04.07.2017 | KPMG Law Insights

There is no turning back. The new GDPR applies. – New data protection law approved by cabinet

New data protection law approved by cabinet

On February 1, 2017, the German Federal Cabinet approved a new draft law for the adaptation and restructuring of German data protection law. The “Data Protection Adaptation and Implementation Act” (DSAnpUG-EU) is necessary to adapt German data protection regulations to the European Data Protection Directive for Police and Justice and to the requirements of the new EU General Data Protection Regulation (EU GDPR). The EU GDPR aims to create a unified data protection law and thus largely the same standards for handling personal data within the EU. Nevertheless, it opens up scope for national regulations in the member states with a large number of opening clauses.

What does the new law regulate?

The DSAnpUG-EU represents a comprehensive reform and restructuring of German data protection law. The focus of the redesign is the comprehensive revision of the current Federal Data Protection Act (BDSG), which is intended to supplement and concretize the EU GDPR that will apply in Germany from May 2018. The 85-paragraph law presented in the draft is much more comprehensive than the previous BDSG. The underlying regulation is directly applicable as a European regulation. However, it is supplemented by the new BDSG. As a result, companies will have to comply with both sets of rules in the future. In addition, there are sector-specific regulations in specialized laws, which must also be within the framework of the EU GDPR regulations that have priority.

Criticism from experts and data protection authorities

The draft of the DSAnpUG-EU adopted by the Federal Cabinet is – like the previous drafts – in part considered to be contrary to European law and misguided. Many opening clauses are repeated in the draft of the new BDSG, which lacks the necessary concretizing regulation. In addition, the room for maneuver granted to the member states is being overstretched in some cases, so that regulations are being created that are not covered by the opening clauses of the EU GDPR. For example, the German supervisory authorities criticize that the rights of data subjects in particular would be unduly restricted. Overall, this would jeopardize the intended harmonization of data protection law in the EU and unlawfully lower the level of data protection provided for by the EU GDPR. Due to the many exceptions and references in the draft of the DSAnpUG-EU, an opaque thicket had been created especially for companies subject to German law. This would make the application of the new data protection law considerably more difficult and thus counteract the EU’s efforts to standardize and simplify data protection law for companies throughout Europe.

Finally, the draft in its current form leaves open the extent to which additional regulations are necessary with regard to the numerous sector-specific data protection provisions in Germany. Accordingly, there is a risk of an inconsistent data protection structure in Germany with partly contradictory regulations. The legal practitioners are simply overwhelmed with this situation and considerable legal uncertainty is created by the draft law.


It remains to be seen in what concrete form the draft will actually be promulgated as law after the vote in the Bundestag and Bundesrat and whether the points of criticism raised will be taken into account. In any case, companies are advised to keep a close eye on the legislative process and deal with the largest data protection reform in Europe now, otherwise they will face severe fines of up to EUR 20 million or 4% of the previous year’s global turnover as of May 25, 2018. On March 10, the Federal Council is expected to discuss the new law.

Services of KPMG Law

Our team of highly specialized attorneys advises international and national corporations, small and medium-sized enterprises, public corporations, as well as financial investors and start-ups comprehensively in the area of information management (data protection and IT security), especially in the identification, analysis and evaluation of existing legal documentation and internal processes for handling personal data (“Privacy Impairment Check”) as well as their optimization.

In addition, we provide creative advice on the introduction of information and data management in compliance with data protection requirements, as well as on the development and market launch of products (“Privacy by Design”).

Of course, we also advise you on an ad hoc basis in internal or external investigation proceedings, e.g. following a “data loss incident” in the event of a crisis, and represent you in all official or court proceedings (legal representation). Feel free to contact us at any time about our consulting services!

Explore #more

22.05.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

17.05.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: When the family business is to be sold

Around 38,000 family businesses are currently handed over each year. In most cases, the change of ownership takes place within the family. But more and…

03.05.2024 | KPMG Law Insights

Doubts about inability to work? What employers can do

The certificate of incapacity for work (AU certificate) serves as proof of incapacity for work due to illness. However, only if the certificate meets certain…

29.04.2024 | KPMG Law Insights

Agreement on ecodesign regulation: products to become more sustainable

After lengthy negotiations, the Council and Parliament of the European Union reached a provisional agreement on the Ecodesign Regulation on the night of December 5,…

27.03.2024 | KPMG Law Insights

EU Buildings Directive: life cycle greenhouse potential becomes relevant

On March 12, 2024, the EU Parliament approved the amendment to the EU Buildings Directive. The directive obliges member states and, indirectly, building owners and…

19.03.2024 | Business Performance & Resilience, KPMG Law Insights

CSDDD: Provisional agreement on the EU Supply Chain Directive

The EU member states agreed on the CSDDD, the EU Supply Chain Directive, on March 15, 2024. Germany abstained from the vote. Negotiators from the…

21.02.2024 | KPMG Law Insights, KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation,…

15.02.2024 | KPMG Law Insights

Data compliance management: How to implement it in practice

Part 3 of the article series “Professional tips for data compliance management”   The third part of this series of articles deals with data compliance

14.02.2024 | Business Performance & Resilience, PR Publications

Guest article in ZURe: Monitoring the implementation of the LkSG

The current issue of ZURe (p. 20 ff.) contains a guest article by KPMG Law Partner Thomas Uhlig (Head of General Business and Commercial Law),…

09.02.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: The employment law function

In almost all German companies, the employment law function is located in the HR department and not in the legal department. One of the reasons…

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.