Data Privacy & Transfer in Investigations

Last verified on Monday 2nd November 2020

Data Privacy & Transfer in Investigations: Germany

Wolf Bussian

Allen & Overy LLP

All questions

1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data?

Germany

The EU General Data Protection Regulation (2016/679) (the GDPR) is directly applicable in this jurisdiction.

The German Federal Data Protection Act (the BDSG) adapts the application of the rules of the GDPR in Germany where the GDPR provides for opening clauses. It particularly regulates the processing of employee personal data and provides for exemptions to articles 13 to 15 of the GDPR. Apart from that, the majority of the provisions of the BDSG only apply to the data processing by public bodies and authorities, in which case the BDSG is further accompanied by state law regulations.

Furthermore, there are specific data privacy provisions in German laws, mainly providing for a purpose limitation. In relation to investigations, the Telecommunication Act restricting access to telecommunication data, such as business email accounts or business phones or the browsing history of internet browsers, as long as the telecommunication process is ongoing.

As far as personal data is concerned, data privacy rules have to be considered and complied with when processing personal data in internal investigations (see question 7 for more details). In practice, reliance on statutory legal grounds for processing is often the preferred option as consent can be withheld and withdrawn by data subjects at any time.

In the context of internal investigations, sections 24 and 26 of the BDSG and article 6 of the GDPR can provide valid legal grounds for processing where the personal data of employees or other third parties is concerned. However, it is mandatory to balance the data subject’s interests against those of the controller (eg, the employer), and processing of personal data is only permitted if the processing is proportionate in relation to the purposes for which the data is processed and if the data subject’s interests do not outweigh the controller’s interest. As the controller’s interest in processing personal data in the context of an investigation must be necessary, adequate and proportionate, each step of investigation should be assessed individually in terms of compliance with data protection laws.

This applies to an even greater extent where the use or communication content of email, internet or phone is reviewed as there are various requirements and restrictions that have to be considered. Such processing might even lead to criminal sanctions in Germany.

Answer contributed by Wolf Bussian

2. What other laws and regulations may prevent data sharing in the context of an investigation?

Germany

Bank secrecy

Subject to limited exemptions, credit institutions (as defined in section 1(1) of the German Banking Act) must not disclose confidential client data to (i) third parties; or (ii) persons within the same bank who are not involved with the client-bank relationship.

The German bank secrecy rules are not codified in laws but are customary law. One leading view is that bank secrecy rules constitutes an accessory obligation of the banking contract between a credit institution, bank or financial institution and its client. However, the exact scope of the obligations remains unclear.

A credit institution’s duty to observe bank secrecy rules is contained in section 2(1) of the German Banks’ Standard General Terms and Conditions (AGB-Banken), which a bank with a branch in Germany may or may not subscribe to. Under the German bank secrecy rules, the credit institution, bank, etc, is, in principle, not entitled to disclose the identity of its clients or any client-related information enabling the identification of the client. German bank secrecy rules apply to information relating to both individuals and corporations in connection with client relationships of (German or non-German) credit institutions, banks etc. that are governed by German law, irrespective of whether the credit institution, bank, etc, is operating via a branch or entity within Germany or validly on a cross-border basis.

Anonymised data, however, would not be included in the scope of bank secrecy rules.

Bank secrecy rules can generally only be lifted if the client consents or other justification (including under data protection laws) is given. It is accepted that bank secrecy rules shall not limit the functioning of the credit institution and, for example, not prohibit internal audits and investigations related to internal processes and matters as this would also not be in the interest of the client.

A breach of German bank secrecy rules may lead to contractual damage claims from clients. Where significant violations of bank secrecy rules impair the proper conduct of banking business, the Federal Financial Services Supervisory Authority (BaFin) could take measures to counteract such violations.

Employment Law

If a works council is established at a company, two participation rights of the works council should be considered in the context of investigations concerning employee personal data.

First, the works council has information rights under section 80(2) sentence 1 of the German Works Constitution Act (BetrVG). With respect to employees that the works council is competent for, the employer must inform the works council in a timely and comprehensive manner about its intention to access employees’ emails and its intention to transfer employee data so that the works council can review compliance with relevant laws that protect the rights of employees.

