Law: Hessian Data Protection and Freedom of Information Act (HDSIG) of 3 May 2018 (only available in German here)

Regulator: Hessen data protection authority (HBDI)

Summary: Hesse implemented the GDPR through the Hessian Data Protection and Freedom of Information Act of May 3, 2018 (HDSIG) (only available in German here) which came into effect on May 25, 2018.

The HDSIG provides for derogations from the GDPR and data protection requirements within Hesse. In particular, the HDSIG covers exemptions for the public sector, limitations on data subject rights, and special purposes of processing.

The Hessen data protection authority (HBDI) is the supervisory authority under the HDSIG and can be considered a relatively active regulator. The HBDI has released an extensive frequently asked questions on data protection topics and has issued fines in the past. In both its 2018 and 2019 annual reports, the HBDI recorded one of the highest totals for number of complaints and number of breach notifications among the German Länders.