Arbeit Frau am Schreibtisch mit Computer

These Laws and Policies Keep Our Data Safe

Today, hardly any area of our lives does not depend on the processing of digital data. It makes many things faster, easier and more effective – yet it also poses new security risks. In order to protect data from misuse, there are clear legal requirements and control bodies in Germany and the EU, a selection of legal foundations for our data security.

Data, an Asset Worth Protecting

Data are everywhere: Whether in health care, mobility or the financial sector, they play a decisive role in almost all areas of life today. They document important developments and help with making decisions and predictions. Our entire digital society is based on data. It is therefore vital to protect them appropriately and handle with them responsibly. This requires a legal framework that provides clear guidelines and is constantly being updated. In Germany and at the European level, politicians have therefore passed a wide variety of laws and strategies in recent years for the lawful handling of our data. 

The European General Data Protection Regulation (EU GDPR)

Since 2018, the GDPR has been regulating all data protection requirements within the European Union. What was important to its drafters was to achieve “modern data protection” that strikes a balance between economic and consumer interests. In addition, the GDPR is a big step towards European harmonisation. It creates uniform regulations on data protection throughout Europe. and it also offers companies equal opportunities in every EU country. Among other things, the regulation focuses on the pseudonymisation of data, the processing of personal data and the protection of privacy. In Germany, the Federal Data Protection Act (BDSG) supplements the GDPR in those places where the European regulation allows leeway for national regulations.

“The GDPR is the first European data protection law that is directly applicable throughout the EU. The pan-European harmonisation it brings cannot be overstated in the face of global and ubiquitous processing of personal data. And it is already evident that it is becoming a standard far beyond Europe, serving as orientation in other states and regions, especially in Asia and in North and South America.”

Prof. Ulrich Kelber, Federal Commissioner for Data Protection and Freedom of Information

The IT Security Act 

The first “Act to Increase the Security of Information Technology Systems” was passed in Germany back in 2015. It is aimed at ensuring and continuously improving the security of digital infrastructures and IT systems. The main focus is on critical infrastructures (CRITIS), including the electricity and water supply, the health sector or financial institutions. A failure of these facilities, such as due to inadequately protected IT systems, would have dramatic consequences for the economy and society – and must therefore be avoided at all costs. Operators of critical infrastructures are therefore obliged by the IT Security Act to adequately safeguard the IT required for providing their services and to have the protective measures regularly checked. An amended form of the IT Security Act, the IT Security Act 2.0, has been in force since May 2021. It extends the rights and obligations of the operators of critical infrastructures and expands the powers of the Federal Office for Information Security (BSI) as a supervisory authority. In addition, “special public interest” companies – such as arms manufacturers – are now obligated to take special IT protection measures as well.

The Data Strategy of the German Federal Government

Using data innovatively, sharing them and at the same time ensuring the highest level of data protection and data security – this is the aim of the more than 240 measures of the data strategy that the German Federal Government made up of CDU/CSU and SPD adopted at the beginning of 2021. The intent is to allow the opportunities that data offer for science, business and also civil society to be exploited to the fullest. One part of the data strategy involves measures to expand the necessary data infrastructure, digital education or digital administration, for example. Another important area of action of this strategy is the creation of a legal framework for handling data securely. The strategy paper specifies uniform legal interpretations and applications for applicable data protection regulations. Another part of the package of measures entails the promotion of anonymisation procedures and methods and the harmonisation of data protection guidelines among the German federal states.

The Patient Data Protection Act (PDSG)

The Patient Data Protection Act protects patients’ electronic data in the telematics infrastructure. It came into force in October 2020 and is a prerequisite for the use of the electronic patient record (ePA) or the e-prescription. For example, the PDSG stipulates that the patient alone makes decisions concerning the creation and processing of his/her ePA and thus always retains control over his/her data. The decision as to who may access which documents in the file lies solely with the patient as well. Anyone who wants to “donate” data (anonymously) will have the option of doing so starting in 2023. For example, patients will be able to make their medical data available for research and science. In addition, the PDSG grants patients certain provisions to simplify their communication with doctors or pharmacists. Referrals can be transmitted digitally to doctors, and e-prescriptions are accessible via a smartphone app. Last but not least, of course, the Patient Data Protection Act also regulates the actual protection of data. After all, sensitive health data such as findings, diagnoses, medication and treatment reports must not fall into the wrong hands. That is why, according to the PDSG, doctors, pharmacists and hospitals have been obligated to ensure the confidentiality, integrity and availability of their information since 1 January 2021. This necessitates certain technical – and organisational – measures to guarantee the security of IT structures and important processes. For this reason, an official review is required every other year to ensure that all measures are being complied with and are up to date.

The Federal Commissioner for Data Protection

This is not a law in the true sense of the word, but a personal matter: The Federal Commissioner for Data Protection and Freedom of Information (BfDI) is the guardian of the fundamental right of informational self-determination in Germany. Prof. Ulrich Kelber has held his position as an independent supreme federal authority since 2019.
The BfDI supervises all federal public bodies, certain social security institutions, telecommunications companies and postal service agencies with regard to applicable data protection provisions. It checks whether all requirements are being met and can issue warnings or fines in the event of violations. Moreover, citizens have the opportunity to submit complaints to the BfDI as well. On the basis of the Freedom of Information Act, the BfDI also ensures that administrative actions are made more transparent for citizens. In addition to the Federal Commissioner, there are also data protection commissioners in the individual federal states. The data protection commissioners of the states have oversight of state and local authorities and of all non-public sectors.

The EU Data Act 

The EU Data Act is the latest European project to regulate data protection issues within the EU. It builds on the 2020 European Data Strategy and Data Governance Act and was presented by the European Commission in February 2022. This act is intended to determine who in the EU may use and access data for which purposes, including across sectors. For example, the new data act aims to provide legal security for people who use, share and establish data. One important innovation is that companies will be obliged in future to provide public bodies with data needed for fulfilling a task in the public interest if there is an exceptional need. For example, this may involve public health or environmental protection agencies. Another important aspect is that the companies concerned are required to pseudonymise personal data before making it available. In addition, users must have the right to switch the provider of data processing services. And this act will give them access to the data their interconnected devices have generated.

“We want to give consumers and businesses even more say over what can happen to their data by clarifying who has access to the data and under what conditions.”

Margrethe Vestager, EU Commissioner for Competition