Data Protection Academy » Data Protection Wiki » What is the BDSG - new?
The new Federal Data Protection Act (BDSG-new)
The Federal Data Protection Act-new (BDSG-new for short) is the central supplement to the General Data Protection Regulation (GDPR) and came into force at the same time as the GDPR in 2018. The BDSG-new also replaced the previously central German data protection law BDSG-old and concretises the GDPR at national level. The new BDSG only applies if the GDPR cannot be applied due to opening clauses and the like. So-called "opening clauses" offer individual member states of the European Union a certain amount of leeway in the implementation of data protection.
Most important information on the BDSG
- The BDSG is the abbreviation for the "Federal Data Protection Act"
- The new BDSG came into force in 2018 and supplements or concretises the General Data Protection Regulation (GDPR) at national level
- The BDSG regulates the handling of personal data, Employee data protection, data subject rights, scoring and credit checks
Content on the BDSG:
What forms the basis of data protection in Germany?
As in all EU member states, the basis for data protection is provided by the General Data Protection Regulation as directly applicable law. If the GDPR does not set out any specific data protection requirements, the BDSG-new will apply in Germany.
GDPR and BDSG-new: What is the relationship between them? What is the difference between BDSG and GDPR? What happens if the BDSG and GDPR contradict each other?
As a European legal framework, the General Data Protection Regulation (GDPR) applies in all EU member states and therefore takes precedence over national regulations. One of these national laws is the new Federal Data Protection Act (BDSG-new), which applies exclusively in the Federal Republic of Germany.
The provisions of the BDSG apply where the GDPR deliberately leaves provisions open or omits them. As a result, it serves as a concretisation or supplement to the General Data Protection Regulation. One example of this is the provisions of the penal provisions, which are § 42 BDSG-new, instead of the GDPR. The reason for this is that only provisions on fines can be made at European level.
If the GDPR and BDSG-new contradict each other, e.g. as a result of a revision of the GDPR, the GDPR shall take precedence over the BDSG-new.
What is the purpose of the BDSG?
The purpose of the Federal Data Protection Act is to concretise or supplement the General Data Protection Regulation at national level.
How do the old and new Federal Data Protection Acts differ?
The main difference between the old and new Federal Data Protection Act is their respective scope of application. While the old Federal Data Protection Act was still an independent law that did not need to be implemented, the new BDSG is a directly applicable law that serves to supplement and concretise the GDPR. As a result, it is only applicable in conjunction with the General Data Protection Regulation.
Who does the new BDSG apply to?
The first paragraph deals with who the new Federal Data Protection Act applies to. The new BDSG applies to public bodies, but also to non-public bodies, provided that
- the controller or processor individual-related data processed domestically,
- the processing of personal data takes place in the context of the activities of a domestic establishment of the controller or processor, or
- the controller or processor does not have an establishment in a Member State of the European Union or in another state party to the Agreement on the European Economic Area, but falls within the scope of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1; L 314, 22.11.2016, p. 72).
BDSG: these are the legal obligations
When the new Federal Data Protection Act came into force, a number of new data protection regulations were introduced. For example, companies may be obliged to appoint a data protection officer if aspects of § 38 BDSG-new apply to the company.
Compliance with the BDSG
If a company violates the provisions of the new BDSG, this will result in severe fines. In addition, there is a loss of trust and image among customers, business partners and employees.
To prevent this and to help your company implement data protection legislation, it is advisable to appoint a data protection officer.
Are you interested in an external data protection officer? We at Robin Data will be happy to help you.
Appointment of a data protection officer
The GDPR specifies when a data protection officer must be appointed in Article 37 regulated. Only a few forms of data processing that require the appointment of a data protection officer arise from the conditions set out there.
In Germany, the appointment of data protection officers is regulated by § 38 BDSG-new regulated. A data protection officer must be appointed,
- if at least 20 persons are permanently involved in the automated processing personal data are employed,
- processing operations that are subject to a data protection impact assessment in accordance with Article 35 are subject to
- Personal data is processed for the purpose of transmission, anonymised transmission or for the purposes of market or opinion research
This is also a difference to the old Federal Data Protection Act, which required the appointment of a data protection officer if more than 20 people were employed. In contrast, the new BDSG does not include the regulation regarding non-automated data processing.
External Data Protection Officer
You are welcome to contact us as external data protection officer (DPO) order. We also offer individual consulting services as well as audits and will be happy to provide you with a non-binding offer. You can find more information about our external data protection officers on our website.
What does the new BDSG say? - What is it all about?
