DSAn­pUG-EU: Draft Ger­man Act on the Imple­men­ta­ti­on of the GDPR and the Schengen-RiLi

Back­ground: Full har­mo­nizati­on with ope­ning clauses

The GDPR pro­vi­des for a uni­form, com­pre­hen­si­ve and direct­ly appli­ca­ble regu­la­ti­on of Euro­pean data pro­tec­tion law (“full har­mo­nizati­on”). At various points (in so-cal­led Ope­ning clau­ses), howe­ver, pro­vi­des – not always imme­dia­te­ly cle­ar­ly – for a com­ple­men­ta­ry legi­fe­ra­ti­on of the Mem­ber Sta­tes. Some examp­les are

  • Art. 6 para. 2 – Data pro­ce­s­sing in the public domain
  • Art. 8 par. 1 – Mini­mum age for consent
  • Art. 9 para. 2 – Per­mis­si­bi­li­ty of pro­ce­s­sing spe­cial per­so­nal data
  • Art. 14 par. 5 – Excep­ti­ons to the obli­ga­ti­on to pro­vi­de information
  • Art. 23 – Limi­ta­ti­ons to the rights of the data subject
  • Art. 84 – Sanctions
  • Art. 85 – Free­dom of expres­si­on and information
  • Art. 88 – Employee data protection

It is the­r­e­fo­re accept­ed that the goal of har­mo­nizati­on is rest­ric­ted in favor of a cer­tain fle­xi­bi­li­ty. Howe­ver, natio­nal legi­ti­mi­zing com­pe­ten­ces are inter­pre­ted rest­ric­tively. The prin­ci­ples of the Judgment of the ECJ in the case of ASNEF will be appli­ca­ble on the merits, as expres­sed the­r­ein, inter alia, in para. 35:

Direc­ti­ve 95/46 con­ta­ins pro­vi­si­ons cha­rac­te­ri­zed by a degree of fle­xi­bi­li­ty, lea­ving it in many cases to the Mem­ber Sta­tes to regu­la­te the details or to choo­se bet­ween opti­ons (see Lind­q­vist, para­graph 83). It is thus important to distin­gu­ish bet­ween natio­nal mea­su­res pro­vi­ding for addi­tio­nal con­di­ti­ons modi­fy­ing the scope of a prin­ci­ple con­tai­ned in Art. 7 of Direc­ti­ve 95/46, on the one hand, and natio­nal Mea­su­res that spe­ci­fy only one of the­se prin­ci­pleson the other hand. The first men­tio­ned type of natio­nal mea­su­res is pro­hi­bi­ted. Only in the con­text of the second type of natio­nal mea­su­res do the Mem­ber Sta­tes have dis­cretio­na­ry powers under Art. 5 of Direc­ti­ve 95/46.


Against this back­ground, the Ger­man Bun­des­tag alre­a­dy pas­sed the draft for a future Fede­ral Data Pro­tec­tion Act (BDSG) on April 27, 2017, under the tit­le “Draft law on the adap­t­ati­on of data pro­tec­tion law to Regu­la­ti­on (EU) 2016/679 and the imple­men­ta­ti­on of Direc­ti­ve (EU) 2016/680″ and the abbre­via­ti­on “DSAn­pUG-EU” (for “Data Pro­tec­tion Amend­ment and Imple­men­ta­ti­on Act EU”). (Link – PDF).

The DSAn­pUG-EU is inten­ded to initi­al­ly com­mon rules which only app­ly out­side direct­ly appli­ca­ble EU law, in par­ti­cu­lar out­side the GDPR. In addi­ti­on spe­cial pro­vi­si­ons for the design of the GDPR (“Part 2”) with the fol­lo­wing regu­la­to­ry focus (and clear echo­es of the exi­sting Ger­man BDSG, e.g., in the pro­vi­si­ons on employee data pro­tec­tion and scoring):

  • Legal basis for the pro­ce­s­sing of spe­cial data
  • Admis­si­bi­li­ty requi­re­ments for pro­ce­s­sing for other pur­po­ses by public and non-public bodies and for data trans­fers by public bodies
  • Regu­la­ti­on of other spe­cial pro­ce­s­sing situations
  • Rules on the rights of data subjects
  • Impo­si­ti­on of fines for vio­la­ti­ons of the GDPR.

Sec­tions 29 and 32 et seq. on the rest­ric­tion of data sub­jects’ rights are also worth men­tio­ning, in addi­ti­on to the spe­cial pro­vi­si­ons for employees (Sec­tion 26), for con­su­mer loans (Sec­tion 30) and for scoring and cre­dit­wort­hi­ness infor­ma­ti­on (Sec­tion 31). §§ Sec­tions 41 et seq. then con­cern lia­bi­li­ty and sanc­tions, which accor­ding to the wor­ding of the DSAn­pUG-EU are not limi­t­ed to com­pa­nies, but can also affect natu­ral persons.

As was to be expec­ted, the draft of the DSAn­pUG-EU has come in for cri­ti­cism, name­ly from repre­sen­ta­ti­ves of the EU Com­mis­si­on at an event orga­ni­zed by the Stif­tung Daten­schutz, as has reported:

Accor­ding to the insi­der, the com­mis­si­on is also cha­fing at the fact that the fede­ral govern­ment has fai­led to com­ply with the ordinance’s Wants to rest­rict the rights of the per­sons con­cer­nedThe com­pa­ny is entit­led to inspect data stored about it and, if neces­sa­ry, have it cor­rec­ted or dele­ted. She under­stands the approach of wan­ting to allow Indu­stry 4.0 to do as much as pos­si­ble, inclu­ding with per­so­nal infor­ma­ti­on. Howe­ver, the “right to be for­got­ten” is cle­ar­ly defi­ned in the regu­la­ti­on. Niko­lay the­r­e­fo­re made it clear that the Com­mis­si­on would “con­ti­n­ue to enga­ge in dia­log” with the Ger­man bodies, but that the­re was also a “risk of inf­rin­ge­ment proceedings”.

The Ger­man Bun­des­rat will deci­de on May 12, 2017 whe­ther to appro­ve the draft. If it does so, the law can enter into force tog­e­ther with the GDPR on May 25, 2018.




Rela­ted articles