Germany - Federal
Summary
Law: The primary pieces of legislation are the Federal Data Protection Act of 30 June 2017 (implementing the GDPR) (the Act) and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)
Regulator: The Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Summary: Germany implemented the GDPR in 2018 through the Federal Data Protection Act of 30 June 2017 (implementing the GDPR) (as amended) (the Act).
The Federal Commissioner for Data Protection and Freedom of Information (BfDI) enforces data protection in the public sector at a federal level and with regards to all telecommunications and postal service providers, while the 16 regional data protection authorities enforce data protection laws in the public and private sectors of their respective state. All supervisory authorities meet regularly at the German Data Protection Conference (DSK) and have issued detailed guidelines that further develop the privacy landscape in Germany. Important guidelines include guidance on cookie consent, a concept to harmonise the assessment of monetary fines under the GDPR, and a Standard Data Protection Model. Moreover, Germany is one of the first European countries to digitalise its health system, and a special Patient Data Protection Act (PDSG) (only available in German here).