Data Law Navigator | Germany
Information on Data Protection and Cyber Security laws from CMS experts
The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Last updated 11 July 2019
- General Data Protection Regulation, GDPR (Regulation (EU) 2016/679 of 27 April 2016), in force since 25 May 2018.
- Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) of 30 June 2017, in force since 25 May 2018, as last amended by the Act to Adapt the Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680 of 30 June 2017 (Datenschutz-Anpassungs- und -Umsetzungsgesetz EU – DSAnpUG-EU – “First Adaption and Implementation Law”).
- Each German federal state has its own data protection law for the processing of personal data by the authorities of the German federal states (Landesdatenschutzgesetz, LDSG).
- Numerous data protection provisions in sector-specific legislation, including the Telemedia Act of 26 February 2007 (Telemediengesetz – TMG); the Telecommunications Act of 22 June 2004 (Telekommunikationsgesetz – TKG); and social security laws (Sozialgesetzbuch I-X – SGB I-X).
Each German federal state has a Data Protection Authority which is responsible for the enforcement of data protection laws and regulates data controllers established in the state.
Websites of the 16 Data Protection Authorities of the German federal states:
- Mecklenburg-Western Pomerania
- Lower Saxony
- North Rhine-Westphalia
Anticipated changes to law
The German parliament (Bundestag) has passed a second Adaption and Implementation Law that will update a variety of data protection provisions in sector-specific legislation to GDPR terminology and principles and will change some provisions of the Federal Data Protection Act. The Law still has to be adopted by the state chamber (Bundesrat) and will come into force on 1 November 2020 (some changes in sector-specific legislation already on 1 November 2019).
If applicable: stage of legislative implementation of GDPR
The GDPR is fully implemented; in particular, the BDSG has been updated to GDPR terminology and standards.
Concerning sector-specific legislation, see the section above.
If applicable: local derogations as permitted by GDPR
Germany derogates from the provisions of the GDPR in:
- processing in the context of employment (Article 88 GDPR; Section 26 BDSG)
- processing of special categories of data (Article 9 (4) GDPR; Sections 22, 27 and 28 BDSG)
- safeguards and derogations for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 89 GDPR; Section 27 et seqq. BDSG)
- restrictions on data subject rights (Article 23 GDPR; Section 32 et seqq. BDSG)
- obligations of secrecy (Article 90 GDPR; Section 29 BDSG)
- designation of Data Protection Officers (Article 37 (4) GDPR, Section 38 BDSG)
- credit information and scoring (Section 30 et seq. BDSG)
- public video surveillance (Section 4 BDSG)
- processing for other purposes (Article 6 (4) GDPR, Section 24 BDSG)
- profiling (Art. 22 (2) GDPR, Section 37 BDSG)
- sanctions for other infringements of the GDPR which are not subject to administrative fines (Section 41 et seqq. BDSG).
Please note that some local derogations have been heavily criticized by German supervisory authorities, some of which explicitly recommend that controllers should not rely on the restrictions of data subjects’ rights according to Section 32 et seq. BDSG. The local derogation regarding video surveillance in Section 4 BDSG has recently been invalidated by the Federal Administrative Court as far as the operation of video surveillance by private bodies is concerned.
The BDSG applies when:
- personal data are processed by federal public authorities, or by public authorities of the German federal states where the data protection laws of the German federal states do not apply,
- personal data are processed by a private body, the processing is carried out wholly or partly by automated means or otherwise forms part of, or is intended to form part of, a filing system, and the private body processes data in Germany, in the context of the activities of a German branch, or falls within the scope of the GDPR,
- the GDPR does not take precedence over the national provisions of the BDSG, and
- other sector-specific data protection laws do not take precedence over the BDSG.
Data protection laws of the German federal states (LDSG):
- Are intended to protect personal data against processing and use by public authorities of the German federal states.
Telemedia Act (TMG):
- Governs all electronic information and communication services on German territory (telemedia services), except pure telecommunications and broadcasting.
- Sets out data protection duties for providers of telemedia services.
Other sector-specific data protection laws:
- Apply to the processing of personal data on German territory in various sectors.
