Data Privacy & Transfer in Investigations

Last verified on Thursday 30th September 2021

Data Privacy & Transfer in Investigations: Germany

Catharina Glugla, David Schmid and Jan Erik Windthorst

Allen & Overy LLP

SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS

1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?

Germany

The EU General Data Protection Regulation (2016/679) (the GDPR) is directly applicable in Germany. A number of provisions in the GDPR have particular relevance in the context of investigations. For example, processing of personal data must have a valid legal basis under GDPR. Establishing a legal basis in the context of an investigation is not always straightforward, particularly where investigations involve foreign authorities or courts and where the relevant data includes sensitive data. Restrictions on international transfers create additional complexity in the context of cross-border investigations, both in relation to transfers within an organisation (and with its advisers) and in relation to transfers to foreign authorities, courts and counterparties in litigation. All processing must comply with the data protection principles under the GDPR, including the principle that processing must be fair, lawful and transparent and the principle of data minimisation.  It can be challenging to ensure compliance with these principles in the context of an investigation. 

The Federal Data Protection Act (the BDSG) adapts the application of the rules of the GDPR in Germany where the GDPR provides for opening clauses. In particular, it regulates the processing of employee personal data and provides for exemptions to individual rights under articles 13 to 15 GDPR.

Furthermore, there are specific privacy provisions in German law which mainly provide for a purpose limitation. In relation to investigations, the Telecommunication Act may restrict access to telecommunication data, including business email accounts or business phones or the browsing history of internet browsers, as long as the telecommunication process is ongoing.

In the context of internal and particularly cross-border investigations, sections 24 and 26 BDSG and article 6 GDPR can provide legal grounds for the processing of personal data of employees or other third parties. However, it is mandatory to balance the data subject’s interests against those of the controller (eg, the employer), and the processing must be necessary, adequate and proportionate. Therefore, each step of the investigation should be assessed individually in terms of compliance with data protection laws.

This applies to an even greater extent where the use or communication content of email, internet or phone is reviewed as there are various requirements and restrictions that have to be considered. Such processing might even lead to criminal sanctions in Germany.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?

Germany

Banking secrecy

Subject to limited exemptions, credit institutions (as defined in section 1(1) Banking Act) must not disclose confidential client data to (i) third parties; or (ii) persons within the same bank who are not involved with the client-bank relationship.

German bank secrecy rules apply to information relating to both individuals and corporations in connection with client relationships of (German or non-German) credit institutions, banks, etc, that are governed by German law, irrespective of whether the credit institution, bank, etc, is operating via a branch or entity within Germany or validly on a cross-border basis.

Anonymised data, however, would not be included in the scope of bank secrecy rules.

Bank secrecy rules can generally only be lifted if the client consents or other justification (including under data protection laws) is given. It is accepted that bank secrecy rules shall not limit the functioning of the credit institution and, for example, not prohibit internal audits and investigations related to internal processes and matters as this would also not be in the interest of the client.

A breach of German bank secrecy rules may lead to contractual damage claims from clients. Where significant violations of bank secrecy rules impair the proper conduct of banking business, the Federal Financial Services Supervisory Authority (BaFin) could take measures to counteract such violations.

Employment laws

If a works council is established at a company, two participation rights of the works council should be considered in the context of investigations concerning employee personal data:

  • First, the works council has information rights under section 80(2) sentence 1 of the Works Constitution Act (BetrVG). With respect to employees that the works council is competent for, the employer must inform the works council in a timely and comprehensive manner about its intention to access employees’ emails and its intention to transfer employee data so that the works council can review compliance with relevant laws that protect the rights of employees.

In the case of infringement of this information right, the works council can file a claim enforcing its information right. Further consequences or penalties are unlikely and, according to current case law, non-compliance with the information right should not impact the employer’s ability to use findings of otherwise validly collected data as evidence against an employee in court proceedings.

