Monthly news and analysis of data protection and privacy issues from around the world. Volume 9, Number 9 September 2009

Reproduced with permission from World Data Protection Report, 09/01/2009. Copyright 2009 by The Bureau of National Affairs, Inc.

BNA International
World Data Protection Report
International Information for International Businesses
BNA International Inc., a subsidiary of The Bureau of National Affairs, Inc., U.S.A.

The German Federal Data Protection Act and its recent changes

By Katharina A. Weimer, Associate, Reed Smith LLP.

Katharina A. Weimer is an Associate of the European Corporate Group of Reed Smith and specialises in the area of media and entertainment. She is a commercial lawyer with a strong focus on international and national data protection matters, copyright-related contentious and non-contentious matters, and all aspects of doing business on the internet. She can be contacted at: kweimer@reedsmith.com.

The German Federal Data Protection Act (the "Act") dates back to its first enactment in February Prior to this, the German state Hesse had implemented the worldwide first data protection legislation in Calls for amendments to the Act rose almost immediately after its implementation but did not gain foothold until the mid 1980s when draft bills for amendment were introduced. These draft bills failed to come through due to termination of the legislative period at the end of In 1990, the Act was finally amended considerably and reflected the first experiences with statutory data protection. The changes were also influenced by the landmark Census decision by the German Federal Constitutional Court [1] in which it found the right to informational self-determination to exist and be rooted in the German Constitution. When the EC Data Protection Directive 95/46/EC was passed in 1995, the Act had to undergo considerable changes to accommodate the requirements stipulated by the Directive 95/46. In 2001, the legislator belatedly complied with its implementation obligation with a strongly criticised reform of the Act which was mostly intended to avoid an infringement procedure by the European Union (EU). The most recent changes in July 2009 are predominantly owed to the data protection scandals relating to abuse of personal data of employees and customers that hit the headlines in Germany in the past two years. The recent amendment to the Act will come into force on 1 September The Act applies to private persons and companies, and to public institutions and authorities on a federal level. State public institutions and authorities are subject to state legislation on data protection. The provisions of the Act only apply to personal data. Personal data is defined to be any information concerning the personal or factual circumstances of an identified or identifiable individual, section 3(1) of the Act. If data is truly anonymous and can no longer be traced back or related to an individual, it does not fall within the scope of the Act.

The Act is also limited in jurisdictional scope. It generally applies to data controllers (ie any person or body that collects, processes or uses personal data on its own behalf, or instructs others to do so on its behalf) in Germany who process personal data in Germany. A data controller outside Germany, but within the EU or the European Economic Area (EEA) who collects, processes or uses personal data in Germany is not subject to the Act, unless such data is collected through a German branch. Data controllers outside the EU or EEA who collect, process or use personal data in Germany are subject to the Act, regardless of whether they employ any technical equipment in Germany for such handling of personal data; this is contrary to EU standard which requires technical equipment in the country to be used in order for national legislation to apply.

Material requirements for data collection, processing and use

Any data collection, processing or use is subject to certain data protection principles which originate from the Directive 95/46 on data protection. Those principles are:

• Data minimization and avoidance: Data processing systems must be designed and used so as to collect, process and use as little personal data as possible, and only the specific data that is required. In addition, where possible personal data must be made anonymous or held under a pseudonym.
• Principle of purpose limitation: Personal data may only be collected after the specific purpose for such collection is determined, and may only be used for the purpose for which it was originally collected. There are certain exceptions to this rule which are outlined below.
• Data secrecy: Data controllers and processors must keep personal data confidential internally as well as externally, ie grant access only to those employees who require it and not disclose it to third parties. They must also oblige their employees to data secrecy.
• Transparency: Data processing must be as transparent as possible for the data subject. This entails that the data subject must be informed about the collection, processing and use of his or her data, about the purpose for such activity, about the identity of the data controller, and about any contemplated transfers and the respective recipients. Consent must be given voluntarily and be based on complete information, and the data subject has a right to access and rectify his personal data.

