GDPR: Data protection following the German model

In the second part of our blog series about the EU General Data Protection Regulation, we take a look at the principles and regulations that are based on the German Federal Data Protection Act. For example, data processing may not take place without consent - exceptions excluded.

Icons by Smashicons, Freepik

Björn GreifEditor

In part 1 of our blog series on the General Data Protection Regulation (GDPR), we have outlined the rights you as a consumer will be able to claim in the future when it comes to privacy issues. In some cases, these are derived from the principles and regulations of the German Federal Data Protection Act (in German: Bundesdatenschutzgesetz, BDSG), which are again reflected in GDPR – partly in a more stringent form.

This mainly applies to the principles relating to processing of personal data, which are defined in article 5 of the GDPR: lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality as well as accountability of data processing companies for compliance with these principles.

Here is an overview of the most important items of GDPR adopted from the German Federal Data Protection Act:

  • No processing of personal data without consent (Article 5 ff.)
    In principle, the processing of personal data is only permitted with the explicit consent of the data subject (prohibition with reservation of permission). The consent must be given by a “clear affirmative action”, namely “freely given, specific, informed and unambiguous”. Thus, putting an end to already ticked boxes or requests for consent hidden in the terms and conditions. In addition, controllers must obtain separate consent from the data subject for each individual processing purpose. Data of minors (minimum age 13 years) may only be processed with the consent of their parents. And data subjects can revoke their consent at any time.
    However, there is one exception: if data processing is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party”, it is lawful even without the data subject’s consent. The practical effects of this derogation will only become apparent in practice.
  • Principle of purpose limitation (Article 6)
    If a company collects personal data in order to process a purchase contract, for example, it may not simply use this data for other purposes. Exceptions apply to the use of data for scientific or historical research or for statistical purposes.
  • Prohibition of coupling (Article 7)
    The provision of a service may not be made conditional on the consent to the processing of personal data which is not necessary for the performance of that contract. For example, the permission to participate in a raffle may not be made conditional upon the participant’s consent to the use of his or her personal data for marketing purposes.
  • “Special categories” of personal data (Article 9)
    These include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic and biometric data to uniquely identify a person, and data concerning health or a person’s sex life or sexual orientation. The processing of such data is prohibited without explicit consent. However, GDPR defines a number of exceptions here, such as when processing is necessary for the establishment, exercise or defense of legal claims.
  • Right to object (Article 21 ff.)
    Data subjects can object to the processing of their personal data at any time. If direct marketing and related profiling are involved, the data may no longer be processed for these purposes. But if the processing serves other purposes (such as the establishment, exercise or defense of legal claims), the objection may be void. In any case, however, users must be notified of their right to object at the latest at the time of the first communication.

These examples show that the German Federal Data Protection Act serves in many areas as a model for the EU General Data Protection Regulation. But GDPR is also introducing a number of innovations that go beyond the regulations of the already strict German BDSG. These include, for example, an extended definition of “personal data” and the “right to be forgotten”, which will be enshrined in the law in future. We will discuss these and other aspects in more detail in the third part of our blog series.