  • Second, there is a co-determination right pursuant to section 87(1) no. 6 of the BetrVG. This means that the employer must not implement or use technical measures for reviewing emails, video interviews or data mining before reaching an agreement with the works council. This right is triggered easily where software or other technical measures are used for the evaluation of emails or other employee data. It does not matter whether a third party uses the software in the interests of the employer or the employer uses it itself. The scope of application is very broad according to German employment case law, but would, for example, not be triggered where existing physical documents (print outs, letters, etc) are reviewed manually. The works council also has a co-determination right if the matter concerns the organisation of the operation or the behaviour of the employees. This would be the case if the employees’ private emails are to be reviewed.

If the employer implements the measure (eg, screening the emails with new software) without the agreement of the works council, the works council can file a preliminary injunction to stop the processing.

We note that (i) one employer might have multiple works councils and also that (ii) the works council is generally not competent for employees in managerial positions (leitender Angestellter). Regarding information and internal investigations, we note that the works council is only competent for Germany-based employees with a German employment contract.

Telecommunication laws

Further restrictions on data transfer in the context of an investigation may arise under the Telecommunication Act, where employers have permitted or tolerated the private use of communication systems (such as the business email account).

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

3. What constitutes personal data for the purposes of data protection laws?

Germany

The GDPR defines “personal data” as any data relating to a living individual (i.e. not a legal person) who can be identified directly or indirectly from that data, in particular by reference to an identifier such as a name, an identification number or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that living person. Hence, data protection only extends to natural living persons. It does not cover legal persons or deceased natural persons.

Data that is truly anonymised – information that no longer relates to an identified or identifiable individual, or is rendered in such a way that individuals are not or are no longer identified or identifiable – will not be "personal data" for the purposes of the GDPR, as it does not identify the individual.

Data is not truly anonymised if the data may re-identify the individuals to which the data relates by reasonably available means. Pseudonymised data – information no longer attributable to a specific data subject without the use of additional information, kept separately and subject to appropriate measures – remains personal data for the purposes of the GDPR.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?

Germany

The GDPR and BDSG apply to the ”processing” of personal data, which is defined broadly and includes any activity in relation to personal data (whether or not by automated means), such as the collection, use or disclosure of data. In relation to employee personal data, the BDSG also applies where the data are processed without forming or being intended to form part of a filing system.

The obligations under the GDPR and BDSG apply primarily to controllers. Controller is defined in the GDPR as a person who (either alone or jointly with others) determines the purposes for which and the manner in which personal data are processed.

However, the GDPR also imposes certain obligations on processors. Processor is defined in the GDPR as a person who processes personal data on behalf of the controller.

There are two tests for the territorial scope of the GDPR and BDSG, the establishment test and the targeting test:

  • The processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of where the processing takes place; and
  • The processing of personal data of data subjects who are in the EU, where the processing activities relate to the offering of goods and services to them or the monitoring of their behaviour in the EU.

An organisation is “established” for the purposes of the first limb where it exercises “any real and effective activity – even a minimal one” through “stable arrangements” in the EU. In relation to investigations, the relevant test is the establishment test, under which the GDPR and BDSG apply if the data is processed in the context of the activities of an establishment in the European Union.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

5. What are the principal requirements under data protection laws that are relevant in the context of investigations?

Germany

GDPR and BDSG address the processing of personal data in general, not specifically in the context of investigations.

Controllers must comply with the following data protection principles (article 5 GDPR):

  • Principle 1: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
  • Principle 2: personal data should be obtained only for specified, explicit and legitimate purposes and should not be further processed in any manner incompatible with those purposes (“purpose limitation”).

Under section 24(1) of the BDSG, processing of personal data for a purpose other than the one for which the data were collected is permitted if such processing is necessary (i) to prevent threats to state or public security or to prosecute criminal offences or (ii) to establish, exercise or defend legal claims, in each case unless the data subject has an overriding interest in not having the data processed.

  • Principle 3: personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”).
  • Principle 4: personal data should be accurate and, where necessary, kept up to date;
  • Principle 5: personal data should not be kept for longer than is necessary for the purposes for which the personal data are processed (“storage limitation”).
  • Principle 6: personal data should be processed in a manner that ensures appropriate security of that personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
  • The controller must also be able to demonstrate compliance with each of these principles (“accountability”).

In addition, under Chapter V of the GDPR personal data may not be transferred to a country or territory outside the EEA unless the European Commission has decided that the third country or territory ensures an adequate level of protection or if the controller or processor has provided appropriate safeguards.

