On February 7, 2024, the German Federal Cabinet approved a bill amending the Federal Data Protection Act (“BDSG”) (the “Bill”). The Bill will now go to the Federal Council (Bundesrat), the legislative body representing the 16 Länder (states) at the federal level. After that consultation, it will go to the federal parliament (Bundestag), which may adopt it.
The Bill aims to address the issues highlighted in the 2021 Federal Home Office BDSG Assessment by amending Parts 1 and 2 of the BDSG. Other legislative projects will address further amendments. Additionally, apart from and in parallel to the changes to the BDSG, the German Federal Cabinet is also proposing changes to the Telecommunications and Telemedia Data Protection Act (“TTDSG”), which are beyond the scope of this blog post.
Below is a summary of the main changes that the Bill proposes to bring to the BDSG.
- The Bill institutionalizes the Data Protection Council (“DSK”), the body of the independent German federal and state data protection supervisory authorities, in the BDSG. However, the DSK's decisions remain not legally binding.
- The Bill amends the BDSG so that companies and institutions that process personal data for scientific, historical and statistical purposes and act as joint controllers will be supervised by only one German supervisory authority (“SA”), rather than by all SAs where they are located. To achieve this, the companies and institutions concerned must notify all competent SAs that they are joint controllers and that they wish to be supervised by the SA in whose jurisdiction the company or institution with the highest annual turnover in the previous financial year is located.
- The Bill amends section 34 of the BDSG (which sets out the right of access for data subjects) to clarify that business and trade secrets count among the rights and freedoms of “others.” According to the explanatory memorandum of the Bill, the aim is to make clear that, within the scope of the exception to the right of access (Article 15(4) GDPR), controllers also fall within the protection afforded to “others” and that certain data disclosed is subject to legal protection. The amendments therefore allow data controllers to rely on the exception where the interest in keeping business and trade secrets confidential outweighs the data subject's right of access.
- In addition to the CJEU's judgment in C-634/21 of 7 December 2023, the Bill creates a (new) legal basis for scoring. It proposes to remove the existing section 31 on “Securing commerce through scoring and credit reporting” and to insert a new section (tentatively numbered 37a BDSG) to serve as an exception to the prohibition on automated decision-making under Article 22(1) GDPR. More specifically, it allows the creation and use of scores (i.e., probability values) to: (i) predict certain future actions of an individual in order to decide on the establishment, performance, or termination of a contractual relationship with that individual; or (ii) predict an individual's ability and willingness to pay through a credit institution. However, the exception is subject to some limitations, including a prohibition on using the following personal data in the creation of the score: (i) special categories of personal data, (ii) the data subject's name or personal data obtained from the use of social networks, (iii) information about deposits into and withdrawals from bank accounts, and (iv) address data. Furthermore, the creation and use of scores cannot affect minors, and the scores must, among other things, be calculated based on scientifically accepted mathematical and statistical methods.
- The Bill introduces new BDSG section 40a, which aims to enable joint controllers supervised by different supervisory authorities to designate a competent supervisory authority for both joint controllers. The supervisory authority with jurisdiction over the company that generated the largest annual turnover in the financial year prior to notification to all affected supervisory authorities will have jurisdiction over both joint controllers.
***
The Covington & Burling LLP team continues to monitor developments in EU data protection law and currently advises the world's top technology companies on some of the most challenging regulatory and compliance issues in the EU. We will be happy to answer any questions you may have regarding the proposed legislation amending the BDSG or other technical regulatory matters.
(This blog post was contributed by Alberto Vogel.)