Data protection and cybersecurity laws in Germany

Data protection

1. Local data protection laws and scope

Data processing operations are governed by the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) of 30 June 2017, as last amended by Article 12 of the Second Act to Adapt the Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680 of 20 November 2019 (Zweites Gesetz zur Anpassung des Datenschutzrechts an die Verordnung (EU) 2016/679 und zur Umsetzung der Richtlinie (EU) 2016/680 (Zweites Datenschutz-Anpassungs- und Umsetzungsgesetz EU – 2. DSAnpUG-EU)). Unless sector-specific data protection laws take precedence over the BSDG, the BDSG applies to: 

  • data processing by federal public authorities or public authorities of the German federal states, if the data protection laws of the German federal states do not apply and; 
  • data processing by private bodies. 

Each German federal state has its own data protection law for the processing of personal data by the authorities of the German federal states (Landesdatenschutzgesetz – LDSG).

Many data protection provisions are included in sector-specific legislation, including social security laws (Sozialgesetzbuch I-X – SGB I-X). The Telemedia Act of 26 February 2007 (Telemediengesetz - TMG) and the Telecommunications Act of 22 June 2004 (Telekommunikationsgesetz – TKG) will be combined in a future Telecommunications Telemedia Data Protection Act (Telekommunikations-Telemedien-Datenschutzgesetz – TTDSG), which is currently in preparation.

2. Data protection authority

Each German federal state has a data protection authority that is responsible for the enforcement of data protection laws and regulates data controllers established in the respective state. In addition, there is also a Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für Datenschutz und Informationsfreiheit - BfDI), which is responsible for the enforcement of the BDSG. 

3. Anticipated changes to local laws

  • Consolidation of the data protection provisions in the Telemedia Act (Telemediengesetz – TMG) and the Telecommunications Act (Telekommunikationsgesetz – TKG) into a new Telecommunications Telemedia Data Protection Act (Telekommunikations-Telemedien-Datenschutzgesetz – TTDSG);
  • Intended application of telecommunications secrecy also for so-called "over-the-top" telecommunications services.

4. Sanctions & non-compliance

Administrative sanctions:

In addition to the administrative fines under the GDPR, the BDSG provides for fines (up to EUR 50,000) for violations of § 30 BDSG – e.g. for anyone who fails to handle an information request appropriately in the context of consumer loans (§ 43 BDSG). The BDSG determines that the provisions of the Act on Regulatory Offences (Gesetz über Ordnungswidrigkeiten – OwiG) apply accordingly to the local enforcement of violations of the GDPR.

Criminal sanctions:

The BDSG stipulates criminal sanctions for particular violations of the GDPR (§ 42 BDSG), in the event that:

  • personal data of a large number of people which are not publicly accessible are deliberately
    • transferred to a third party, or
    • otherwise made accessible
    • for commercial purposes without authorisation (imprisonment up to three years); or
  • personal data which are not publicly accessible are
    • processed without authorisation, or
    • acquired fraudulently   

in return for payment or with the intention of enriching oneself or someone else or harming someone (imprisonment up to two years).

Others: 

No specific regulations.

5. Registration / notification / authorisation

There is no obligation to register or notify an authority under German data protection law.

6. Main obligations and processing requirements

There are some derogations from the GDPR under national law for:

  • Public video surveillance (§ 4 BDSG);
  • Processing of special categories of data (Article 9 (4) GDPR; § 22 BDSG);
  • Processing for other purposes (Article 6 (4) GDPR, § 24 BDSG);
  • Processing for employment-related purposes (Article 88 GDPR; § 26 BDSG);
  • Processing for purposes of scientific or historical research and for statistical purposes; processing for archiving purposes in the public interest (Article 89 GDPR; §§ 27 et seqq. BDSG);
  • Obligations of secrecy (Article 90 GDPR; § 29 BDSG);
  • Credit information and scoring (§§ 30 et seq. BDSG);
  • Profiling (Article 22 (2) GDPR, § 37 BDSG);
  • Designation of data protection officers (Article 37 (4) GDPR, § 38 BDSG).

