Planned changes to the German Federal Data Protection Act

The amendments to the German Federal Data Protection Act are intended to strengthen the existing level of data protection. We discuss the proposed changes and point out their impact on companies.

Since 28 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR) has been in force in the countries of the European Union, which has harmonized the regulations for the processing of personal data of natural persons. In Germany, the EU level of personal data protection is supplemented by the German Federal Data Protection Act (Bundesdatenschutzgesetz, hereinafter: BDSG).

The BDSG is being amended with the aim of standardizing and strengthening data protection.

Planned changes:

  • Data Protection Conference (DSK)

The data protection supervisory authority will be strengthened in its role as a coordinating body of the data protection authorities through the legal standardization in § 16a BDSG.

 The planned amendment proposes that the federal and state supervisory authorities form the Conference of Independent Federal and State Data Protection Supervisory Authorities (Data Protection Conference). By naming all federal and state supervisory authorities in § 16a without differentiating between public and non-public bodies, the fact that there may be different supervisory authorities for public and non-public bodies in a country is taken into account.

This Act does not include a provision on the legally binding nature of DSK decisions, as this would affect constitutional limits due to the prohibition of mixed administration. 

  • Legal basis for credit scoring

In our article with the title ,,Stricter rules for credit scoring’’ we already reported that the ECJ has found that the current Schufa scoring violates the GDPR. The introduction of § 37a BDSG is therefore intended to create a legal basis for credit scoring, thereby creating more transparency and avoiding discrimination.

As scoring procedures can have wide-ranging effects on whether and under what conditions the data subject is granted access to certain contractual relationships and services, it is important that the requirements set out in § 37a BDSG regarding the statistical quality and relevance of the data used are carefully checked.

Data must be carefully checked. As intended for high-risk AI systems, this review should be carried out by an external, independent body.

  • Strengthening the right to information

The amendment to § 34 BDSG is intended to strengthen the right to information in accordance with Art. 15 GDPR. In § 34 BDSG, it should be clarified that the right of access under Article 15 GDPR cannot be restricted by private law, but only by public law statutes.

  • Clarification of the requirement of domestic relevance

The draft act containing the need for an amendment to § 1, indicates that the BDSG only applies if the data processing has a national connection. The planned amendment also touches on the reformulation of the existing wording of the provision, in terms of stating that § 1 BDSG is only addressed to non-public bodies.

  • One contact point for companies

For better enforcement and consistency, companies and research institutions with cross-border projects should be able to be subject to only one national data protection supervisory authority.

  • Video monitoring

The possibility of monitoring public places on the basis of § 4 sec. 1 BDSG is now to be restricted to authorities. Private entities, in turn, will only be able to cite Art. 6 sec. 1 letter f) GDPR as the legal basis for the use of monitoring.

According to the proposed amendment, the monitoring of publicly accessible areas with optical-electronic equipment (monitoring) by authorities is only permitted if it is necessary for the fulfillment of their tasks, including the exercise of their domestic authority, and there are no indications that the interests of the persons concerned worthy of protection prevail.

Company data protection officer

The Federal Council’s Committee on Internal Affairs has proposed abolishing the obligation to appoint data protection officers in companies. The supporters of the abolition of the above-mentioned requirement justify their position with the overall objective of the adopted EU regulation, according to which small and medium-sized companies should not be overburdened by bureaucracy. Furthermore, a risk-based approach should be adopted for the protection of personal data, while the legal requirement of 20 employees represents a limit that is completely independent of any risk. However, this proposal was not adopted. As a result, the current provisions of § Article 37 BDSG remain in place.

If you have any further questions, please contact our law firm on +49 (0) 40 180 364 020 or

Do you have any questions or require our consultation?

Contact us. We will further help you.