The data protection officer of the controller should be involved.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.

Germany

In the context of an internal investigation, any data processing and transfers need to be analysed in the same way as any other processing and transfers of personal data, and so must be carried out in compliance with the GDPR and BDSG.

Where a company is carrying out an internal investigation or a third party is assisting with an investigation act as a controller, they must comply with the above data protection principles. This requires in particular:

A privacy notice should be provided to the data subject at the time the personal data is obtained (unless an exemption applies). In all circumstances, this must include the minimum content requirements set out in articles 13 and 14 GDPR (such as the identity and contact details of the controller, the purposes and legal basis for the processing (including any legitimate interests relied upon where this is the legal basis for processing), and the categories of personal data concerned.

In Germany, lawyers are exempted from providing information due to professional secrecy rules under article 14(5) lit. d) GDPR, section 29(1) sentence 2 BDSG, section 43a(2) Federal Lawyers’ Act and section 203 Criminal Code.

Relating to investigations, German supervisory authorities accept that the information of data subjects can be withheld to not “tip off” data subjects until the investigation is completed. This is based on the exemption that providing the information is likely to render impossible or seriously impair the objectives of that processing under article 14(5) GDPR and sections 29, 33 BDSG. From the wording of article 14(5) GDPR and sections 29, 33 BDSG, it is not entirely clear whether the information has to be provided once the investigation is complete (i.e. whether it is an exemption of the information obligations or only a suspension). There appears to be n no published judgment on this issue yet.

Furthermore, data cannot be processed unless there is a legal basis under article 6 GDPR, such as the individual’s consent, where the processing is necessary for the performance of a contract to which the data subject is a party, where the processing is necessary for compliance with a legal obligation to which the controller is subject, or where the processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where the processing is unwarranted by reason of prejudice to the interests and fundamental rights and freedoms of the data subject.

In the context of investigations, for example, pursuing or defending civil claims or preventing damages or criminal liability of both the controller as well as other group companies could serve as legitimate interest.

In respect of sensitive data (or “special categories of personal data”), such as for example ethnic origin, sexual orientation or religious beliefs., the processing must also comply with one of the additional conditions set out in article 9 GDPR and stricter organisational and technical security measures required under section 22(2) BDSG.

Where the third party acts as a processor, the GDPR also imposes certain obligations, including an obligation to: (i) maintain a written record of processing activities carried out on behalf of each controller; (ii) designate a data protection officer where required; (iii) appoint a representative (when not established in the EU) in certain circumstances; (iv) notify the controller without undue delay upon becoming aware of a personal data breach; (v) ensure the security of personal data that they process; (vi) ensure that any personal data that it processes are kept confidential; and (vii) must comply with the controller’s instructions.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

RIGHTS OF INDIVIDUALS

7. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation?

Germany

No, consent of the data subject is one of several alternative legal bases for the processing of personal data and must only be obtained if no other legal basis exists (such as legitimate interest).

However, according to the view of the German supervisory authorities, consent might under certain circumstances be required for reviewing communication data, particularly employee business email accounts. In this regard, a scenario, when the employer allows or tolerates the private use of the business email account, is distinct from if the private use is not permitted or tolerated:

  • Where the employer allows or tolerates private use, German supervisory authorities regard the employer as a telecommunication provider so that employers are bound by the secrecy of telecommunication. Any processing of telecommunication data would then be subject to the Telecommunication Act under which the processing of telecommunication data can only be justified in very limited cases of which none apply to reviewing emails in the case of internal investigations. However, there is case law both agreeing and disagreeing with the German supervisory authorities’ line of argument.
  • If, however, the private use of the business email account is prohibited, the secrecy of telecommunication does not apply and the general data protection rules under the GDPR and BDSG apply.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

8. If not mandatory, should consent still be considered when planning and carrying out an investigation?

Germany

Consent may be considered as an enabling action when planning an investigation. However, obtaining consent to the processing of personal data can be practically challenging, and proceeding with processing of personal data in reliance solely on this ground might sometimes not be appropriate. One reason is that consent must be capable of being withdrawn at any time (a right which it is not possible to contract out of).

