Support Centre

Germany

Summary

Law: Federal Data Protection Act of 30 June 2017 (implementing the GDPR) (as amended) (the Act) and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

Regulator: The Federal Commissioner for Data Protection and Freedom of Information (BfDI). Please note that there are also regional laws and regulators.

Summary: Germany implemented the GDPR in 2018 through the Federal Data Protection Act of 30 June 2017 (implementing the GDPR) (as amended) (the Act). Germany is composed of a federation and 16 Länder that have complementary competences in the privacy sector. In addition to the Act, every Länder has adopted its own regional data protection law implementing the GDPR, which applies to the public sector and have priority over the Act. Further information on each Länder as well as federal activities is available through the jurisdiction dashboard links below.

Browse more jurisdictions:

Germany - Federal
Baden-Württemberg
Bavaria
Berlin
Brandenburg
Bremen
Hamburg
Hesse
Lower Saxony
Mecklenburg-Vorpommern
North Rhine-Westphalia
Rhineland-Palatinate
Saarland
Saxony
Saxony-Anhalt
Schleswig-Holstein
Thuringia

News

Insights

November 2024

Germany: Employee Data Protection Act - what are the practical implications?

Digitalization has significantly changed the world of work in recent years. More and more processes are becoming data-driven, and the use of artificial intelligence (AI) is creating new opportunities but also significant uncertainties and challenges for employers and employees.

The draft of the Employee Data Protection Act (Beschäftigtendatengesetz - BeschDG) from the Federal Ministry of Labor and Social Affairs is currently being coordinated between the departments and must then still be passed in the German Parliament (Bundestag) before it can come into force. In this Insight article, Dr. Jessica Jacobi, Partner at KLIEMT.Arbeitsrecht Part­ner­schaft von Rechts­an­wäl­ten mbB, discusses the most important new provisions of the draft, specific examples of implementation in everyday life, and what the draft could mean in practice.

September 2024

Germany: Consent Management Ordinance – what it means for cookie banners

The Consent Management Ordinance pursuant to Section 26(2) of the Telecommunications Digital Services Data Protection Act (TDDDG)1 (the Ordinance) was adopted by the Federal Government on September 4, 2024. The Ordinance aims to provide an alternative for cookie banners and management of consent. OneTrust DataGuidance Research provides an overview of the Ordinance with expert insights by Dr. Christian Rabe, Senior Associate at Luther Rechtsanwaltsgesellschaft mbH, and Dr. Christoph Werkmeister, Partner at Freshfields Bruckhaus Deringer LLP.

June 2024

Germany: Guidance of Data Protection Supervisory Authorities on AI and data protection

In this Insight article, Daniela Schott and Kristin Bauer, from KINAST, elaborate on the Orientation Guide of the Committee of Independent German Federal and State Data Protection Supervisory Authorities - the German Data Protection Conference (DSK) - on artificial intelligence (AI) and data protection. The guide was published on May 6, 2024, and outlines data protection criteria necessary for the compliant use of AI applications and serves as a guideline for their selection, implementation, and use.

July 2023

Germany: Unpacking the DSK's decision on data protection significance of access options from third countries

On January 31, 2023, the German Data Protection Conference (DSK) - the joint body of independent German federal and state data protection authorities (collectively, the German DPAs) - issued a decision on extraterritorial access by public authorities from third countries outside the EEA (only available in German here).

Valentino Halim, Senior Associate from WilmerHale, unpacks the main provisions of the DSK decision, giving insight into its scope and implications.

March 2023

Germany: Paying with personal data? Data protection implications of new provisions under German Civil Code

New regulations on contracts for digital products have been in force in Germany for just over a year. These new regulations transpose the Directive on Certain Aspects Concerning Contracts for the Supply of Digital Content and Digital Services (Directive (EU) 2019/770) ('the Digital Content Directive') into German law. Thorsten Ihler and Melanie Ludolph, from Fieldfisher, discuss the implications of the new provisions under the German Civil Code ('BGB') in terms of data protection, resulting from the transposition of the Digital Content Directive.

February 2023

Germany: Data processing agreements of web hosting providers

In the summer of 2022, the German data protection authorities (collectively, 'the German DPAs') initiated a coordinated audit campaign of the standard contracts of major web hosts. For the campaign, they have developed a checklist for auditing data processing agreements. For companies, this provides valuable guidance for concluding data processing agreements in practice, even outside of ongoing audit procedures.