The employer must inform the works council, prior to accessing employees’ emails and transferring employee data, of the scope and extent of its intended access. Complex information may have to be given in writing to the works council and the works council should have time to provide feedback on the intended measures prior to their execution. In case of infringement of this information right, the works council can file a claim enforcing its information right. Further consequences or penalties are unlikely and, according to current case law, non-compliance with the information right should not impact the employer’s ability to use findings of otherwise validly collected data as evidence against an employee in court proceedings.

Second, there is a co-determination right pursuant to section 87(1) no. 6 of the BetrVG. This means that the employer must not implement or use technical measures for reviewing emails, video interviews or data mining before reaching an agreement with the works council. This right is triggered easily where software or other technical measures are used for the evaluation of emails or other employee data. It does not matter whether a third party uses the software in the interests of the employer or the employer uses it itself. The scope of application is very broad according to German employment case law, but would, for example, not be triggered where already existing physical documents (print outs, letters, etc) are reviewed manually. The works council also has a co-determination right if the matter concerns the organisation of the operation or the behaviour of the employees. This would be the case if the employees’ private emails are to be reviewed.

If the employer implements the measure (eg, screening the emails with new software) without the agreement of the works council, the works council can file a preliminary injunction to stop the processing.

We note that (i) one employer might have multiple works councils and also that (ii) the works council is generally not competent for employees in managerial position (leitender Angestellter). Regarding information and internal investigation, we note that the works council is only competent for Germany-based employees with a German employment contract.

Telecommunication Law

Further restrictions on data transfer in the context of an investigation may arise under the German Telecommunication Act (see question 11 for further details).

Answer contributed by Wolf Bussian

3. What can constitute personal data for the purposes of data protection laws?

Germany

The GDPR defines “personal data” as any data relating to a living individual (ie, not a legal person) who can be identified directly or indirectly from that data, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that living person.

Data that are truly anonymised will not be “personal data” for the purposes of the GDPR, as they do not identify the individual. Data are not truly anonymised if the data could re-identify the individuals to which the data relates by reasonably available means.

Answer contributed by Wolf Bussian

4. Does personal data protection relate only to natural persons or also legal persons?

Germany

Under the GDPR, personal data protection only extends to natural living persons. It does not cover legal persons or deceased natural persons.

Answer contributed by Wolf Bussian

5. To whom do data protection laws apply?

Germany

The direct obligations under the GDPR apply primarily to controllers. A controller is defined in the GDPR as a person who (either alone or jointly with others) determines the purposes for which and the manner in which any personal data are processed.

However, the GDPR also imposes certain direct obligations on processors. A processor is defined in the GDPR as a person who processes personal data on behalf of the controller.

Answer contributed by Wolf Bussian

6. What acts or operations on personal data are regulated by data protection laws?

Germany

The GDPR applies to "processing", which is defined broadly and includes any activity in relation to personal data (whether or not by automated means). A number of examples are provided in the GDPR, including the collection, use, disclosure and destruction or erasure of personal data.

Answer contributed by Wolf Bussian

7. What are the principal obligations on data controllers to ensure the proper processing of personal data?

Germany

A privacy notice should be provided to the data subject at the time the personal data is obtained (unless an exemption applies). In all circumstances, this must include (as per articles 13 and 14 of the GDPR):

  • the identity and contact details of the controller;
  • the contact details of the data protection officer, where applicable;
  • the purposes and legal basis for the processing (including any legitimate interests relied upon where this is the legal basis for processing);
  • the categories of personal data concerned;
  • any recipients or categories of recipients of the personal data; and
  • where applicable, the fact that the controller intends to transfer personal data to a third country, the existence (or absence) of an adequacy decision by the European Commission and, if there is no adequacy decision, the safeguards used for the transfer of that personal data (see question 16).

The controller should also inform the data subject of the period for which their personal data will be stored; the existence of the right to request access, rectification or erasure; the right to restrict the processing; the right to object to the processing; the right to data portability; the existence of automated decision making (including profiling); and the right to lodge a complaint with a supervisory authority.

If the personal data has been obtained directly from the data subject, article 13 of the GDPR will apply and the controller must also inform the data subject whether the provision of personal data is subject to a statutory or contractual requirement and of any potential consequences of failing to provide that personal data.

It may be the case in an investigations context that personal data has not been obtained directly from the data subject. If this is the case, article 14 of the GDPR will apply and the fair processing information given to data subject must also include the categories of personal data processed, the source of personal data and details of any personal data obtained from directly accessible sources.

