New rules on data protection - the data protection audit seal is coming

On 10 December 2008, the Federal Cabinet passed a draft law regulating data protection audits and amending data protection regulations.

The law aims to improve the level of data protection and the transparency of data processing in the non-public sector and to strengthen citizens' ability to influence the use of their personal data. The reason for this was the incidents in the non-public sector, which became known in the summer and again in the past few days, concerning commercial trading in citizens' personal data. To this end, amendments to the Federal Data Protection Act and corresponding adaptations to the Telemedia Act and the Telecommunications Act are proposed, through which the possibilities of data subjects to influence the use of their personal data for purposes of advertising, market research and opinion research are to be strengthened.

The current legal situation allows personal data to be exchanged between companies for the purposes of advertising, market and opinion research without the consent of the persons concerned, or even to make address lists of one's own customers available to other companies for their advertising; and this without the customer knowing about it.

This so-called "list privilege" has led to personal data of citizens being traded widely and - since no consent has to be shown - the lawfulness of the data trade is difficult to control. The draft law therefore subjects the use of personal data for the purposes of advertising, market research and opinion polling to explicit consent in future. For this, the draft law has been strongly criticised by the business community. However, in order to avoid disproportionate burdens, companies are given three years to adapt to the new situation. In addition, large parts of address-related advertising remain unaffected by the bill. For example, self-promotion with one's own customer data collected within the framework of a contractual relationship will continue to be possible without restriction. And the frequently encountered insertion of advertising from other companies in one's own catalogues, on invoices or in parcels also remains free. In order to carry out this self-promotion in a more targeted manner, companies can enrich their customer database with additional data in order to better reach certain target groups. This data can be purchased as before.

[Example: A mail order company wants to advertise garden furniture in a spring campaign specifically to those of its customers who own a garden. It acquires a file of streets where single-family houses with gardens are located and, provided it has "known" customers in such a street, enriches its customer records with the feature "garden owner".]

For tax-privileged donation advertising, especially by non-profit and church organisations, the law provides for a legal situation that corresponds to the previous one. These organisations can therefore continue to buy data without the consent of the person concerned. The reason behind this is that otherwise non-profit organisations could only receive addresses of those citizens who have consented to commercial advertising. However, it is more in line with the reality of life that even those who have refused their consent to advertising for commercial purposes are nevertheless not bothered by, for example, an appeal for help for disaster victims.

Preference is also given to advertising that goes to freelancers and businesses.

There, the industry-specific information is in the foreground, the response to advertising messages follows an economic logic and not the laws of consumption.

The future consent solution will be flanked by a prohibition of tying for market-dominant companies. Companies may not make the conclusion of a contract dependent on the consent of the data subject to the use of his or her personal data for advertising purposes if the data subject cannot reasonably be given other access to equivalent contractual services without consent.

Furthermore, the draft introduces five new administrative offences subject to fines for violations of data protection law and expands one existing offence. Among other things, new fines are envisaged for better control of automated retrieval procedures, for inadequate commissioned data processing and for the use of personal data despite an objection to advertising.

The fine for formal violations increases from 25,000 EUR to 50,000 EUR and for other data protection violations from 250,000 EUR to 300,000 EUR, in line with sector-specific regulations. In addition, provision is made for skimming off the economic advantage the offender gained from the administrative offence. For this purpose, the fine may also exceed the otherwise applicable maximum amount.

[Example: A data trader makes 12 million euros from the illegal sale of several million customer records.]

In order to protect those affected against the enormous damage resulting from data loss at companies, e.g. when customer data is lost together with credit card data, companies will in future be obliged to inform customers quickly. This also includes data on bank accounts and - because the loss of such data can create behavioural patterns - inventory and usage or traffic data from telephone and internet use.

Finally, the position of company data protection officers has been strengthened. Their protection against dismissal is extended and they are entitled to further training. Another component of the draft is the creation of a legally regulated, voluntary and unbureaucratic data protection audit procedure. Companies can acquire a data protection audit seal if they follow a regular data protection control procedure and comply with guidelines for improving data protection and data security. The guidelines are to be drawn up by a committee of experts from business and administration, go beyond the legal requirements and be sector-specific.

The use of the data protection audit seal should not depend on a one-off control and award procedure, but rather, following the proven control system for awarding the organic seal in the Organic Farming Act, as submission to a set of rules, compliance with which can be continuously monitored. In order to minimise bureaucracy in the control system, the Länder and, in the area of postal services and telecommunications, the Federal Commissioner for Data Protection and Freedom of Information should be granted the greatest possible flexibility to transfer tasks to private control bodies. In the case of the transfer of tasks to private supervisory bodies, only their supervision and particularly incisive sovereign decisions should remain with the competent authorities.

Companies with branches in different federal states should only be inspected by one supervisory authority within the framework of the data protection audit procedure. The inspection bodies also have an interest in operating across the Länder without having to go through several approval procedures. In order to realise a nationwide uniform control system at a high level, it is therefore proposed that the Federal Commissioner for Data Protection and Freedom of Information, as the central federal agency with sole decision-making authority, be granted uniform authorisation, following the proven control system for the award of the organic seal.

The data protection audit procedure is intended to provide market-oriented incentives for improving data protection in companies. The acquisition and promotionally effective use of the data protection seal opens up the possibility for companies to gain advantages with consumers and over competitors. In this way, the data protection audit increases the level of data protection at companies and creates more transparency for citizens through the data protection audit seal. In this way, the data protection audit combines business promotion measures with the promotion of data protection.

The Data Protection Audit Act enters into force the day after it is promulgated in order to enable the control system to be set up in a timely manner. A data protection audit can be carried out as of 1 July 2010.

Review:

On 4 September 2008, a meeting was held at the Federal Ministry of the Interior with ministries and supervisory authorities from the Federation and the Länder responsible for data protection in the non-public sector. The aim of the meeting was to jointly discuss how data protection in the private sector can be realised more effectively. At that time, the participants agreed on four key points for changing the legal basis, which have been taken into account in the draft law now presented:

1. The abolition of the so-called "list privilege", i.e. the legal permission to transmit and use certain "list data" for the purposes of advertising, market and opinion research without the consent of the data subjects.

2. The introduction of a tying ban for market-dominant companies.

3. The extension of fines for violations of data protection law.

4. The creation of possibilities to skim off ill-gotten gains.

In addition, a data protection audit law has been announced - also in view of the data protection problems that have become known in the telecommunications industry - which is also included in the bill that has now been passed.


Source: Press release of the Federal Ministry of Justice of 10.12.2008

Goldberg Attorneys at Law

Lawyer Michael Ullrich, LL. M. (Information Law)

E-mail: m.ullrich@goldberg.de
