
TTDSG: Germany’s new data privacy law
Background
Germany is a pioneer in data privacy protection. The country’s state of Hesse enacted the world’s first data protection law in 1970, and other states soon followed its initiative. Then, in 1978, the first German Federal Data Protection Act (BDSG) took effect.
From 2018 to 2021, data protection was governed by a combination of the EU’s General Data Protection Regulation (GDPR), an updated version of BDSG, and the local state laws.
Then, having seen a need to unify the country’s data laws and bring them in line with GDPR, Germany’s parliament introduced a new Data Protection Act in 2021: TTDSG.
The new law was intended to merge different data protection rules into one law.
While most of its provisions deal with cookies, TTDSG has also tightened regulations concerning email data. If you operate a business in Germany, it’s important to make sure you comply with them.
Email and TTDSG
The good news is that if you’re already compliant with GDPR, TTDSG doesn’t require you to do much more, though there are some stipulations regarding accessing email that are worth knowing about.
According to the new law, if a person is not involved in an email/web-based message, then they are forbidden to view it.
Some commenters suggest there are exceptions, though. A German compliance management firm called JOWECON has written about TTDSG and email.
They say that if a company allows its employees to use the corporate email system to send private messages, then, in certain circumstances, the company might be lawfully entitled to access those messages.
For example, if a particular member of staff is absent, or the company has reason to believe an employee’s private messages contain evidence that an offence has been committed, then the company would be allowed to view the messages.
There is another view, though, suggesting that a company taking such action might be breaking the law. International law firm Herbert Smith Freehills says:
“If employers want to have legally secure access to email communication in company email systems, they have the option on the one hand, to completely prohibit the private use of official devices and infrastructure by employees.” (Herbert Smith Freehills Data notes)
So, there seems to be no consensus yet about whether employers can or cannot access an employee’s private emails without that person’s consent. If and when we gain clarity on this, we’ll update you.
In the meantime, you can help your organisation stay compliant with German laws with our Business Email Retention guide and by storing and accessing emails securely with Cryoserver.
