# German BDSG Requirements

German-specific data protection requirements under the Bundesdatenschutzgesetz (BDSG) and state laws.

---

## Table of Contents

- [BDSG Overview](#bdsg-overview)
- [DPO Requirements](#dpo-requirements)
- [Employment Data](#employment-data)
- [Video Surveillance](#video-surveillance)
- [Credit Scoring](#credit-scoring)
- [State Data Protection Laws](#state-data-protection-laws)
- [German Supervisory Authorities](#german-supervisory-authorities)
- [Compliance Checklist for Germany](#compliance-checklist-for-germany)
- [Key Differences from GDPR-Only Compliance](#key-differences-from-gdpr-only-compliance)

---

## BDSG Overview

The Bundesdatenschutzgesetz (BDSG) supplements the GDPR with German-specific provisions under the opening clauses.

### Key BDSG Additions to GDPR

| Topic | BDSG Section | GDPR Opening Clause |
|-------|--------------|---------------------|
| DPO appointment threshold | § 38 | Art. 37(4) |
| Employment data | § 26 | Art. 88 |
| Video surveillance | § 4 | Art. 6(1)(f) |
| Credit scoring | § 31 | Art. 22(2)(b) |
| Consumer credit | § 31 | Art. 22(2)(b) |
| Research processing | §§ 27-28 | Art. 89 |
| Special categories | § 22 | Art. 9(2)(g) |

### BDSG Structure

- **Part 1 (§§ 1-21)**: Common provisions
- **Part 2 (§§ 22-44)**: Implementation of GDPR
- **Part 3 (§§ 45-84)**: Implementation of Law Enforcement Directive
- **Part 4 (§§ 85-91)**: Special provisions

---

## DPO Requirements

### Mandatory DPO Appointment (§ 38 BDSG)

A Data Protection Officer must be appointed when:

1. **At least 20 employees** are constantly engaged in automated processing of personal data

2. **Processing requires DPIA** under Art. 35 GDPR (regardless of employee count)

3. **Business purpose involves personal data transfer** or market research (regardless of employee count)

### DPO Qualifications

**Required qualifications:**
- Professional knowledge of data protection law and practices
- Ability to fulfill tasks under Art. 39 GDPR
- No conflict of interest with other duties

**Recommended qualifications:**
- Certification (e.g., TÜV, DEKRA, GDD)
- Legal or IT background
- Understanding of business processes

### DPO Independence (§ 38(2) BDSG)

- Cannot be dismissed for performing DPO duties
- Dismissal protection extends for one year after the appointment ends
- Entitled to the resources and training needed for the role
- Reports directly to the highest management level

---

## Employment Data

### § 26 BDSG - Processing of Employee Data

**Lawful processing for employment purposes:**

1. **Establishment of employment** (recruitment)
   - CV processing
   - Reference checks
   - Background verification (limited scope)

2. **Performance of employment contract**
   - Payroll processing
   - Working time recording
   - Performance evaluation

3. **Termination of employment**
   - Exit interviews
   - Reference provision
   - Legal claims handling

### Consent in Employment Context

**Special requirements:**
- Consent must be voluntary (difficult in employment relationship)
- Power imbalance must be considered
- Written or electronic form required
- Employee must receive copy

**When consent may be valid:**
- Additional voluntary benefits
- Photo publication (with genuine choice)
- Optional surveys

### Employee Monitoring

**Permitted (with justification):**
- Email/internet monitoring (with policy and proportionality)
- GPS tracking of company vehicles (business use)
- CCTV in certain areas (not changing rooms, toilets)
- Time and attendance systems

**Prohibited:**
- Covert monitoring (except criminal investigation)
- Keystroke logging without notice
- Private communication interception

### Works Council Rights

Under Betriebsverfassungsgesetz (BetrVG):
- Co-determination on technical monitoring systems (§ 87(1) No. 6)
- Information rights on data processing
- Must be consulted before implementation

---

## Video Surveillance

### § 4 BDSG - Video Surveillance of Public Areas

**Permitted for:**
1. Public authorities - for their tasks
2. Private entities - for:
   - Protection of property
   - Exercising domiciliary rights
   - Legitimate purposes (documented)

**Requirements:**
- Signage indicating surveillance
- Retention limited to purpose
- Regular review of necessity
- Access limited to authorized personnel

### Technical Requirements

**Signs must include:**
- Fact of surveillance
- Controller identity
- Contact for rights exercise

**Data retention:**
- Delete recordings as soon as they are no longer necessary for the purpose
- Typically a maximum of 72 hours
- Longer retention requires a specific, documented justification