In Germany, lawyers are exempted from providing information due to professional secrecy rules under article 14(5) lit. d) of the GDPR, section 29(1) sentence 2 of the BDSG, section 43a(2) of the German Federal Lawyers’ Act and section 203 of the German Criminal Code.

Relating to investigations, German supervisory authorities accept that the information of data subjects can be withheld to not “tip off” data subjects until the investigation is completed. This is based on the exemption that providing the information is likely to render impossible or seriously impair the achievement of the objectives of that processing under article 14(5) of the GDPR and sections 29, 33 of the BDSG. From the explicit wording or article 14(5) GDPR and sections 29, 33 of the BDSG, it is not entirely clear whether the information has to be provided once the investigation is complete (ie, whether it is an exemption to the information obligations or only a suspension). There is no judgment on this issue yet.

The GDPR sets out a number of data protection principles that controllers must comply with. The first principle is that personal data must be processed “lawfully, fairly and in a transparent manner”. This means that data cannot be processed unless there is a legal basis under article 6 of the GDPR. The following legal bases are available:

  • the data subject has given his or her consent to the processing for one or more specific purposes;
  • the processing is necessary for the performance of a contract to which the data subject is a party or for the taking of steps at the request of the data subject with a view to entering into a contract;
  • the processing is necessary for compliance with a legal obligation to which the controller is subject;
  • the processing is necessary to protect the vital interests of the data subject or another natural person;
  • the processing is necessary for performing tasks in the public interest or in the exercise of official functions by the controller; or
  • the processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where the processing is unwarranted by reason of prejudice to the interests and fundamental rights and freedoms of the data subject. In the context of investigations, for example, pursuing or defending civil claims or preventing damages or criminal liability of both the controller as well as other group companies could serve as legitimate interest.

In respect of sensitive data (or “special categories of personal data”), the processing must also comply with one of the stricter legal bases set out in article 9 of the GDPR and stricter organisational and technical security measures required under section 22 of the BDSG. Sensitive data is defined as information relating to: racial or ethnic origin; political opinions; religious and philosophical beliefs; trade union membership; genetic data and biometric data for the purpose of uniquely identifying a natural person; data concerning health; and sex life and sexual orientation. In an investigations context, relevant conditions for the processing of sensitive data may include where:

  • the individual has given their explicit consent to the processing for one or more specified purposes;
  • the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or
  • the processing is necessary for reasons of substantial public interest, on the basis of Union or member state law, where this is proportionate to the relevant aim and safeguards the rights and interests of data subjects.

The processing of data about criminal convictions and offences is dealt with separately to sensitive data, under article 10 of the GDPR. This provides that such data can only be processed where authorised under national law. Under the legislative materials to the BDSG, section 26(1) of the BDSG provides for sufficient safeguards within the meaning of article 10 of the GDPR and can serve as a legal basis for processing criminal personal data of employees in Germany.

Controllers must comply with the following data protection principles:

  • Principle 1: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”, see above for further details on transparency requirements);
  • Principle 2: personal data should be obtained only for specified, explicit and legitimate purposes and should not be further processed in any manner incompatible with those purposes (“purpose limitation”);
  • Principle 3: personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
  • Principle 4: personal data should be accurate and, where necessary, kept up to date (“accuracy”);
  • Principle 5: personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);
  • Principle 6: personal data should be processed in a manner that ensures appropriate security of that personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”); and
  • The controller must also be able to demonstrate compliance with each of these principles (“accountability”).

Under section 24(1) of the BDSG, processing of personal data for a purpose other than the one for which the data were collected is permitted if such processing is necessary (i) to prevent threats to state or public security or to prosecute criminal offences or (ii) to establish, exercise or defend legal claims, in each case unless the data subject has an overriding interest in not having the data processed.

In addition, under Chapter V of the GDPR personal data may not be transferred to a country or territory outside the EEA unless the European Commission has decided that the third country or territory ensures an adequate level of protection or if the controller or processor has provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available (see also question 16).

Answer contributed by Wolf Bussian

DATA EXTRACTION BY THIRD PARTIES FOR DATA COLLECTION PURPOSES

8. Before data extraction by third parties commences, should steps be taken to ascertain whether non-locally generated data was lawfully transferred to, or within, your jurisdiction in the first instance?

