Data Law Navigator | Germany

Information on Data Protection and Cyber Security laws from CMS experts

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Data Protection 

Last updated March 2020

Risk scale

Risk Scale Red

Laws

  • General Data Protection Regulation, GDPR (Regulation (EU) 2016/679 of 27 April 2016).
  • Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) of 30 June 2017, as last amended by Article 12 of the Second Act to Adapt the Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680 of 20 November 2019 (Zweites Gesetz zur Anpassung des Datenschutzrechts an die Verordnung (EU) 2016/679 und zur Umsetzung der Richtlinie (EU) 2016/680 (Zweites Datenschutz-Anpassungs- und Umsetzungsgesetz EU – 2. DSAnpUG-EU)).
  • Each German federal state has its own data protection law for the processing of personal data by the authorities of the German federal states (Landesdatenschutzgesetz – LDSG).
  • Numerous data protection provisions in sector-specific legislation, including the Telemedia Act of 26 February 2007 (Telemediengesetz - TMG); the Telecommunications Act of 22 June 2004 (Telekommunikationsgesetz – TKG); and social security laws (Sozialgesetzbuch I-X – SGB I-X).

Authority

Each German federal state has a data protection authority which is responsible for the enforcement of data protection laws and regulates data controllers established in the respective state.

Websites of the 16 data protection authorities of the German federal states:

Anticipated changes to law

Currently no changes anticipated.

If applicable: stage of legislative implementation of GDPR

The GDPR is fully implemented. In particular, the BDSG has been updated to accommodate the GDPR's terminology and standards. In addition, provisions relating to data protection law in more than 150 German sector-specific acts have recently been harmonised according to GDPR standards through the Second Act to Adapt the Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680 of 20 November 2019 (2. DSAnpUG-EU).

If applicable: local derogations as permitted by GDPR

The BDSG contains the following derogations from the GDPR:

  • Processing for employment-related purposes (Article 88 GDPR; Section 26 BDSG)
  • Processing of special categories of personal data (Article 9 (4) GDPR; Sections 22, 27, 28 BDSG)
  • Processing for purposes of scientific or historical research and for statistical purposes; processing for archiving purposes in the public interest (Article 89 GDPR; Sections 27 et seqq. BDSG)
  • Restrictions on data subjects' rights (Article 23 GDPR; Sections 32 et seqq. BDSG)
  • Obligations of secrecy (Article 90 GDPR; Section 29 BDSG)
  • Designation of data protection officers (Article 37 (4) GDPR, Section 38 BDSG)
  • Credit information and scoring (Sections 30 et seq. BDSG)
  • Public video surveillance (Section 4 BDSG)
  • Processing for other purposes (Article 6 (4) GDPR, Section 24 BDSG)
  • Profiling (Article 22 (2) GDPR, Section 37 BDSG)
  • Sanctions for other infringements of the GDPR, which are not subject to administrative fines (Sections 41 et seqq. BDSG).

Please note that some local derogations have been heavily criticised by German supervisory authorities, some of which explicitly recommend that controllers should not rely on the restrictions of data subjects' rights according to sections 32 et seqq. BDSG. The local derogation regarding video surveillance in section 4 BDSG has been invalidated by the Federal Administrative Court as far as the operation of video surveillance by private bodies is concerned.

Scope

BDSG

The BDSG applies to:

  • data processing by federal public authorities or public authorities of the German federal states, if the data protection laws of the German federal states do not apply, and
  • data processing by a private body which is carried out wholly or partly by automated means or otherwise forms part of or is intended to form part of a filing system, where the private body processes data in Germany or in the context of the activities of a German branch, or falls within the scope of the GDPR,

in each case provided that the GDPR does not prevail over the national provisions in the BDSG and that other sector-specific data protection laws do not take precedence over the BDSG.

LDSG

  • The data protection laws of the German federal states are intended to protect personal data that is processed and used by public authorities of the German federal states.

TMG

  • Governs all electronic information and communication services on German territory, except mere telecommunication and broadcasting (telemedia services).
  • Sets out data protection duties for providers of telemedia services.

