GDPR Enforcement in Germany

Deep dive into relevant data protection enforcement cases and insights from Germany

21 May 2026

Main takeaways

  • Enforcement practice is significantly shaped by 16 data protection authorities at the state level (plus one authority at the federal level with limited competence for the private sector).
  • Various DPA fining decisions have been successfully challenged or significantly reduced in court, including high-profile / landmark cases.
  • German DPAs follow an incoherent publication practice regarding GDPR fining activities; only a fraction of cases is published.
  • Germany allows data subjects to join forces for data protection claims through the model declaratory action, the action for injunction and the relatively new collective action for redress. Individual claims are already relevant in some areas (e.g. employment law), and third-party intermediaries have initiated legal action for a variety of individual cases.

Fining practice

Trend: Have the national data protection authorities in Germany focused on certain types of non-compliance... Do you see a focus on certain industries/sectors? If so, which ones?

It cannot be clearly stated whether German data protection authorities deliberately focus on certain types of violations. However, it can be observed that the majority of all German fines have been issued either due to insufficient legal bases for data processing (Art. 5, 6 GDPR) or due to deficiencies in information security (Art. 32 GDPR).

The fines imposed in Germany so far cover a fairly balanced range of sectors, in particular the health sector, the finance, insurance and consulting sector, the individuals and private associations sector and the processing of employee data. Looking only at the amounts of fines, it can be observed that two of the three largest German fines (those issued against H&M and notebooksbilliger.de, see below) have been imposed in connection with the processing of employee data. The reduction of the notebooksbilliger.de fine by the Higher Regional Court of Celle in March 2026 further illustrates the significant practical role of judicial review in German GDPR fining practice.

Overall, what was the most significant fine in Germany to date (recipient, amount, violation, sector, short summary)? Has it been challenged in court?

The highest GDPR fine in Germany to date was imposed on H&M Hennes & Mauritz Online Shop A.B. & Co. KG on 1 October 2020 in the amount of EUR 35.26 million due to an insufficient legal basis for data processing. It was revealed that H&M – a fashion company based in Hamburg – operated a service centre in Nuremberg, where private information on employees, including special categories of personal data (e.g. symptoms of illness and diagnoses, obtained through channels including "welcome back!" conversations), had been comprehensively recorded and stored on a network storage system since at least 2014. In addition, according to the Hamburg data protection authority, some supervisors also recorded knowledge about employees, for example about family problems and religious beliefs learned from casual workplace conversations. The information stored on the network storage system was accessible to up to 50 managers at the company and was used, among other things, to evaluate work performance and make promotion decisions.

Organisation of authorities and course of fine proceedings in Germany

How is the data protection authority organised in Germany? Budget, staff, assignment to a ministry?

Germany has a two-level data protection system with a federal authority (BfDI) for public entities and telecoms, and separate state authorities for the private sector.

  • 16 independent data protection authorities in the 16 German federal states. Responsible for enforcement of the GDPR and the German Federal Data Protection Act towards private entities and public entities in the respective state.
  • The Federal Commissioner for Data Protection and Freedom of Information (BfDI), an independent watchdog elected by the Federal Government, with around 300 employees. Responsible for enforcement of the GDPR and the German Federal Data Protection Act against federal public entities and telecommunication providers.

How does a fine procedure work in Germany? Can the authority impose fines itself? Procedural steps? Legal remedies?

  • Fines can be directly imposed by the respective federal or state authority as part of administrative proceedings.
  • Administrative proceedings are governed by (essentially similar) state or federal law or by uniform federal law in the case of administrative fine proceedings.
  • Proceedings usually start with a formal notification to the respective company on the opening of administrative fine proceedings (frequently as a consequence of ongoing general administrative fine proceedings where the DPA has asked for and obtained information from the controller/processor). The respective company has the option to provide its views on factual and legal aspects of the case before the authority issues the penalty notice (Bußgeldbescheid).
  • Companies can appeal against penalty notices to the competent (criminal) courts.