7. Data subject rights

There are some derogations from Art. 12 et seq. GDPR:

  • Rights of data subjects in case of secrecy obligations (§ 29 BDSG): in certain cases, the BDSG exempts the data controller from its obligation to inform as far as information would be disclosed which by its nature must be kept secret; in particular because of overriding legitimate interests of a third party;
  • Obligation to notify the individual (§ 32 BDSG): in certain cases, the BDSG exempts the data controller from its obligation to inform the individual of their rights, e.g. if the information would interfere with the establishment, exercise or defence of legal claims (provided that there are no overriding interests of the individual in the provision of the information);
  • The right to access data (§ 34 BDSG): the BDSG contains certain exemptions from the right to access, e.g. if such data were recorded only because they may not be erased due to legal or statutory provisions on retention;
  • The right to erasure (§ 35 BDSG): the BDSG exempts the controller from its obligation to erasure under certain conditions, e.g. if the erasure would involve a disproportionate effort due to the specific mode of storage.

8. Processing by third parties

There are no derogations from the GDPR

9. Transfers out of country

Art. 44 et seq. GDPR apply. There are no derogations from the GDPR

10. Data Protection Officer

In addition to Article 37 GDPR, a data protection officer must be designated if:

  • As a rule, at least twenty persons constantly deal with the automated processing of personal data; or
  • the business is subject to a data protection impact assessment (Article 35 GDPR) or commercially processes personal data for the purpose of transfer or anonymised transfer, or for purposes of market or opinion research – in this case the controller has to designate a data protection officer regardless of the number of employees involved in the processing. 

11. Security

Art. 32 GDPR applies in general. § 22 (2) BDSG provides for some additional obligations when processing special types of personal data. In addition, § 13 (7) TMG applies for telemedia services.

12. Breach notification

Art. 33 et seq. GDPR apply in general. § 29 BDSG stipulates derogations in case of secrecy obligations.

13. Direct marketing

The Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG) requires the recipient's prior express consent before sending marketing emails. An exception applies (cumulative requirements) when:

  • the recipient's email address has been acquired in connection with the sale of goods or services;
  • the marketer uses the address for direct advertising of their own similar goods or services;
  • the recipient has not objected to this use; and
  • the recipient was clearly and unequivocally advised when the address was collected, and each time it is used can object to its use at any time, without costs arising other than transmission costs pursuant to the basic rates.

14. Cookies and adtech

  • The German authorities hold that tracking mechanisms such as cookies, in particular for advertising purposes, require the data subject's explicit consent pursuant to Article 6 (1) lit. a), Article 7 GDPR. It is no longer sufficient to offer an opt-out mechanism pursuant to § 15 (3) TMG (cf. opinions of the German data protection conference (Datenschutzkonferenz – DSK) of  April 2018 and March 2019);
  • The ECJ (Planet49 – Case C 673/17) has held that agreement in the sense of active consent by the user is required for the setting of cookies that are not technically necessary for use, i.e. in particular with regard to cookies used for advertising purposes. According to the decision, pre-ticked boxes or similar methods are not sufficient;
  • Finally, there is a new ruling by the Rostock Regional Court of September 2020 on so-called "nudging", i.e. designing cookie banners in such a way that users are manipulated to consent to cookies by hiding the "decline" button either visually (e.g. greyed out) or in (complicated) sub-menus. According to the court, nudging leads to the fact that the declaration of consent to the use of cookies is invalid.

