Germany - Data Protection Overview
August 2024
1. Governing Texts
Data protection in Germany is primarily governed by the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and is supplemented by the Federal Data Protection Act of June 30, 2017 (implementing the GDPR) (BDSG).
1.1. Key acts, regulations, directives, bills
Germany was the first EU Member State to adopt a national law implementing the GDPR in the form of the BDSG, which entered into force on May 25, 2018, and which also implements the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) (Directive 2016/680) and amends a number of other federal laws, all listed in the BDSG.
On November 26, 2019, the Second Act Adapting Data Protection Law to Regulation (EU) 2016/679 and Implementing Directive (EU) 2016/680 (only available in German here) (the Second Data Protection Adaptation Act) entered into force. The Second Data Protection Adaptation Act further amends the BDSG and also amends 154 other federal laws (all listed in the Second Data Protection Adaptation Act) to reconcile them with the GDPR.
The Second Data Protection Adaptation Act introduced the following substantial amendments to the BDSG.
Data protection officers
Under the BDSG, private bodies that permanently employ at least 20 persons dealing with the automated processing of personal data are required to appoint a data protection officer (DPO).
New Section 86
Section 86 of the BDSG provides that public and private bodies may process personal (including sensitive) data for purposes of national awards and honors without informing the data subject.
Processing special categories of data in the public interest
Section 22 of the BDSG has been changed to allow the processing of special categories of data through private bodies for reasons of significant public interest. According to the legislative documents, this change is intended to assist with de-radicalization programs and to enable the passing of data from private bodies to public security agencies in these circumstances. The legislative documents also mention combating pandemics as a significant public interest.
With regard to the changes made to 154 other federal laws, these reportedly focus on adapting the laws to the GDPR terminology, legal bases for processing, and data subject rights.
The BDSG applies to both private and public bodies of the Federation (and in very limited instances to public bodies of the Länder). In the BDSG, the German legislator made ample use of several of the GDPR's opening clauses and maintained existing concepts from the previous Federal German data protection law as much as possible. Critics allege that some of the GDPR derogations codified in the BDSG go beyond what is permitted. It remains to be seen how these provisions will be interpreted and enforced in practice and whether they will be subjected to judicial challenge. The Second Data Protection Adaptation Act did not reverse any of the controversial derogations.
Each of the 16 Länder has also adopted a new state data protection law in light of the GDPR and is amending a variety of sector-specific data protection obligations in other state laws, such as hospital laws. As the new state data protection laws only apply to public bodies of the Länder, our subsequent discussion focuses on the BDSG. We also disregard those parts of the BDSG that are implementing provisions of Directive 2016/680 and will focus on those provisions relevant to private bodies.
At the beginning of September 2023, the Federal Ministry of the Interior and Community (BMI) published a first draft law amending the BDSG (only available in German here), which focuses, inter alia, on the role of the German Data Protection Conference (DSK). At the beginning of 2024, the draft law was introduced into the official legislative process as a Government bill (only available in German here).
TDDDG
On December 1, 2021, the Telecommunications Digital Services Data Protection Act (only available in German here) (TDDDG) came into effect; at that time it was named the Telecommunications and Telemedia Data Protection Act (TTDSG) and has since been renamed. One of the purposes of the TDDDG is to implement the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (the ePrivacy Directive). The TDDDG contains rules, inter alia, regarding tracking technologies.
1.2. Guidelines
The DSK, a working group representing the Federal Commissioner for Data Protection and Freedom of Information (BfDI) as well as the various supervisory authorities of the Länder which promotes a consistent application of data protection law across Germany, has issued the following GDPR guidance notes so far (only available in German here).
These provide helpful practical guidance on:
- records of processing activities;
- sanctions and powers of supervisory authorities;
- data processing for advertising purposes;
- data transfers to third countries;
- Data Protection Impact Assessments ('DPIAs');
- right of access;
- territorial scope;
- GDPR compliance measures;
- certifications;
- information obligations;
- right to be forgotten;
- DPOs at controllers and processors;
- data processors;
- data protection in the employment context;
- video surveillance;
- joint controllers;
- special categories of data;
- risks for the rights and freedoms of natural persons;
- processing on the instructions of the controller; and
- consent.
Some of them are currently subject to revision, partly due to a change in the legal situation.
The DSK has also issued many other resolutions (only available in German here) and guidance notes on various topics, such as the processing of personal data for direct marketing purposes (only available in German here) and guidelines for telemedia providers (only available in German here) as well as guidance notes on data protection and artificial intelligence (AI) (see for example the latest guidance notes in this regard from May 2024, only available in German, here).
In addition, some supervisory authorities of the Länder have issued guidelines and templates for processing records, video surveillance, and data processing agreements.
1.3. Case law
By now, many German courts have issued decisions in relation to the GDPR. In the following, we have summarized three topics.
Competition authorities taking action for GDPR violations
A contested issue in Germany was whether GDPR violations may constitute a breach of law under Section 3a of the Act Against Unfair Competition (UWG). While some courts decided that competitors may bring actions for another's violation of certain provisions of the GDPR (e.g., the Regional Court of Würzburg (only available in German here), and the Higher Regional Court of Hamburg (only available in German here)), other courts took the opposite view, mostly arguing that Articles 77 to 84 of the GDPR are exhaustive and leave no room for complaints under the German UWG (e.g., the Regional Court of Bochum (only available in German here) and the Regional Court of Magdeburg). On May 28, 2020, the Federal Court of Justice submitted to the Court of Justice of the European Union (CJEU) the question of whether competitors or consumer protection associations may initiate a civil action in case of infringements of the GDPR (only available in German here). On April 28, 2022, the CJEU ruled that the GDPR does not preclude national legislation that allows a consumer protection association to bring legal proceedings in the absence of a mandate and independently of the infringement of specific rights of data subjects, for infringements of laws protecting personal data (judgment in Meta Platforms Ireland Limited, formerly Facebook Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale (C-319/20)).
