KNOWLEDGE BASE Data Protection Regulations In Germany

The information on this page was current at the time it was published. Regulations, trends, statistics, and other information are constantly changing. While we strive to update our Knowledge Base, we strongly suggest you use these pages as a general guide and be sure to verify any regulations, statistics, guidelines, or other information that are important to your efforts.

 

Data Protection Regulations In Germany

 

We encourage you to take a look at our GDPR blog content, including a GDPR readiness Self-Assessment Survey, as we update this page. You can also find additional GDPR resources on this site in the sections under Data Privacy In Germany.  

In the business world today, the collection, use, and disclosure of personal data by a company is an integral part of its functioning and success. Data collection, use, and disclosure activities carry many risks for both consumers and companies. For consumers, unauthorized access to and use of their personal data could mean identity theft, which can affect every aspect of their lives for many years. For companies, big, medium, and small, a data breach can be ruinous. Following a security breach, companies face criminal prosecution, civil penalties, audits, lawsuit liability, the extreme expense of notifying customers, investigating the breach, compensating customers, and updating the system to prevent another such breach, and a loss of profits from a decrease in consumer confidence and a damaged reputation.

 

What laws and regulations apply?

 

Data Protection Act

The EU's General Data Protection Regulation (GDPR) and Germany's Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) are the primary legislation regulating data protection in Germany. The GDPR has strict rules for protecting the personal data of EU citizens and those residing in the EU. This website, the GDPR Portal, is a resource to educate the public about the main elements of the GDPR. The Federal Data Protection Act addresses issues left open by the GDPR. Laws at the State level seek to protect personal data processed by State public officials, so they tend to be of less practical importance to businesses.

 

To whom and what does the Data Protection Act apply?

The Data Protection Act applies to the processing of personal data by a data controller in Germany, or by a data controller that is not located in the European Union but uses equipment located in Germany to process personal data.

 

What are the important terms to understand?

Personal data is any information concerning the personal or material circumstances of an identified or identifiable individual (the data subject).

 

Sensitive personal data is any information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and health or sex life.

 

Data processing means the storage, modification, transfer, blocking, or deleting of personal data.

 

How do I comply with the Data Protection Act?

Registration

Under the Data Protection Act, all companies that process personal data using automated means must notify the appropriate supervisory authority, unless the company has appointed a data protection officer. You are required to appoint a data protection officer if your company has more than nine people regularly involved in automated data processing or when sensitive personal data is being processed. Your data protection officer can be someone from within your company or hired from outside your organization. Your registration must include the following information:

  • the name or title of your company;

  • the name(s) of the owners, managing board members, managing directors, or other lawfully or constitutionally appointed managers and the person(s) placed in charge of your data processing;

  • the address of the data controller;

  • the business purposes of your company and of your data processing;

  • a description of the categories of data subjects and of the data or categories of data relating to them;

  • the recipients or categories of recipients to whom the data might be disclosed;

  • your standard data retention periods;

  • any plans you have to transfer the data to other countries; and

  • a general description, allowing a preliminary assessment to be made of the appropriateness of your technical and organizational measures taken to ensure security of the processing.

 

Data Collection

Personal data may be collected if:

  • it is necessary to create, execute, or terminate a legal obligation with the data subject;

  • it is necessary to safeguard the legitimate interests of your company (the data controller) and there is no reason to believe that the data subject has an overriding, legitimate interest in preventing the processing; or

  • the personal data is available to the public or you (the data controller) would be allowed to publish the data, unless the data subject has a clear and overriding interest.

 

Sensitive personal data may be collected if:

  • it is allowed by law or urgently required for reasons of important public interest;

  • the data subject has given his consent;

  • it is necessary to protect the vital interests of the data subject or of another person when the data subject is physically or legally incapable of giving his consent;

  • the data involved are that which the data subject manifestly made public;

  • it is necessary to prevent a significant threat to the public security;

  • it is urgently required to prevent significant disadvantages to the common good or to preserve significant concerns of the common good;

  • it is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services, and when the data are processed by health professionals or other persons subject to the obligation of professional secrecy;

  • it is necessary for the purposes of scientific research, when the scientific interest in carrying out the research project significantly outweighs the data subject’s interest in preventing the collection and the purpose of the research cannot be achieved in any other way or would require disproportionate effort;

  • it is required for compelling reasons of defense or to fulfill supranational or intergovernmental obligations of a public body of the Federation in the field of crisis management, conflict prevention or for humanitarian measures.

 

Data Processing

If you do not have the consent of the data subject, you can only process his or her personal data in the course of business for commercial purposes if the processing is:

  • necessary to create, execute, or terminate a legal obligation with the data subject;

  • necessary to safeguard your (the data controller's) legitimate interest and there is no reason to believe that the data subject has an overriding, legitimate interest in preventing the processing; or

  • the personal data is available to the public or you (the data controller) would be allowed to publish the data, unless the data subject has a clear and overriding interest.

 

Sensitive personal data may only be processed with the data subject’s consent, unless:

  • it is necessary to protect the vital interests of the data subject or of another person when the data subject is physically or legally incapable of giving his consent;

  • it is necessary to assert, exercise, or defend legal claims and there is no reason to assume that the data subject has an overriding interest in preventing the collection, processing, or use of the data;

  • the data subject has manifestly made the data public; or

  • it is necessary for the purposes of scientific research, when the scientific interest in carrying out the research project significantly outweighs the data subject’s interest in preventing the collection and the purpose of the research cannot be achieved in any other way or would require disproportionate effort.

 

Data Transfer

A processor can only process personal data pursuant to the data controller’s instructions. The following, among other things, must be specified in the contract between the processor and the data controller:

  • the data subject and the duration of the work required;

  • the type, extent, and purpose of the processing of the data, the type of data, and the category of data subjects;

  • the rectification, deletion, and blocking of data;

  • the processor’s obligations, particularly regarding any right to issue subcontracts;

  • the data controller’s rights over the processor and the processor’s obligation to cooperate; and

  • the return of the storage device and deletion of data.

 

International Data Transfer

The transfer of personal data within the European Economic Area (EEA) is not subject to additional requirements, except for the need for a legitimate reason. To transfer personal data outside the EEA, your data subjects must not have a legitimate interest in preventing the transfer and the recipient must ensure an adequate level of data protection. An adequate level of data protection can be achieved by:

  • transferring the data to a country that the European Commission (EC) has recognized as having an adequate level of protection in accordance with the 1995 European Data Directive 95/46/EC;

  • entering into binding corporate rules; or

  • entering into a data protection agreement based on the EU model clauses of the EC.

 

The US-EU Privacy Shield Framework replaced the Safe Harbor Framework in 2016, but it was also invalidated by the European Court of Justice in July 2020. Since then, companies have relied on other legal mechanisms for data transfers, including:

  • Standard Contractual Clauses (SCCs): these pre-approved contractual clauses, approved by the European Commission, can be used to ensure adequate safeguards for data transfers;

  • Binding Corporate Rules (BCRs): these are internal company policies approved by a specific EU data protection authority and can be used for intra-group data transfers; and

  • Derogations: in limited situations, derogations from the general transfer prohibition may be available, such as explicit consent from the data subject or transfers necessary for contractual performance.

 

Even if you cannot ensure an adequate level of protection, a transfer can still be made if:

  • the data subject has given his consent;

  • the transfer is necessary:

    • for the performance of a contract with the data subject;

    • for the performance of a contract, which has been or will be concluded in the interest of the data subject between you (the data controller) and a third party; or

    • to protect the vital interests of the data subject;

  • the transfer is legally required for an important public interest; or

  • the transfer is made from a register that is already publicly available.

 

Data Security

You are required to provide an adequate level of security against the unlawful processing of personal data. The level of protection must be proportionate to the harm that could result from such unlawful processing and must be appropriate to the nature of the personal data.

 

Breach Notification Requirements

You are required to report any illegal transfer or illegal access to a data subject’s:

  • sensitive personal data;

  • personal data that are subject to professional confidentiality obligations;

  • personal data regarding criminal acts or administrative offenses; or

  • personal data regarding bank accounts or credit card accounts.

Breach notification requirements apply if the illegal transfer or access would lead to severe adverse effects on the rights or legitimate interests of the data subject. You should notify data subjects as soon as appropriate of the measures that have been implemented to safeguard the data, as long as the notification would not endanger any criminal prosecution.

 

What are the risks of noncompliance?

A violation of German data protection laws can result in fines of up to €300,000 per violation. The fine should exceed the financial benefit to the perpetrator, so if that amount exceeds the statutory limits, the limits may be disregarded. If the violation is committed willfully or in exchange for a financial benefit (a criminal offense), imprisonment of up to two years can be imposed in addition to a fine. In 2023, German authorities imposed several significant fines for data protection violations, including a €12 million fine on Deutsche Telekom and a €9.5 million fine on H&M. These cases highlight the increasing enforcement of data protection regulations in Germany.

 

Cookie Regulation

What is a cookie? Cookies, also known as browser cookies or tracking cookies, are small, often encrypted, text files that are downloaded onto the ‘terminal equipment’ (e.g., a computer or smartphone) when a user accesses a website. Cookies allow a website to recognize a user’s device and store information about the user’s preferences and past actions. Cookies are not created only by the website the user is browsing (often called first party cookies) but also by other websites that run ads, widgets, or other elements loaded on the page (often called third party cookies). Cookies can expire at the end of a session or they can be stored for longer. Session cookies expire after a browser session. Session cookies can be used to remember what a user has put in a cart or shopping basket, or for security reasons when accessing internet banking or webmail. Persistent cookies are stored on a user’s device between browsing sessions and can be used to remember a user’s preferences and choices or for targeted advertising.

 

What laws and regulations apply?

Germany has not implemented the EU Cookie Directive (EU Directive 2009/136/EC), which requires the consent of users to use cookies, because the federal government believes that existing law, specifically the Telemedia Act (Telemediengesetz), already encompasses the EU Directive. The German Federal States have criticized the German federal government for not implementing the EU Directive, but it seems unlikely any amendment to current legislation will be made. There is no central regulatory body for cookie regulations in Germany; instead, state regulators from the 16 German states are responsible.

 

How do I comply with the Telemedia Act?

The Telemedia Act requires that users be informed about the use of cookies and that a provider may use traffic data (generally collected through cookies) only

  1. for the delivery of services, or

  2. otherwise (for advertising purposes) only without personal data and subject to a user’s opt-out right, or

  3. with consent as required for other purposes based on Section 12 of the Telemedia Act.

 

Essentially, if you want to set/use cookies, you should:

  • tell people that cookies are being used

  • tell people what the cookies are doing

  • obtain consent to store cookies on a user’s device

 

It is currently unclear whether you must obtain explicit consent or whether implied consent is sufficient. Explicit consent is the most cautious approach, but could seriously impair your users’ experience. Explicit consent can be obtained through a pop-up or banner that requires the user to click an acceptance or agreement (to the setting and use of cookies) to continue to use your website. Implied consent can be obtained by using a pop-up to inform your user that cookies are being used and that the continued use of your website will be deemed consent. With the exception of the cookies necessary for the use of your goods or services, you must provide your users with the option to opt out of the setting/use of cookies and clear instructions for doing so.
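As an added example (not code from the original page or from Globig), the following JavaScript audits the Set-Cookie headers a site and its embedded third parties return: it classifies each cookie as session or persistent and first or third party in the sense described above, then flags every non-essential cookie that was set before the user gave consent. The sample responses, the site host and the allow-list of essential cookies are constructed assumptions.

```javascript
// Added example (not from the original page): parse Set-Cookie headers, classify
// cookies as the text above does, and check them against a consent state.
// The sample responses, site host and "essential" allow-list are constructed.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1) };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "expires") cookie.expires = v.trim();
    else if (key === "max-age") cookie.maxAge = Number(v);
    else if (key === "domain") cookie.domain = v.trim().replace(/^\./, "").toLowerCase();
    // Secure, HttpOnly and SameSite do not affect this classification and are skipped.
  }
  return cookie;
}
// Session cookie = no Expires and no Max-Age; the browser drops it when the session ends.
function isPersistent(cookie) {
  return cookie.expires !== undefined || cookie.maxAge !== undefined;
}
// First party = scoped to the host the user is visiting (or a parent domain of it);
// a cookie scoped to any other host is a third-party cookie in the sense used above.
function isFirstParty(cookie, responseHost, siteHost) {
  const scope = cookie.domain || responseHost.toLowerCase();
  return siteHost === scope || siteHost.endsWith("." + scope);
}
// Flag every non-essential cookie that was set before the user gave consent.
// `essential` is the site's own allow-list of cookies needed to deliver the service.
function auditCookies(responses, siteHost, essential, consentGiven) {
  return responses.map(({ host, header }) => {
    const c = parseSetCookie(header);
    const isEssential = essential.includes(c.name);
    return {
      name: c.name,
      persistent: isPersistent(c),
      firstParty: isFirstParty(c, host, siteHost),
      essential: isEssential,
      violation: !isEssential && !consentGiven,
    };
  });
}
// Constructed sample: a login session cookie, a persistent preference cookie and a
// third-party ad cookie, all received before the user clicked the consent banner.
const SAMPLE_RESPONSES = [
  { host: "shop.example", header: "SESSIONID=abc123; Path=/; Secure; HttpOnly" },
  { host: "shop.example", header: "lang=de; Max-Age=31536000; Path=/" },
  { host: "ads.example", header: "adtrack=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT" },
];
const report = auditCookies(SAMPLE_RESPONSES, "shop.example", ["SESSIONID"], false);
```

Run against the sample, the session cookie passes while the preference cookie and the third-party ad cookie are reported as violations; rerunning with consent given clears both.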

 

 

Globig Resources

Data Protection Act

Federal Data Protection Officer (Bundesbeauftragter für Datenschutz und Informationsfreiheit)

1995 European Data Directive 95/46/EC

Binding Corporate Rules

Standard Contractual Clauses

EU Cookie Directive

Telemedia Act (Telemediengesetz)