15. Risk scale

Severe

Cybersecurity

1. Local cybersecurity laws and scope

  • EU Cybersecurity Act (Regulation (EU) 2019/881 of 17 April 2019).
  • Act of 14 August 2009 on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik – BSIG), amended on 23 June 2017 by the implementation act of directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016.
  • Regulation of 22 April 2016 on the determination of critical infrastructures according to the BSIG (Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSIG – BSI-KritisV).
  • General Data Protection Regulation, GDPR (Regulation (EU) 2016/679 of 27 April 2016), supplemented by the Federal Data Protection Act of 30 June 2017 (Bundesdatenschutzgesetz – BDSG), and the data protection laws of the federal states.
  • eIDAS Regulation (Regulation (EU) 910/2014 of 23 July 2014), supplemented by the German Trust Service Act of 18 July 2017 (Vertrauensdienstegesetz – VDG), and the German Trust Service Ordinance of 15 February 2019 (Vertrauensdiensteverordnung – VDV).
  • Radio Equipment Act of 27 June 2017 (Funkanlagengesetz – FuAG).
  • Sector-specific laws with provisions on IT security, including: 
    • the Telemedia Act of 26 February 2007 (Telemediengesetz – TMG)
    • the Telecommunications Act of 22 June 2004 (Telekommunikationsgesetz – TKG)
    • the Energy Industry Act of 7 July 2005 (Energiewirtschaftsgesetz – EnWG)
    • the Act on the peaceful use of nuclear energy and protection against its dangers of 15 July 1985 (Atomgesetz – AtG)
    • the Banking Act of 9 September 1998 (Kreditwesengesetz – KWG)

Others: Trade Secret Act of 18 April 2019 (Gesetz zum Schutz von Geschäftsgeheimnissen – GeschGehG).

2. Anticipated changes to local laws

There is currently a draft of a second law to increase the security of information technology systems (IT-Sicherheitsgesetz 2.0); among other things, to strengthen the rights of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) and to improve consumer protection:

Rights of the BSI:

The BSI will be given extended monitoring and auditing powers vis-à-vis the federal administration and will be more closely involved in the federal government's digitisation projects. The BSI will also be empowered to detect security vulnerabilities through so-called portscans and honeypots.

Consumer protection:

A uniform IT security label will be introduced to make the level of cybersecurity of products more transparent. To this end, manufacturers will be required to provide information about their products.

Other obligations:

Operators of critical infrastructure will be required to use systems to detect attacks (e.g. so-called intrusion detection systems). An amendment to the Electricity and Gas Supply Act extends this obligation to operators of energy supply networks and energy plants. In addition, cybersecurity notification obligations will also apply to companies that are of particular public interest, such as companies in the defence industry.

3. Application 

EU Cybersecurity Act

The EU Cybersecurity Act establishes an EU certification framework for ICT digital products, services and processes and enables the creation of tailored and risk-based EU certification schemes.

BSIG/BSI-KritisV

The BSIG and the BSI-KritisV, which widely implement the NIS Directive 2016/1148 in Germany set out security obligations for:

  • critical infrastructure sectors: energy, IT and telecommunications, transport and traffic, health, water, food, finance and insurance;
  • digital service providers: online marketplaces, online search engines, cloud computing services; and
  • federal authorities  
GDPR

The GDPR stipulates cybersecurity requirements for the processing of personal data.

eIDAS, VDG and VDV

The eIDAS Regulation creates a uniform framework for the cross-border use of electronic identification schemes and trust services. It provides a regulatory environment to enable secure and seamless electronic interactions between businesses, citizens and public authorities (including security requirements for electronic identification schemes and electronic trust services).

FuAG

The FuAG, which transposes the Radio Equipment Directive 2014/53/EU in Germany, sets out security requirements for radio equipment (e.g. electrical devices with Wi-Fi or Bluetooth functionality). 

TMG

The TMG stipulates security obligations for providers of digital services (e.g. provision of websites, apps etc.).

TKG

The TKG stipulates security obligations for operators of electronic communication networks and providers of electronic communications services (e.g. internet access providers).

EnWG

The EnWG sets forth obligations for operators of energy networks and plants to implement adequate protections against threats to telecommunications and electronic data processing systems which are necessary for secure operation of the energy networks and plants.

AtG

The AtG stipulates notification obligations for licence holders under the AtG in case of impairments of their information technology systems, components or processes which could lead to a threat to or interference with the nuclear safety of the nuclear installation or activity concerned.