This shows that the areas of data protection and competition law increasingly intersect and are seen as protecting similar values.
Compensation for non-material damages
There are several judgments by the CJEU concerning compensation for non-material damages. Also, there are many decisions from German courts concerning this topic.
German courts seemed to take a narrow interpretation of non-material damages and ruled that the person who has suffered non-material damages must have suffered a noticeable disadvantage and that a mere infringement of the GDPR does not automatically entail a claim for damages. The Labor Court of Düsseldorf, however, ruled in 2020 that a company must pay €5,000 to a former employee because according to the court, the company's response was late and not comprehensive to a subject access request.
In January 2021, the German Federal Constitutional Court overturned a ruling of a local court that dismissed a claim for non-material damages pursuant to Article 82(1) of the GDPR and decided that the requirements and scope of Article 82 of the GDPR must be clarified by the CJEU (only available in German here). The Regional Court of Munich (December 9, 2021, Case No. 31 O 16606/20) granted non-material damage in the amount of €2,500 to a data subject in the aftermath of a personal data breach.
In May 2023, the CJEU ruled in UI v Österreichische Post AG (C-300/21) that the mere infringement of the provisions of the GDPR is not sufficient to confer a right to compensation. Hence, a claim for non-material damages under Article 82(1) of the GDPR only exists if the individual has actually suffered non-material damage. However, the proven non-material damage does not have to exceed a certain degree of seriousness.
Right of access
The scope of the right of access is still debated in Germany. The Federal Labor Court (the Labor Court) rejected a claim regarding copies of emails because it was not sufficiently precise pursuant to Section 253(2) Nr. 2 of the German Civil Procedure Code. According to the Labor Court's press release (only available in German here), the plaintiff requested information about their personal data processed by the defendant as well as a copy of this data pursuant to Article 15(3) of the GDPR, in particular including copies of emails sent by them or mentioning them in the course of their employment. According to the Labor Court's press release, it was not clear exactly which emails the request referred to. In a later decision, the Labor Court again ruled that a request for information must be sufficiently precise (only available in German here). However, the Federal Court of Justice assumed a broad understanding of the term 'personal data' in its ruling of June 15, 2021, VI ZR 576/19 (only available in German here). According to the Federal Court of Justice, the right of access pursuant to Article 15(1) of the GDPR also extends to letters exchanged between the parties, internal notes, and communication or correspondence with third parties.
2. Scope of Application
2.1. Personal scope
According to Section 1(1) of the BDSG, the BDSG applies to:
- public bodies of the Federation;
- public bodies of the Länder, insofar as data protection is not governed by Land law; and
- private bodies.
Our subsequent discussion focuses on private bodies.
2.2. Territorial scope
According to Section 1(4) of the BDSG, the BDSG applies to public bodies.
It also applies to private bodies if:
- the controller or processor processes personal data in Germany;
- personal data is processed in the context of the activities of an establishment of the controller or processor in Germany; or
- although the controller or processor does not have an establishment in a Member State of the EU or in another contracting state of the European Economic Area (EEA), it falls within the scope of the GDPR.
2.3. Material scope
There are essentially no variations from the GDPR - the BDSG supplements the GDPR.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
Germany has both a federal data protection authority as well as 16 state data protection authorities, all of which are being maintained under the GDPR.
The federal regulator for data protection remains the BfDI in Bonn. The BfDI is competent to supervise the public bodies of the Federation and telecommunication service providers and represents Germany in the European Data Protection Board (EDPB) as the joint representative and single point of contact.
In addition, each of the German Länder continues to have a regulatory authority responsible for monitoring the application of data protection legislation by private bodies in its territory (Section 40 of the BDSG). From the perspective of private bodies, the 'main regulator' is the competent state authority that will be competent to monitor and enforce compliance with the GDPR.
Similar to the GDPR, the BDSG prescribes cooperation mechanisms for the various regulators in order to ensure a consistent application of the GDPR. It also mirrors the GDPR provisions for establishing a lead supervisory authority within Germany providing that the Land in which the controller or processor has its main or single establishment is the lead supervisory authority (Section 19 of the BDSG). The main establishment is to be determined in accordance with Article 4(16) of the GDPR, which designates as the main establishment the place of central administration unless the decisions on the purposes or means of processing are taken in another establishment which also has the power to implement such decisions, in which case that establishment is the main establishment. These provisions turn out to be rather complex to apply in practice.
3.2. Main powers, duties and responsibilities
The BfDI is competent to supervise the public bodies of the Federation (Section 9 of the BDSG). Section 16 of the BDSG provides that the BfDI has the powers referred to in Article 58 of the GDPR.
Section 14 of the BDSG contains a long list of tasks of the BfDI and clarifies that these are in addition to the tasks contained in the GDPR. The tasks listed largely repeat Article 57 of the GDPR and include the following (among others):
- monitor and enforce the application of the BDSG and other data protection legislation; promote awareness in relation to data processing;
- handle complaints;
- cooperate with other supervisory authorities; and
- conduct investigations on the application of the BDSG and other data protection legislation.
The BfDI must also produce an annual activity report including a list of the types of violations reported and measures taken (Section 15 of the BDSG). This report will be made publicly available and provide an important window into enforcement priorities.
Importantly, supervision of GDPR compliance of private bodies falls to the supervisory authorities of the Länder (Section 40 of the BDSG). If any such supervisory authority determines that data protection legislation has been violated, it has, in addition to the powers stipulated in the GDPR, the power to inform the data subjects concerned, to report violations to other responsible bodies for prosecution or punishment, and to notify serious violations to the trade supervisory authority so that it can take measures under trade and industry law.
