R&C: Could you provide some context as to the introduction of the new Federal Data Protection Act (FDPA) in Germany? To what extent have lawmakers aligned this legislation with the core components of the European General Data Protection Regulation (GDPR)?

Lehmann: The new German Federal Data Protection Act (FDPA) was only recently enacted, after a long discussion. It was published in the German Federal Law Gazette on 5 July 2017. However, the FDPA’s objective is obviously not to provide comprehensive data protection legislation; instead, German lawmakers tried to make use of those provisions in the GDPR that allow the Member States some leeway or even allow for deviation from the GDPR. It was German lawmakers’ aim to preserve as much as possible from existing German data protection legislation. For example, even though the GDPR would allow for a less strict regime with respect to the necessity of having an internal data protection officer, the new FDPA more or less repeats what the ‘old’ German Federal Data Protection Act already required, namely, that any company with more than 10 people involved the processing of data has to have an internal data protection officer. With regard the processing of employees’ data, the FDPA only sets forth what was already more or less common sense under the old Federal Data Protection Act and with regard to the Federal Labour Courts case law, without making a notable addition or aligning it with the GDPR.

Oct-Dec 2017 Issue