Valentino Halim, Senior Associate from Wilmer Hale, unpacks the audit campaign of the German DPAs, with a particular focus on the checklist for examining data processing agreements, its scope, limitations, and potential.

June 2022

Germany: Overview of Supply Chain Due Diligence Act

With an increasing focus on Environmental, Social, and Governance ('ESG') across all sectors, businesses are required, and legally bound, to observe specific human rights and environmental due diligence obligations. This Insight article gives an overview over the German Supply Chain Due Diligence Act in German Lieferkettensorgfalts­pflichtengesetz (LkSG) ('the Due Diligence Act'), which will enter into force on 1 January 2023, and discusses its scope of application, definitions, and key requirements.

June 2022

Baden-Württemberg: Recent developments with respect to cookie requirements

On 4 March 2022, the Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') published its frequently asked questions ('FAQs') on cookies and tracking by website operators and smartphone app developers. The FAQs are meant to complement the German Data Protection Conference's ('DSK') guidelines ('the Guidelines') on the new Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia of 23 June 2021 ('TTDSG'), published in December 2021.1 Unlike the Guidelines, the FAQs of the LfDI Baden-Württemberg specify the application of the legal requirements in greater detail. The FAQs contain a 16-page list of negative examples for obtaining consent that indicate a very strict interpretation of the requirements of the TTDSG and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

Dr Carlo Piltz and Philip Schweers, from Piltz Legal, illustrate and discuss some of these examples, whilst also taking a look at recommendations for the use of cookies without obtaining consent.

May 2022

Germany: Revised DSK guidance on direct marketing

In February 2022, the German Data Protection Conference ('DSK') issued a revised guidance on the processing of personal data for direct marketing purposes under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')1 ('the Guidance'). Thorsten Ihler and Melanie Ludolph, from Fieldfisher, summarise the key provisions of the Guidance and the impact it has on companies.

May 2022

Germany: How the RDG affects the designation and role of DPOs

According to the conception of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), data protection officers ('DPOs') play an important role in the protection of personal data. Their activity serves a regulated self-control of the controller or processor, the advantage of which lies not least in the relief of public authorities. Their appointment is mandatory for all public and many private entities. The activity of a DPO requires knowledge of data protection law and includes providing advice on data protection issues. In Germany, however, the provision of legal services is regulated, among other things, by the German Act on Out-of-Court Legal Services1 ('RDG'). It is questionable whether this also imposes special requirements on the DPO. Stefan Hessel, Attorney-at-Law and Co-Head of Digital Business Unit at reuschlaw Legal Consultants, sheds light on the topic.

April 2022

Germany: DSK Guidelines on the TTDSG - Part two

On 20 December 2021, the German Data Protection Conference ('DSK') published the long-awaited guidelines ('the Guidelines') on the new Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia of 23 June 2021 ('TTDSG'). The Guidelines consider both the provisions of the TTDSG, which has been applicable since 1 December 2021, and those of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Within the Guidelines, the German authorities provide companies with a clearer picture on the most relevant questions around the usage of cookies and similar technologies. There is currently a public consultation going on and it is likely that there will be some form of additions, specifications, and possibly also small changes to the current version.

In part two of a two-part series, Philipp Quiel, Counsel at Piltz Legal, provides an overview on the DSK's opinions regarding consent and next steps for companies. Part one covers the scope of applicability, legal basis, explicit requests, and strict necessity under the TTDSG.

April 2022

Germany: DSK Guidelines on the TTDSG - Part one

On 20 December 2021, the German Data Protection Conference ('DSK') published the long-awaited guidelines ('the Guidelines') on the new Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia of 23 June 2021 ('TTDSG'). The Guidelines consider both the provisions of the TTDSG, which has been applicable since 1 December 2021, and those of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Within the Guidelines, the German authorities provide companies with a clearer picture on the most relevant questions around the usage of cookies and similar technologies. There is currently a public consultation going on and it is likely that there will be some form of additions, specifications, and possibly also small changes to the current version.

In part one of a two-part series, Philipp Quiel, Counsel at Piltz Legal, provides an overview on the DSK's opinions regarding the scope of applicability, legal basis, explicit requests, and strict necessity under the TTDSG. Part two covers consent and next steps for companies.

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.