4. Key Definitions
There are no definitions for the below-listed terms in the part of the BDSG that supplements the GDPR.
Data controller: There are no variations from the GDPR
Data processor: There are no variations from the GDPR
Personal data: There are no variations from the GDPR
Sensitive data: There are no variations from the GDPR
Health data: There are no variations from the GDPR
Biometric data: There are no variations from the GDPR
Pseudonymization: There are no variations from the GDPR
5. Legal Bases
5.1. Consent
There are no variations from the GDPR.
With respect to consent as a legal basis used in relation to processing employee data please see the section on legal bases in other instances below.
5.2. Contract with the data subject
There are no variations from the GDPR.
With respect to contract as a legal basis used in relation to processing of employee data please see the section on legal bases in other instances below.
5.3. Legal obligations
There are no variations from the GDPR.
5.4. Interests of the data subject
There are no variations from the GDPR.
5.5. Public interest
There are no variations from the GDPR.
5.6. Legitimate interests of the data controller
There are no variations from the GDPR.
5.7. Legal bases in other instances
We are focusing on legal bases relevant to private bodies only.
Processing for other purposes
Section 24 of the BDSG stipulates that private bodies shall be permitted to process personal data for a purpose other than the one for which the data were collected if:
- processing is necessary to prevent threats to state or public security or to prosecute criminal offences; or
- processing is necessary for the establishment, exercise, or defense of civil claims, unless the data subject has an overriding interest in not having the data processed.
The processing of special categories of personal data for a purpose other than the one for which the data were collected shall be permitted if the conditions of the above are met and an exception pursuant to Article 9 of the GDPR or pursuant to Section 22 of the BDSG applies.
Processing of employee data
In Section 26 of the BDSG, the German legislator made use of the opening clause in Article 88 of the GDPR by stipulating legal bases with respect to the processing of employee data. The term 'employee' is defined in Section 26(8) of the BDSG.
Pursuant to Section 26(1) of the BDSG personal data of employees may be processed for employment-related purposes where necessary for hiring decisions or, after hiring, for carrying out, or terminating the employment contract or to exercise or satisfy rights and obligations of employees' representation laid down by law or by collective agreements or other agreements between the employer and staff council.
Pursuant to the second sentence of Section 26(1) of the BDSG, personal data of employees may be processed to detect crimes only if there is a documented reason to believe the data subject committed a crime while employed, the processing of such data is necessary to investigate the crime and is not outweighed by the data subject's legitimate interest in not having the data processed, and in particular the type and extent of the processing are not disproportionate to the reason.
Section 26(2) of the BDSG contains specific rules regarding consent in the employment context, in particular on the voluntariness of consent. For the assessment of the voluntariness of the consent, the employee's level of dependence in the employment relationship as well as the circumstances under which the consent was given shall be taken into account. Consent may be given voluntarily in particular if it is associated with a legal or economic advantage for the employee, or if the employer and the employee are pursuing the same interests. Consent shall be given in writing or electronically, unless another form is appropriate due to special circumstances. The employer shall inform the data subject in text form about the purpose of the data processing and about their right of withdrawal in accordance with Article 7(3) of the GDPR.
Section 26(3) of the BDSG contains a legal basis for the processing of special categories of personal data for employment-related purposes. It shall be permitted if it is necessary to exercise rights or comply with legal obligations derived from labor law, social security, and social protection law, and there is no reason to believe that the data subject has an overriding legitimate interest in not processing the data. The specific requirements for consent outlined above also apply to consent to the processing of special categories of personal data; consent must explicitly refer to this data. Section 22(2) shall apply accordingly.
Further, Section 26(4) of the BDSG stipulates that the processing of personal data, including special categories of personal data of employees is permitted on the basis of collective agreements. The negotiating parties shall comply with Article 88(2) of the GDPR.
Section 26 of the BDSG shall also apply when personal data, including special categories of personal data, of employees are processed without being stored or intended to be stored in a file system.
In March 2023, the CJEU ruled in its judgment in Hauptpersonalrat der Lehrerinnen und Lehrer beim Hessischen Kultusministerium v Minister des Hessischen Kultusministeriums Case (C-34/21) ('the C-34/21 Judgement') that national legislation concerning the processing of personal data of employees in the employment context must remain inapplicable if it does not comply with the conditions and limits set out in Articles 88(1) and 88(2) of the GDPR (available here). The subject of the C-34/21 Judgement is Section 23 of the Hessian Data Protection and Freedom of Information Act (HDSIG) of May 3, 2018 (only available in German here) which has an almost identical wording as the first sentence of Section 26 (1) of the BDSG. While the CJEU emphasizes that it is for the referring court to assess whether the provisions at issue comply with the conditions and limits set out in Article 88 of the GDPR, it states that Section 23(1) of the HDSIG merely appears to repeat the requirements for the processing of personal data under Article 6(1)(b) of the GDPR without adding a more specific provision within the meaning of Article 88(1) of the GDPR. The CJEU further states that if the referring court were to find that Article 88 of the GDPR has not been complied with, it would in principle have to disregard these provisions. In the absence of more specific rules concerning the conditions and limits laid down in Article 88 of the GDPR, the processing of personal data in the employment context is directly governed by the provisions of the GDPR in both the private and public sectors.
Because of the almost identical wording, the C-34/21 Judgement will likely have an impact on the first sentence of Section 26(1) of the BDSG. See the statement of the Hessen data protection authority (HBDI) (only available in German here) and the frequently asked questions (FAQs) issued by the Baden-Württemberg data protection authority (LfDI Baden-Württemberg) (only available in German here) in this regard.
