It was one of the last big projects of the current Federal Government: the old German Federal Data Protection Act (BDSG), which dates back 40 years, had to be adapted to the impending EU General Data Protection Regulation (EU-GDPR). The renamed “BDSG-new” contains regulations that fill in the so-called “flexibility clauses” (opening clauses) of the GDPR. These clauses leave the member states leeway in applying the provisions in question, and the national legislators spell them out in concrete terms. Besides many other important reforms, the handling of personal data when using whistleblowing systems is subject to new rules.
Within the scope of an employment relationship, data controllers processing special categories of personal data must verify whether their processing is strictly necessary. Those controllers are still obliged to evaluate whether the interests of the employee outweigh those of the company or vice versa. According to the legislation, it must be ruled out that the affected person's legitimate interest in not having the data processed prevails.
Therefore, comprehensive protection measures must be taken when processing personal data: the more thoroughly the sensitive data are technically protected, the more likely the balancing of interests with regard to the intended processing is decided in favour of that processing. This is the case when compliance applications ensure the protection of the data through comprehensive technical and organizational measures. These include, for example, strong encryption methods, pseudonymization, or defined authorization structures.
However, the compliance applications of many providers may not meet these strict requirements. External certifications provide information on the precautions a provider has taken. The law is controversial: experts criticize it as too complex to be implemented on time. Moreover, drawing a clear line between BDSG-new and the GDPR is equally difficult for companies and consumers. This legal uncertainty is likely to prove an extra burden for companies.
Beginning on 25 May 2018, the GDPR will be directly applicable in all EU member states. The BDSG-new then also enters into force. Until then, the requirements of both legislative texts have to be implemented. In the event of infringement of the regulations, data protection law moves closer to antitrust law: companies are subject to a fine of up to € 20 million or four percent of annual turnover (whichever is higher). Companies are advised to engage intensively with the new data protection requirements.