Penalties/enforcement

Derogation from the GDPR under national law

  • The BDSG determines that the provisions of the Act on Regulatory Offences (Gesetz über Ordnungswidrigkeiten – OWiG) apply accordingly to the local enforcement of violations of the GDPR.
  • The BDSG furthermore stipulates penal provisions for particular violations of the GDPR.
  • In addition to the administrative fines under the GDPR, the BDSG provides for fines (up to EUR 50,000) for violations of section 30 BDSG (consumer loans) – e.g. for anyone who fails to handle an information request appropriately in the context of consumer loans.

Registration/notification

There is no obligation to register or notify an authority under German data protection law.

Main obligations and processing requirements

Derogations from the GDPR under national law

  • Processing for employment-related purposes (Article 88 GDPR; Section 26 BDSG).
  • Processing of special categories of data (Article 9 (4) GDPR; Section 22 BDSG).
  • Processing for other purposes (Section 24 BDSG).

TMG

  • Processing requirements: sector-specific processing requirements for the processing of personal data concerning electronic information and communication services carried out by the providers of telemedia services.
  • Information requirements: the TMG contains sector-specific information requirements – e.g. information and contact details concerning the company responsible for the website ("imprint").

Data subject rights

Data subjects' rights according to GDPR

  • Right of access (Article 15 GDPR),
  • Right to rectification (Article 16 GDPR),
  • Right to erasure (Article 17 GDPR),
  • Right to restriction of processing (Article 18 GDPR),
  • Right to data portability (Article 20 GDPR),
  • Right to object (Article 21 GDPR),
  • Right not to be subject to a decision based solely on automated processing, including profiling (Article 22 GDPR).

Derogations from the GDPR

  • Obligation to notify the individual (Section 32 BDSG) – in certain cases, the BDSG exempts the data controller from its obligation to inform the individual of their rights, e.g. if the information would interfere with the establishment, exercise or defence of legal claims (provided that there are no overriding interests of the individual in the provision of the information).
  • The right to access data (Section 34 BDSG) – the BDSG contains certain exemptions from the right of access, e.g. if such data were recorded only because they may not be erased due to legal or statutory provisions on retention.
  • The right to erasure (Section 35 BDSG) – the BDSG exempts the controller from its obligation to erase under certain conditions, e.g. if the erasure would involve a disproportionate effort due to the specific mode of storage.

Please note that some German supervisory authorities explicitly recommend that controllers should not rely on the restrictions of data subjects' rights according to sections 32 et seqq. BDSG due to non-compliance with GDPR requirements.

Processing by third parties

No derogation from the GDPR.

Transfers out of country

No derogation from the GDPR.

Data Protection Officer

In addition to Article 37 GDPR, a data protection officer must be designated if:

  • As a rule, at least twenty persons constantly deal with the automated processing of personal data, or
  • the business is subject to a data protection impact assessment (Article 35 GDPR) or commercially processes personal data for the purpose of transfer or anonymised transfer, or for purposes of market or opinion research – in this case the controller has to designate a data protection officer regardless of the number of employees involved in the processing.

Security

No derogation from the GDPR.

Breach notification

No derogation from the GDPR.

Direct marketing

The Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG) requires the recipient's prior express consent before sending marketing e-mails. An exception applies (cumulative requirements) when:

  • the recipient's e-mail address has been acquired in connection with the sale of goods or services,
  • the marketer uses the address for direct advertising of their own similar goods or services,
  • the recipient has not objected to this use, and
  • the recipient was clearly and unequivocally advised, when the address was collected and each time it is used, that they can object to its use at any time without incurring costs other than transmission costs at the basic rates.

Cookies

The German authorities hold that tracking mechanisms such as cookies, in particular for advertising purposes, require the data subject's explicit consent pursuant to Article 6 (1) lit. a), Article 7 GDPR. It is no longer sufficient to offer an opt-out mechanism pursuant to section 15 (3) TMG (cf. opinions of the German data protection conference (Datenschutzkonferenz – DSK) of April 2018 and March 2019).

