“In Germany the authorities are taking increasingly consistent action against IT security breaches.”

GDPR, BDSG, TTDSG… In Germany, cybersecurity is covered by a mix of national and EU laws. Dr. Hans Markus Wulf and Dr. Thomas Jansen, equity partners at Heuking Kühn Lüer Wojtek, and Theresa Bardenhewer, research assistant in Hamburg, explain which laws carry the most weight and how foreign firms can ensure cybersecurity compliance in Germany.

Posted Wednesday, August 3rd 2022
“In Germany the authorities are taking increasingly consistent action against IT security breaches.”

Heuking Kühn Lüer Wojtek x Leaders League

Leaders League. Why should companies be concerned about cybersecurity? Since the GDPR came into force four years ago, the importance of cybersecurity has increased significantly.  Art. 83 of the GDPR covers the conditions for imposing administrative fines. 

Violations of data protection may result in fines of up to €20 million or 4% of a company’s annual global turnover.

The most serious violations of data protection regulation can even result in a prison sentence of up to three years, for things like data espionage, phishing or data manipulation, but also unauthorised processing or obtaining of data with the intent to gain an advantage. Moreover, cybersecurity is also a question of reputation and companies are increasingly concerned about the protection of their confidential data against disclosure.

Which laws are applicable to cybersecurity in Germany? The cybersecurity landscape consists of national laws like the Federal Data Protection Act (BDSG) or the Telecommunications Telemedia Data Protection Act (TTDSG) and EU law, such as the General Data Protection Regulation (GDPR) or the upcoming Digital Services Act (DSA), which cover internet platforms. Most of these govern the protection of personal data. Additionally, there are sector-specific regulations, for example the one for critical infrastructure according to Section 8a of the BSI Act (last amended at the end of May 2021 to take the IT Security Act 2.0 into account) as well as for the banking industry i.e. the Banking Supervisory Requirements for IT (BAIT) of the Federal Financial Supervisory Authority (BaFin) as well as in Section 25a of the German Banking Act (KWG) with its Minimum Requirements for Risk Management (Ma-Risk) and Section 80 of the German Securities Trading Act (WpHG). Further sector-specific regulations exist for insurance companies, namely theInsurance Law Requirements for IT (VAIT) and the Minimum Requirements for the Rules of Procedure of Insurance Companies (MaGo), also issued by the Federal Financial Supervisory Authority, the automotive industry or in the energy sector as well as in the area of smart metering i.e., the operation of smart gas, water or electricity meters.

You’ve mentioned specific German laws, such as the BDSG and the TTDSG. To what extent do these deviate from the GDPR? The definitions of important terms like “personal data” are in accordance with the GDPR and also regarding the principles or the justification of processing data processors must comply with the GDPR (Art. 5 and Art. 6). The BDSG mainly contains clarifications of the GDPR and only a few specific rules of its own, for example on video surveillance, employee data-protection, research and archiving purposes, or consumer credits.

According to Art. 38 of the BDSG, companies with 20 or more employees must appoint a data protection officer if they are involved in the automated processing of personal data. Since it is unlawful to dismiss or discriminate against a data-protection officer because of the performance of their duties, dismissing a company’s data-protection officer is almost impossible in Germany. However, this protection against dismissal does not apply if a company appoints an external data-protection officer.

Finally, German supervisory authorities require consent to be explicit, i.e. that in most cases, it cannot be replaced by implied, tacit action. On the internet, Section 25 of the TTDSG requires an opt-in rather than an opt-out, for example when it comes to the use of cookies

What does the BSI Act, which is a specific German law, require of critical infrastructures? In the area of critical infrastructures, in Germany companies are obliged to provide evidence of compliance with the necessary technical and organisational measures in accordance with Art. 8a of the BSI Act.

Such proof must be provided every two years and can be provided through security audits, examinations or certifications by one of the recognised certification bodies.