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

9. Is consent given by employees likely to be valid in an investigation carried out by their employer?

Germany

Consent is not freely given (and so is invalid) if a data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment, or there is a clear imbalance between the parties. Consent obtained via or within an employment contract, or obtained generally by an employer from an employee, may for this reason be invalid.

In any case it has to be assessed in detail whether the employee freely provided consent, taking into account the individual case including the interests of the employee and whether the employee gains an advantage by providing consent (section 26(2) sentence 1 BDSG).

Note that German supervisory authorities request employers to obtain employee consent for reviewing business email accounts in certain scenarios, so that it can be assumed that employee consent can validly be obtained for such purposes in Germany.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

10. How can consent be given by a data subject? Is it possible for data subjects to give their consent to processing in advance?

Germany

There is no prescribed form for consent under GDPR, but it should be freely given, specific, informed and unambiguous. A controller may, therefore, wish to obtain consent by means of an additional formality to demonstrate “explicit” consent (eg, a wet ink signature or a tick box that expressly uses the word “consent”). Consent can also be withdrawn at any time and must be as easy to withdraw as to give.

In the case of sensitive data, where consent is relied on to provide a legal basis under article 9 GDPR, it must explicitly mention the sensitive nature of this data.

Consent can be obtained through a website or other electronic means. However, please note that German employee consent has to be obtained in written form (ie, wet ink signatures) or in electronic form (ie, qualified electronic signature, and possibly also by email or ticking a box).

Whether consent given in advance, such as through standard business terms and conditions, is sufficient for the purposes of the GDPR depends, among other things, on the balance of power between the controller and data subject and on whether the consent is sufficiently specific. Written requests for consent must be clearly distinguishable from other matters, be intelligible, be easily accessible and use clear and plain language. Therefore, if consent is hidden among other terms and conditions one might argue that the respective prerequisites are not fulfilled. So there is a risk that a generic consent provided through standard business terms and conditions may be regarded as not sufficiently specific and informed, and so not valid.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

11. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

Germany

A data subject has a right to request information regarding whether their personal data is being processed, known as a data subject access request (DSAR). The information that can be requested includes a description of the data, the purpose for which it is being processed, and to whom it may be disclosed. The controller must also provide a copy of the personal data to the data subject. Exactly what a controller is required to provide in response to a DSAR is controversial in legal literature and case law.

Under certain circumstances, data subjects may furthermore have the right to request to correct or erase incorrect personal data or to object to or restrict processing.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

EXTRACTION, LEGAL REVIEW AND ANALYSIS BY THIRD PARTIES, INTERNATIONAL TRANSFER

12. Are there specific requirements to consider where third parties are appointed to process personal data in connection with an investigation?

Germany

There may be additional requirements under the GDPR where third parties are appointed to process personal data in connection with an investigation if they are data processors as opposed to controllers. Whether the third party is a processor or (joint) controller will depend on a number of factors including their role in and degree of influence over the processing activity.

The disclosure of data must be limited to what is necessary for the purpose of the processing (data minimisation). Depending on the client’s business, the purposes for which the personal data can be processed might be limited under German regulatory law (eg, data that has been shared for anti-money laundering purposes) and the processing for the investigation must be considered to be compatible with the purpose for which the personal data have been initially collected.

Relevant data protection clauses should be agreed with the third party. In particular, where the third party acts as a processor, a data processing agreement under article 28 GDPR must be entered into, and where the parties act as joint controllers, an agreement under article 26 GDPR must be entered into.

Where the third party processes personal data outside the EEA, data transfer requirements under Chapter V of the GDPR must be met.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

13. Is it permitted to share personal data with law firms for the purpose of providing legal advice?

Germany

Yes, the GDPR generally recognises the establishment, exercise and defence of legal claims as a legitimate interest. Under section 24(1) BDSG, processing of personal data for a purpose other than the one for which the data were collected is permitted if such processing is necessary (i) to prevent threats to state or public security or to prosecute criminal offences or (ii) to establish, exercise or defend legal claims, in each case unless the data subject has an overriding interest in not having the data processed.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

14. What is the position and status of law firms under data protection laws? Are law firms directly accountable for data processing under data protection laws, or is responsibility for processing by law firms shared between the law firm and the client?