Consent by the data subject

Collection, processing and use of personal data is subject to the requirement that these activities are legitimised by either consent by the data subject, a statutory permission or a works agreement. According to section 4a of the Act, consent must be based on a voluntary decision of the data subject in order to be valid. This excludes decisions made under duress, under force or within a relationship of dependency, in particular if consent has been obtained by abusing a position of factual or legal power over the data subject. Particular care must therefore be given to consent obtained within an employment relationship, where the employee will often feel that he has no choice other than to give his consent. It must be made clear that the employee may refrain from giving consent without a negative impact on his employment relationship.

Voluntary consent can only be granted if the data subject has been provided with complete information on the purpose of the collection, processing and/or use, and on the consequences of denying consent, if any. The information duty also includes the kind of personal data to be collected and the recipient and purpose of any potential transfers of data. Consent must generally be granted in writing, including electronic form (which requires an electronic signature), unless special circumstances cause a different form to be appropriate, for example in case of telephone surveys. Implicit consent is not sufficient. The data subject may revoke its consent at any time for any and no reason with effect for the future.

For dealings on the internet, the specific provisions of the Telecommunications Act and the Telemedia Act apply to consent.
Consent can be obtained electronically if:

• the data controller ensures that the data subject has declared its consent knowingly and unequivocally;
• consent is recorded;
• it is accessible for the data subject at any time;
• the data subject can revoke its consent for the future at any time; and
• it complies with the requirements regarding its content as outlined above.

Statutory permission

Statutory permissions for the collection, processing and use of personal data can be found in the Act and in area-specific legislation such as the Social Code, the Telecommunications Act and other sources. For the purposes of this overview, only the general permissions of the Act for data processing activities by private persons and entities shall be investigated.

Data collection, processing and use for own purposes

The general permission in section 28(1) of the Act provides for data collection, storage, editing or transfer for own business purposes of the data controller. This provision contains three alternatives, though most uses of personal data are based on the first two alternatives. The three justifications are:

a) A contractual relationship

The data controller may collect, store, edit and transfer the data for his own business purposes if this serves the purpose of a contractual relationship or a quasi-contractual fiduciary relationship with the data subject. After the coming into effect of the amendments to the Act, this will read the purposes of a transactional or quasi-transactional obligatory relationship. Every use of personal data which is necessary for the conclusion or execution of a contract between the data subject and the data controller can be based on this justification, eg collection and storage of address details for product shipment.
Prior to the reform of the Act, the permission also encompassed the collection and storage of personal data from employees to the extent this was necessary for the purposes of the employment relationship. Transfers to third parties within the scope of the employment relationship, such as to payroll providers, were also legitimate under this provision. However, transfers within a group of companies, eg to the parent company for purposes of HR monitoring, could not be based on this provision as this is, strictly speaking, not necessary for the specific employment relationship. As of September 2009, personal data of employees are subject to the new section 32 of the Act which is outlined below.

b) Legitimate interests of the data controller

Personal data may also be collected, stored, edited and transferred for the protection of legitimate interests of the data controller if there are no grounds for the assumption that the data subject's interests meriting protection in the exclusion of such use outweigh the data controller's legitimate interests. The interest of the data controller may be of economic, legal or even of non-material nature as long as it is legitimate, having regard to reasonable considerations and the individual circumstances. Although it seems that this provision gives the data controller a blank cheque for using the data subject's data, this is not the case. The data processing in question must be required for protection of the respective interest, not merely helpful or supportive. Thus the data controller may not make use of this authorisation if its interests can also be protected without knowledge of the data at issue. It also gives, for instance, no authorisation to German subsidiaries of American companies to transfer employee data to their parent company for SOX compliance, because this is not an interest of the German subsidiary but of the US parent company, a differentiation that may cause serious complications for US-listed companies that have German subsidiaries. The legitimate interest of the data controller must also be weighed against the interests of the data subject.
Economic or professional disadvantages for the data subject must be taken into consideration as well as the data subject's right to privacy and to confidentiality. This alternative is generally the legal foundation for data transfer in outsourcing scenarios. Where an entire business function is outsourced to a third party, it is in the legitimate interest of the data controller to transfer the personal data which is needed by the outsourcing provider for the orderly execution of the outsourced functions.

