Germany
employees process personal data. Even below this threshold, a DPO is required if processing operations regularly pose particular risks (e.g., processing subject to a Data Protection Impact Assessment or systematic processing for transfer/market research). This national rule is stricter than in most EU Member States. Regardless of the threshold, controllers remain obliged to implement appropriate security measures, conduct Data Protection Impact Assessments (DPIAs) where required, and notify data breaches to the competent authority within 72 hours.

Data Subject Rights: The GDPR's full catalogue of rights applies (access, rectification, erasure, restriction, portability, objection). The BDSG contains limited exceptions (e.g., §§ 34-35 BDSG allow restrictions to protect secrecy or public interests). German courts and regulators tend to interpret rights broadly in favor of data subjects. For example, in 2023, the Court of Justice of the EU (CJEU) clarified, on reference from German courts, that the right of access under Article 15 GDPR extends to internal access logs - i.e., information on when and for what purpose staff accessed personal data. This significantly increases the transparency obligations of controllers in Germany.

Recent National Developments

Employment Data Protection: Germany has long lacked a comprehensive statute on employee data, relying instead on § 26 BDSG. That provision broadly allows processing if necessary for hiring, carrying out, or terminating employment.
www.omf-law.com