log in
All Articles | Back

Member Articles

Data Protection in the Social Field 

by Regina Glaser, LL.M., Torsten Gross, LL.M.

Published: November, 2017

Submission: December, 2017



The forthcoming General Data Protection Regulation also results in adaptations with regard to the protection of social data. On May 25, 2018, an amended Code of Social Law will therefore come into effect simultaneously with the General Data Protection Regulation. Above all, the Code of Social Law (SGB) X is affected. Many of the adaptations are editorial changes that have become necessary, but the content has also been amended.

It is a fundamental right of every citizen that service providers must not collect, process or use the social data concerning him/her without authorization. Social data are frequently very sensitive, as they concern the citizen's intimate sphere (e.g. health data). As a result, they require particular protection.


In particular the duties to inform, rights of access to, rectification or erasure of personal data of the respective data subjects, as well as their right to lodge a complaint, are adapted to the requirements of the General Data Protection Regulation in the new version of the SGB X. Overall however, the regulatory systematics of the law are retained to a major extent.

The principle of necessity will also remain a central constituent. Data processing is only lawful if the collecting body needs it in order to fulfil a task. This also expressly applies to special categories of personal data as defined in Art. 9 (1) GDPR (Section 67a SGB X New).


Among other things, the content amendments concern the processing of social data by order - i.e. the equivalent of order data processing. At present, this is possible if "disruptions to the client's operating procedures could otherwise occur". Under the second possibility, the use of private computing centers is only possible if the "predominant share" of the stored data inventory remains with the official authority (Section 80 SGB X).

The latter alternative has now been revised. With effect from May 25, 2018, it will be sufficient if the "work assigned can be carried out significantly more cost-effectively by the order processor". (Section 80 SGB New). It has been recognized that the old rule is no longer in keeping with the times. It could not guarantee the intended control of the data. Non-public bodies can now also be asked to process the entire data inventory. Nevertheless, this must be "significantly more cost-effective", as already provided for under the present rule.

The old Section 80 (2) SGB X still lists the individual circumstances that must be specified in detail in the written order (e.g. subject matter and duration of the order). The national lawmaker has removed this list in the new version. Art. 28 GDPR is now directly applicable.

In addition to the transfer to EU member states and to states with an equal status (EEA and Switzerland), the transfer of data abroad is now also expressly permitted on the basis of an adequacy decision pursuant to Art. 45 of the General Data Protection Regulation (Section 77 SGB X New).


Public bodies must adapt to the new data protection requirements created by the General Data Protection Regulation. They should therefore familiarize themselves with the new rules in the SGB, and check whether their processes are compatible with the new standards.






WSG Member: Please login to add your comment.


WSG's members are independent firms and are not affiliated in the joint practice of professional services. Each member exercises its own individual judgments on all client matters.

HOME | SITE MAP | GLANCE | PRIVACY POLICY | DISCLAIMER |  © World Services Group, 2020