Germany

While there are no specific steps required under the GDPR, it is advisable to check that non-locally generated data was transferred to, or within, the jurisdiction in compliance with relevant data protection laws and regulations. This may include:

  • ascertaining what data has been transferred to, or within, the jurisdiction and the natural and/or legal persons to which that data relates;
  • reviewing the privacy notice provided to data subjects;
  • ascertaining the legal basis for the processing (see question 7); and/or
  • determining whether a contract or other safeguard applies to the transfer of that data (eg, a data processing agreement, data transfer agreement or binding corporate rules, as appropriate).

In particular, the above may inform whether certain restrictions may apply to further processing of that data.

Answer contributed by Wolf Bussian

9. Are there additional requirements where third parties process the data on behalf of the entity to which data protection laws primarily apply?

Germany

Additional provisions of the GDPR apply where the data are processed by a processor on behalf of the controller. The primary factor considered is control of the data rather than its possession, so the controller must ensure that the third-party processor is complying with the requirements on the security of data set out in the GDPR. A written contract to this effect must be entered into between the processor and controller (article 28 of the GDPR). This contract must include a description of the data processing activities and require the processor, among other things, to:

  • act only on the documented instructions of the controller (including with regard to international transfers of data to a third country);
  • ensure that persons who process the data have committed to confidentiality or are under a statutory duty of confidentiality;
  • implement appropriate security measures in accordance with the GDPR;
  • engage a sub-processor only with the prior authorisation of the controller;
  • assist the controller in carrying out its obligations to respond to requests by data subjects to exercise their rights under the GDPR; and
  • assist the controller in ensuring its compliance with its data security obligations.

Where a processor engages a sub-processor, the contract between them must reflect the same data protection obligations as set out in the contract between the controller and the processor.

These provisions of the GDPR apply to processors within the same corporate group in the same way as to other third-party processors.

The GDPR also imposes certain direct obligations on processors. These include an obligation to: (i) maintain a written record of processing activities carried out on behalf of each controller; (ii) designate a data protection officer where required; (iii) appoint a representative (when not established in the EU) in certain circumstances; and (iv) notify the controller without undue delay on becoming aware of a personal data breach.

Answer contributed by Wolf Bussian

10. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation? And how can consent be given by a data subject?

Germany

The consent of the data subject is one legal basis for processing of personal data under the GDPR. Data subject consent is therefore not mandatory for the processing of personal data, but consent must be obtained if no other legal basis exists.

There is no prescribed form for consent under GDPR, but it should be freely given, specific, informed and unambiguous. In addition, to the extent relied upon as a basis for international transfers, consent must also be explicit (see question 16). Consent can also be withdrawn at any time and must be as easy to withdraw as to give.

In the case of sensitive data, where consent is relied on to provide a legal basis under article 9 GDPR, it must also be explicit. A controller may, therefore, wish to obtain consent by means of an additional formality to demonstrate “explicit” consent (eg, a wet ink signature or a tick box that expressly uses the word “consent”).

Note that German employee consent has to be obtained in written form (ie, wet ink signatures) or, once the draft amendment of section 26 of the BDSG will have been implemented by German lawmakers, in electronic form (ie, qualified electronic signature, not email or ticking a box).

Consent can be obtained through a website or other electronic means.

Employee consent

Note that employee consent in Germany must be obtained in written (i.e. wet ink signatures) or electronic form (i.e. qualified electronic signature, not email or ticking a box), unless a different form is appropriate because of special circumstances, under section 26(2) sentence 2 of the BDSG.

Answer contributed by Wolf Bussian

11. If not mandatory, should consent still be considered when planning and carrying out an investigation?

Germany

Consent may be considered as an enabling action when planning an investigation. However, obtaining consent to the processing of personal data can be practically challenging, and proceeding with processing of personal data in reliance solely on this ground might sometimes not be appropriate. One reason is that consent must be capable of being withdrawn at any time (a right which it is not possible to contract out of).