In addition, the ECJ (Planet49 – Case C‑673/17) has recently held that agreement in the sense of active consent by the user is required for the setting of cookies that are not technically necessary for use, i.e. in particular with regard to cookies used for advertising purposes. According to the decision, pre-ticked boxes or similar methods are not sufficient.

Cyber Security 

Last reviewed March 2020

Risk scale

Risk Scale Orange

Laws and regulations

  • EU Cybersecurity Act (Regulation (EU) 2019/881 of 17 April 2019).
  • Act of 14 August 2009 on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik – BSIG).
  • Regulation of 22 April 2016 on the determination of critical infrastructures according to the BSIG (Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSIG – BSI-KritisV).
  • General Data Protection Regulation, GDPR (Regulation (EU) 2016/679 of 27 April 2016), supplemented by the Federal Data Protection Act of 30 June 2017 (Bundesdatenschutzgesetz – BDSG), and the data protection laws of the federal states.
  • eIDAS Regulation (Regulation (EU) 910/2014 of 23 July 2014), supplemented by the German Trust Service Act of 18 July 2017 (Vertrauensdienstegesetz – VDG), and the German Trust Service Ordinance of 15 February 2019 (Vertrauensdiensteverordnung – VDV).
  • Radio Equipment Act of 27 June 2017 (Funkanlagengesetz – FuAG).
  • Sector-specific laws with provisions on IT security, including:
    • the Telemedia Act of 26 February 2007 (Telemediengesetz – TMG)
    • the Telecommunications Act of 22 June 2004 (Telekommunikationsgesetz – TKG)
    • the Energy Industry Act of 7 July 2005 (Energiewirtschaftsgesetz – EnWG)
    • the Act on the peaceful use of nuclear energy and protection against its dangers of 15 July 1985 (Atomgesetz – AtG)
    • the Banking Act of 9 September 1998 (Kreditwesengesetz – KWG)
  • Others: Trade Secret Act of 18 April 2019 (Gesetz zum Schutz von Geschäftsgeheimnissen – GeschGehG).

Anticipated changes to law

National level

  • Changes to be expected with regard to the catalogue of safety requirements under Sec. 109 para. 6 TKG.

European level

  • Outstanding adoption of the ePrivacy Regulation,
  • Preparation of European certification schemes under the EU Cybersecurity Act,
  • Initiative of the European Commission on the specification of security requirements under RED, and
  • Ongoing revision of the Machinery Directive, potentially leading to cyber security requirements for the placing on the market of machinery.

Application 

EU Cybersecurity Act

The EU Cybersecurity Act establishes an EU certification framework for ICT digital products, services and processes and enables the creation of tailored and risk-based EU certification schemes.

BSIG/BSI-KritisV

The BSIG and the BSI-KritisV, which largely implement the NIS Directive 2016/1148 in Germany, set out security obligations for:

  • critical infrastructures – sectors: energy, IT and telecommunications, transport and traffic, health, water, food, finance and insurance,
  • digital service providers – online marketplaces, online search engines, cloud computing services, and
  • federal authorities.

GDPR

The GDPR stipulates cyber security requirements for the processing of personal data.

eIDAS, VDG and VDV

The eIDAS Regulation creates a uniform framework for the cross-border use of electronic identification schemes and trust services. It provides a regulatory environment to enable secure and seamless electronic interactions between businesses, citizens and public authorities (including security requirements for electronic identification schemes and electronic trust services).

FuAG

The FuAG, which transposes the Radio Equipment Directive 2014/53/EU in Germany, sets out security requirements for radio equipment (e.g. electrical devices with Wi-Fi or Bluetooth functionality).

TMG

The TMG stipulates security obligations for providers of digital services (e.g. provision of websites, apps etc.).

TKG

The TKG stipulates security obligations for operators of electronic communication networks and providers of electronic communications services (e.g. internet access providers).

EnWG

The EnWG sets forth obligations for operators of energy networks and plants to implement adequate protections against threats to telecommunications and electronic data processing systems which are necessary for secure operation of the energy networks and plants.

