On September 20th, 2019, the Federal Council agreed to adapt numerous national provisions to the European General Data Protection Regulation (GDPR). The amendments entered into force on November 26th, 2019.
1.Abolition of the data protection officer for small and medium-sized enterprises?
In addition to numerous adaptations of definitions and references in the sectoral laws, the most significant change concerns the raising of the threshold for the obligation to appoint a data protection officer (DPO).
Previously, public as all non-public authorities were only obliged to appoint a company data protection officer in accordance with sec. 38 of the Federal Data Protection Act (BDSG) if they generally employed at least ten persons permanently with the automated processing of personal data. The Second Adaptation and Implementation Act (DSAnpUG) raises the threshold to 20. This is to reduce bureaucracy in particular for small and medium-sized enterprises and voluntary associations.
How does this change things?
At first glance, the change means financial relief for small and medium-sized enterprises. This is because the appointment of an external data protection officer in particular is usually cost heavy. However, it is worth taking a second look: raising the threshold does not at the same time lead to a kind of data protection free ride for smaller companies. They remain – as before – bound to the data protection regulations and obligations. Data protection officers make a significant contribution to compliance with these data protection requirements and obligations. Dr. Stefan Brink, Federal State Commissioner for Data Protection of Baden-Württemberg, recently stated that “Data protection officers are important contacts for us [data protection supervisory authorities] and the companies. They help companies comply with the law and thus save time and money – not to mention possible fines for violations.”[1]
Companies below the threshold should therefore critically check whether they actually refrain from appointing a data protection officer despite the threshold being raised.
What consequences will this have for data protection officers already appointed?
The GDPR guarantees data protection officers freedom from instructions and independence regarding the exercise of his tasks. According to sec. 38 (3) GDPR the controller and the processor shall ensure that the data protection officer is not dismissed or penalised by the controller or the processor for performing his tasks. Furthermore, company data protection officers of non-public bodies – insofar as their appointment is mandatory – are subject to the special protection against dismissal pursuant to sec. 6 (4) BDSG. They may only be dismissed and their employment terminated for good cause. It is unclear whether the current amendment to the BDSG (lowering of the threshold) constitutes such an important reason entitling companies below the threshold to dismiss appointed data protection officers.
According to the clear wording internal data protection officers of companies that do not reach the threshold the special protection against dismissal will not apply. The legislator has refrained from a transitional regulation to protect already appointed internal data protection officers. Therefore, an at least analogous applicability of the special protection against unfair dismissal cannot be considered.
2.Consent of the data subject: Is this the end of the mandatory written form?
The second major change concerns the written form of the declaration of consent of employees to the processing of their personal data pursuant to sec. 26 (2) BDSG. With immediate effect, the declaration of consent to data processing is no longer required to be given in writing, but can also be given “electronically”.
Whether this will (acutely) be a real simplification for practice is highly questionable. The electronic form according to sec. 126a German Civil Code (BGB) requires that the issuer adds his name to the declaration and provides the electronic document with a qualified electronic signature. Usually only very few employees have such a qualified electronic signature. Consent by simple e-mail would still not be sufficient. For the time being the requirement of written form essentially may remain unchanged.
The discussion prior to the amendment of the law about the requirement of written form for consent under data protection law, which in practice was often perceived as too strict and impracticable, had in itself been expected to actually facilitate legal transactions. It is therefore not excluded that the strict requirements of sec. 126a BGB (German Civil Code) do not have to be met to fulfil the now permissible electronic consent pursuant to sec. 26 para (2) sentence 3 BDSG. However, as long as there is no case law or an explicit positioning of the data protection authorities in this regard, only compliance with the (strict) electronic or written form can be recommended.
Katharina Mitterer Katharina Schlonsak
Lawyer-Partner Lawyer
[1] BayLfD press release of 09.09.2019 “Data protection officers strengthen companies”, available at https://www.datenschutz-bayern.de/presse/20190909_Herbstkonferenz_und_Behoerdentag.html (download: 02.12.2019).
