Data Protection in Germany. Axel Freiherr von dem Bussche Markus Stamm

Transcription

1 Data Protection in Germany Axel Freiherr von dem Bussche Markus Stamm Verlag C. H. Beck München 2013

2 Preface What is the data privacy law in Europe? is perhaps one of the most frequently asked questions that lawyers face when supporting data privacy clients in an international context. Through the implementation of its directive 95/46/EC, the European Union, at least, has attempted to ensure the harmonisation of the data privacy frameworks of its member states a harmonisation which, even today, is far from having been achieved. The question, as it relates to Germany, must therefore at least for now and for the foreseeable future continue to be What is the data privacy law in Germany?. Due to the principle of territoriality in European data protection law, even companies or other entities not based in Germany are faced with Germany s implementation of the EU data protection framework. Companies that are not based within the European Union (EU) or the area of the European Economic Area (EEA) have to adhere to German data protection law if they intend to collect, process or use personal data in Germany. The same applies to companies within the EU or the EEA if they intend to render a specific data processing operation through a subsidiary based in Germany. In addition cross-border data transfer becomes more and more important the requirements that apply to such operations are relevant to many types of outsourcing, centralisation across legal entities, functional transfers, and all off-shoring activities. While these kinds of activities are most commonly associated with international groups of companies, any small or mid-sized business could face the same compliance requirements. Compliance with these requirements cannot be achieved unless those entities, respectively the persons entrusted with data protection and secrecy within these entities, are familiar with the complex legal framework of German data protection. This, however, poses difficulties even for Germen experts especially because of the fragmented and dense set of rules and regulations of the German Data Protection Act (BDSG), the German Telecommunications Act (TKG), the German Telemedia Act (TMG), respective state laws and further sector-specific regulations as well as with respect to their fine differentiation and separation between them. Germany is Europe s economic engine. This is also, and especially, being recognised outside Europe. In this regard data protection law is becoming an ever more important site factor. Consequently, inquiries for legal advice and counsel within the field of German data protection have increased noticeably in recent years. These inquiries are not only issued by large groups of companies with subsidiaries in Germany or IT-Outsourcing-Providers abroad, but also by foreign lawyers, economical auditors, and universities. What these stakeholders commonly share, is that they do not readily speak German, and if they do, they will find it difficult to command the vocabulary necessary to understand and implement advice and counsel in German. Therefore even the most elemental questions may fail merely because of the language barrier. When the authors of this book joined forces to conduct a workshop in German privacy law, for the benefit of foreign experts, at the European Data Protection Day 2011, it was a clearly appreciated advantage that they were able to present the matter to their audience in English. This book strives to share the authors knowledge in a language the reader will feel comfortable with. It is intended as an introduction to German data protection law in English language, which shall address the fundamentals as well as the typi-

3 cally occurring issues in practice with regard to German data protection law. The book has been conceived as a companion handbook not as a scientific textbook or commentary and thus corresponds with the expectations of especially the Anglo-American coined judicial area. The book s ambition is to provide business and practice oriented solutions of common issues within the field of German data protection law. The book primarily targets non-german speaking persons entrusted with data protective tasks within companies or other entities, which however are nevertheless faced with German data protection provisions due to the aforementioned principle of territoriality in course of their area of activity within the businesses of their employers. Additionally it shall serve any other persons being confronted with German data protection provisions within their professional practice like foreign lawyers, but also computer specialists, business managers, directors and entrepreneurs. German data protection law shall not act as a stumbling block for this audience on its way to the German market. This book shall furthermore illustrate how German data protection provisions can be effectively implemented in own business models as a business enabler and thus utilised to one s own advantage.

4 Abbreviations AG BCR BDSG BetrVG BGB BITKOM BVerfG CEO CR DPO DuD e.g. et seq. etc. EC/EG EEA EU EUCR ff. GG HR ID i.e. IFG IP IT ITRB JuS K&R LDSG MDStV MMR NGO no. /pl. nos. OECD p./pl. pp. Aktiengesellschaft (Public Company) Binding Corporate Rules Bundesdatenschutzgesetz (German Federal Data Protection Act) Betriebsverfassungsgesetz (Works Constitution Act) Bürgerliches Gesetzbuch (German Civil Code) Arbeitskreis Datenschutz des Bundesverbands Informationswirtschaft, Telekommunikation und neue Medien e.v. (Working Group Data Protection of the Registered Federal Association Informational Economy, Telecommunications and New Media) Bundesverfassungsgericht (Federal Constitutional Court) Chief Executive Officer Computer und Recht Datenschutzbeauftrager (Data Protection Officer) Datenschutz und Datensicherheit exempli gratia/zum Beispiel (for example) et sequentes/und Folgende (and the following) et cetera/und so weiter (and so forth) European Community/Europäische Gemeinschaft Europäischer Wirtschaftsraum (European Economic Area) Europäische Union (European Union) Europäische Menschenrechtskonvention (European Convention of Human Rights) und die folgenden Seiten (and the following pages) Grundgesetz (German Constitution) Human Resources Identitätsdokument (Identity Document) id est/das heißt (that is) Informationsfreiheitsgesetz (German Freedom of Information Act) Internet Protocol Informationstechnologie (Informational Technology) Der IT Rechtsberater Juristische Schulung Kommunikation & Recht Landesdatenschutzgesetz (State Data Protection Act) Mediendienstestaatsvertrag (State Treaty on Media Services) Multimedia und Recht Nichtstaatliche Organisation (Non-Governmental Organisation) Nummer(n) (number(s)) Organisation für wirtschaftliche Zusammenarbeit und Entwicklung (Organisation for Economic Co-operation and Development) Seite(n) (page(s))