National implementation of Article 89 of the GDPR
Sections 27 and 28 in conjunction with Section 22(2) of the BDSG codify the German implementation of Article 89 of the GDPR, which provides that processing for archiving purposes in the public interest, scientific, or historical research purposes, or statistical purposes must be subject to appropriate safeguards for the rights and freedoms of individuals. It also provides that where personal data is processed for these purposes, certain rights of data subjects may be limited subject to suitable safeguards in place.
Video surveillance
Section 4 of the BDSG contains specific rules relating to video surveillance of publicly accessible areas. It provides that such video surveillance is only permissible to the extent it is necessary for one of the following:
- for public bodies to perform their tasks;
- to exercise the right to determine whether access shall be allowed or denied; or
- to safeguard legitimate interests for specifically defined purposes.
In addition, there must be no indication of legitimate overriding interests of the data subjects.
Appropriate measures must be taken to ensure the surveillance itself and the controller's name and contact details are identifiable as early as possible. Storing or using the data collected is permitted only if necessary to achieve the intended purpose and there is no indication of overriding legitimate interests of data subjects. The data must be deleted without delay if no longer needed or if contrary to the data subject's legitimate interests. Further processing of the data collected is only permissible as necessary to prevent threats to state and public security and to prosecute crimes. Information obligations pursuant to Articles 13 and 14 of the GDPR apply if data collected from video surveillance is attributed to a particular person. The Lower Saxony data protection authority (LfDI Niedersachsen) published guidance regarding transparency requirements and templates for signs (only available in German here).
However, the German Federal Administrative Court (the Administrative Court) ruled in March 2019 that video surveillance by private sector organizations is solely subject to Article 6 of the GDPR, while the more lenient Section 4 of the BDSG is no longer applicable as it is incompatible with the GDPR. Section 4 of the BDSG was originally introduced in response to terrorist attacks and rampages in order to allow more privately operated video surveillance cameras in public spaces. But the provision has been controversial since its inception and criticized by various German data protection authorities as leading to excessive surveillance. In their guidance on video surveillance (only available in German here), the German data protection authorities had also stated that whether and to what extent the new provisions for video surveillance in Section 4 of the BDSG apply or are overruled by the GDPR needs to be considered on a case-by-case basis (only available in German here). The Administrative Court has now clarified that video surveillance by private sector organizations must comply with Article 6(1)(f) of the GDPR (only available in German here).
Scoring and credit reports
Using a probability value for credit scoring or reporting purposes is subject to the following strict conditions listed in Section 31 of the BDSG:
- data protection law is complied with;
- the data used to calculate the probability value is demonstrably essential for calculating the probability of the action on the basis of a scientifically recognized mathematic-statistical procedure;
- other data in addition to address data is used to calculate the probability value; and
- if address data is used, data subjects are notified in advance of such use.
On October 1, 2021, the Administrative Court of Wiesbaden submitted to the CJEU, inter alia, the question of whether Section 31 of the BDSG is compatible with Article 22 of the GDPR, since the German legislator only regulated the 'use' of the score value, but not its creation (decision dated October 1, 2021 – case No. 6 K 788/20 (only available in German here)). On December 7, 2023, the CJEU ruled in OQ v. Land Hesse (C-634/21) that Article 22(1) of the GDPR must be interpreted as meaning that the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning their ability to meet payment commitments in the future constitutes 'automated individual decision-making' within the meaning of that provision, where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person. The CJEU further stated that it is for the referring court to verify whether Section 31 of the BDSG can be classified as a legal basis authorizing, under Article 22(2)(b) of the GDPR, the adoption of a decision based solely on automated processing.
Processing and freedom of expression and information
Despite the fact that the BDSG does not contain any derogations from the GDPR in order to reconcile the right to data protection with the right to freedom of expression and information as permitted by Article 85 of the GDPR, Germany still provides for special rules for the processing of personal data by the media. These are contained in the data protection laws of the Länder.
6. Principles
There are essentially no variations from the GDPR.
7. Controller and Processor Obligations
7.1. Data processing notification
No notification or registration requirements vis-à-vis the data protection authorities apply in Germany. Notification obligations vis-à-vis data subjects are covered in the section on data subject rights below.
7.2. Data transfers
There are essentially no variations from the GDPR.
However, we note that there are statements from some of the German data protection authorities regarding Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (the Schrems II Case) and that some German data protection authorities started a 'coordinated audit' by sending questionnaires on various topics to selected companies to enforce the decision. On September 4, 2023, the DSK published guidance notes regarding the EU-US Data Privacy Framework (DPF) (only available in German here).
7.3. Data processing records
There are essentially no variations from the GDPR. The DSK published a template record with a guidance note.