However, according to the German supervisory authorities’ view, consent might under certain circumstances be required for reviewing employee business email accounts. In this regard, it has to be differentiated between a scenario when the employer allows or tolerates the private use of the business email account and the opposite setting in which the private use is strictly forbidden:

  • Where the employer allows or tolerates private use, German supervisory authorities regard the employer as a telecommunication provider so that employers are bound by the secrecy of telecommunication. Any processing of telecommunication data is subject to the German Telecommunication Act under which the processing of telecommunication data can only be justified in very limited cases of which none applies to reviewing emails in case of internal investigations. Processing of telecommunication data may also not be justified by the GDPR or the BDSG as such laws do not explicitly refer to the telecommunication process and the secrecy of telecommunication and can therefore not serve as a legal basis for processing telecommunication data, such as the content of an email. Note that the secrecy of telecommunication is also protected by criminal liability under the German Criminal Code. However, this rationale only applies during the telecommunication process, which scope of application and duration is, however, unclear. There is case law both agreeing and disagreeing with the German supervisory authorities’ line of argumentation. Therefore, whether the employer is regarded as a telecommunication provider and as such bound by the secrecy of telecommunication remains a shade of grey area. As a consequence, it should always be assessed whether (i) private use is allowed or tolerated, (ii) the communication process is ongoing or (iii) consent from the employee should be obtained.
  • If however the private use of the business email account is strictly prohibited, the secrecy of telecommunication does not apply and the general data protection rules under the GDPR and BDSG apply.

Answer contributed by Wolf Bussian

12. Is it possible for data subjects to give their consent to such processing in advance?

Germany

Whether consent given in advance, such as through general terms and conditions or account opening information, is sufficient for the purposes of the GDPR depends, among other things, on the balance of power between the controller and data subject. Consent is not freely given (and so is invalid) if a data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment, or there is a clear imbalance between the parties. Consent included within an employment contract, or obtained generally by an employer from an employee, may for this reason be invalid. In any case it has to be assessed in detail whether the employee freely provided consent taking into account the individual case including the interests of the employee and whether the employee gains an advantage by providing consent (section 26(2) sentence 1 of the BDSG). Note that German supervisory authorities request employers to obtain employee consent for reviewing business email accounts in certain scenarios (see question 11 for further details), so that it can be assumed that employee consent can validly be obtained for such purposes in Germany.

Written requests for consent must be clearly distinguishable from other matters, be intelligible, be easily accessible and use clear and plain language. Therefore, if consent is hidden among other terms and conditions one might argue that the respective prerequisites are not fulfilled. So there is a risk that a generic consent provided through general terms and conditions may be regarded as not specific and informed, and so not validly given by the data subject.

The controller should also consider the requirement for consent to the processing for sensitive data to be explicit (see question 7).

Answer contributed by Wolf Bussian

13. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

Germany

A data subject has a right to request information regarding whether their personal data is being processed, known as a data subject access request (DSAR). The information that can be requested includes a description of the data, the purpose for which it is being processed and to whom it may be disclosed. The controller must also provide a copy of the personal data to the data subject. According to some German supervisory authorities, it is sufficient to provide a “summary” as opposed to a “copy” of the personal data. There are exemptions to the DSAR under section 34 of the BDSG, none of which applies in the context of internal investigations (except for lawyers due to professional secrecy rules, see above). Furthermore, according to a decision from the regional labour court in Baden Wurttemberg (dated 20 December 2018, case No. 17 Sa 11/18), the employer might, in certain circumstances have an overriding interest in secrecy on which basis the DSAR may be denied. However, details as to when and to what extent this additional exemption applies are still unclear. Case law on the DSAR is evolving rapidly and should be monitored closely in relation to investigations.

A controller is not required to provide personal data in response to a “manifestly unfounded or excessive” request from a data subject (article 12(5) of the GDPR). If relying on this exemption, a controller should retain evidence to demonstrate why it considers the request to be unfounded or excessive. According to some German supervisory authorities, German procedural laws do not recognise a right to produce information and the DSAR should therefore not be misused for non-privacy purposes. If a controller refuses to act on a request, they must also inform the data subject of the reason why and tell the data subject that they can complain to their relevant supervisory authority and enforce their right through judicial remedy.

Data subjects have the right to request rectification of any personal data relating to them that is inaccurate, and completion of any incomplete data, including by way of a supplementary statement. There is an obligation on a controller under the GDPR to ensure the personal data it keeps is accurate (see question 7).

Data subjects have the right to obtain from the controller the erasure of their personal data without undue delay if one of the specified grounds applies. This includes where the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, or where the data subject has withdrawn consent (and there is no other legal ground for the processing).

