GDPR in Germany: what you need to know in 2021
Changes to the privacy law took effect on May 25, 2018: not only did the EU General Data Protection Regulation (GDPR) start to apply, but so did the new German Federal Data Protection Act (BDSG-new). BDSG-new supplements, specifies and revises the GDPR. It provides rules for specific topics, such as data processing in the context of employment, data protection officer (DPO) designation, credit and score checking, and analytics.
BDSG-new was officially promulgated on July 5, 2017 and entered into force together with the GDPR on May 25, 2018. Its purpose, in particular, is to use the many opening clauses of the GDPR that allow member states to specify, or even restrict, the GDPR's data processing requirements.
Current state in Germany
Looking back at three years of the GDPR in Germany, one major change is obvious: the German data protection authorities are imposing heavy fines for breaches.
Although the old legal framework implementing the repealed Data Protection Directive 95/46/EC already contained most of the principles and obligations of the GDPR, fines were capped at €50,000 or €300,000, and the German data protection authorities did not even use that range: the fines actually imposed were far lower. At those levels there is usually no deterrent effect.
With the ability to impose fines of up to 4% of the total worldwide annual turnover of the preceding financial year, or €20 million, data protection finally emerged from the shadows. To prepare for significantly higher fines, the 16 data protection authorities of the German Länder (states) and the federal authority gathered at the German Data Protection Conference (Datenschutzkonferenz – DSK) to agree on a guideline for setting fines of the right size.
A company with a total annual global turnover of €500 million is already subject to the highest fine brackets, the 4% or 2% rate under Art. 83 GDPR. The total annual global turnover is divided by 360 days, and the resulting daily rate is then scaled according to the severity of the violation – similar to German criminal law, in which individuals receive either imprisonment or a fine expressed in day units based on their daily income.
Situation in other EU Member States
The courts of other member states have also addressed this issue, to varying degrees, within the framework of their national rules on corporate liability, evidence and procedure:
- In Austria, the Federal Administrative Court overturned last year's decision to impose a fine of €18 million on Austrian Post, holding that Austrian procedural law requires the supervisory authority (SA) to establish that one or more specific persons (not necessarily managers) within the company violated the GDPR. (See the decision here, in German.)
- In contrast, the French Parliament holds that the French SA (CNIL) only needs to state the reasons for its fines in accordance with Article 83 of the GDPR, without discussing every criterion listed in that Article or explaining how it calculated the amount of the specific fine (see the decision here, in French).
Aim of the new BDSG
Basically, the aim of the new BDSG is to align German law with the GDPR while helping to make Germany a better location for businesses and supporting new digital developments. Where the GDPR applies, however, the BDSG-new rules do not, because the GDPR ranks as the superior law.
This reflects the intention that member states make the changes they deem necessary to the privacy laws and regulations of their respective countries within the room the GDPR leaves them.
Key elements of the BDSG
A few unique elements of the new BDSG are summarized below.
Data Protection Officer
German rules on the obligation to appoint a data protection officer are stricter than those stipulated in Art. 37 GDPR. According to Sec. 38 BDSG, a company operating in Germany must appoint a data protection officer if it constantly employs at least 10 people in the automated processing of personal data. In addition, a data protection officer must be appointed if the company carries out processing that is subject to a data protection impact assessment under Art. 35 GDPR, or if it commercially processes personal data for the purpose of transfer (including anonymised transfer) or for market or opinion research purposes.
The GDPR establishes broad rights of data subjects in Articles 13 to 22 (disclosure obligations at the time of data collection, rights to information, rectification and erasure, the right to be forgotten, and the right to object). Article 23 GDPR grants national legislatures the right to make exceptions to these rights.
The GDPR stipulates an administrative fine of up to €20 million or 4% of global revenue, whichever is higher. Violations that only affect BDSG-new requirements are limited to a fine of up to €50,000, but this is rare in practice and covers only very specific situations, such as information obligations related to consumer loans. In all other cases, the high maximum fines set by the GDPR apply.
The new BDSG also addresses non-pecuniary damages (legal term: non-material damage). These are damages that are not easy to quantify in money, such as compensation for pain and suffering. Data subjects (including employees) can claim compensation for non-pecuniary losses. This is a new liability that can generate significant economic risk for a company.
Main provisions of the BDSG-new
For private companies the BDSG-new sets rules, e.g. for:
- video surveillance of public places (Sec. 4 BDSG-new),
- data processing for purposes other than those initially intended (Sec. 24 BDSG-new),
- data processing in the context of employment (Sec. 26 BDSG-new),
- data processing related to consumer credits (Sec. 30 BDSG-new),
- scoring and credit checks (Sec. 31 BDSG-new),
- limitation of the rights of the data subject (Sec. 32-37 BDSG-new),
- designation of a DPO (Sec. 38 BDSG-new),
- administrative fines and criminal provisions (Sec. 41-43 BDSG-new),
- procedural rules for private and public lawsuits (Sec. 20, 44 BDSG-new).
BDSG-new and GDPR
Generally speaking, where the GDPR applies, the BDSG-new rules do not, because the GDPR is the higher-ranking law. This means that EU member states cannot set national rules on matters the GDPR already regulates; only within the scope of the opening clauses provided by the GDPR is there room for national rules. Within that scope, however, BDSG-new rules adopted under an opening clause take precedence over the general GDPR rules.
Sector-specific privacy rules take precedence over the general rules of BDSG-new (Sec. 1 II BDSG-new). However, these rules themselves must comply with higher-ranking EU legislation.
GDPR in Germany
BDSG-new allows the collection and use of employee data if it is necessary to establish, carry out or terminate an employment relationship. It stipulates that employees' consent to the collection and retention of personal data must be given in writing. It also encourages organizations to strike a practical balance between the interests of employers and the privacy of employees.
Appointment of Data Protection Officer (DPO)
The GDPR requires companies to appoint a DPO only when their core activities involve large-scale processing of sensitive data. In BDSG-new, Germany maintains its long tradition of requiring companies to monitor themselves by appointing a DPO when: at least 10 employees regularly process personal data; the business involves anonymised data transfer or market/opinion research; or the GDPR requires a data protection impact assessment (DPIA). BDSG-new continues to protect the employment and status of DPOs.
Special Categories of Data
BDSG-new clarifies the purposes for which sensitive data (such as health, biometric and genetic data) may be collected and used, including preventive medicine, assessment of an employee's working capacity, and medical diagnosis. However, in line with the general GDPR rules, the strictest protection measures must be applied to such data, such as encryption, pseudonymisation and the appointment of a data protection officer (DPO).
Data Processing for Research & Statistical Purposes
Where necessary, sensitive data may be processed without consent for scientific or historical research and for statistical purposes. If challenged, the controller must show that its interest in processing the data substantially outweighs the interest of the data subject. Personal data must also be anonymised.
Alteration of Original Purpose of Collecting Data
A change of purpose is only permitted where necessary for national defence or public security, the prosecution of criminal offences, or the establishment, exercise or defence of civil claims. If challenged, the controller must demonstrate why the interests of the data subject do not override these other interests.
Restrictions on Some Individual Rights
The previous draft of BDSG-new was criticized by privacy advocates for excessively restricting the individual rights granted by the GDPR. The final version contains only moderate restrictions, for example:
- There is no need to notify the data subject of a breach if the notification itself would disclose sensitive data.
- The right of access is restricted if the data is stored only to comply with regulatory retention requirements.
- The right to erasure is restricted if erasure is impossible or disproportionately costly, or if the data subject has only a minor interest in erasure.
Data Protection Authorities (DPAs)
There are 17 DPAs in Germany: one federal authority with jurisdiction over telecommunications and postal companies, and 16 state authorities supervising private companies operating within their respective states. BDSG-new implements a "one-stop" mechanism for companies with offices in several German states: the lead DPA is that of the state where the company has its main establishment.
BDSG-new also restricts the DPAs' investigative powers where the confidentiality obligations of professions such as doctors, lawyers and psychologists are concerned.
The GDPR takes a firm stance on automated decision-making that significantly affects data subjects, requiring prior consent and a mechanism for human review. To ease the pressure on sectors that rely on automated processes, BDSG-new grants certain exemptions from these requirements:
- In the insurance sector, decision algorithms may be used without consent and without an appeal mechanism if the data subject's request is granted in full.
- In the health insurance sector, automated decisions based on binding cost schedules for medical services do not require prior consent. However, if a claim is not accepted in full, the data subject must be informed of the right to appeal.
- To maintain the integrity of the German credit system, BDSG-new retains the existing German data protection rules on credit scoring and credit checks, but limits how companies may use credit scores in automated decision-making.
Right of DPAs to Challenge European Commission Decisions
BDSG-new establishes the right of the German DPAs to challenge the validity of the European Commission's privacy decisions. The challenge is reviewed by the German Supreme Administrative Court (SAC); if it shares the DPA's concerns, the case must be referred to the European Court of Justice for review. If the SAC considers the Commission's decision legitimate, it dismisses the DPA's challenge and issues a final decision.
Sanctions and Fines
BDSG-new acknowledges that the GDPR now fully regulates sanctions and fines for infringements of personal data protection, imposed through the DPAs of the member states. As described in the introduction of this white paper, these measures are very significant. The only exception is that a German DPA can impose a fine of up to €50,000 for breaching consumer credit disclosure obligations.
Digital business in Germany
The collection and use of personal data online is mainly regulated by the GDPR and the German Data Protection Act.
The new German data protection law made major changes to the old law to bring it into line with the GDPR and to take advantage of the GDPR's exceptions. Although the GDPR applies directly throughout the European Union and its provisions take precedence over national law, member states retain the ability to introduce their own national legislation on the basis of certain exceptions provided by the GDPR.
These derogations cover national security and crime prevention and investigation, but also other important situations, such as the collection and use of employee data (still not specifically regulated by the GDPR) or stricter requirements for the appointment of a data protection officer (compared with the GDPR).
The ePrivacy Directive (2002/58/EC) has not yet been explicitly implemented in Germany. The German government has long claimed that implementation is unnecessary because the ePrivacy Directive's cookie requirements are already correctly reflected in current German law. The majority of data protection experts, including most German data protection authorities, have sharply criticized and disagree with this opinion.
The GDPR specifies data security requirements that companies must meet: appropriate technical and organizational measures must be taken to prevent unauthorized or unlawful processing of personal data and accidental loss, destruction or damage. These requirements include the obligation to apply an appropriate level of security to Internet transactions involving the transfer of personal data.
German Shopify Store and GDPR
With regard to the GDPR, any Shopify store located in Germany must comply with the GDPR. Shopify is not GDPR-ready out of the box, so you will need to install an app for this. Although there are many GDPR-related applications in the Shopify app store, only a few of them cover your store according to the GDPR requirements.
Add legal information
Add your store policies in your Shopify admin and assign them to your store navigation.
Link to OS-Platform (online dispute resolution)
According to a European directive, every European merchant must provide a clickable link to an online dispute resolution platform (known as the "OS platform") where merchants and customers can try to resolve disputes over online purchases out of court.
To meet this requirement, add a short description and a link to the OS platform on one of your legal pages.
Here are examples:
- In English: Platform of the EU Commission regarding online dispute resolution: http://ec.europa.eu/consumers/odr
- In German: Plattform der EU-Kommission zur Online-Streitbeilegung: http://ec.europa.eu/consumers/odr
Right of Return expiration for digital products
If you sell digital products, your customers are entitled to return them for a full refund within 14 days, unless they have already started downloading or streaming the digital product.
If you want to avoid refund requests for digital products purchased from your store, you can ask your customer to waive the right of return when purchasing a digital product.
Display tax information
Add information about VAT that will be charged (or won’t be charged) so that customers can see it during shopping in your catalog.
VAT in your catalog
You need to include tax information on your product pages, i.e. display the total product price and state that it includes VAT.
VAT-exemption for small businesses (special case)
If you are a small business owner with a low turnover, you may not need to collect and pay VAT. However, small business owners are required by law to notify customers of their special tax situation.
You can generate tax invoices manually and automatically for your orders and attach them to the order confirmation email. These tax invoices meet the legal requirements and meet the EU standard billing requirements.
Shopify offers a free tool for that. This invoice generator makes your life easier when it comes to billing and collecting money. Simply fill in the required information and create an invoice on the spot. You can save, print or email it directly to your clients.
The Shopify invoice maker uses a professional layout that includes all of the necessary details for clean, consistent, and accurate billing practices. See a sample invoice here.
Display shipping information
You should inform your customers about shipping costs and delivery time frames in your catalog.
Shipping costs in your catalog
If you charge shipping costs in an online store, you must notify your customers on each product page that additional shipping costs apply.
Delivery time in your catalog
An essential piece of mandatory information in online transactions is the delivery time. You can put this information in the product description or in the attribute text field above the product page description.
Display important information about products
Include the list of essential product properties and characteristics to your product pages.
Essential product characteristics
The product detail page should provide information about the basic functions of the product. This will make it easier for your customers to decide which product to buy. You can use product attributes to display a list of features on your product page.
Price per unit
If a product is sold by a unit of measurement such as kilograms, litres or metres, the exact price per unit of measurement must be shown in the store.
Energy labels and product data sheet
If you sell energy-consuming products (appliances, lights, etc.) in your store, you are obliged to show the energy label and the technical data sheet for these products.
Display important notices at checkout
You can display important information to customers during checkout. For example, if the customer is outside the European Union, there may be some additional costs, such as customs duties.
Shopify supports that already and you can find more details here.
Accept the Data Processing Terms
If you use Google Analytics on a website in the European Union or Switzerland, you must accept Google Analytics' Data Processing Terms. To do this, open Google Analytics and, under Admin > Account settings > Data processing amendment, click "Review amendment".
Anonymize IP addresses
First, you must enable IP anonymization. Some websites have already got into trouble for failing to anonymize IP addresses correctly in Google Analytics, so this is a very important step. You anonymize IP addresses by adding ga('set', 'anonymizeIp', true) before the ga('send', 'pageview') line in your tracking code.
You are also expected to delete the data Google Analytics stored before IP anonymization was enabled. This is done by deleting the property (that is, your website) in Google Analytics and creating it again.
Set the data retention period
In the Google Analytics console, set the data retention period to 14 months or less to comply with the GDPR/DSGVO. You must also disable "Reset on new activity". You will find these settings under Admin > Account settings > Tracking info.
Take care of your customer privacy
GDPR Cookie Bar + ePrivacy Page is the most popular GDPR application in the store; Shopify proposes it as the #1 alternative to the GDPR apps it removed. It provides an EU GDPR/CCPA banner with a preferences popup and cookie compliance, and works as a complete consent management platform (CMP). A flexible settings panel lets you adapt it to your needs and brand.
For Germany you will need to select one of the strict-mode banners, in which all cookies are disabled until the user gives consent. You also need to enable the options for limiting tracking for visitors from Europe in your store preferences menu. You can find more information from Shopify here.
Finally, you will need to enable the ePrivacy page in order to support data subject requests from your customers or visitors.
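The two configuration points above (anonymizeIp set before the first pageview hit, and no tracking at all until the strict-mode banner has recorded consent) are easy to get wrong in a theme's tracking snippet. The following is an added example, not code from Shopify, Google or this article: it models the analytics.js command queue as a plain array so the ordering rule can be checked outside a browser, and gates the whole queue on the visitor's stored consent choice. The function names, the 'granted'/'denied' consent values and the tracking ID placeholder are assumptions for this example.

```javascript
'use strict';

// Added example (hypothetical helper names): a consent-gated analytics
// command queue. In the browser each entry would be passed to the global
// `ga(...)` function; here the queue is a plain array so it runs under Node.

// Placeholder tracking ID; replace with the property's real ID.
const TRACKING_ID_PLACEHOLDER = 'UA-XXXXXXXX-1';

// Build the commands for one page view. `consent` is the visitor's stored
// choice from a strict-mode cookie banner: 'granted' or 'denied'
// (anything else is treated as "not yet chosen").
function buildTrackingCommands(consent, trackingId) {
  if (consent !== 'granted') {
    // Strict mode: no tracker is created, so no cookie is set and no hit
    // (and therefore no IP address) leaves the browser.
    return [];
  }
  return [
    ['create', trackingId, 'auto'],
    ['set', 'anonymizeIp', true], // must come before the first hit is sent
    ['send', 'pageview'],
  ];
}

// Audit check for an existing snippet: anonymizeIp must be enabled before
// any 'send' command, otherwise the first hit carries the full IP address.
function auditAnonymizeIp(commands) {
  let anonymized = false;
  for (const cmd of commands) {
    if (cmd[0] === 'set' && cmd[1] === 'anonymizeIp' && cmd[2] === true) {
      anonymized = true;
    }
    if (cmd[0] === 'send' && !anonymized) {
      return false; // a hit was sent without anonymization
    }
  }
  return true;
}

// Stand-alone usage: show the queue for both consent states and audit it.
for (const consent of ['denied', 'granted']) {
  const queue = buildTrackingCommands(consent, TRACKING_ID_PLACEHOLDER);
  console.log(consent, JSON.stringify(queue), 'audit ok:', auditAnonymizeIp(queue));
}
```

The audit function is the part worth keeping: run it over the command list your theme actually emits (the snippet in the tracking code is the ground truth, not the app's settings page), because a single misplaced line is all it takes for the first pageview to be sent with the full IP address.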
All in all, Germany's adaptation to the GDPR is progressing smoothly, although many controllers and processors were only able to complete their internal documentation and compliance processes by the end of 2019/early 2020. From the perspective of data subjects, the GDPR creates a more transparent process and more conscious processing, and clearly raises awareness of the importance of personal data and of their rights among data subjects and ordinary consumers.
In Germany, data protection law has always been a policy issue. The data protection principle was formulated by the German Federal Constitutional Court in the 1970s in response to the excessive data demands of the German authorities. It became a core human right and now has 17 independent governmental guardians: the German state and federal data protection authorities. Whether this support always serves the full interest of the individual, and the status of data protection as a human right, are questions that may have to be settled in court again.