Leaked new draft of the Data Protection Amendment and Implementation Act EU – DSAnpUG-EU

A new draft of the Data Protection Amendment and Implementation Act EU – DSAnpUG-EU was leaked on 28.01.2017:


A number of drafts are apparently circulating at the moment – a different draft (not leaked), with a different number of pages and slightly different content, already appeared last week.

What all the new drafts have in common is that they are said to be for discussion by the Federal cabinet “soon”. Calendar week 5 was specifically mentioned in the version behind the above link. This is also consistent with information from other sources that the next draft is scheduled for discussion at the beginning of February.

To date, no official new version submitted for the hearing of the associations has come to light, as happened in November very soon after the second draft was leaked. We will wait in suspense to see what next week may bring.

Irrespective of this, you may of course read and comment on the leaked version and propose changes to the second draft.

Here, therefore, is my first (incomplete) assessment of the changes:

  • We no longer talk about ABDSG (as in the 1st draft of September 2016) or about BDSG-new (as in the 2nd draft of November 2016); we are back to BDSG, but in the revised version.
  • Video surveillance: The intention was to amend the video surveillance arrangements in the current BDSG (for details see, among others: https://www.datenschutzverein.de/wp-content/uploads/2016/11/Stellungnahme_Videoueberwachung_06112016.pdf).
    It appears that these arrangements have been included in § 4 of the revised BDSG. For the reasons given (in the linked comment), this is not good. And Paragraph 2 of § 6 is also, in my opinion, not good: “(2) The circumstances of observation and the name and contact data of the responsible person shall be disclosed by taking suitable measures at the earliest possible point in time.” When is the earliest possible point in time? Clever arguments may place this months away. This was not phrased this way in the 2nd
  • In § 23 of the 2nd draft (BDSG-new) processing for other reasons was the same for public and private bodies. This was separated in the leaked version. We have now been given a new partial arrangement for public bodies (where state funds are involved…):
    “§ 23 – processing for other purposes by public bodies
    (1) Processing by public bodies, within the framework of their responsibilities, of personal data for other purposes than those for which the data were captured shall be permissible if […] 4. this […] is necessary for securing revenue from tax and duties, […]”
  • The paragraphs on Scoring and transfer to information bureaus (§ 27 and § 28 of the 2nd draft (BDSG-new) dated 23.11.2016) have been replaced by § 31 “Protection of economic traffic during Scoring and creditworthiness enquiries”. Although § 28 of the 2nd draft (BDSG-new) on Scoring has remained virtually unchanged, § 27 of the 2nd draft (BDSG-new) on information bureaus has clearly been changed.
    These two paragraphs have disappeared from the other circulating, but not leaked, draft.
  • The data protection officer is still present (§ 36), worded almost the same as in the 23.11.2016 draft. The only change is in the word “automated”: “…provided they will in general employ at least ten persons full time for automated processing of personal data.”

As mentioned above, it is hard to decide which is the most current version, since none of the leaked versions have a date. Nothing then to do here but wait for the next officially published version. Maybe next week…

The Regional Representative for Data Protection and Freedom of Information in Mecklenburg-Vorpommern has published his clearly critical comments on the “4th draft of the new Federal Data Protection Act (BDSG)”:

Link to the press release: https://www.datenschutz-mv.de/presse/2017/pm-bdsg-e4.html

and the position statement: https://www.datenschutz-mv.de/presse/2017/sn-bdsg-e4.pdf


(Author: Frank Spaeing)