KWG

The KWG provides a regulatory framework for credit and financial services institutions, stipulating obligations to implement appropriate risk management structures, which also covers IT-security related risk management and requirements.

GeschGehG

The GeschGehG, which implements the Trade Secret Directive 2016/943 in Germany, stipulates that the only information that is subject to appropriate confidentiality measures (which includes cybersecurity measures) is to be qualified as a trade secret.

4. Authority

European Union Agency for Cybersecurity (ENISA): https://enisa.europa.eu

Federal Office for Information Security / Bundesamt für Sicherheit in der Informationstechnik (BSI): https://www.bsi.bund.de

European Data Protection Board (edpb): https://edpb.europa.eu 

Data protection authorities and state media authorities

Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway / Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen (BNetzA): https://www.bundesnetzagentur.de

Market surveillance authorities

Federal Financial Supervisory Authority / Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin): https://bafin.de

5. Key obligations 

BSIG/BSI-KritisV

Operators of critical infrastructure must implement appropriate, state-of-the-art organisational and technical measures to avoid security incidents with their IT systems which could affect the functioning of the infrastructure/service (minimum security requirements). They must prove that these measures fulfil the requirements at least every two years. The BSI can approve sector-specific security standards. 

Digital service providers must implement appropriate, state-of-the-art organisational and technical measures to avoid risks to the security of the network and information systems they use to provide the services. These measures will be further defined by the European Commission according to Article 16 para 8 of EU directive (EU) 2016/1148.

Operators of critical infrastructure must provide the BSI with a contact point.

Operators of critical infrastructure and digital service providers must notify the BSI in the event of significant cybersecurity incidents.

GDPR

Controllers and processors are obliged to implement appropriate, state-of-the-art technical and organisational measures to ensure a level of security appropriate to the risk, including (inter alia) pseudonymisation and encryption.

eIDAS, VDG and VDV

The eIDAS Regulation stipulates security requirements for electronic identification schemes (including interoperability requirements), (qualified) trust services, (advanced and qualified) electronic signatures and seals, electronic time stamps, electronic registered delivery services and website authentication.
For instance, the assurance level (low, substantial and/or high) of notified electronic identification schemes depends on whether certain security criteria are fulfilled or not.

(Qualified) trust service providers are obliged to take appropriate, state-of-the-art organisational and technical measures to manage the risks posed to the security of the trust service they provide and to notify the supervisory body and other relevant bodies in the event of significant security incidents. In case the security breach is likely to adversely affect a natural or legal person to whom the trusted service has been provided, the trust service provider is also obliged to notify the natural or legal person of the breach of security. 

Qualified trust service providers are additionally subject to recurring inspection by conformity assessment bodies and information obligations.

FuAG

Manufacturers that place radio equipment on the German market shall design and manufacture such device in a way that it does not harm the network or its functioning or misuse network resources, and that it incorporates safeguards to ensure that the personal data and privacy of the user are protected.

TMG

Providers of digital services must implement reasonable, state-of-the-art organisational and technical measures, especially including the use of encryption, that:

  • guard against unauthorised access to the technical systems they use to provide their digital services;
  • ensure that their technical systems are protected against unauthorised access to personal data; and
  • prevent malfunctions, including any caused by external attacks.    
TKG

The TKG sets forth cybersecurity related obligations of operators of electronic communications networks and providers of electronic communications services.

Operators of publicly available telecommunications networks are particularly obliged to: 

  • implement technical and organisational measures to protect the network against disruptions;
  • appoint a security officer and draw up a security concept (which needs to be submitted to the BNetzA immediately after commencing network operation); and
  • notify the BNetzA and the BSI without delay of any impairments to telecommunications networks and services which (can) lead to significant security breaches.

The measures to be taken are specified in a catalogue of security measures, issued by the BSI and the BNetzA.