Derogation from the GDPR under national law
- The BDSG determines that the provisions of the Administrative Offences Act apply accordingly to violations of the GDPR.
- The BDSG furthermore stipulates penal provisions for particular violations of the GDPR.
- In addition to the administrative fines under the GDPR, the BDSG provides for fines (up to EUR 50,000) for violations of Section 30 BDSG (consumer loans) – e.g. for anyone who fails to handle an information request appropriately in the context of consumer loans.
Registration / Notification
No derogation from the GDPR under national law.
Main obligations and processing requirements
Derogation from the GDPR under national law
- Processing in the context of employment (Article 88 GDPR; Section 26 BDSG).
- Processing of special categories of data (Article 9 (4) GDPR; Section 22 BDSG).
- Processing for other purposes (Section 24 BDSG).
- Processing requirements: the TMG contains sector-specific requirements for the processing of personal data in connection with electronic information and communication services provided by telemedia service providers.
- Information requirements: the TMG contains sector-specific information requirements, e.g. information and contact details concerning the company responsible for the website ("imprint").
Data subject rights
Derogations from the GDPR
- Obligation to notify the individual – in certain cases, the BDSG exempts the data controller from its obligation to inform the individual of their rights, e.g. if the information would interfere with the establishment, exercise or defence of legal claims (provided that there are no overriding interests of the individual in the provision of the information).
- The right to access data – the BDSG contains certain exemptions from the right to access, e.g. if such data were recorded only because they may not be erased due to legal or statutory provisions on retention.
- The right to erasure – the BDSG exempts the controller from its obligation to erasure under certain conditions, e.g. if the erasure would involve a disproportionate effort due to the specific mode of storage.
Please note that some German supervisory authorities explicitly recommend that controllers should not rely on the restrictions of data subjects’ rights according to Section 32 et seq. BDSG due to non-compliance with GDPR requirements.
Processing by third parties
No derogation from the GDPR.
Transfers out of country
No derogation from the GDPR.
Data Protection Officer
Derogations from the GDPR
The threshold for designating a Data Protection Officer in Germany is lower than under the GDPR. In addition to the GDPR requirements, a Data Protection Officer must be designated if:
- as a rule, at least ten persons are constantly engaged in the automated processing of personal data, or
- the business is subject to a data protection impact assessment (Art. 35 GDPR), or commercially processes personal data for the purpose of transfer or anonymized transfer, or for purposes of market or opinion research; in this case the controller has to designate a Data Protection Officer regardless of the number of employees involved in the processing.
The second Adaption and Implementation Law currently in the legislative process provides for raising the aforementioned threshold to 20 persons constantly engaged in the automated processing of personal data.
The law still has to be adopted by the state chamber (Bundesrat).
No derogation from the GDPR.
No derogation from the GDPR.
The Act Against Unfair Competition requires prior express consent of the recipient before sending marketing e-mails. An exception applies (cumulative requirements) when:
- the recipient’s e-mail address has been acquired in connection with the sale of goods or services
- the marketer uses the address for direct advertising of their own similar goods or services
- the recipient has not objected to this use
- the recipient was clearly and unequivocally advised, when the address was collected and each time it is used, that they can object to its use at any time without incurring costs other than transmission costs at the basic rates.
The TMG determines that for the purposes of advertising, market research or in order to design the telemedia in a needs-based manner, the service provider may produce profiles of usage based on pseudonyms to the extent that the recipient of the service does not object to this.
The German Federal Ministry for Economic Affairs declared in 2014 that the European Commission considers the Cookie Directive to be implemented in Germany, i.e. that the cited provision does not infringe EU law. This position has, however, been disputed by part of the legal literature and by data protection authorities.
On 26 April 2018, the Conference of the data protection authorities of the German federation and the German federal states (Datenschutzkonferenz – DSK), issued a position paper taking the view that Article 95 GDPR, which states that the GDPR does not impose additional obligations in relation to processing of personal data in connection with the provision of publicly available electronic communications services in public communication networks, does not apply to §§ 12-15 TMG, which contain provisions regarding data protection.
Therefore, the position was taken that the mentioned provisions of the TMG have been replaced by the provisions of the GDPR, and that the use of tracking methods, e.g. via cookies, requires prior consent in accordance with Art. 8 GDPR. This position was widely criticized.