### Balancing Test Documentation

Document for each camera:
- Purpose served
- Alternatives considered
- Privacy impact
- Proportionality assessment
- Technical safeguards

---

## Credit Scoring

### § 31 BDSG - Credit Information

**Requirements for scoring:**
- Scientifically recognized mathematical procedure
- Core elements must be explainable
- Not solely based on address data

**Data subject rights:**
- Information about score calculation (general logic)
- Factors that influenced score
- Right to explanation of decision

### Creditworthiness Assessment

**Permitted data sources:**
- Payment history with data subject consent
- Public registers (Schuldnerverzeichnis)
- Credit reference agencies (Auskunfteien)

**Prohibited practices:**
- Social media profile analysis for credit decisions
- Using health data
- Processing special categories for scoring

### Credit Reference Agencies (Auskunfteien)

Major agencies:
- SCHUFA Holding AG
- Creditreform
- infoscore Consumer Data GmbH
- Bürgel

**Data subject rights with agencies:**
- Free self-disclosure once per year
- Correction of inaccurate data
- Deletion after statutory periods

---

## State Data Protection Laws

### Landesdatenschutzgesetze (LDSG)

Each German state has its own data protection law for public bodies:

| State | Law | Supervisory Authority |
|-------|-----|----------------------|
| Baden-Württemberg | LDSG BW | LfDI BW |
| Bayern | BayDSG | BayLDA |
| Berlin | BlnDSG | BlnBDI |
| Brandenburg | BbgDSG | LDA Brandenburg |
| Bremen | BremDSGVOAG | LfDI Bremen |
| Hamburg | HmbDSG | HmbBfDI |
| Hessen | HDSIG | HBDI |
| Mecklenburg-Vorpommern | DSG M-V | LfDI M-V |
| Niedersachsen | NDSG | LfD Niedersachsen |
| Nordrhein-Westfalen | DSG NRW | LDI NRW |
| Rheinland-Pfalz | LDSG RP | LfDI RP |
| Saarland | SDSG | ULD Saarland |
| Sachsen | SächsDSG | SächsDSB |
| Sachsen-Anhalt | DSG LSA | LfD LSA |
| Schleswig-Holstein | LDSG SH | ULD |
| Thüringen | ThürDSG | TLfDI |

### Public vs Private Sector

**Public sector (Länder laws apply):**
- State government agencies
- State universities
- State healthcare facilities
- Municipalities

**Private sector (BDSG applies):**
- Private companies
- Associations
- Private healthcare providers
- Federal public bodies

---

## German Supervisory Authorities

### Federal Level

**BfDI - Bundesbeauftragte für den Datenschutz und die Informationsfreiheit**
- Responsible for federal public bodies
- Responsible for telecommunications and postal services
- Representative in EDPB

### State Level Authorities

**Competence:**
- Private sector entities headquartered in the state
- State public bodies

### Determining Competent Authority

For the private sector:
1. Identify the location of the main establishment
2. The DPA of that state is the lead supervisory authority
3. Cross-border processing triggers the cooperation procedure with the other concerned authorities

### Fines and Enforcement

**BDSG fine provisions (§ 41):**
- Up to €50,000 for certain violations (supplement to GDPR)
- GDPR fines up to €20 million / 4% turnover apply

**German enforcement characteristics:**
- Generally cooperative approach first
- Written warnings common
- Fines increasing since GDPR
- Public naming of violators

---

## Compliance Checklist for Germany

### BDSG-Specific Requirements

- [ ] DPO appointed if 20+ employees process personal data
- [ ] DPO registered with supervisory authority
- [ ] Employee data processing documented under § 26
- [ ] Works council consultation completed (if applicable)
- [ ] Video surveillance signage in place
- [ ] Scoring procedures documented (if applicable)

### Documentation Requirements

- [ ] Records of processing activities (German language)
- [ ] Employee data processing policies
- [ ] Video surveillance assessment
- [ ] Works council agreements

### Supervisory Authority Engagement

- [ ] Competent authority identified
- [ ] DPO notification submitted
- [ ] Breach notification procedures in German
- [ ] Response procedures for authority inquiries

---

## Key Differences from GDPR-Only Compliance

| Aspect | GDPR | German BDSG Addition |
|--------|------|----------------------|
| DPO threshold | Risk-based | 20+ employees |
| Employment data | Art. 88 opening clause | Detailed § 26 requirements |
| Video surveillance | Legitimate interests | Specific § 4 rules |
| Credit scoring | Art. 22 | Detailed § 31 requirements |
| Works council | Not addressed | Co-determination rights |
| Fines | Art. 83 | Additional § 41 fines |