c) Public sources

The third alternative gives the data controller the possibility to use personal data if it is available from public sources or if the data controller would be allowed to make it public, unless the data subject has outweighing interests in the exclusion of the processing and use of its personal data. This alternative is of minor practical importance compared to the first two situations.

Generally the transfer and use of collected data may only be carried out for the limited purpose for which the data was originally collected. Section 28(2) of the reformed Act contains an exception for a change in purpose. The transfer and use of the personal data for other purposes than for which the data was originally collected is permissible:

• if the requirements of (b) or (c) are complied with; or
• if necessary for the protection of legitimate interests of a third party or the defense against certain public risks; or
• if necessary for research projects.

Data processing for address dealing and advertising

The collection, transfer and use of personal data for marketing, for address dealing and for advertisement is regulated in sections 28 and 29 of the Act. The Act currently contains gracious permissions for data processing for these purposes.
In light of the recent developments in Germany that have hit the headlines of the newspapers, the reform of the Act was intended to employ a stricter regime regarding in particular data processing for address dealing and advertising. The proposed changes were subjected to criticism, in particular from the advertising industry, and were ultimately amended to impose a less strict regime than originally suggested. Since there was a risk that because of the end of the legislative period in September 2009, there would be no changes at all, the amendments are still welcomed even by data protection professionals. The amendments came into force on 1 September 2009; a discussion of the previously valid provisions would thus constitute a historic debate and is obsolete. This overview therefore provides guidance on the new legal basis.

Transfer and use of already collected data for the purposes of address dealing or advertising will be permissible if the data subject has given its consent and, in case such consent was not given in writing, the data controller confirms to the data subject the consent and its exact content in writing. This general requirement of consent from the data subject is perforated by several exceptions:

• Processing and use of personal data summarised in a list (or similar form) of members or a group of persons is permissible if necessary for the purposes of:
  a) advertisement for own offers of the data controller;
  b) advertisement with regard to the occupation of the data subject at the data subject's business address; or
  c) advertisement for donations.
  The data that may be used in this manner is restricted to information that the data subject is a member of such group, and the data subject's job, industry, business title, name, title, academic degree, address and year of birth.

• Such merged data may also be transferred for purposes of advertisement if such transfer is recorded for two years, including the origin and the recipient of the data, and information on the origin of the data and the recipient is provided to the data subject upon its request. In addition, the advertisement must clearly identify the person or entity that originally collected the data. This last requirement may be burdensome on enterprises, in particular in a chain of transfers where it is not always easy for the ultimate recipient of the data to determine who had originally collected the data. Enterprises should therefore ensure that such information is provided to them when obtaining personal data for advertising purposes.
• Personal data may be used for advertising for third party offers if the advertisement enables the data subject to clearly identify the data controller who is responsible for the use of the data.

All three alternatives are subject to outweighing interests of the data subject which the data controller has to evaluate.

Section 28 of the Act deals with the use of data for advertising and address dealing purposes that were originally collected for other legitimate purposes. Section 29 of the Act regulates the commercial data collection, processing and use for purposes of transfer if this serves the activities of advertising, address dealing or credit agencies. These activities are permissible if:

• there are no grounds for assuming that the data subject has an interest meriting protection in the exclusion of the collection, storage or editing; or
• the data can be collected from publicly available sources; or
• the data controller would be permitted to publish the data unless the data subject can allege outweighing interests; and
• these activities are, by reference, also subjected to the general requirement of consent with the outlined broadly scoped exceptions.