7.4. Data protection impact assessment
National activities subject to prior consultation/authorization
The DSK has agreed and issued a uniform non-exhaustive list (only available in German here) (the DPIA List) with processing operations that are subject to the requirement for a DPIA under Article 35(4) of the GDPR. The DPIA List includes 17 types of data processing operations which require a DPIA, including:
- processing of biometric data for the unique identification of natural persons, if at least one of the following criteria applies:
  - data concerning vulnerable data subjects;
  - systematic monitoring;
  - innovative use or application of new technological or organizational solutions;
  - evaluation or scoring;
  - matching or combining datasets;
  - automated decision-making with legal or similar significant effects; or
  - when the processing in itself prevents data subjects from exercising a right or using a service or a contract;
- processing of genetic data within the meaning of Article 4(13) of the GDPR, if at least one of the following criteria applies:
  - data concerning vulnerable data subjects;
  - systematic monitoring;
  - innovative use or application of new technological or organizational solutions;
  - evaluation or scoring;
  - matching or combining datasets;
  - automated decision-making with legal or similar significant effects; or
  - when the processing in itself prevents data subjects from exercising a right or using a service or a contract;
- large-scale processing of data subject to social, professional, or special official secrecy, even if it is not data in accordance with Article 9(1) and Article 10 of the GDPR;
- large-scale processing of personal data about the location of natural persons;
- matching or combining of personal data from various sources and processing of the data thus aggregated, provided that the merging or processing:
  - is carried out on a large scale;
  - serves purposes for which not all of the data to be processed have been collected directly from the data subjects;
  - includes the use of algorithms that are incomprehensible to the data subjects; and
  - serves to produce databases that can be used to take decisions that have legal effects concerning the data subjects or which may have a similarly significant impact on them;
- mobile optical-electronic recording of personal data in public areas provided that the data from one or more recording systems are centrally consolidated on a large scale;
- large-scale collection and publication or transfer of personal data used to evaluate the behavior and other personal aspects of individuals and which may be used by third parties to make decisions that have a legal effect concerning the individuals assessed or that have a similarly significant impact on them;
- large-scale processing of personal data on the conduct of employees, which can be used to evaluate their work activities with legal or similar significant effects;
- creation of comprehensive profiles on the interests, the network of personal relationships, or the personality of data subjects;
- matching or combining of personal data from various sources and processing of the data thus aggregated, provided that:
- the merging or processing is carried out on a large scale;
- it is carried out for purposes for which not all of the data to be processed have been collected directly from the data subjects;
- it includes the use of algorithms that are incomprehensible to the persons concerned; and
- it serves the discovery of previously unknown connections inside the data for purposes that are not predetermined;
- use of artificial intelligence to process personal data to control interaction with the data subject or to evaluate personal aspects of the data subject;
- unintended use of sensors of a mobile phone in the possession of the persons concerned or of radio signals transmitted by such devices to determine the whereabouts or movement of persons over a substantial period of time;
- automated evaluation of video or audio recordings to evaluate the personality of data subjects;
- creation of comprehensive profiles on the movement and purchasing behavior of those affected;
- anonymization of personal data pursuant to Article 9 of the GDPR, not only in individual cases (in relation to the number of data subjects and the information per data subject) for the purpose of transmission to third parties;
- processing of personal data in accordance with Articles 9(1) and 10 of the GDPR – even if it is not to be regarded as 'large scale' within the meaning of Article 35(3)(b) of the GDPR – provided that non-recurring data collection takes place by means of the innovative use of sensors or mobile applications and these data are received and processed by a central office; and
- processing of data in accordance with Articles 9(1) and 10 of the GDPR – even if it is not to be regarded as 'large scale' within the meaning of Article 35(3)(b) of the GDPR – provided that the data are used by the providers of new technologies to determine the performance of the persons.
The DPIA List provides very practical and detailed examples of data processing activities that are likely to be subject to the DPIA requirement. It is highly recommended that organizations consult the DPIA List for guidance.
Finally, the DSK has issued practical guidance on how to carry out a DPIA (only available in German here). However, on the question of whether a DPIA needs to be carried out, the DSK guidance refers to the DPIA List.
National activities not subject to prior consultation/authorization
None of the German supervisory authorities have issued any lists under Article 35(5) of the GDPR to date.
Method
The DSK's Short Paper No. 5 on DPIA according to Article 35 of the GDPR (only available in German here) includes step-by-step instructions on how to conduct DPIAs.
Notably, some regional supervisory authorities have published guidelines relevant to DPIAs, for instance:
- the Lower Saxony data protection authority (LfD Niedersachsen) issued guidance (only available in German here); and
- the Data Protection Authority of Bavaria for the Private Sector (BayLDA) issued guidance (only available in German here).
7.5. Data protection officer appointment
For private bodies, Germany largely retains its pre-GDPR rules regarding the duty to appoint a DPO. In addition to the GDPR requirements, processors and controllers are required to designate a DPO according to Section 38 of the BDSG if any of the following applies:
- they permanently employ at least 20 persons dealing with the automated processing of personal data (changed from 10 to 20 persons by the Second Data Protection Adaptation Act);
- they undertake processing subject to a DPIA; or
- they commercially process personal data for the purpose of transfer, anonymized transfer, or for purposes of market or opinion research.
In practice, most businesses (except small businesses) operating in Germany will be required to appoint a DPO despite the change amending the threshold from ten to 20 employees.
The BDSG does not vary the role and tasks of DPOs for private bodies, except that it provides that mandatorily appointed DPOs will be subject to special dismissal protections. On October 21, 2020, the Federal Labor Court submitted to the CJEU the question of whether the GDPR precludes a provision in national law that declares ordinary termination of the employment contract of the DPO to be impermissible (available here). The CJEU ruled on February 9, 2023, in X-FAB Dresden GmbH & Co. KG v FC (C-453/21) that the second sentence of Article 38(3) of the GDPR must be interpreted as not precluding national legislation which provides that a controller or a processor may dismiss a DPO who is a member of its staff solely where there is just cause, even if the dismissal is not related to the performance of that DPO's tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR.
With regard to notifications of the appointment of a DPO, Länder supervisory authorities have produced online notification forms for organizations to communicate the details of the DPO and/or change and update the DPO's details:
- the Baden-Württemberg data protection authority (LfDI Baden-Württemberg) (only available in German here);
- the BayLDA (only available in German here);
- the Berlin Data Protection Authority (Berlin Commissioner) (only available in German here);
- the State Commissioner for Data Protection and Access to Information Brandenburg (the Brandenburg LDA) (only available in German here);
- the Bremen data protection authority (the Bremen Commissioner) (only available in German here);
- the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) (only available in German here);
- the HBDI (only available in German here);
- the Mecklenburg-Vorpommern data protection authority (only available in German here);
- the LfD Niedersachsen (only available in German here);
- the North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information (LDI NRW) (only available in German here);
- the Rhineland-Palatinate data protection authority (LfDI Rheinland-Pfalz) (only available in German here);
- the Saarland data protection authority (the Saarland Commissioner) (only available in German here);
- the Saxon data protection authority (SächsDSB) (only available in German here);
- the Schleswig-Holstein data protection authority (ULD) (only available in German here);
- the Thuringian data protection authority (TLfDI) (only available in German here); and
- the Sachsen-Anhalt data protection authority (LfD Sachsen-Anhalt) (only available in German here).