Germany

Law firms would, in general, qualify as controllers in relation to providing legal advice and as processors when only providing document review or hosting services.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

15. What is the position and status of legal process outsourcing firms under data protection laws?

Germany

External document reviewers and other legal process outsourcing firms are generally characterised as processors.

However, exemptions may occur in practice as this depends on the service provided and the details of the individual case, particularly on whether the client issues instructions regarding the content and means of the data processing.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

16. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

Germany

It should be assessed whether processing and, in particular, the disclosure is likely to result in a high risk to the rights and freedoms of natural persons so that a data protection impact assessment can be carried out under article 35 GDPR prior to disclosing personal data.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

17. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

Germany

The GDPR distinguishes between transfers to jurisdictions within the EEA and transfers of data to other jurisdictions outside the EEA.

Within the EEA

A transfer of personal data from Germany to a processor or controller in another EEA member state must comply with the same requirements as if the transfer was made within Germany.

Outside the EEA

Personal data cannot be transferred to a third country outside the EEA unless the European Commission has determined that this third country provides an adequate level of data protection. Currently, these countries are Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, the United Kingdom and Uruguay.

Alternatively, the controller or processor as transferor could ensure an adequate level of protection through:

  • entering into standard contractual clauses approved by the European Commission for controller-to-processor, controller-to-controller or processor-to-processor transfers; or
  • for transfers within the same group, adoption of binding corporate rules.

When relying on an international transfer mechanism under article 46 GDPR (such as standard contractual clauses or binding corporate rules),  the parties exporting and importing the data are required, prior to the data transfer, to conduct a transfer impact assessment of the local laws and practices of the destination jurisdiction to assess whether additional safeguards (supplementary measures) are needed to remedy any identified deficiency in the local laws and practices to ensure an essentially equivalent level of data protection.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

18. Are there specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations?

Germany

Data can otherwise be transferred if one of the following derogations, among others, applies:

  • the data subject has consented to the transfer (this consent should in particular be explicit on the data protection level at the recipient);
  • the transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject’s request;
  • the transfer is necessary for the conclusion of a contract between the controller and a person other than the data subject, which is entered into in the data subject’s interests;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims; or
  • the transfer is necessary to protect the vital interests of the data subject.

Where none of the above derogations is available, there are limited other circumstances, where a transfer to a third country may take place.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

19. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

Germany

The transfer of personal data to regulators and enforcement authorities within Germany must comply with the GDPR in the same way as any other processing. In particular, a legal basis must be established under article 6 GDPR or section 26 BDSG.

Prosecutors, tax investigation officers and regulators such as the Federal Cartel Authority or BaFin have extensive powers to investigate (ie, to inspect corporate or private premises, to copy and/or seize documents in any form and to interview suspects and employees). There are certain degrees of investigation powers of regulators and enforcement authorities, from individual requests to provide information on certain matters to official search orders. Investigation powers may be based, inter alia, on criminal prosecution grounds (section 94 et seq Code of Criminal Procedure), cartel grounds (section 57 et seq Law Against Restraints on Competition) or administrative grounds (section 46 Act on Regulatory Offences). The BaFin’s supervisory powers include, inter alia, the right to (i) conduct an investigation in respect of a supervised entity; or (ii) appoint the German Central Bank or another third party (eg, audit or law firms) to conduct an investigation on BaFin’s behalf. In all these cases, transfer of personal data to regulators or enforcement authorities within Germany is permissible.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

20. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

Germany

The provisions applying to a cross-border data transfer generally also apply to the transfer (and onward transfer) of data to regulators and law enforcement authorities outside of the EEA. Any transfer to an overseas regulator would have to comply with the GDPR in the same way as any other processing, in particular with the requirement to establish a legal basis and prohibitions on cross-border data transfers. The transfer may or may not be permissible, depending on the circumstances of the processing. The possible legal bases that a controller may rely on include:

  • that the processing is necessary for the establishment, exercise or defence of legal claims, depending on the circumstances;
  • that the processing is necessary to comply with a legal obligation to which the controller is subject to; or
  • that the processing is in the legitimate interests of the controller subject to a comprehensive balancing of interests, particularly taking into account whether the data subject could face (legal) consequences.