Transfer of the personal data is permissible if the recipient has substantiated a legitimate interest in knowing the data and, again, there are no grounds for assuming that the data subject has an interest meriting protection in the exclusion of the transfer. The rule of consent and stated exceptions also applies to the transfer of personal data for purposes of advertisement and for the activities of credit agencies and address dealers.

The reform of the Act took heed of the public interest in polls and surveys and does not subject commercial data collection, processing and use for purposes of polling and surveys to the data subject's consent, section 30a of the Act. The data controller must only evaluate whether the data subject has an outweighing interest in the exclusion of the collection, processing or use. However, data collected for these purposes may only be used for other purposes if it is completely anonymous, and data must be made anonymous as soon as this is possible according to the purpose of the polling or survey research.

Employee data

The reform of the Act introduces a new provision on the collection, processing and use of employee data for purposes of the employment relationship, in section 32 of the reformed Act. Personal data of employees may only be collected, processed or used for purposes of the employment relationship if this is necessary for the decision on the establishment of the employment relationship or, after it has commenced, for its execution or termination. This includes all collection and processing of personal data which is necessary for the performance of the employment relationship, eg transfer to payroll providers.
Personal data may only be used for purposes of uncovering criminal acts if there are factual indications that the data subject has committed such a criminal act and the data subject has no outweighing interest in the exclusion of the collection, processing and use, in particular taking into consideration that the manner and scope of such collection, processing and use must not be unreasonable compared to the alleged act.

While it is certainly beneficial that data protection in employment relationships has finally found explicit reflection in the reformed Act, the new provision does not considerably extend the scope of protection beyond the protection already granted by section 28(1) of the Act. However, in particular the evaluation of reasonableness of the data processing in comparison with the alleged criminal act may protect employees from overly motivated employers wishing to control every move of their employees.

Sensitive personal data

Sensitive personal data includes information on racial or ethnic origin, political opinions, religious or philosophical convictions, trade union membership, health, and sex life. Sensitive personal data is subject to heightened protection by the Act: a data controller must generally obtain specific consent, explicitly stating that sensitive personal data shall be used, or rely on strict and exceptional permissions.

Works agreements

According to section 4(1) of the Act, data collection, processing and use are legitimate if the Act or another legal provision permits it or the data subject has consented to it. A works agreement constitutes such other legal provision in the sense of section 4(1) of the Act. Companies that have a works council therefore have the option of concluding a works agreement on the data processing, collection or use.
It is necessary that the works agreement specifically outlines the data processing that shall be carried out, including the data or kinds of data, the purposes of the collection, processing or use, and potential recipients. If a respective works agreement exists in the enterprise of the data controller it forms the justification for the data collection, processing and use and recourse to the Act is no longer necessary for the activities specifically outlined in the works agreement.

It is debated to what extent works agreements may extend the scope of permissible data collection, processing and use beyond the use of data for purposes of the specific employment relationship. It has been argued that the protection granted by the Act should not be undermined by works agreements where the individual employee has no possibility for voicing his concern. With the newly inserted provision in section 32 of the Act, strict limits on the scope of permissible use of personnel data have been introduced. It remains to be seen how the friction between this limitation and the options possible via works agreements will be handled by the data protection authorities.

Formal requirements under the Act

Apart from these material requirements for the use of personal data, the Act also contains a number of provisions outlining formal requirements for those involved in data collection and use.

a) Data protection officer

Most notably this is the obligation to have a data protection officer installed if the data controller or processor regularly employs more than nine persons with tasks involving automated processing of personal data. This threshold must take into consideration not only full-time employees who are mainly concerned with data processing tasks, but also includes part-timers, interns and employees who use personal data as a by-product within their main area of employment. The data controller/processor is free in choosing whether he wishes to fill this position with an employee or with an external adviser. An internal data protection officer is likely to know more about the internal processes and procedures, thereby finding it easier to competently advise on data protection issues and questions.
However, the amended Act will grant special dismissal protection to data protection officers. As of September 2009, an internal data protection officer can only be terminated from his employment in case of extraordinary termination for good cause. The protection survives termination of the position as data protection officer by one year. If an internal data protection officer is desired, it may therefore be advisable to fill this position with an employee who already enjoys special dismissal protection due to other functions he holds, eg the emission control officer or a member of the works council. However, it should be ensured that the data protection officer has the necessary competence and experience to properly advise on data protection issues.