7.6. Data breach notification
Section 29(1) of the BDSG provides that, in addition to the exceptions listed under Article 34(3) of the GDPR, the obligation to inform data subjects of a personal data breach shall not apply to the extent that meeting this information obligation would disclose information which by law or its nature must be kept secret, in particular, because of an overriding legitimate interest of a third party. However, by way of exception, the data subject must nonetheless be informed if their interests outweigh the interest in secrecy, in particular taking into account the threat of damage.
Importantly, Section 43(4) of the BDSG provides that breach notifications to a regulator or affected data subjects may not be used in proceedings pursuant to the Act on Regulatory Offences 1987 against the person required to provide such notification unless the person has consented. The German legislator is relying on Article 83(8) of the GDPR in order to justify this provision. No other Member State has taken a similar position. Nevertheless, the LfDI Baden-Württemberg imposed a fine on a company due to a violation of Article 32 of the GDPR which LfDI Baden-Württemberg became aware of due to a data breach notification of the company.
7.7. Data retention
See the section on right to erasure below.
7.8. Children's data
The age of consent in Germany is 16 as the German legislator has not made use of its right to provide for a lower age of consent in relation to information society services as permitted under Article 8 of the GDPR.
7.9. Special categories of personal data
National regulation concerning the processing of special categories of data and criminal conviction data
The BDSG does not contain rules for the processing of criminal conviction data.
The BDSG contains a number of derogations from the general prohibition on the processing of special categories of data codified in Article 9 of the GDPR. These can be categorized into:
- general derogations; and
- specific derogations relating to processing for scientific or historical research purposes, statistical purposes, archiving purposes in the public interest, and employment purposes.
Section 22(1) of the BDSG provides by way of general derogation that the processing of special categories of personal data is permitted by public and private bodies if:
- processing is necessary to exercise the right derived from the right of social security and social protection and to meet related obligations;
- processing is necessary for the purposes of preventive medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care, or treatment or the management of health or social care systems and services pursuant to the data subject's contract with a health professional, and if this data is processed by health professionals or other persons subject to the obligation of professional secrecy or under their supervision;
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices; or
- processing is necessary for reasons of substantial public interest and the interests of the controller in the data processing outweigh the interests of the data subject (this derogation was added in June 2019 through the Second Data Protection Adaptation Act and previously only applied to processing by public bodies).
However, private or public bodies that wish to rely on any of the above derogations must take appropriate and specific measures to safeguard the interests of the data subject. Section 22(2) of the BDSG provides a detailed list of measures that may be appropriate, such as implementing technical and organizational measures to ensure compliant processing, designating a DPO, restricting access to personal data, and pseudonymizing or encrypting data.
Section 27 of the BDSG provides, by way of specific derogation from Article 9 of the GDPR, that processing of special categories of personal data is permitted without consent for scientific or historical research purposes or statistical purposes if such processing is necessary for these purposes and the interests of the controller in processing substantially outweigh those of the data subject in not processing the data. However, the following stringent conditions apply:
- the controller must take appropriate and specific measures to safeguard the interests of the data subject listed in Section 22(2) of the BDSG, such as pseudonymization or encryption of data, restricting access to data, or designating a DPO;
- sensitive data shall be rendered anonymous as soon as the research or statistical purposes allow unless this conflicts with legitimate interests of the data subject; until data is anonymized, the characteristics enabling information concerning personal or material circumstances to be attributed to an identified or identifiable individual must be stored separately and may be combined with the information only to the extent required by the research or statistical purposes; and
- the controller may publish personal data only with the data subject's consent or if doing so is indispensable for the presentation of research findings on contemporary events.
Furthermore, by way of specific derogation from Article 9 of the GDPR, processing of special categories of personal data is permitted if necessary for archiving purposes in the public interest (Section 28 of the BDSG) on the condition that the controller takes appropriate and specific measures to safeguard the interests of the data subject listed in Section 22(2), such as pseudonymization or encryption of data, restricting access to data, and designating a DPO.
Finally, Section 26(3) of the BDSG provides that the processing of special categories of personal data for employment-related purposes shall be permitted if necessary to exercise rights or comply with legal obligations derived from labor law, social security, and social protection law, and there is no reason to believe that the data subject has an overriding legitimate interest in the data not being processed. Please see the section 'Legal bases in other instances' above in this regard.
7.10. Controller and processor contracts
There are essentially no variations from the GDPR.
8. Data Subject Rights
Section 22(2) of the BDSG lists the safeguards mandated by Article 89(1) of the GDPR to protect the rights and freedoms of the data subjects.
The German legislator has made use of the room for derogations provided by Article 89(2) and (3) of the GDPR as follows.
Section 27(2) of the BDSG provides that in cases of data processing for purposes of scientific or historical research or for statistical purposes, the following rights of data subjects are limited to the extent that these rights are likely to render impossible or seriously impair the achievement of the research or statistical purposes and such limits are necessary for the fulfilment of the research or statistical purposes:
- right of access (Article 15 of the GDPR);
- right to rectification (Article 16 of the GDPR);
- right to restriction of processing (Article 18 of the GDPR); and
- right to object (Article 21 of the GDPR).