5 para. Sec. /pl. Secs. SMS TDG TDDSG TKG TMG ULD UWG ZD Absatz (paragraph) Paragraph(en) (Section(s)) Short Message Service Teledienstegesetz (German Teleservices Act) Teledienstedatenschutzgesetz (German Data Security for Telecommunication Services Act) Telekommunikationsgesetz (German Telecommunications Act) Telemediengesetz (German Telemedia Act) Unabhängiges Landeszentrum für Datenschutz (Independent State Centre for Data Protection) Gesetz gegen den unlauteren Wettbewerb (Law Against Unfair Competition) Zeitschrift für Datenschutz

6 Table of Contents A. The Concept of Data Privacy and Protection in Germany... 1 I. Key Legislation: The structure and function of the Federal Data Protection Act The short history of Data Protection Law The European General Data Protection Regulation The Future of Data Protection? The legal structure of German Data Protection Law... 5 II. The underlying principles of the German Data Protection Concept General Principles... 7 a. Personal data... 7 b. Scope of the BDSG: automated and non-automated collection, processing and use of personal data... 8 c. Collection, processing and use of personal data... 9 d. Legal permission... 9 e. Consent... 9 aa. Free decision of the data subject bb. Informing the data subject cc. Consent for sensitive data dd. Formal requirements ee. Revocation of the consent f. Further requirements of lawful data processing aa. Collection from data subject bb. Principle of data reduction and data economy g. The controller When does German data protection law apply? III. Rights of the Data Subject and Legal Consequences of Breach of Law B. The Regulatory Framework: Supervisory Authorities and Compliance I. The Role and Position of the Supervisory Authorities The Federal and State Structure of the Supervisory Authorities The Separation between Public and Private entity Supervision Scrutiny of the Supervisory Authorities Roles and Dependencies Changes to the Judicial Review Process Headcount Ramp-up in the Supervisory Authorities The Role of the Düsseldorf Circle II. Notification Duties Not necessary in Germany! Obligation to notify Exceptions from the notification duty... 20

7 III. The Data Protection Officer and how to integrate him into your Compliance Organisation Obligation to appoint a Data Protection Officer The German DPO a unique Function in the EU Dispensing with Notification Requirements The Duties of the DPO in General Does the DPO need to be a Lawyer? Beware of the Placeholder DPO The DPO and its Interface to the Supervisory Authority Avoiding Conflicts of Interest The external DPO as an alternative The Future of the DPO on an EU Level C. Customer and Supplier Data Protection Proving a Web Trust to your Partners I. General requirements II. Use of customer data for own commercial purpose (Sec. 28 para. 1 BDSG) III. Use of customer data for marketing purposes (Sec. 28 para. 3 BDSG) The use of personal data for marketing purposes without consent a. Use of personal data for advertising purposes b. Transferring for advertising purposes and address trading The use of personal data for marketing purposes with consent a. Formal requirements b. Using of standard consent forms c. Consent under the TMG Restrictions of unfair competition law (UWG) a. Distinction between marketing measures b. Declaration of consent (Double Opt-In) Commercial data collection and recording for the purpose of market or opinion research IV. Data protection in regard to website publishers Privacy Policy Online marketing and corresponding consent Use of cookies, tracking and analytic tools a. Use of cookies b. Use of web tracking and analytic tools V. Video surveillance & Street View Video surveillance Google Street View VI. Disclosure of Data Consequences of breaching applicable data protection rules VII. Annex: Useful Toolkit for companies for compliance with data protection law... 41

8 D. Employee Data Protection Using Employee Data in Globally Operating Organisations I. Centralised Functions and the Use of Personal Data General Concepts of Centralised Functions The Legal Employer and its Key Position The Absence of Group Regulations and its Effects The Position of the Düsseldorf Circle Practical Implementation of Düsseldorf Circle Guidance The N+x Approach Self-Generated and Perceived Needs to Know The Issue of Consent in Employee Relationships Anticipated Development on the EU Level II. The Role of the German Works Council Co-Determination and Information Obligations Works Council and Works Agreement Matching Works Councils and DPOs a. Limits to the Works Council Codetermination Rights b. The DPO as Expert for the Works Council c. Supervision of Works Councils by the DPO d. Cases of Conflict between Works Council and DPO III. Social Media and Social Networks Use of Social Media and Social Networks as Sources of Information Use of Social Media and Social Networks as Means of Publication IV. Compliance Requirements vs. Data Protection Requirements V. Mergers & Acquisitions and personal data in due diligence procedures E. International Transfer of Personal Data I. Legal requirements according to Sec. 4b BDSG International data transfer within the EU or EEA area International data transfer to countries outside of the EU or EEA area II. Safeguarding data transfers to the US Safe Harbor Principles. 54 III. Derogations according to Sec. 4c para. 1 BDSG IV. Derogations according to Sec. 4c para. 2 BDSG Standard Contractual Clauses Binding Corporate Rules a. Misconceptions as to the BCR b. Drawbacks in the implementation c. Future Development of BCR d. BCR Still the method of choice? F. Commissioned Data Processing in- and outside of the EU/EEA I. System and legal requirements for commissioned data processing... 59

9 1. Commissioned data processing in Germany, within the EU and the area of the EEA a. General Principles b. Agreement on commissioned data processing No privilege for commissioned data processing outside the area of the European Union and the EEA a. Is Sec. 11 BDSG applicable to commissioned data processing outside of the EU or EEA? b. Deviation from European regulations II. Central Processing and End-to-End Transfer of Personal Data within Groups of Companies A Viable Model Use of Central Platform Resources by the Controllers End-to-End Transfer of Personal Data between Controllers.. 65 III. Data Protection in the Cloud Annex Federal Data Protection Act (bi-lingual German-English) Index