In certain circumstances, such as when a controller is relying upon their legitimate interests (or those of a third party) or the processing is necessary for performing tasks in the public interest or in the exercise of official functions (see question 7), data subjects have a right to object to the processing of personal data concerning them at any time. A controller must adhere to this objection unless it can demonstrate a legitimate basis for the processing that overrides the interests of the data subject, or if the processing is necessary within legal proceedings.

A data subject also has a right to obtain a restriction of processing from the controller where it believes the relevant personal data is inaccurate, the processing is unlawful or the controller no longer needs the data for the purposes of the processing. If the latter is the case, the data subject can require the controller to limit the processing to that required in the context of legal proceedings.

Answer contributed by Wolf Bussian

TRANSFER FOR LEGAL REVIEW AND ANALYSIS

14. How are law firms, and legal process outsourcing firms, generally characterised in your jurisdiction?

Germany

Law firms would, in general, qualify as controllers in relation to providing legal advice and as processors when only providing document review or hosting services. External document reviewers and other legal process outsourcing firms are generally characterised as processors and, thus, a data processing agreement pursuant to article 28 of the GDPR has to be entered into.

However, exemptions may occur in practice as this depends on the service provided and the details of the individual case, particularly on whether the client issues instructions regarding the content and means of the data processing, that is, whether the external service provider or law firm:

  • is free to determine the purposes, content and means of the data processing (the ‘why’ and ‘how’), in which case it will be qualified as controller; or
  • is strictly bound by concrete and binding instructions of their client regarding the processing of personal data (in which case, it will be qualified as processors).

Answer contributed by Wolf Bussian

15. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

Germany

The data protection officer of the controller should be involved.

It should be assessed whether processing and, in particular, the disclosure is likely to result in a high risk to the rights and freedoms of natural persons so that a data protection impact assessment has to be carried out pursuant to article 35 of the GDPR prior to disclosing personal data.

Depending on the client’s business, the purposes for which the personal data can be processed might be limited under German regulatory law (eg, data that has been shared for anti-money laundering purposes) and it has to be ascertained whether processing for the purpose of the internal investigation is compatible with the purpose for which the personal data have been initially collected.

Answer contributed by Wolf Bussian

16. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

Germany

The GDPR distinguishes between transfers to jurisdictions within the EEA and transfers of data to other jurisdictions outside the EEA.

Within the EEA

A transfer of personal data from Germany to a processor or controller in another EEA member state must comply with the same requirements as if the transfer was made within Germany (see question 7).

Outside the EEA

Personal data subject to the GDPR cannot be transferred to a country or territory outside the EEA unless that third country or territory provides an adequate level of protection for personal data.

The European Commission has determined that certain non-EEA countries and recipients ensure an adequate level of protection for personal data and so a transfer can be made to such countries in compliance with the rules that provide restrictions on transfers outside the EEA. Currently, these countries are Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

Alternatively, the controller as transferor could ensure an adequate level of protection through:

  • entering into standard contractual clauses approved by the European Commission for both controller-to-processor and controller-to-controller transfers; or
  • for transfers within the same group, adoption of binding corporate rules.

In a judgment issued on 16 July 2020, the CJEU held that the standard contractual clauses should be viewed as offering only the basic level of protection and they may only be used where the protection provided by the contract is not undermined in the particular circumstances. This means that controllers exporting personal data and looking to rely on standard contractual clauses approved by the European Commission must assess on a case-by-case basis whether additional safeguards are needed to remedy any identified deficiency and ensure adequate data protection. 

The European Commission had issued an adequacy decision for recipients registered under the EU-US Privacy Shield framework in respect of their handling of personal data.  However, in the judgment dated 16 July 2020, the CJEU held the European Commission’s adequacy decision to be invalid and so data transfers cannot currently be made to the US on the basis of the EU-US Privacy Shield.

Data can otherwise be transferred if one of the following derogations, among others, applies:

  • the data subject has consented to the transfer (as noted above, this consent should be explicit as well as freely given, specific, informed and unambiguous);
  • the transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject’s request;
  • the transfer is necessary for the conclusion of a contract between the controller and a person other than the data subject, which is entered into in the data subject’s interests;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims; or
  • the transfer is necessary to protect the vital interests of the data subject.