Similarly, Section 28(2)-(4) of the BDSG provides that in cases of data processing for archiving purposes in the public interest, the following rights of data subjects shall not apply in certain circumstances:
- right of access (Article 15 of the GDPR);
- right to rectification (Article 16 of the GDPR);
- right to restriction of processing (Article 18 of the GDPR);
- right to data portability (Article 20 of the GDPR); and
- right to object (Article 21 of the GDPR).
8.1. Right to be informed
Variations of GDPR on the right of information to be provided
Sections 29, 32, and 33 of the BDSG list circumstances in which information does not have to be provided to data subjects as envisaged by Articles 13 and 14 of the GDPR respectively. These circumstances are very specific and narrow.
Firstly, in relation to Article 13 of the GDPR, such limitations only relate to instances where the controller intends to process the data for a purpose other than the original purpose for which the data was collected:
- the data concerned is stored in analog form, the controller directly contacts the data subject through further processing, the original and further purposes are compatible, the communication with the data subject does not take place in digital form and the interest of the data subject in receiving the information can be regarded as minimal;
- providing the information would endanger public security or interfere with the establishment, exercise, or defense of legal claims, and the controller's interests in not providing the information outweigh the interests of the data subject; or
- providing information would endanger a confidential transfer of data to public authorities.
Secondly, in relation to Article 14 of the GDPR, Section 29(1) of the BDSG stipulates that the obligation to provide information does not apply as far as meeting this obligation would disclose information which by its nature must be kept secret, in particular, because of overriding legitimate interests of a third party.
Section 33 of the BDSG stipulates that the information requirement does not apply if providing the information would interfere with the establishment, exercise, or defense of legal claims, or if the processing includes data from contracts under private law and is intended to prevent harm from criminal offenses, unless the data subject has an overriding legitimate interest in receiving the information.
If one wants to rely on these derogations, a close reading of the complex Sections 29, 32, and 33 of the BDSG is required.
8.2. Right to access
Variations of GDPR on the right of access
The BDSG restricts data subjects' right of access as granted under Article 15 of the GDPR in various instances as follows:
General restriction
Section 34(1) of the BDSG provides that the right of access shall not apply if the data was recorded only because it may not be erased due to legal or statutory retention provisions or only serve the purpose of monitoring data protection or safeguarding data, and in each case providing the information would require a disproportionate effort and appropriate technical and organizational measures make processing for other purposes impossible, or the responsible public body has determined with respect to the controller that disclosing the data would otherwise be detrimental to the welfare of the Federation or the Land.
In either case, the controller must document the reasons for refusal to provide information and inform the data subject of those reasons unless the latter would undermine the intended purpose of refusing to provide the information.
Restrictions in the case of secrecy obligations
The right of access does not apply to the extent that providing access would disclose information which by law or its nature must be kept secret, in particular, because of overriding legitimate interests of a third party (Section 29(1) of the BDSG).
Restrictions in the case of data processing for research and statistical purposes
Section 27(2) of the BDSG further limits the right of access in relation to data processing for research and statistical purposes as follows:
- the right of access is limited to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and such limits are necessary for the fulfilment of the research and statistical purposes (Section 27(2) of the BDSG); and
- the right of access does not apply if the data is necessary for purposes of scientific research and the provision of information would involve disproportionate effort (Section 27(2) of the BDSG).
Restrictions in case of data processing for archiving purposes in the public interest
According to Section 28(2) of the BDSG, the right of access does not apply in case of data processing for archiving purposes in the public interest if the archival material is not identified with the person's name or the data subject does not provide any information which would enable the archival material to be found with reasonable administrative effort.
8.3. Right to rectification
Variations of GDPR on the right to rectification
The right to rectification does not apply if personal data is processed for archiving purposes in the public interest (Section 28(3) of the BDSG). In the event that a data subject disputes the accuracy of personal data, they must be given the opportunity to present their version which must be added to the files by the responsible archive. Furthermore, in cases of data processing for purposes of scientific or historical research and for statistical purposes, the right to rectification is limited to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes, and such limits are necessary for the fulfilment of the research and statistical purposes (Section 27(2) of the BDSG).
8.4. Right to erasure
Variations of GDPR on right to erasure
Section 35(1) of the BDSG provides that data subjects do not have a right to erasure in case of non-automated processing if the erasure would be impossible or involve a disproportionate effort due to the mode of storage, provided the data subject's interest in erasure may be regarded as minimal and the data was processed lawfully. Restriction of processing will then apply instead of a right to erasure. These restrictions were heavily criticized during the legislative process by the European Commission but nonetheless found their way into the BDSG. It remains to be seen whether they will come under judicial challenge. That said, these restrictions are extremely narrow and unlikely to apply in practice, given that they only apply in the rare case of non-automated processing. In addition, it is questionable whether these restrictions even constitute a derogation from the GDPR, as the GDPR applies to non-automated processing only to the extent that the relevant personal data forms part, or is intended to form part, of a filing system. So, the relevant German provisions can only be classified as a GDPR derogation to the extent that the relevant non-automated processing falls within the material scope of the GDPR.
8.5. Right to object/opt-out
Variations of GDPR on the right to object
The BDSG limits the data subject's right to object according to Article 21 of the GDPR in the following ways.
- in the case of data processing for archiving purposes in the public interest, the right to object to data processing does not apply as far as it renders impossible or seriously impairs the achievement of the archiving purposes, and the limitation is necessary to fulfill those purposes (Section 28(4) of the BDSG);
- in cases of data processing for purposes of scientific or historical research and for statistical purposes, the right to object is limited to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and such limits are necessary for the fulfillment of the research and statistical purposes (Section 27(2) of the BDSG); and
- with regard to public bodies, the right to object does not apply if the processing is required by law or if there is an urgent public interest in the processing that outweighs the interests of the data subject (Section 36 of the BDSG).