AtG

The AtG stipulates notification obligations for license holders under the AtG in case of impairments of their information technology systems, components or processes which could lead to a threat to or interference with the nuclear safety of the nuclear installation or activity concerned.

KWG

The KWG provides a regulatory framework for credit and financial services institutions, stipulating obligations to implement appropriate risk management structures, which also covers IT-security related risk management and requirements.

GeschGehG

The GeschGehG, which implements the Trade Secret Directive 2016/943 in Germany, stipulates that only information that is subject to appropriate confidentiality measures (which includes cybersecurity measures) is to be qualified as a trade secret.

Authority

  • European Union Agency for Cybersecurity (ENISA): https://enisa.europa.eu
  • Federal Office for Information Security / Bundesamt für Sicherheit in der Informationstechnik (BSI): https://www.bsi.bund.de
  • European Data Protection Board (edpb): https://edpb.europa.eu
  • Data protection authorities and state media authorities
  • Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway / Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen (BNetzA): https://www.bundesnetzagentur.de
  • Market surveillance authorities
  • Federal Financial Supervisory Authority / Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin): https://www.bafin.de/EN/

Key obligations 

BSIG/BSI-KritisV

Operators of critical infrastructures must implement appropriate, state-of-the-art organisational and technical measures to avoid security incidents with their IT-systems which could affect the functioning of the infrastructure/service (minimum security requirements). They must prove that these measures fulfil the requirements at least every two years. The BSI can approve sector-specific security standards.

Digital service providers must implement appropriate, state-of-the-art organisational and technical measures to avoid risks to the security of the network and information systems they use to provide the services. These measures will be further defined by the European Commission according to Article 16 para. 8 of Directive (EU) 2016/1148.

Operators of critical infrastructures must provide the BSI with a contact point.

Operators of critical infrastructures and digital service providers must notify the BSI in the event of significant cyber security incidents.

GDPR

Controllers and processors are obliged to implement appropriate, state-of-the-art technical and organisational measures to ensure a level of security appropriate to the risk, including (inter alia) pseudonymisation and encryption.

eIDAS, VDG and VDV

The eIDAS Regulation stipulates security requirements for electronic identification schemes (including interoperability requirements), (qualified) trust services, (advanced and qualified) electronic signatures and seals, electronic time stamps, electronic registered delivery services and website authentication.

For instance, the assurance level (low, substantial and/or high) of notified electronic identification schemes depends on whether certain security criteria are fulfilled or not.

(Qualified) trust service providers are obliged to take appropriate, state-of-the-art organisational and technical measures to manage the risks posed to the security of the trust service they provide and to notify the supervisory body and other relevant bodies in the event of significant security incidents. If the security breach is likely to adversely affect a natural or legal person to whom the trust service has been provided, the trust service provider is also obliged to notify that natural or legal person of the breach of security.

Qualified trust service providers are additionally subject to recurring inspection by conformity assessment bodies and information obligations.

FuAG

Manufacturers that place radio equipment on the German market shall design and manufacture such devices so that they do not harm the network or its functioning and do not misuse network resources, and so that they incorporate safeguards to ensure that the personal data and privacy of the user are protected.

TMG

Providers of digital services must implement reasonable, state-of-the-art organisational and technical measures, especially including the use of encryption, that:

  • guard against unauthorised access to the technical systems they use to provide their digital services,
  • ensure that their technical systems are protected against unauthorised access to personal data, and
  • prevent malfunctions, including any caused by external attacks.

TKG

The TKG sets forth cyber security related obligations of operators of electronic communications networks and providers of electronic communications services.

Operators of publicly available telecommunications networks are particularly obliged to

  • implement technical and organisational measures to protect the network against disruptions,
  • appoint a security officer and draw up a security concept (which needs to be submitted to the BNetzA immediately after commencing network operation), and
  • notify the BNetzA and the BSI without delay of any impairments to telecommunications networks and services which (can) lead to significant security breaches.

The measures to be taken are specified in a catalogue of security measures, issued by the BSI and the BNetzA.