It is important to note that the data protection officer has a strictly advisory function. He is responsible for informing the data controller/processor's management on the requirements under the Act and under area-specific legislation, for educating the employees in respect of data protection, and for supervising the orderly application of data processing programs. The data controller is obligated to provide the data protection officer with an index of procedures of automated processing containing certain information on the procedures. The data protection officer will make this index available to anybody upon request under section 4g(2) of the Act but he is not obliged to create this index of procedures himself. He is also not liable for non-compliance of the data controller/processor with the Act or with area-specific legislation.

b) Obligation to data secrecy

The employees involved in data processing tasks must be obligated to data secrecy upon commencement of their activity. This includes providing them with information regarding the obligation to data secrecy and regarding consequences of breaches.
Although this obligation does not have to be carried out in writing, it is preferable to do so to be able to prove compliance with this requirement.

c) Notification

The Act also provides for a notification requirement of the data controller or processor to the data protection authority. Although the requirement is worded as the rule, it is factually the exception. The data controller is obligated to notify the competent authority of automated data processing procedures prior to commencement of their operation unless:

i. it has installed a data protection officer (and most data controllers and processors are required to have a data protection officer in place); or
ii. the data controller only uses personal data for own purposes and a maximum of nine persons are employed with such tasks; and
   a. the data subjects have either consented to the processing; or
   b. it falls within the scope of a contractual or quasi-contractual relationship with the data subject (in the future, read: transactional or quasi-transactional obligatory relationship).

These exceptions will apply to most cases.

d) Technical and organisational measures

The Act requires every person or entity handling personal data to take certain technical and organisational measures to ensure protection of the personal data, under section 9 of the Act. These include:

• control of access to the data protection equipment;
• control of access to the data processing systems;
• control of access authorisation;
• control of data transfer;
• retroactive input control;
• control of processing in compliance with instructions (for data processors);
• availability control, ie protection of data from loss and destruction; and
• separation of data collected for different purposes.

e) Rights of individuals

The data subject has a right to information about the data that is stored on it, and to correction, deletion or blocking of its personal data. If the right to information is exercised, information must be provided at no cost for the data subject. Its personal data must be rectified if incorrect, and deleted if:

• storage is not or no longer permissible;
• it is sensitive personal data;
• it is no longer required for the purpose for which it was originally collected; and
• processed for commercial transfer, at the end of the fourth calendar year after initial storage an evaluation shows that it is no longer required.

The data subject may also assert a damage claim against the data controller if it suffers damages from impermissible or incorrect collection, processing or use of its personal data.

f) Breach notification

The new section 42a of the Act introduces a breach notification duty into the Act. This breach notification duty is due to repeated attempts by major companies in Germany to camouflage data protection mishaps within their structure. A data controller or processor that stores sensitive personal data, personal data subject to professional confidentiality, personal data relating to criminal acts or administrative offences, or personal data relating to bank or credit card details, has to notify the competent data protection authority and the respective data subjects if it realises that:

• the data has been transferred illegitimately; or
• third parties have illegitimately gained knowledge of the personal data by other means;

and this bears the risk of material impairment of protection-worthy interests of the data subject.

If notification of all concerned data subjects would constitute an unreasonable effort, the data controller or processor is permitted to inform the public by public announcements in at least two nationwide daily newspapers or by other means having the same effect.