- Bavarian data protection authority, containing papers of the DSK: https://www.lda.bayern.de/en/privacy_eu.html (in German only).
- Data Protection Authorities of German federal states: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html (in German only).
- Industry association of information and telecommunication industry: https://www.bitkom.org/EN/index-EN.html (parts of the publications are available also in English).
Last reviewed 9 October 2018
Laws and regulations
- IT Security Act of 7 July 2015 on increasing the security of IT systems (Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme) – IT-Sicherheitsgesetz
- Act of 14 August 2009 on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik) – BSI-Gesetz
- Regulation of 22 April 2016 on the determination of critical infrastructures according to the BSI-Gesetz (Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz) – Kritis-VO
- Telemedia Act of 26 February 2007 (Telemediengesetz) – TMG
- Sector-specific laws with provisions on IT security, including: the Telecommunications Act of 22 June 2004 (Telekommunikationsgesetz) – TKG; and the Energy Industry Act of 7 July 2005 (Energiewirtschaftsgesetz) – EnWG
Anticipated changes to law
No major changes anticipated; the EU NIS Directive has already been implemented.
The BSI-Gesetz and the Kritis-VO set out security obligations for:
- critical infrastructures – sectors: energy, water, food, IT and telecommunications, health, finance and insurance, transport and traffic
- digital service providers – online marketplaces, online search engines, cloud computing services
- federal authorities.
The TMG stipulates security obligations for providers of digital services (e.g. provision of websites, apps etc.).
Various sector-specific laws also cover cyber security obligations, especially in the telecommunications and energy sectors.
Federal Office for Information Security / Bundesamt für Sicherheit in der Informationstechnik (BSI): https://www.bsi.bund.de
TMG and sector-specific laws: other authorities, including state authorities of the German federal states (Länder)
Critical infrastructures must implement appropriate, state-of-the-art organisational and technical measures to avoid security incidents in their IT systems that could affect the functioning of the infrastructure or service (minimum security requirements). They must prove at least every two years that these measures fulfil the requirements. The BSI can approve sector-specific security standards.
Digital service providers must implement appropriate, state-of-the-art organisational and technical measures to avoid risks to the security of the network and information systems they use to provide their services. These measures will be further defined by the European Commission according to Article 16(8) of Directive (EU) 2016/1148.
Providers of critical infrastructures and digital service providers must notify the BSI in the event of major cyber security incidents.
Providers of digital services must implement reasonable, state-of-the-art organisational and technical measures, especially including the use of encryption, that:
- guard against unauthorised access to the technical systems they use to provide their digital services
- ensure that their technical systems are protected against unauthorised access to personal data
- prevent malfunctions, including any caused by external attacks.
The various sector-specific laws often contain provisions to take appropriate organisational and technical measures to maintain a minimum level of security and to notify authorities in the case of major security incidents.
- Fines of up to EUR 100,000
- Fines of up to EUR 50,000
Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Yes. The CERT-Bund:
- creates and publishes recommendations for preventive measures
- points out vulnerabilities in hardware and software products
- proposes measures to address known vulnerabilities
- supports public agencies’ efforts to respond to IT security incidents
- recommends various mitigation measures.
For other services – such as incident analysis – it mainly assists federal institutions.
The Bürger-CERT provides information on cyber security to private persons.
Is there a national incident management structure for responding to cybersecurity incidents?
The BSI has an IT analysis and operations centre that continuously monitors, assesses and reports on the cyber security situation and provides incident response support. If necessary, it acts as an IT-crisis centre to coordinate fast responses to major incidents.
There is also an interagency body – the National Cyber-Defence Centre – that coordinates the operational cooperation of the security authorities (i.e. the police and intelligence services).
Other cybersecurity initiatives
The Alliance for Cyber Security (Allianz für Cybersicherheit) is a cooperation platform for the exchange of information between the BSI, industry, and science and research.
- National competent authority (BSI): https://www.bsi.bund.de
- Alliance for Cyber Security (ACS): https://www.allianz-fuer-cybersicherheit.de/
- German cybersecurity strategy