use, since valid consent to monitoring of private use can prevent companies from running afoul of German telecommunications secrecy requirements.
– “Aligned interests” that can support consent are present when the company and employees work together to add employees’ names and birthdays to a company birthday list, or to use photographs of employees for an Internet website.
– In determining whether consent is voluntary, companies should also consider the point in time at which consent is asked for – “prior to the conclusion of an employment contract, employees will regularly be subject to greater pressure to consent to processing of their data.”
Consent must be in writing (or, if special circumstances are present, in any other appropriate form), which in Germany generally means countersigned and on paper, or electronic with an e-signature. Companies must also inform employees about their right to withdraw consent.
• Sensitive Data Processing without Prior Consent. Often, companies with German employees must process sensitive data, such as occupational medicine data or religious data processed for taxation purposes. The GDPR introduces the possibility for Member States to pass laws permitting processing of sensitive data without consent in the employment context, and the BDSG-New takes advantage of this provision. Section 26(3) BDSG-New provides that employers can process sensitive data about employees (a) to manage the employment relationship, or (b) to exercise rights or fulfill duties of employment law or social-services law – so long as the employee’s privacy interests do not override the company’s interest in conducting the processing. To take advantage of this new exemption, companies will need to build processes around sensitive data uses, documenting what data they are processing and why they believe their interests outweigh those of employees. Where employee interests override, the company must likely either obtain consent as outlined above or formalize an arrangement with the Works Council.
• Core GDPR Guarantees Must be Integrated to HR Processes. The BDSG-New is careful to make sure that the flexibility it grants companies regarding HR data – e.g. by creating customized processing rules under works council agreements, processing sensitive data without consent, or obtaining valid employee consents – does not undermine baseline GDPR privacy protections. Section 26(5) requires all controllers to implement “suitable measures” to ensure that, regardless of the basis of processing, the principles of Article 5 GDPR are complied with. These principles include (a) purpose limitation, (b) transparency, (c) lawfulness of processing, (d) data minimization, (e) accuracy, (f) storage limitation, (g) confidentiality, and (h) integrity/security. Essentially, § 26(5) BDSG-New makes reference to these principles a mandatory part of any works council agreement or collective wage agreement – or, for companies without works councils or unions, a mandatory section within the internal HR policies and procedures.
• Employee Monitoring Rules Stay in Force. Companies based outside the EU can operate under the presumption that employees have no expectation of privacy in their use of corporate IT assets, and can thus be surprised by the restrictions on employee monitoring in Germany. The BDSG-New maintains Germany’s current regime, which only permits employees to be monitored when the company can document reasons to believe the employee is engaged in criminal conduct, or – as recently confirmed by the German Supreme Court – has or is committing a serious breach of her duties. In practice, works council agreements often set additional rules and procedures, such as consulting with HR and the Works Council prior to conducting any monitoring that goes beyond spot testing; initially pseudonymizing results while determining whether wrongful conduct is actually occurring; and restricting who can re-identify monitoring data. Even when monitoring is permitted, companies should take care to ensure it is conducted in a privacy-protective and proportionate manner – a recent decision of Germany’s Supreme Labor Court ruled that monitoring an employee’s activity with a keylogger that captured every single typing movement violated the employee’s privacy, and the log data could not be used to terminate the employee (the Court’s official press release is available in German here). Under the GDPR, employees such as the employee in the “keylogger” case will have a right to sue for non-material damages to remedy the harm to their privacy interests.
Additionally, non-German companies should be aware that Works Councils have co-determination rights over any technology which could be used to monitor employees – such as common security or data-loss applications – regardless of whether the company is actually planning to use the technology for that purpose. As a result, monitoring will likely continue to be an area where companies will need to stay in proactive communication with Works Councils. Non-Economic Damages Suits. Although lawsuits will be discussed in further detail in Part 5 of this series, it bears mentioning that the GDPR grants employees a right to sue their employers for data protection violations, and under the GDPR, they may recover non-economic damages. Employees are more likely than other types of plaintiffs to have access to the type of evidence they need to prove their claims, and disputes with employees are generally more likely than suits from external third parties. Additionally, employers may not be able to fire employees merely because the employee filed a data-protection claim against the employer.
• Definition of “Employee.” Section 26(8) defines who qualifies as an “employee” for purposes of HR privacy. The section largely adopts the definition contained in the current BDSG. However, it also adds that “temporary employees” (Leiharbeiter) are considered employees for privacy purposes both in regards to the company at which they are working, as well as in regards to their employing agency.
* * * * *