Data processing on assignment

The Act grants certain privileges to data processors. Data processors are persons or entities who are not part and not an employee of the data controller but are entrusted with data collection, processing or use on the data controller's behalf. The data controller remains responsible for compliance with the Act and other area-specific data protection legislation, and data subjects must address the data controller with claims for information, correction, deletion or blocking of data, and with claims for damages.

The data controller and the data processor must conclude a written agreement on the data processing. As of September 1, 2009, failure to conclude a written agreement may, according to the reformed Act, result in an administrative fine of up to €50,000. The reformed Act also outlines the specifics such agreement must contain, such as for instance details on the scope, kind and purpose of the intended data processing, obligations, potential authorisations for sub-processing, control rights of the data controller and other similar provisions.

Despite the privileges granted to data processors, they must still comply with certain requirements under the Act. These include in particular the requirement to have a data protection officer installed if the criteria are fulfilled and to take the necessary technical and organizational security measures. The privileges for data processors only apply to data processors located within the EU or the EEA.

Data transfer outside the EU

Data transfer to recipients outside the EU or EEA is regulated by sections 4b and 4c of the Act.
Such transfer may not take place if the data subject has an interest meriting protection in the exclusion of such transfer, in particular if the recipient (not the country in which the recipient resides) cannot guarantee an appropriate level of data protection. Transfer is permissible where the transfer is necessary for the performance of a contract between the data controller and the data subject, or of pre-contractual measures. This often applies to travel bookings or online purchases from sellers not residing in the EU or the EEA. Permissions for individual data transfers or kinds of data transfers can also be granted individually by the data protection authority if the data controller can show that an adequate level of protection is guaranteed, under section 4c(2) of the Act.

a) Countries with adequate level of protection

The EU has determined that Argentina, Canada, Guernsey, the Isle of Man and Switzerland generally offer a level of protection which is adequate. This indicates that recipients in these locations offer an adequate level of protection, unless it is known that they have breached the national data protection laws.

b) Safe Harbor

In addition, the EU and the USA have agreed on Safe Harbor Principles which implement a level of protection that is also deemed adequate for purposes of data transfer. Thus companies residing in the USA who notify the Federal Trade Commission (FTC) that they adhere to the Safe Harbor Principles will also be deemed to guarantee an adequate level of protection for data transferred to them.


c) Consent

Data may also be transferred to a non-EU or non-EEA recipient if the data subject has validly and explicitly consented to the transfer, under section 4c(1) no. 1 of the Act, knowing that the recipient may not offer an adequate level of protection, because by consenting to the transfer the data subject indicates that he has no outweighing interest in the exclusion of the transfer.

d) Model contract

It is also possible to establish an adequate level of protection between the German data controller and the recipient by entering into an EU model contract. The EU has published three sets of rules [2] which contain provisions on the transfer of personal data between the parties to the contract and respective safeguards. These model contracts, if used unaltered, are deemed to establish a level of protection for the personal data between the parties which is adequate. Implementation of a model contract makes the generally required permission for individual data transfers or certain kinds of data transfer by the data protection authority obsolete.

Until now, the EU has published two model contracts for a data controller to controller transfer and one for a data controller to processor relationship. The difference in the two controller to controller model contracts lies within the provisions on liability vis-à-vis data subjects: while the older model contract deems both parties to be equally responsible for breaches by the recipient, with the newer model contract the parties agree that the data subjects shall first approach the data exporter with requests to take appropriate action against the data importer.

e) Binding corporate rules

A concern with entities in several countries inside and outside the EU and the EEA will find it difficult to have all entities enter into model contracts with each other. It is therefore possible for the entire concern to implement binding corporate rules, according to section 4c(2) of the Act.
Such binding corporate rules generally need not be approved by the data protection authority in Germany but it is advisable to cooperate with them in order to ensure that the rules contain the necessary safeguards. The binding corporate rules will then establish an adequate level of protection. Whether the individual data transfers or kinds of data transfers still require permission by the competent data protection authority is disputed and should be discussed with the data protection authority which is responsible for the German data controller, depending on which German state the data controller resides in.