Providers of publicly available electronic communication services are in particular obliged to:

  • implement technical and organisational measures to protect the secrecy of telecommunications and other personal data as well as to protect the underlying network against disruptions;
  • appoint a security officer and draw up a security concept (which needs to be submitted to the BNetzA upon request);
  • immediately notify the BNetzA and the BSI of any impairments to telecommunications networks and services which (can) lead to significant security breaches;
  • immediately notify the BNetzA and the Federal Commissioner for Data Protection (and, where applicable, additionally the persons concerned) of any violation of the protection of personal data;
  • keep a register of violations of the protection of personal data; and
  • immediately inform customers in case of malfunctions caused by customer data processing systems.  

The measures to be taken are specified in a catalogue of security measures issued by the BSI and the BNetzA.

EnWG

Operators of energy supply networks are obliged to implement adequate protections against threats to telecommunications and electronic data processing systems that are necessary for secure network operation. The measures to be taken are specified in a catalogue of security measures issued by the BSI and the BNetzA.

Operators of energy plants classified as critical infrastructure and connected to energy supply networks are obliged to implement adequate protections against threats to telecommunications and electronic data processing systems which are necessary for secure operation of the plant. The measures to be taken are specified in a catalogue of security measures issued by the BSI and the BNetzA.

Operators of energy supply networks and energy plants classified as critical infrastructure must notify the BSI in the event of significant cybersecurity incidents.

AtG

Licence holders under the AtG are obliged to notify the BSI in case of impairments of their information technology systems, components or processes that could lead to a threat to or interference with the nuclear safety of the nuclear installation or activity concerned.

KWG

Credit and financial services institutions are obliged to implement appropriate risk management structures, including IT-security related structures and measures. The respective minimum requirements are specified in the BaFin Circular 10/2017 (BA) as amended on 14 September 2018 (Banking supervisory requirements for IT (Bankaufsichtliche Anforderungen an die IT (BAIT)). In addition, credit and financial services institutions as well as financial holding companies are required to implement internal security measures to prevent criminal offences that could endanger the institution's assets.

GeschGehG

Holders of trade secrets are required to implement appropriate confidentiality measures to ensure that their trade secrets are subject to the (legal) protections of the GeschGehG.

6. Sanctions & non-compliance 

Administrative sanctions:
  • BSIG/BSI-KritisV: Fines of up to EUR 50,000
  • GDPR: Fines of up to EUR 10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year (in case of an undertaking)
  • eIDAS Regulation and VDG: Fines of up to EUR 100,000
  • FuAG: Fines of up to EUR 100,000
  • TMG: Fines of up to EUR 50,000
  • TKG: Fines of up to EUR 100,000
  • EnWG: Fines of up to EUR 100,000
  • KWG: Fines/Order of additional capital requirements
Criminal sanctions:
  • Possible criminal sanctions for data protection violations according to § 42 BDSG.
  • Possible criminal sanctions for violations of the Telecommunications Act according to § 148 TKG.
Others: 
  • FuAG: Possible market ban
  • TKG: Possible operating ban

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes. The CERT-Bund, which:

  • creates and publishes recommendations for preventive measures;
  • points out vulnerabilities in hardware and software products;
  • proposes measures to address known vulnerabilities
  • supports public agencies’ efforts to respond to IT security incidents;
  • recommends various mitigation measures.

For other services – such as incident analysis – it mainly assists federal institutions.

The Bürger-CERT provides information on cybersecurity to private persons.

8. National cybersecurity incident management structure

The BSI has an IT analysis and operations centre that continuously monitors, assesses and reports on the cybersecurity situation and provides incident response support. If necessary, it acts as an IT crisis centre to coordinate fast responses to significant incidents.

There is also an inter-agency, - the National Cyber-Defence Centre, which coordinates the operations of the security authorities (i.e. the police and intelligence services).

9. Other cybersecurity initiatives 

Alliance for Cybersecurity (Allianz für Cybersicherheit) is a cooperation platform for the exchange of information between the BSI, industry and science and research.

Portrait ofChristian Runte
Christian Runte
Partner
Munich
Dr. Rene Sandor, LL.M. (King's College London)
Portrait ofMichael Biendl
Dr. Michael Biendl
Counsel
Munich