February 2017 - Data Protection & Privacy | IT Law | Doing Business in Germany

Germany: Land of Data Protection and Security – But Why?

Understanding the German mentality to data protection and data privacy is fundamental to doing successful business in the country

Germany: Land of Data Protection and Security – But Why?

Image: iStockphoto | Rallef

Nowhere in the world are there stricter requirements for data protection and privacy than in the European Union – and within the Union, no other country stands for data protection more than Germany. If you want your business to be successful in Germany, you should know the reasons. They have to do with the country’s history.

Germany has given rise to two political systems in which the surveillance of its own people played a fundamental part of control, manipulation and oppression: the Third Reich and the German Democratic Republic. Both regimes managed to survive for years. The shared experience was that no one could trust in their privacy, and deviant behavior could be punished severely. Both systems are history, and much has been written and said about the political reasons and implications. And the consequences are still very present today.

Therefore, topics related to privacy, data protection and thus, security, cause stronger reactions in Germany than in its neighboring countries or in regions of the world with even fewer cultural similarities. This is especially true for health data. Research presented in the Harvard Business Review shows just how deep the divide is not only between Germany and countries like India or China, but also between Germany and Great Britain or the USA. When it comes to protecting data related to personal health history, the average German is willing to pay as much as $184 U.S., while the average Briton would pay only $59 U.S. (U.S. citizens and the Chinese place a single-digit value on the certainty that their health data is safe, and Indians not even that much.)

What does this mean for companies wanting to expand their reach into the German market? Here are some things to consider for companies who do or do not specialize in data protection, privacy or security.

Does your company offer products that do not primarily provide additional data protection, privacy or security?

Then consider the legal requirements and concerns of your potential customers in Europe and Germany from the start. Make sure your customers and their data and devices are secure. The integrity of all transactions is a must; security breaches may be considered a deal breaker. Transparency won’t hurt you, and proof of certifications and the meeting of industry standards will give you competitive advantages. When marketing your products, underscore your thought leadership in data protection and security.

Does your company offer products that especially provide additional data protection, privacy or security?

Then you will find Europe, and especially Germany, to be a mature market – one that may not have waited for your specific solution. The advantage for your company? You can expect your potential buyers to be aware of the issues you are trying to help them with. You don’t have to spend extra time explaining the usefulness of data protection and security. The disadvantage for your company? You can expect your potential buyers to be aware of the issues you are trying to help them with. You will spend extra time explaining why it is your product above all others that improves your potential buyers’ data protection and security. Plus, you will have to live up to your promises.

Does your company do, or want to do, business in Germany or elsewhere in the EU?

Then you should take more than just a peripheral glance at data protection. Data protection is, and is becoming ever more important. Companies need to find out in advance what data protection-related regulations and laws they are subject to, not only to avoid the fines: “The secure handling of personal data is becoming more and more important in the public awareness. Data protection has long since lost its role as the unloved stepchild,” says Dr. Katharina Kuechler from eco – Association of the Internet Industry. “Properly implemented, data protection can be a real competitive advantage.” 

Data protection law within the EU will be harmonized through the new General Data Protection Regulation, which will mean that, for example, the requirements for gaining permission are becoming more stringent in comparison to existing German data protection law. However, completely new concepts will also be introduced, such as the data protection impact assessment (Art. 35 GDPR) compensation or the right to data portability. The General Data Protection Regulation came into effect on 25 May 2016 and will apply from 25 May 2018 in all EU Member States, without the need for a further implementation law. This means that companies have until 2018 to adapt their processes and contracts to the new regulation. As of that date, companies that do not comply will be faced with fines of up to 20 million EUR. There are only few cases where protection is offered for contracts that were finalized before the General Data Protection Regulation applies. So companies should really start to review their processes and contracts now for compliance with the new regulation. Also new in the regulation is the market principle. This means that, in future, companies must apply the data protection law of the given EU state in which they offer their service, regardless of whether the company is based in that state. As a result, companies based outside of the EU must also observe the General Data Protection Regulation from 2018 if they want to process data or market their products within the EU.

To help companies in dealing with the transition, eco offers internal audits for member companies, so they can find out if they are well prepared for doing business in Europe.

The General Data Protection Regulation also includes the Europe-wide stipulation for companies to appoint a Data Protection Officer. The central obligation to report in Art. 37 Abs. 7 GDPR simplifies the monitoring of actual appointments, so that the detection of inaction will become more likely. The obligation to appoint a Data Protection Officer can be difficult to fulfill, especially for SMEs. Here also, eco is happy to help members with an external solution. 
More information is available at go.eco.de/dataprotection
Or you can send an email to dataprotectionofficer@eco.de and the eco legal team will get in touch with you.