When fines are imposed: Where does the money go? (state treasury / authority budget / other)

Fines are allocated to the respective state or federal treasury.

Is there an official calculation methodology for fines in Germany?

There is no common, official calculation methodology for fines. However, the German data protection conference (Datenschutzkonferenz – "DSK") published a concept for the calculation of fines even before the respective EDPB proposal in 2022. This DSK concept no longer appears to be applied in practice, given the EDPB concept and earlier court rulings that questioned it.

Can public authorities be fined in Germany? If yes: Where does this money go?

No fines will be imposed on public authorities and other public bodies (section 43 (3) German Federal Data Protection Act (Bundesdatenschutzgesetz – "BDSG")). However, there are a few exceptions, e.g. to the extent public bodies compete in the market as public-sector companies. Also, individual employees of public authorities may be fined in cases where they violate data protection laws while acting in their private capacity.

Does the authority publish information on individual fine cases (website/annual report)? Are companies identifiable?

There is no comprehensive publication of fines. Data protection authorities are not required to publish every fine. Notable fines are often published in press releases and activity reports. Fined entities are usually not anonymised in the press releases.

If no individual publication: aggregated figures? Provide annual figures from 2019 onwards (if available).

The respective data protection authorities of the federal states generally publish the number and total amount of fines imposed in their annual reports.

Other legal consequences of non-compliance in Germany

Does Germany have model declaratory proceedings/class actions in data protection law?

The German legal system has different collective redress mechanisms:

  • Model declaratory action (Musterfeststellungsklage)
  • Collective action for redress (Abhilfeklage)
  • Action for injunction (Unterlassungsklage)

In 2023, the German Bundestag passed the Act implementing the EU Representative Actions Directive (Verbandsklagenrichtlinieumsetzungsgesetz – "VRUG"). This law not only introduced the Consumer Rights Enforcement Act (Verbraucherrechtedurchsetzungsgesetz – "VDuG") but also significantly expanded the options for collective consumer redress in Germany. Previously, the model declaratory action, introduced in 2018, allowed consumer organisations to clarify legal questions affecting a group of consumers. The VRUG now complements this with the collective action for redress, which empowers these organisations to directly seek compensation for consumers within the VDuG framework.

The model declaratory action allows qualified entities, like consumer organisations, to file lawsuits on behalf of groups of consumers. While it does not award individual damages, it obtains a declaratory judgment on common legal issues. This judgment simplifies the enforcement of individual claims for consumers who join the proceedings. The provisions for this action are set out in section 41 VDuG.

The collective action for redress allows consumer organisations to take legal action against companies on behalf of groups of consumers (at least 50) who have suffered harm in similar ways and to claim remedies such as compensation for damages. This is a significant change for Germany as it strengthens consumer rights and allows for more efficient resolution of disputes.

The German Law on Injunctions for Consumer Rights and Other Violations (Unterlassungsklagengesetz – "UKlaG") allows for class actions under very limited circumstances in cases of infringement of consumer rights. According to section 2 UKlaG, in relation to data protection rights, "consumer rights" include provisions setting out under which circumstances consumers' personal data may be collected or processed for the purposes of advertising, market or opinion research, the operation of a credit agency, profiling, data trading or for comparable commercial purposes. However, any such claims are limited to injunctive relief and elimination of the violation (no claim for damages). As with model declaratory proceedings and the collective action for redress, only certain entities may pursue such class actions.

What is more relevant: fines from authorities or court proceedings (damages/injunctions)? Outlook for the coming 12 months?

As of now, fines issued by data protection authorities appear to be more relevant than private litigation regarding data protection infringements. This is most likely due to high litigation costs paired with low damages awarded. However, the introduction of the new collective action for redress could lead to an increase in private legal disputes in the near future. Additionally, we have observed an increase in the enforcement of data subjects' rights, which is likely to result in more litigation. Please refer to CMS Germany’s list of GDPR damage cases in Germany for further information (in German).
