On February 7, 2024, the German Federal Cabinet approved a draft law (“the Draft Law”) amending the Federal Data Protection Act (“BDSG”).  The Draft Law will now go to the Bundesrat (the legislative body that represents the sixteen Länder (federated states) of Germany at the federal level) for its opinion and then to the Bundestag (the federal parliament) for discussion and, potentially, adoption.

The Draft Law aims to address the issues highlighted in the 2021 Federal Ministry of the Interior and Home Affairs BDSG evaluation by amending Parts 1 and 2 of the BDSG.  Other legislative projects will address further amendments.  In addition, separately but in parallel to the changes to the BDSG, the German Federal Cabinet is also proposing changes to the Telecommunications and Telemedia Data Protection Act (“TTDSG”), which we will not cover in this blog post.

The following is a summary of the main changes the Draft Law proposes to bring to the BDSG. 

  • The Draft Law institutionalizes the Data Protection Conference (“DSK”), the body of independent German federal and state data protection supervisory authorities, in the BDSG.  However, the DSK’s decisions remain legally non-binding.
  • The Draft Law amends the BDSG so that companies and institutions that process personal data for scientific, historical or statistical purposes and act as joint controllers may be subject to the supervision of one German SA, rather than all the SAs where the companies and institutions are located.  To this end, the companies and institutions concerned should notify all the competent SAs that they are joint controllers and that they wish to be subject to the supervision of the SA in which the company or institution with the highest annual turnover in the previous financial year is located.
  • The Draft Law amends section 34 BDSG (which provides for data subject access rights) to clarify that business and trade secrets constitute rights and freedoms of “other persons.”  According to the explanatory memorandum to the Draft Law, it is intended to clarify that, within the scope of the exceptions to the right of access (Art. 15 para. 4 GDPR), the controller is also covered by the protection of “other persons” and that certain data to be disclosed enjoys legal protection. Hence, the amendment would allow data controllers to rely on an exception when the interest in the confidentiality of business and trade secrets outweighs data subjects’ right of access.
  • Further to the CJEU’s judgment in Case C-634/21 dated December 7, 2023, the Draft Law creates a (new) legal basis for scoring.  It deletes the current Section 31 on “protection of commercial transactions with scoring and credit reports” and proposes to add a new section (provisionally numbered 37a BDSG), which would serve as an exception to the prohibition of automated decision-making under Article 22(1) GDPR.  More specifically, it would allow the creation and use of scores (i.e., probability values) for the purpose of: (i) predicting a certain future behavior of the individual to decide on the establishment, performance, or termination of a contractual relationship with that individual; or (ii) predicting an individual’s ability and willingness to pay through credit agencies.  However, the exception comes with some limits, such as the prohibition of using the following personal data to create scores: (i) special categories of personal data, (ii) the name of the data subjects or personal data from their use of social networks, (iii) information about incoming and outgoing payments to and from bank accounts, and (iv) address data.  In addition, the creation and use of the scores may not affect minors, and the scores must be calculated on the basis of a scientifically recognized mathematical-statistical method, among other requirements.
  • The Draft Law introduces a new section 40a BDSG which is intended to enable joint controllers who are subject to the supervision of different supervisory authorities to designate a supervisory authority that is competent for both joint controllers.  The supervisory authority competent for the company that generated the largest annual turnover in the financial year preceding a notification of all affected supervisory authorities is to be competent for both joint controllers.

***

The Covington & Burling LLP team continues to monitor developments on EU data protection laws, and we currently advise the world’s top technology companies on their most challenging regulatory and compliance issues in the EU.  We are happy to assist with any queries you may have about the Draft Law amending the BDSG or other tech regulatory matters.

(This blog post was written with the contributions of Alberto Vogel.)

Lars Lensdorf

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, cloud-services, digitalization/ industry 4.0, IT related bank regulatory matters, IT-compliance, incl. cybersecurity and data protection.

Furthermore, Lars is also focused on interfaces to other practice areas to the extent that IT related matters are affected, e. g. regulatory requirements for banking and financial services as well as public procurement law.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.