The GDPR will have direct application in every EU member state, and will also have extra-territorial application to international businesses that process the personal data of EU citizens.
However, there are aspects of the GDPR which either require, or provide the option for, each EU country to update their national data protection laws – so called "opening clauses". The UK government consulted on potential changes to UK data protection rules earlier this year. Now Germany has passed a new Federal Data Protection Act (FDPA).
The main provisions of the FDPA, which was published in law in Germany on 5 July, will apply from 25 May 2018, the same date that the GDPR will apply from.
Munich-based data protection law expert Stephan Appt of Pinsent Masons, the law firm behind Out-Law.com, said: "German lawmakers made use of the GDPR opening clauses and filled the gaps through the new FDPA. Many of the new provisions are fairly similar to the previous framework under the Bundesdatenschutzgesetz, or BDSG: The legislator was keen to enact the FDPA before German general elections in September which resulted in an approach of keeping as many of the current provisions unchanged as possible instead of engaging in a discussion about improvements, for example in the context of much needed clarifications and long-planned revisions of the employee data protection rules under the BDSG."
"In practice this means that when interpreting the provisions of the FDPA a close look at guidance from the German data protection authorities and existing German case law will be needed, whilst all of this precedent must be of course be reviewed in light of the GDPR," he said.
Appt previously outlined some of the main changes that the new German data protection laws will introduce after the legislation was approved by the Bundestag, the country's parliament, earlier this year.
The new Act clarifies the circumstances in which businesses will be obliged to appoint a data protection officer (DPO), as well as conditions for processing employee data in the context of the standard employment relationship as well as for the specific purpose of internal investigations.
In addition, the Act addresses rules on the processing of personal data for research and statistical purposes, and the rights of data subjects when processing of that nature takes place.
The Act will also introduce a new criminal offence of knowingly transferring to a third party, or making publically available, personal data about a large number of people that is not already publically available where that action is taken for a business purpose.
Appt said, that there other new data protection laws can be expected in Germany. He said the German Bundestag and Bundesrat have passed sector-specific amendment Acts that will align many other pieces of legislation with GDPR requirements. This includes the Patent Act, Copyright Act, Trademark Act, Design Act, Fiscal Code, Financial Administration Act, Social Security Code, he said.
"Many of the amendments concern, in particular, public registers which may contain personal data providing for restrictions of the right of information of affected persons," Appt said. "The data protection laws at state level will need be subject to respective revision too."