Where none of the above derogations is available, a transfer to a third country may take place if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests of the controller (which are not overridden by the interests or rights and freedoms of the data subject), and the controller has assessed all the circumstances surrounding the transfer and has, on the basis of that assessment, provided suitable safeguards with regard to protection of personal data. This ground for processing may only be relied upon where no other legal basis is available. The controller shall inform the supervisory authority of the transfer and, in addition to providing the information referred to in articles 13 and 14 of the GDPR, shall inform the data subject of the transfer and on the compelling legitimate interests pursued. As such, this derogation is unlikely to be of practical application in the context of an investigation.

Answer contributed by Wolf Bussian

TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

17. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

Germany

The transfer of personal data to regulators and enforcement authorities within the jurisdiction must comply with the GDPR in the same way as any other processing (see question 7). In particular, a legal basis must be established under article 6 GDPR or section 26 of the BDSG in relation to employee data.

Prosecutors, tax investigation officers and regulators such as the Federal Cartel Authority or BaFin have extensive powers to investigate (ie, to inspect corporate or private premises, to copy and/or seize documents in any form and to interview suspects and employees). There are certain degrees of investigation powers of regulators and enforcement authorities, from individual requests to provide information on certain matters to official search orders. Investigation powers may be based, inter alia, on criminal prosecution grounds (section 94 et seq. German Code of Criminal Procedure), cartel grounds (section 57 et seq German Law Against Restraints on Competition) or administrative grounds (section 46 German Act on Regulatory Offences). The BaFin’s supervisory powers include, inter alia, the right to (i) conduct an investigation in respect of a supervised entity; or (ii) appoint the German Central Bank or another third party (eg, audit or law firms) to conduct an investigation on BaFin’s behalf. In all these cases, transfer of personal data to regulators or enforcement authorities within Germany is permissible.

Answer contributed by Wolf Bussian

18. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

Germany

The provisions applying to cross-border data transfer generally (see question 16) also apply to the transfer of data to regulators and law enforcement authorities out of the jurisdiction. Any transfer to an overseas regulator would have to comply with the GDPR in the same way as any other processing.

Any disclosure of personal data to an overseas regulator or law enforcement authority would engage the first data protection principle (including the requirement to establish a legal basis under article 6 GDPR or section 26 of the BDSG for employee data) and prohibitions on cross-border transfers of personal data. In particular, the first principle provides that processing of personal data must be fair, lawful and transparent.

Any transfer of personal data to an overseas regulator or law enforcement authority may breach this principle on the basis that this is not a purpose about which the data subjects will have been sufficiently informed. The GDPR sets out exemptions to providing a privacy notice where this is impossible or would involve disproportionate effort on the part of the controller, but these exemptions are often interpreted narrowly. The additional exemptions under sections 32 to 34 of the BDSG are also interpreted narrowly and, according to German supervisory authorities, do not provide for general exemptions but only for temporary postponement of the information obligations (see question 7).

The cross-border transfer of personal data would additionally require safeguards for the relevant transfer and a legal basis for processing. There is no clear exemption or derogation from either the first principle, the requirement for a legal basis for processing, or the prohibition on cross-border transfers that will routinely cover requests for data by a foreign regulator or law enforcement authority.

The transfer may or may not be permissible, depending on the circumstances of the processing. The possible legal bases that a controller may rely on in this context include:

  • the consent of each affected data subject to the disclosure and transfer. However, as noted above, this can be problematic to obtain, can be withdrawn at any time and (in the case of sensitive data) consent must be explicit;
  • that the processing is necessary for the establishment, exercise or defence of legal claims, depending on the circumstances;
  • that the processing is in the legitimate interests of the controller (see question 16 for further details) subject to a comprehensive balancing of interests, particularly taking into account whether the data subject could face (legal) consequences; or
  • that the processing is necessary for the performance of a task carried out in the public interests (see question 7 for further details on the application of this basis to the processing of sensitive data).

The prohibition on cross-border transfers provides that personal data should not be transferred to a country outside the EEA that does not provide an adequate level of protection, unless an exemption applies or safeguards for the personal data are in place. Article 49 of the GDPR provides for derogations to the requirement for an adequacy decision or implementing safeguards in certain circumstances, including where the transfer is necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims.

This article provides that, without prejudice to other grounds for international transfers, a decision from a third-country authority, court or tribunal does not in itself justify the transfer of personal data to a non-EEA country. This is the case unless the transfer is based on an international agreement, such as a mutual legal assistance treaty. The European Data Protection Board guidelines state, in relation to article 48: “In situations where there is an international agreement, such as a mutual legal assistance treaty (MLAT), EU companies should generally refuse direct requests and refer the requesting third country authority to existing MLAT or agreement.”

