Member Article

The forthcoming General Data Protection Regulation also results in adaptations with regard to the protection of social data. On May 25, 2018, an amended Code of Social Law will therefore come into effect simultaneously with the General Data Protection Regulation. Above all, the Code of Social Law (SGB) X is affected. Many of the adaptations are editorial changes that have become necessary, but the content has also been amended.

It is a fundamental right of every citizen that service providers must not collect, process or use the social data concerning him/her without authorization. Social data are frequently very sensitive, as they concern the citizen's intimate sphere (e.g. health data). As a result, they require particular protection.

AMENDMENTS OF SOCIAL CODE SGB X

In particular the duties to inform, rights of access to, rectification or erasure of personal data of the respective data subjects, as well as their right to lodge a complaint, are adapted to the requirements of the General Data Protection Regulation in the new version of the SGB X. Overall however, the regulatory systematics of the law are retained to a major extent.

The principle of necessity will also remain a central constituent. Data processing is only lawful if the collecting body needs it in order to fulfil a task. This also expressly applies to special categories of personal data as defined in Art. 9 (1) GDPR (Section 67a SGB X New).

PROCESSING OF SOCIAL DATA BY A PROCESSOR

Among other things, the content amendments concern the processing of social data by order - i.e. the equivalent of order data processing. At present, this is possible if "disruptions to the client's operating procedures could otherwise occur". Under the second possibility, the use of private computing centers is only possible if the "predominant share" of the stored data inventory remains with the official authority (Section 80 SGB X).

The latter alternative has now been revised. With effect from May 25, 2018, it will be sufficient if the "work assigned can be carried out significantly more cost-effectively by the order processor". (Section 80 SGB New). It has been recognized that the old rule is no longer in keeping with the times. It could not guarantee the intended control of the data. Non-public bodies can now also be asked to process the entire data inventory. Nevertheless, this must be "significantly more cost-effective", as already provided for under the present rule.

The old Section 80 (2) SGB X still lists the individual circumstances that must be specified in detail in the written order (e.g. subject matter and duration of the order). The national lawmaker has removed this list in the new version. Art. 28 GDPR is now directly applicable.

In addition to the transfer to EU member states and to states with an equal status (EEA and Switzerland), the transfer of data abroad is now also expressly permitted on the basis of an adequacy decision pursuant to Art. 45 of the General Data Protection Regulation (Section 77 SGB X New).

CONCLUSION

Public bodies must adapt to the new data protection requirements created by the General Data Protection Regulation. They should therefore familiarize themselves with the new rules in the SGB, and check whether their processes are compatible with the new standards.