This review of the first year of the GDPR in Germany looks at actions by the state data protection authorities, legislative initiatives and a significant court decision relating to data subject access requests.
According to a recently published article, the German Data Protection Authorities (DPAs) have issued 75 fines since the GDPR was implemented, based on the authorities’ answers to this research. The total amount of all fines imposed, based on these answers, was only EUR 449,000, the largest single fine being EUR 80,000. By way of background information, in Germany, the DPAs are organised on a German state level. Not all 16 Authorities had responded to the questions during this research.
The German legislator has passed a set of national implementation rules that was implemented as the same time as the GDPR. This German statute (‘Bundesdatenschutzgesetz’) includes a specific rule on the processing of employee data, which is for the most part based on previous German data protection legislation.
The GDPR received a huge amount of attention in Germany, especially around the time of implementation before and after May 2018. This included interest in the impact of the GDPR in employment relationships. Now that ‘GDPR preparation’ has been completed by most employers, an increasing number of new practical issues are emerging, such as how to handle data subject access requests (DSARs) or how to manage a very detailed list of data retention or deletion periods.
Regarding DSARs, a recent lower court verdict against German car manufacturer Daimler has received a lot of attention in the employment law community. The action is now pending before the highest German Labour Court, Bundesarbeitsgericht. In proceedings relating to a termination, the plaintiff, a lawyer himself, demanded to be provided with information about all data collated about his performance and behaviour and about the origin of this data. While DSARs are generally granted by the GDPR, the parties are now debating to what extent DSARs are limited by third party rights such as the privacy of other employees included in correspondence, and to what extent DSARs are limited by practical considerations, to avoid an obligation to provide bottomless amounts of information.