Answer contributed by Wolf Bussian

19. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

Germany

The recipient of such a request may consider taking the following steps, among others:

  • Consider if there is a legal obligation to respond to the request and, if so, to what extent.
  • Seek further information in writing from the requesting regulator to evaluate the purpose of the request.
  • If possible, negotiate the scope of the request: for example, to target the specific information required for the purposes of the regulatory investigation.
  • In accordance with principles of data minimisation and anonymisation, limit the scope of any data disclosed and transferred to that necessary for the purpose. 
  • Consider whether it is practicable to obtain data subject consent and/or give a further privacy notice.
  • Put in place a data processing agreement if data will be transferred to an affiliate or third party (acting as a processor) or data transfer agreements limiting the purpose for which the transferee can process the data and, to the extent required by supervisory authorities, put in place additional safeguards for employee personal data.
  • Consider transfer via an MLAT as, in some cases, it may be possible to request that the requesting court or regulator requests data via an MLAT or other international agreement.

Answer contributed by Wolf Bussian

20. What are the sanctions and penalties for non-compliance with data protection laws?

Germany

There is a tiered approach to penalties for breaches of the GDPR. This permits data protection authorities to impose fines for some infringements of up to the higher of 4 per cent of annual worldwide turnover and €20 million (eg, for breach of requirements relating to cross-border transfers or the principles for processing, such as conditions for consent). Other specified infringements attract a fine of up to the higher of 2 per cent of annual worldwide turnover and €10 million.

The GDPR contains a list of points to consider when imposing fines, such as the nature, gravity and duration of the infringement. 

A data subject who suffers material or non-material damage as a result of a breach of the GDPR by a controller may bring a civil claim for compensation.

If the secrecy of telecommunication applied to employers allowing or tolerating the private use of business systems, there is also a risk that unlawful processing of personal data will incur an administrative fine of up to €300,000 under the German Telecommunication Act. Infringement of the secrecy of telecommunication is a criminal offence in Germany, subject to five years imprisonment or a fine.

Further potential consequences in Germany are reputational damages due to press releases or articles in the activity reports of the German supervisory authorities and cease and desist order from competitors or consumer associations and respective litigation and in exceptional cases criminal liability under section 42 of the BDSG.

Answer contributed by Wolf Bussian

CONTINUING OBLIGATIONS ON ORIGINAL AND INTERVENING DATA CONTROLLERS

21. What are the continuing obligations on the original data controller that apply in an investigation?

Germany

A controller’s obligations under the GDPR are continuing for as long as it remains a controller. As a result, it should ensure compliance with the GDPR, where applicable, at all stages of the investigation.

Practical steps that a controller should follow include:

  • ensuring that any third-party processing data on behalf of the controller signs a data processing agreement and/or data transfer agreement, as applicable;
  • ensuring that all personal data processed is accurate and, where applicable, that the consent of data subjects remains valid;
  • complying with the restrictions on the transfer of data to third parties set out at question 16 (whether within or outside the EEA), including any transfer to a regulator or law enforcement authority; and
  • maintaining a record of processing and responding to data subject requests.

Answer contributed by Wolf Bussian

22. What are the continuing obligations on any intervening data controller that apply in an investigation?

Germany

The original and intervening controllers should ensure that a written agreement is in place between them and follow the steps to address their continuing obligations set out at question 21.

Answer contributed by Wolf Bussian

RELEVANT MATERIALS

23. Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.

Germany

EU General Data Protection Regulation (2016/679)

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

Federal Data Protection Act

https://www.gesetze-im-internet.de/englisch_bdsg/index.html

Guidance from German supervisory authorities regarding whistleblowing hotlines and other warning systems including guidance on internal investigations (dated 14 November 2018, German language only)

https://www.datenschutzkonferenz-online.de/media/oh/20181114_oh_whistleblowing_hotlines.pdf

Guidance from German supervisory authorities regarding application of telecommunication laws to employers allowing private use of business communication systems (dated January 2016, German language only)

https://www.datenschutzkonferenz-online.de/media/oh/201601_oh_email_und_internetdienste.pdf

Answer contributed by Wolf Bussian

Get unlimited access to all Global Investigations Review content