Providers of publicly available electronic communication services are in particular obliged to

  • implement technical and organisational measures to protect the secrecy of telecommunications and other personal data as well as to protect the underlying network against disruptions,
  • appoint a security officer and draw up a security concept (which needs to be submitted to the BNetzA upon request),
  • immediately notify the BNetzA and the BSI of any impairments to telecommunications networks and services which (can) lead to significant security breaches,
  • immediately notify the BNetzA and the Federal Commissioner for Data Protection (and, where applicable, additionally the persons concerned) of any violation of the protection of personal data,
  • keep a register of violations of the protection of personal data, and
  • immediately inform customers in case of malfunctions caused by customers' data processing systems.

The measures to be taken are specified in a catalogue of security measures, issued by the BSI and the BNetzA.

EnWG

Operators of energy supply networks are obliged to implement adequate protections against threats to telecommunications and electronic data processing systems which are necessary for secure network operation. The measures to be taken are specified in a catalogue of security measures, issued by the BSI and the BNetzA.

Operators of energy plants classified as critical infrastructures and connected to energy supply networks are obliged to implement adequate protections against threats to telecommunications and electronic data processing systems which are necessary for secure operation of the plant. The measures to be taken are specified in a catalogue of security measures, issued by the BSI and the BNetzA.

Both operators of energy supply networks and operators of energy plants classified as critical infrastructures must notify the BSI in the event of significant cyber security incidents.

AtG

License holders under the AtG are obliged to notify the BSI in case of impairments of their information technology systems, components or processes which could lead to a threat to or interference with the nuclear safety of the nuclear installation or activity concerned.

KWG

Credit and financial service institutions are obliged to implement appropriate risk management structures, including IT-security related structures and measures. The respective minimum requirements are specified in the BaFin Circular 10/2017 (BA) as amended on 14 September 2018 (Banking supervisory requirements for IT / Bankaufsichtliche Anforderungen an die IT (BAIT)). In addition, credit and financial service institutions as well as financial holding companies are required to implement internal security measures to prevent criminal offences that could endanger the institution's assets.

GeschGehG

Holders of trade secrets are required to implement appropriate confidentiality measures to ensure that their trade secrets are subject to the (legal) protections of the GeschGehG.

Penalties/enforcement

EU Cybersecurity Act

  • No sanctions, voluntary

BSIG/BSI-KritisV

  • Fines of up to EUR 50,000

GDPR

  • Fines of up to EUR 10,000,000 or up to 2 % of the total worldwide annual turnover of the preceding financial year (in case of an undertaking)

eIDAS Regulation and VDG

  • Fines of up to EUR 100,000

FuAG

  • Fines of up to EUR 100,000/market ban

TMG

  • Fines of up to EUR 50,000

TKG

  • Fines of up to EUR 100,000/operating ban

EnWG

  • Fines of up to EUR 100,000

KWG

  • Fines/Order of additional capital requirements

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes. The CERT-Bund:

  • creates and publishes recommendations for preventive measures
  • points out vulnerabilities in hardware and software products
  • proposes measures to address known vulnerabilities
  • supports public agencies’ efforts to respond to IT security incidents
  • recommends various mitigation measures.

For other services – such as incident analysis – it mainly assists federal institutions.

The Bürger-CERT provides information on cyber security to private persons.

Is there a national incident management structure for responding to cybersecurity incidents?

The BSI has an IT analysis and operations centre that continuously monitors, assesses and reports on the cyber security situation and provides incident response support. If necessary, it acts as an IT-crisis centre to coordinate fast responses to significant incidents.

There is also an interagency body, the National Cyber-Defence Centre, that coordinates the operational cooperation of the security authorities (i.e. the police and intelligence services).

Other cybersecurity initiatives

The Alliance for Cyber Security (Allianz für Cybersicherheit) is a cooperation platform for the exchange of information between the BSI, industry, and science and research.


Authors

Christian Runte
Partner
Munich

Dr. Michael Biendl
Senior Associate
Munich

Dr. Rene Sandor, LL.M. (King's College London)
Senior Associate
Munich