E. GDPR and national law
How Art. 9 GDPR interacts with the BDSG and other German laws – primacy, scope, and obligations.
At a Glance
As an EU regulation, the GDPR applies directly throughout Germany – without the Bundestag having to transpose it first. It has primacy over national law. The BDSG and other German laws may only specify the GDPR or – in certain areas – tighten it.
I. How German law may stand alongside the GDPR
| Type of national law | Permitted? |
|---|---|
| Specifications and implementing rules | ✅ Yes, where the GDPR leaves scope |
| Opening-clause law (e.g. via Art. 9(4)) | ✅ Yes, within the relevant scope |
| Stricter rules for genetic, biometric and health data | ✅ Yes, under Art. 9(4) |
| Relaxations of the GDPR's level of protection | ❌ No |
II. What the BDSG regulates regarding Art. 9
The Federal Data Protection Act 2018 (BDSG) contains several provisions specifying Art. 9 GDPR:
| BDSG provision | Function |
|---|---|
| § 22(1) BDSG | Authorising provisions for health data (implementing Art. 9(2)(b), (h) and (i)) |
| § 22(2) BDSG | Obligation to take protective measures for all Art. 9 data |
| § 23 BDSG | Further processing of special categories of personal data |
| § 26(3) BDSG | Consent in employment for special categories |
| § 27 BDSG | Scientific research and statistics (implementation of (j)) |
| § 28 BDSG | Archiving in the public interest (implementation of (j)) |
What § 22(2) BDSG requires
Anyone processing special categories of personal data must take appropriate and specific safeguards. This is mandatory, not a recommendation. Such safeguards include:
- Technical measures: encryption, pseudonymisation, access restrictions
- Organisational measures: training, internal policies, data protection officer
- Controls: logging, regular review
III. Sector-specific laws affecting special categories of personal data
In addition to the BDSG, there are many other German laws relevant to sensitive data. As more specific laws, they take precedence over the BDSG:
| Law | Area | Relevant categories |
|---|---|---|
| GenDG | Genetic diagnostics | Genetic data |
| SGB V (§§ 284 et seq.) | Statutory health insurance | Health data |
| SGB XI (§§ 94 et seq.) | Long-term care insurance | Health and care data |
| IfSG (§§ 9 et seq.) | Infection protection | Health data (reporting obligations) |
| State hospital laws | Inpatient care | Health data |
| ArbSchG | Occupational safety | Health data (company doctor) |
IV. Data protection impact assessment (DPIA)
Anyone processing special categories of personal data on a large scale must first carry out a data protection impact assessment (DPIA). This is a systematic assessment of the risks to data subjects.
Record of processing activities
Every processing of sensitive data must be documented in the record of processing activities under Art. 30 GDPR – also for small enterprises. There is no exception here.
Data protection officer
Anyone processing sensitive data on a large scale must appoint a data protection officer. In Germany, § 38(1) BDSG specifies this obligation for private companies.
Frequently Asked Questions (FAQ)
Do I have to keep a record of processing activities even as a small company? Yes – for sensitive data there is no exemption from the documentation obligation, not even for micro-enterprises.
When do I need a data protection officer? Where you process sensitive data on a large scale. "Large scale" depends on the volume, duration, geographical extent and risk to data subjects.
What happens if my sector-specific law and the GDPR conflict? The stricter rule prevails: where the sector-specific law is based on Art. 9(4) and is stricter than the GDPR, it takes precedence; where it instead relaxes the GDPR's level of protection, it is inadmissible.