Data residency regulations require businesses operating in a given country to store and secure consumers' personal information on servers within that country's borders. By the same token, companies that want to operate in Germany must be able to comply with German data privacy law.
Germany is often mentioned alongside China's PIPL as a jurisdiction with strict rules on cross-border personal data, although, as discussed below, German law mainly restricts transfers out of the EU/EEA rather than mandating storage inside Germany. About 133 countries worldwide have established data protection regulations to secure citizens' personal information.
A report by UNCTAD (the United Nations Conference on Trade and Development) shows that about 20 more countries are already preparing draft data privacy laws. Without a doubt, these changes in data protection policy will affect the way companies do business worldwide.
Multinational companies must put strategies in place to comply with these numerous country-specific data residency laws. For instance, companies operating in Germany must consider that the country is also part of the EU, so the strategies they adopt must comply with both the EU's GDPR and German national data protection law.
It can be challenging to keep up with these data residency laws by country. In this blog, we will review critical German data privacy laws and how your business can comply with data residency regulations without negatively affecting your operations and workflow.
To Whom Do German Data Privacy Laws Apply?
Germany's data protection laws affect different entities in different ways. The German Federal Data Protection Act ("Bundesdatenschutzgesetz" or "BDSG") applies to federal public bodies and to private (non-public) bodies; public bodies of the Länder (states) are covered by the data protection law of the respective state.
The Telekommunikation-Telemedien-Datenschutz-Gesetz ("TTDSG"), in force since 1 December 2021, applies to providers of telecommunications and telemedia services, which includes operators of websites and apps. In particular, Section 25 TTDSG requires consent before information is stored on or read from an end user's device (cookies and similar technologies) unless doing so is strictly necessary for a service the user has requested.
If your business is outside the EU but processes the personal data of people in Germany to offer them goods or services or to monitor their behaviour (Art. 3(2) GDPR), the GDPR applies to you, and the BDSG extends its own scope to such controllers as well (Section 1(4) BDSG).
To put it in context, here is a breakdown of specific German data protection laws and entities they apply to.
- Old BDSG (in force until 24 May 2018) – applied to federal public bodies, to state public bodies in certain cases, and to private bodies processing personal data.
- New BDSG (in force since 25 May 2018) – supplements the GDPR through its opening clauses and transposes the EU Law Enforcement Directive. It applies to federal public bodies and to private businesses, including multinational corporations, with operations within German borders.
- TTDSG (in force since 1 December 2021) – applies to providers of telecommunications and telemedia services, including operators of websites and apps that store or access information on users' devices.
Key German Data Privacy Laws to Worry About
Germany has a long history of data protection legislation: the state of Hesse passed the world's first data protection act in 1970, and the first Federal Data Protection Act (BDSG) was passed in 1977 and took effect in 1978. Since then, other EU member states have followed suit in creating data protection regulations.
Germany was the first EU member state to pass a national law adapting its legislation to the GDPR: the new BDSG was adopted in 2017 and has applied since 25 May 2018, the same day the GDPR became applicable. Part 3 of the new BDSG also transposes the EU Law Enforcement Directive (Directive (EU) 2016/680).
The Second Data Protection Adaptation Act (2. DSAnpUG-EU), in force since 26 November 2019, aligned the BDSG and more than 150 other federal laws with the GDPR and amended the BDSG substantially, for example by raising the threshold for a mandatory data protection officer from 10 to 20 employees regularly involved in automated processing.
Another German law business owners need to watch is the Telecommunications Telemedia Data Protection Act (TTDSG), which took effect on 1 December 2021. It consolidates the data protection provisions of the former Telecommunications Act (TKG) and Telemedia Act (TMG) and implements the requirements of the EU ePrivacy Directive (2002/58/EC), most visibly the consent requirement for cookies and similar technologies.
Let's look at some of the regulatory frameworks behind German privacy law and how they affect your business in detail.
#1 Data Localization & Transfer
The first thing to get right is what "localization" actually means in Germany. Neither the GDPR nor the BDSG contains a general requirement that personal data originating in Germany stay within German borders; personal data moves freely within the EU and EEA (Art. 1(3) GDPR). What German law does restrict is the transfer of personal data to countries outside the EU/EEA, and some sector-specific rules (for example, German tax law's requirements on where electronic accounting records are kept) constrain particular record types.
Transfers to third countries are governed by Chapter V of the GDPR (Articles 44-50). A transfer is permitted if the European Commission has issued an adequacy decision for the destination country (Art. 45). Otherwise the exporter must put appropriate safeguards in place (Art. 46), most commonly the Commission's standard contractual clauses (SCCs) or approved binding corporate rules (BCRs), and since the CJEU's Schrems II judgment (C-311/18) must also assess whether the destination country's laws undermine those safeguards in practice.
Consent is not the main transfer mechanism; it is one of the narrow derogations in Art. 49, meant for occasional, non-systematic transfers where neither an adequacy decision nor appropriate safeguards are available. It is valid only if it is explicit and the data subject was informed beforehand of the possible risks of the transfer in the absence of an adequacy decision and safeguards (Art. 49(1)(a)), and it can be withdrawn at any time.
Ad hoc contractual clauses, and administrative arrangements between public bodies, require prior authorisation from the competent supervisory authority (Art. 46(3)). Standard contractual clauses do not need case-by-case approval, and binding corporate rules are approved once under Art. 47 rather than per transfer.
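The transfer rules above form an ordered decision procedure that a data-flow inventory can be checked against automatically. The following is an added example, not InCountry code or legal advice: a small gate that walks Chapter V in order (inside the EU/EEA, adequacy decision, Art. 46 safeguards with a completed transfer impact assessment, authorised ad hoc clauses, then the consent derogation) and blocks anything else. The country lists are constructed subsets and must be maintained from the Commission's published decisions; note that a flat country list is a simplification, since some decisions (the EU-US Data Privacy Framework, for example) cover only certified importers rather than a whole country. The flow names and the `Transfer` fields are assumptions for the example.

```python
"""Transfer gate for GDPR Chapter V (Arts. 44-50).

Added, illustrative engineering control; not InCountry code and not legal
advice. EEA and ADEQUATE are constructed subsets: maintain them from the
European Commission's adequacy decisions before relying on this check.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional

# Constructed subset of EU/EEA ISO 3166-1 alpha-2 codes (Art. 1(3): free movement).
EEA: FrozenSet[str] = frozenset({"DE", "FR", "NL", "IE", "AT", "IT", "ES", "NO", "IS", "LI"})
# Constructed subset of destinations covered by an Art. 45 adequacy decision.
ADEQUATE: FrozenSet[str] = frozenset({"CH", "GB", "JP", "KR", "NZ", "IL", "AR", "UY"})


class Mechanism(Enum):
    INTRA_EEA = "within EU/EEA, no transfer restriction (Art. 1(3))"
    ADEQUACY = "adequacy decision (Art. 45)"
    BCR = "binding corporate rules (Art. 46(2)(b), Art. 47)"
    SCC = "standard contractual clauses (Art. 46(2)(c))"
    AD_HOC = "ad hoc clauses authorised by the supervisory authority (Art. 46(3))"
    CONSENT = "explicit, informed consent (Art. 49(1)(a))"


@dataclass
class Transfer:
    destination: str                            # ISO country code of the importer
    safeguards: FrozenSet[str] = frozenset()    # subset of {"BCR", "SCC", "AD_HOC"}
    tia_completed: bool = False                 # transfer impact assessment done (Schrems II, EDPB Rec. 01/2020)
    ad_hoc_authorised: bool = False             # supervisory authority approved the ad hoc clauses
    consent_explicit: bool = False
    consent_risks_disclosed: bool = False       # data subject informed of the transfer risks
    repetitive: bool = False                    # derogations are for occasional transfers (EDPB Guidelines 2/2018)


@dataclass
class Decision:
    allowed: bool
    mechanism: Optional[Mechanism]
    reason: str


def evaluate(t: Transfer) -> Decision:
    """Walk Chapter V in order: EEA, adequacy, safeguards, derogation, block."""
    dest = t.destination.upper()
    if dest in EEA:
        return Decision(True, Mechanism.INTRA_EEA, "destination inside EU/EEA")
    if dest in ADEQUATE:
        return Decision(True, Mechanism.ADEQUACY, f"adequacy decision covers {dest}")
    # Art. 46 tools are only sound if the exporter assessed the destination's laws.
    for tag, mech in (("BCR", Mechanism.BCR), ("SCC", Mechanism.SCC)):
        if tag in t.safeguards:
            if not t.tia_completed:
                return Decision(False, None, f"{tag} present but no transfer impact assessment")
            return Decision(True, mech, f"{tag} with completed transfer impact assessment")
    if "AD_HOC" in t.safeguards:
        if not t.ad_hoc_authorised:
            return Decision(False, None, "ad hoc clauses need supervisory authority authorisation")
        return Decision(True, Mechanism.AD_HOC, "authorised ad hoc clauses")
    if t.consent_explicit:
        if t.repetitive:
            return Decision(False, None, "consent derogation is not a basis for systematic transfers")
        if not t.consent_risks_disclosed:
            return Decision(False, None, "consent invalid: risks of the transfer were not disclosed")
        return Decision(True, Mechanism.CONSENT, "explicit consent after risk disclosure")
    return Decision(False, None, f"no Chapter V mechanism for transfer to {dest}")


# Constructed sample data flows of a hypothetical German controller.
SAMPLE_FLOWS: Dict[str, Transfer] = {
    "crm-eu-replica": Transfer("FR"),
    "payroll-uk": Transfer("GB"),
    "support-vendor-us": Transfer("US", frozenset({"SCC"}), tia_completed=True),
    "analytics-us-no-tia": Transfer("US", frozenset({"SCC"})),
    "one-off-india": Transfer("IN", consent_explicit=True, consent_risks_disclosed=True),
    "backup-sg": Transfer("SG"),
}


def audit(flows: Dict[str, Transfer] = SAMPLE_FLOWS) -> Dict[str, str]:
    """Return the flows that must be blocked, mapped to the reason for each."""
    return {name: evaluate(t).reason for name, t in flows.items() if not evaluate(t).allowed}


if __name__ == "__main__":
    for name, reason in audit().items():
        print(f"BLOCK {name}: {reason}")
```

Run against the constructed inventory, the gate blocks the US analytics flow (SCCs without a transfer impact assessment) and the Singapore backup (no mechanism at all), and lets the rest through with the mechanism recorded, which is the audit trail a supervisory authority will ask for. The ordering matters: consent is evaluated last, so a flow never ends up relying on the derogation when an adequacy decision or SCCs would carry it.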
#2 Privacy Provisions & Consent
Another area addressed by German privacy law is the lawfulness of processing. A controller, i.e. the organisation that determines the purposes and means of processing personal data (Art. 4(7) GDPR), may process personal data only on one of the six legal bases listed in Article 6(1) GDPR: consent, performance of a contract, a legal obligation, vital interests, a public task, or legitimate interests. Special categories of data (health, biometric, religious and similar data) additionally require one of the exceptions in Article 9, which Section 22 BDSG supplements.
Where the controller relies on consent, it must be freely given, specific, informed and unambiguous (Art. 4(11)); it may be given electronically, the controller must be able to demonstrate that it was given, and the data subject can withdraw it at any time (Art. 7(3)).
Regardless of the legal basis, the controller must inform the data subject about the purposes and scope of the processing (Arts. 13 and 14). Where processing relies on legitimate interests (Art. 6(1)(f)) rather than consent, the controller should document a three-part test: the interest pursued, the necessity of the processing for that interest, and a balancing of that interest against the data subject's rights and freedoms.
The purpose of collection must be specified before personal data is collected, and the data may not be further processed in a manner incompatible with that purpose (purpose limitation, Art. 5(1)(b)). Whether a new purpose is compatible is assessed under Art. 6(4); a genuinely different purpose needs its own legal basis.
#3 Data Protection Enforcements & Fines
Supervision in Germany is split. The Federal Commissioner for Data Protection and Freedom of Information (BfDI) oversees federal public bodies and telecommunications and postal service providers, while the data protection authorities of the 16 Länder supervise the public bodies of their state and the private companies established there. In several states, the data protection authority is also the freedom of information commissioner.
Business owners and multinational corporations that fail to comply with these regulations face substantial fines. Supervisory authorities are authorised to impose them, taking into account the nature, gravity and duration of the infringement (Art. 83(2) GDPR).
For the most serious infringements, fines reach up to €20 million or 4 percent of worldwide annual turnover, whichever is higher (Art. 83(5)). The German authorities, acting jointly as the Datenschutzkonferenz (DSK), published a fining concept (Bußgeldkonzept) in 2019 that derives a base amount from the company's annual turnover and then adjusts it for the severity of the infringement. The concept does not bind the courts: in the 1&1 case, the Bonn Regional Court reduced a €9.55 million fine to €900,000 because turnover alone cannot determine the amount.
A well-known example is the €35.3 million fine the Hamburg data protection authority imposed on the fashion retailer H&M in October 2020 for unlawful surveillance of employees at a service center in Nuremberg.
The GDPR also requires controllers and processors to implement appropriate technical and organisational measures against the risks of a breach (Art. 32), so that a compromise does less damage to the people whose data is affected.
When a personal data breach does occur, the controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Art. 33), and must inform the affected data subjects without undue delay where the risk is high (Art. 34). Infringements of these obligations carry fines of up to €10 million or 2 percent of worldwide annual turnover, whichever is higher (Art. 83(4)).
It is essential for companies to put processes in place that detect personal data breaches, assess their risk, and report them to the authority within the stipulated time. The 72-hour clock starts when the controller becomes aware of the breach, not when the investigation ends, so an initial notification may be filed and then supplemented in phases (Art. 33(4)).
BDSG vs. GDPR
Since its first adoption, German data protection law has been firm in ensuring data privacy and protection for everyone whose data is processed in Germany. It is essential to note that the new BDSG was drafted to use the opening clauses of the GDPR.
When drafting the GDPR, the EU left roughly 70 opening clauses that allow member states to supplement or specify its rules in national law. As a result, multinational corporations must build data residency strategies that cover these national variations.
The new BDSG replaced the old one and complements the GDPR. In addition to federal public bodies, it applies to privately owned businesses located in Germany.
The GDPR takes precedence: as an EU regulation it applies directly in Germany, and the BDSG applies only where the GDPR leaves room through an opening clause or does not apply at all (Section 1(2) BDSG). Where the two conflict, the GDPR prevails.
Although a complement to the GDPR, the new BDSG is unique in several ways, for example its threshold for a mandatory data protection officer (20 employees regularly involved in automated processing, Section 38 BDSG), its rules on employee data (Section 26 BDSG), and its additional conditions for processing special categories of data (Section 22 BDSG). The table below explains some of the differences between the GDPR and the German BDSG.
How to Stay Compliant with Germany’s Data Privacy Laws
Complying with German data residency laws may seem difficult given the ever-changing legislative landscape and the national privacy laws layered on top of the GDPR. However, it is achievable with the right strategies.
Multinational companies are now considering data residency-as-a-service solutions as a compliance strategy. With data residency-as-a-service, companies can meet the data localization and cross-border transfer requirements that apply to personal data of people in Germany.
InCountry's Data Residency-as-a-Service solution offers seamless integration with cloud service providers and makes compliance with German national data privacy laws easier, so that businesses spend less effort tracking the different regulations and state-level policies on data privacy.
Furthermore, InCountry provides the infrastructure to help your business store sensitive data according to the regulations of German data privacy laws. These solutions empower companies to continue business operations in Germany without worrying about non-compliance with data laws.
Contact our experts if you need more details on how to comply with data residency laws or want to discuss our solutions.