In addition, according to Section 8b of the BSI Act, there is an obligation to register and specify a contact point, and there is also an obligation to report IT malfunctions. The obligation to register as a critical infrastructure operator exists as soon as a company falls under this description.

When is a company considered a provider of critical infrastructure? According to Section 1 No. 2 of the BSI Critical Infrastructure Ordinance, a critical infrastructure operator is any natural or legal person who, taking into account the legal, economic and factual circumstances, exercises decisive influence over the nature and operation of a critical infrastructure facility or parts thereof. The A bank, for example, falls under the definition of a critical infrastructure provider if it operates a system that processes more than 100 million account transactions per year for its customers.

We know that complying with the GDPR has caused difficulties for many. Does the German legislator provide any extra requirements regarding the compliance with cybersecurity laws? Generally, there are no specific regulations on compliance besides the requirement to keep a processing register, the analysis of technical and organisational measures or the data protection impact assessment, all laid down in the GDPR. Furthermore, from the requirement to delete data, the German supervisory authorities derive the obligation of every company to create and maintain deletion guidelines that list the respective processing procedures and provide.

Additionally, clause 14 of the EU standard contractual clauses requires each company to carry out an individual risk-assessment before the transfer of data to a non-EU country for which there is no adequacy decision as per Art. 45 of the GDPR.

Do companies have to pay any additional damages or compensation in case of breaches of data privacy laws? According to the concept for the calculation of fines in proceedings against companies issued by the German Data Protection Conference (DSK), the calculation of the fine takes into account the size and turnover of the company and the severity of the violation. So far, the largest fine in Germany amounted to €35 million and was imposed on H&M for the unlawful processing of sensitive employee-data.

Furthermore, data subjects can claim damages in the event of a violation of their data protection rights. The burden of proof for the data breach lies with the data subject, but Art. 82 of the GDPR does not require fault on the part of the processor.

Under the GDPR, data subjects may also claim non-pecuniary damages for pain and suffering. Non-pecuniary damages have been granted in the €500 to €5,000 range in Germany.

Are there any laws on cyber-crime or a cybersecurity regulator in Germany? There are no specific legal regulations for dealing with cybercrime in Germany, except those in the German Criminal Code (e.g. computer fraud, data spying/interception, computer sabotage, handling of stolen data). Yet, the supervisory authorities regularly provide information and recommendations on the state of threats. For example, In 2021, the Bavarian data-protection authority recently published a special recommendation for preventive measures with regard to ransomware.

While the 16 state-data-protection authorities are specifically responsible for supervising compliance with data-protection laws, the Federal Office for Information Security (BSI) is responsible for supervising compliance with IT security law in Germany. Among other things, the BSI is in charge of the promotion of preventive cybersecurity and for the creation of minimum standards.

Who is entitled to claim violations of cybersecurity law in Germany? And under what circumstances? In a case where an individual’s personal-data rights are violated, data subjects have the right to sue. In contrast, companies can only assert data protection claims in exceptional cases because they need to prove that the data protection standard in question had a market conduct regulating character pursuant to Section 3a of the UWG.

Otherwise violations of IT security are mainly sanctioned by the authorities. In Germany the authorities are taking increasingly consistent action against IT security breaches. In May 2021, for example, a German online store was fined EUR 65,500 for using an outdated version of the store software and also for not using password hashing (translation of the password into a separate code). 

In addition, according to a current judgement of the European Court of Justice (C-319/20), consumer protection associations may pursue GDPR infringements, even without a corresponding mandate from a data subject, as long as this is provided in the respective national law. For companies working in the B2C sector at least, the risk of actions by consumer protection associations will rise significantly. Thus, companies should resolve visible issues of non-compliance promptly.

  • Interview with Heuking Kühn Lüer Wojtek in Hamburg:
  • Theresa Bardenhewer, research assistant
  • Dr. Thomas Jansen, Partner
  • Dr. Markus Wulf, Partner