The prohibition on cross-border transfers provides that personal data should not be transferred to a country outside the EEA that does not provide an adequate level of protection, unless an exemption applies or safeguards for the personal data are in place.

Without prejudice to other grounds for international transfers, a decision from a third-country authority, court or tribunal does not in itself justify the transfer of personal data to a non-EEA country. This is the case unless the transfer is based on an international agreement, such as a mutual legal assistance treaty. The European Data Protection Board guidelines state: “In situations where there is an international agreement, such as a mutual legal assistance treaty (MLAT), EU companies should generally refuse direct requests and refer the requesting third country authority to existing MLAT or agreement.”

Furthermore, any transfer of personal data to an overseas regulator or law enforcement authority may breach the principle of transparency if this is not a purpose of processing, or recipient of the data, about which the data subjects will have been sufficiently informed (eg, via a privacy notice). The GDPR sets out exemptions to providing a privacy notice where this is impossible or would involve disproportionate effort on the part of the controller, but these exemptions are often interpreted narrowly. The additional exemptions under sections 32 to 34 BDSG are also interpreted narrowly and, according to German supervisory authorities, do not provide for general exemptions but only for temporary postponement of the information obligations.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

21. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

Germany

The recipient of such a request may consider taking the following steps, among others:

  • Consider if there is a legal obligation to respond to the request and, if so, to what extent.
  • Seek further information in writing from the requesting regulator to evaluate the purpose of the request.
  • If possible, negotiate the scope of the request: for example, to target the specific information required for the purposes of the regulatory investigation.
  • In accordance with principles of data minimisation and anonymisation, limit the scope of any data disclosed and transferred to that necessary for the purpose.
  • Consider whether it is practicable to obtain data subject consent and/or give a further privacy notice.
  • Consider transfer via an MLAT as, in some cases, it may be possible to request that the requesting regulator requests data via an MLAT or other international agreement.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

ENFORCEMENT AND SANCTIONS

22. What are the sanctions and penalties for non-compliance with data protection laws?

Germany

There is a tiered approach to penalties for infringements of the GDPR. This permits data protection authorities to impose fines for some infringements of up to the higher of 4 per cent of annual worldwide turnover or €20 million (eg, for breach of requirements relating to cross-border transfers or the principles for processing, such as conditions for consent). Other specified infringements attract a fine of up to the higher of 2 per cent of annual worldwide turnover or €10 million.

The GDPR contains a list of points to consider when imposing fines, such as the nature, gravity and duration of the infringement.

A data subject who suffers material or non-material damage as a result of a breach of the GDPR may bring a civil claim for compensation.

If the secrecy of telecommunication applied to employers allowing or tolerating the private use of business systems, there is also a risk that unlawful processing of personal data may incur an administrative fine of up to €300,000 under the Telecommunication Act. Infringement of the secrecy of telecommunication is a criminal offence in Germany, subject to five years imprisonment or a fine.

Further potential consequences in Germany are reputational damages due to press releases or articles in the activity reports of the German supervisory authorities and cease and desist orders from competitors or consumer associations and respective litigation and in exceptional cases criminal liability under section 42 BDSG.

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

RELEVANT MATERIALS

23. Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.

Germany

EU General Data Protection Regulation (2016/679)
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

Federal Data Protection Act
https://www.gesetze-im-internet.de/englisch_bdsg/index.html

Guidance from German supervisory authorities regarding whistleblowing hotlines and other warning systems including guidance on internal investigations (dated 14 November 2018, German language only)
https://www.datenschutzkonferenz-online.de/media/oh/20181114_oh_whistleblowing_hotlines.pdf

Guidance from German supervisory authorities regarding application of telecommunication laws to employers allowing private use of business communication systems (dated January 2016, German language only)
https://www.datenschutzkonferenz-online.de/media/oh/201601_oh_email_und_internetdienste.pdf

Answer contributed by Catharina Glugla, David Schmid and Jan Erik Windthorst

Get unlimited access to all Global Investigations Review content