8.6. Right to data portability
Variations of GDPR on right to data portability
According to Section 28(4) of the BDSG, in the case of data processing for archiving purposes in the public interest, the right to data portability granted pursuant to Article 20 of the GDPR does not apply as far as it renders impossible or seriously impairs the achievement of the archiving purposes, and the limitation is necessary to fulfill those purposes.
The BDSG does not contain any other variations of the right to data portability as granted under the GDPR.
8.7. Right not to be subject to automated decision-making
According to Section 37 of the BDSG, the right not to be subject to a decision based solely on automated processing granted to data subjects under the GDPR shall not apply (in addition to the exceptions included in the GDPR itself) if the decision is made in the context of providing services under an insurance contract and either of the following applies:
- any requests for performance of the data subject were fulfilled; or
- in the event that the data subject's request for performance is not granted in full, the decision is based on the application of binding rules of remuneration for therapeutic treatment and the controller takes suitable measures to safeguard the data subject's legitimate interests, such as granting the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.
Section 37(2) of the BDSG clarifies that decisions based solely on automated processing may be based on the processing of health data.
8.8. Other rights
Variations of GDPR on the right to restriction of processing
Section 27(2) of the BDSG limits data subjects' right to restriction of processing under Article 18 of the GDPR to the extent that these rights are likely to render impossible or seriously impair the achievement of research or statistical purposes and such limits are necessary for the fulfillment of the research and statistical purposes.
Section 28(4) of the BDSG provides that in the case of data processing for archiving purposes in the public interest, the right to restriction of processing does not apply as far as it renders impossible or seriously impairs the achievement of the archiving purposes, and the limitation is necessary to fulfill those purposes.
The BDSG does not contain any other variations of the right to restriction of processing as granted under the GDPR.
9. Penalties
As a general rule, the sanctions provided under the GDPR will apply. The BDSG provides for special rules in the following two cases.
Firstly, Section 30 of the BDSG imposes special information and notification requirements upon bodies that process personal data for purposes of granting consumer loans and undertaking related evaluations of creditworthiness. Section 43 of the BDSG provides that violations of these requirements may be punished by an administrative fine of up to €50,000.
Secondly, Section 42 of the BDSG includes penal provisions and provides that:
- transferring data to a third party or otherwise making it accessible for commercial purposes may be punished with up to three years' imprisonment or a fine if done deliberately and without authorization with regard to the personal data of a large number of people; and
- processing data that is not publicly available without authorization or fraudulently acquiring such data in return for a payment or with the intention of enriching oneself or someone else or harming someone may be punished with imprisonment of up to two years or a fine.
There are several voices in German legal literature stating that a fine due to a violation of the GDPR requires at least a negligent violation of the GDPR.
9.1. Enforcement decisions
Decisions by authorities
There are several noteworthy cases where the German data protection authorities imposed high fines, e.g.:
- in October 2019, the Berlin Commissioner imposed a fine of €14.5 million against a real estate company for violating data retention requirements, as the company ignored warnings from the Berlin Commissioner to take corrective measures and to implement an appropriate data deletion concept (the Berlin Commissioner's 2019 Fine);
- in December 2019, the BfDI imposed a fine of €9.5 million against a telecommunication company for insufficient authentication procedures in the customer call center before disclosing customer data to callers (the BfDI's 2019 Fine);
- in June 2020, the LfDI Baden-Württemberg imposed a fine of €1.2 million against an insurance organization for using the personal data of lottery participants for advertising purposes without their consent;
- in October 2020, the HmbBfDI imposed a €35.5 million fine on a global fashion company's subsidiary in Germany for comprehensive monitoring of employees;
- in January 2021, the LfD Niedersachsen imposed a fine of €10.4 million on an online shop for electronic equipment for video surveillance of its employees at work desks, in salesrooms, the warehouse, and lounge areas;
- in September 2021, the HmbBfDI imposed a €900,000 fine on a European power company's subsidiary in Germany for insufficient information of customers about the processing of their data (press release only available in German here);
- in July 2022, the LfD Niedersachsen imposed a €1.1 million fine on an automobile company for, among other things, a lack of information signs and failure to put in place a data processing agreement (press release only available in German here);
- in July 2022, the LfD Niedersachsen imposed a €900,000 fine on a credit institute for unlawful profiling for advertising purposes (press release only available in German here); and
- in September 2022, the Berlin Commissioner imposed a €525,000 fine on a subsidiary of a Berlin-based e-commerce group due to a conflict of interest of its DPO (press release only available in German here).
Decisions by courts
Concerning the Berlin Commissioner's 2019 Fine, in February 2021, the Berlin Regional Court discontinued the proceedings, citing the fact that the Berlin Commissioner's 2019 Fine was invalid (only available in German here). However, the legal dispute continued because of the public prosecutor's appeal against the judgment. On December 6, 2021, the Berlin Court of Appeal submitted to the CJEU the question of whether a company can be directly subject to fine proceedings and whether it is required to determine that a natural person has committed the violation. On December 5, 2023, the CJEU ruled in C-807/21 (available here) that Articles 58(2)(i) and 83(1) to (6) of the GDPR must be interpreted as precluding national legislation under which an administrative fine may be imposed on a legal person in its capacity as controller in respect of an infringement referred to in Articles 83(4) to (6) of the GDPR only in so far as that infringement has previously been attributed to an identified natural person. The CJEU further ruled that Article 83 of the GDPR must be interpreted as meaning that an administrative fine may be imposed pursuant to that provision only where it is established that the controller, which is both a legal person and an undertaking, intentionally or negligently committed an infringement referred to in Articles 83(4) to (6) of the GDPR.
Separately, concerning the BfDI's 2019 Fine, the Regional Court of Bonn significantly reduced the fine to €900,000 (only available in German here). This judicial decision is final.