The new Federal Data Protection Act is divided into four parts:
- Part 1: General provision
- Part 2: Concretisations and additions to the General Data Protection Regulation in six chapters:
- Chapter 1: Legal basis of the Processing of personal data
- Chapter 2: Rights of the data subject
- Chapter 3: Obligations of controllers and processors
- Chapter 4: Supervisory authority for data processing by non-public bodies
- Chapter 5: Sanctions
- Chapter 6: Legal remedies
- Part 3: Implementation of the EU Data Protection Directive for police and justice (EU 2016/680)
- Part 4: Provisions that fall neither under the Justice and Police Directive nor under the GDPR
Data protection in the employment relationship
Article 88 GDPR is entitled "Data processing in the employment context", but does not contain any specific provisions on employment data protection. Instead, the article instructs EU member states to adopt specific regulations themselves.
In Germany, the regulations on the legal basis for data processing and consent in the work context are set out in § 26 BDSG-new ("Data processing for the purposes of the employment relationship").
After that the Processing of personal data of employees is permitted if it
- For the decision on the establishment of an employment relationship,
- Within the employment relationship for its implementation or termination,
- or is necessary for the exercise or fulfilment of the rights and obligations of the employee representative body arising from a law or a collective agreement, a works or service agreement (collective agreement).
Paragraph 2 of the paragraph regulates the voluntary nature of consent in this respect. The existing dependency of the person employed and the circumstances must be taken into account. Accordingly, consent can be given voluntarily if
- a legal or economic advantage is achieved for the person employed
- Employer and employee pursue similar interests
Such consent is required according to § Section 26 (2) BDSG-new in writing, whereby the employer must inform the employee of the purpose of the data processing and their right to withdraw consent (in accordance with Article 7(3) of Regulation (EU) 2016/679).
The following are considered employees in accordance with paragraph 8:
- Employees (including temporary workers in relation to the hirer),
- Employees for their vocational training,
- Participants in benefits for participation in working life and in clarifications of professional aptitude or work trials (rehabilitants),
- people employed in recognised workshops for disabled people,
- Volunteers performing a service in accordance with the Youth Volunteer Service Act or the Federal Volunteer Service Act,
- Persons who are to be regarded as employee-like persons due to their economic independence; these also include persons working from home and persons treated as such,
- Federal civil servants, federal judges, soldiers and persons performing civilian service.
- Applicants for an employment relationship and persons whose employment relationship has ended
Scoring and credit reports
The new Federal Data Protection Act defines scoring in § Section 31 (1) as:
Use of a probability value about a certain future behaviour of a natural person for the purpose of deciding on the establishment, performance or termination of a contractual relationship with this person
It is permissible if
- the provisions of data protection law have been complied with,
- the data used to calculate the probability value are demonstrably significant for the calculation of the probability of the specific behaviour on the basis of a scientifically recognised mathematical-statistical procedure,
- address data were not exclusively used for the calculation of the probability value and
- in the case of the use of address data, the data subject has been informed of the intended use of this data before the probability value is calculated; this information must be documented.
Credit reports are subject to the same conditions mentioned above. In addition, there are certain requirements that must also be taken into account. Further information can be found in § Section 31 (2) BDSG-new.
Consumer loans
Consumer loans are granted in § 30 of the new Federal Data Protection Act and are closely related to scoring and credit reports. Paragraph 2 stipulates that data subjects must be informed if a loan is refused on the basis of creditworthiness information obtained. In addition, data subjects must also be informed about the information obtained together with the information about the rejection.
Penalties and fines
- § 42of the new Federal Data Protection Act supplements the Article 83 GDPR prescribed sanctions by penal provisions. These steps must be taken by a national law, which the EU General Data Protection Regulation is not authorised to do.
The new BDSG provides for the following sanctions:
- Imprisonment of up to three years or a fine for transferring to third countries or otherwise making available a large number of personal data.without being authorised to do so. The legal text does not specify when a "large number" is deemed to exist and must be determined by the courts on a case-by-case basis.
- Imprisonment of up to two years or a fine if personal data is processed without authorisation or obtained by providing incorrect information with the intention of enrichment or damage
The new BDSG also regulates fines that go beyond the GDPR. For example, in ( § 43 BDSG-new 2 cases regulated. An offence is committed by anyone who intentionally or negligently
- against § Section 30 (1) BDSG-new a request for information is not handled correctly or
- contrary to Section 30 (2) sentence 1, fails to inform a consumer or fails to do so correctly, completely or in good time.
Both cases can be penalised with fines of up to €50,000, although no fines are imposed on authorities and other public bodies.
- Internal control system - 10 September 2024
- TISAX requirements: Prepare certification step by step - 8 January 2024
- Audit management: Implementing audits more efficiently - 26 October 2023