Enforcement and sanctions

The competent data protection authority in the German state in which the data controller resides is the supervisory body for enforcement of the Act and of area-specific data protection legislation. The reform of the Act will extend the competences of the authority. In the future, it will be able not only to issue orders to remedy faults regarding the technical and organisational measures to be taken, as is the case now, but it will also be competent to order measures to remedy any established breach of the Act in the collection, processing and use of personal data. It may ultimately order the cessation of the respective collection, processing or use.

The list of offences subject to a fine will be extended by the reform, now in particular including the failure to conclude a written agreement on data processing on assignment. In addition, the amount of fines for violations of formal requirements will be increased from €25,000 to €50,000, and the amount of fine for violations of material requirements will be increased from €250,000 to €300,000. The reformed Act will also provide that the administrative fine shall exceed the economic advantage the offender gained with the offence, and the imposed fines may therefore exceed the spelled-out amount.
NOTES

1 See Bundesverfassungsgerichtsentscheidungen (Federal Constitutional Court Decisions) 65, p. 1 et seq.

2 These rules are available online at home/fsj/privacy/modelcontracts/index_en.htm.


SAFE-BioPharma RAS Privacy Policy SAFE-BioPharma RAS Privacy Policy This statement discloses the privacy practices for the SAFE-BioPharma Association ( SAFE- BioPharma ) Registration Authority System ( RAS ) web site and describes: what

More information

the processing of personal data relating to him or her.

the processing of personal data relating to him or her. Privacy Policy We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of the Hotel & Pensionat Björkelund. The use of

More information

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms:

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms: Last updated: 20/04/2018 Privacy Policy We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of VITO (Vlakwa). The

More information

Data Processor Agreement

Data Processor Agreement Data Processor Agreement Data Controller: Customer located within the EU (the Data Controller ) and Data Processor: European Representative Company: ONE.COM (B-one FZ-LLC) One.com A/S Reg.no. Reg.no. 19.958

More information

The General Data Protection Regulation

The General Data Protection Regulation PRIVACY NOTICE INFORMATION FOR (a) APPLICANTS TO AND USERS OF CHS COMMUNITY SUPPORT SERVICES; (b) OTHER STAKEHOLDERS CHS is committed to protecting your personal data. This privacy notice sets out how

More information

Introduction to the Personal Data (Privacy) Ordinance

Introduction to the Personal Data (Privacy) Ordinance Introduction to the Personal Data (Privacy) Ordinance Personal Data (Privacy) Ordinance Legislative Background Personal Data (Privacy) Ordinance came into effect on 20 December 1996 Amendment of the Ordinance

More information

The Apple Store, Coombe Lodge, Blagdon BS40 7RG,

The Apple Store, Coombe Lodge, Blagdon BS40 7RG, 1 The General Data Protection Regulation ( GDPR ) is the new legal framework that will come into effect on the 25th of May 2018 in the European Union ( EU ) and will be directly applicable in all EU Member

More information

This policy also applies to personal information about you that the Federation collects from any other third party.

This policy also applies to personal information about you that the Federation collects from any other third party. ANMF Policy Privacy The Australian Nursing and Midwifery Federation (the Federation) is an organisation of employees (ie a trade union) registered under Commonwealth industrial laws. The Federation is

More information

Data Protection Declaration of ProCredit Holding AG & Co. KGaA

Data Protection Declaration of ProCredit Holding AG & Co. KGaA Data Protection Declaration of ProCredit Holding AG & Co. KGaA I. Name and address of controller The controller, within the meaning of the General Data Protection Regulation (GDPR) and other national data

More information

Rules for Commissioned Processing. (DDV Declaration of Conformity)

Rules for Commissioned Processing. (DDV Declaration of Conformity) Rules for Commissioned Processing (DDV Declaration of Conformity) Service provider (in the following Service Provider) Representative Street name and number Postal code, place E-mail address Website Version:

More information