Legal Framework: GDPR + BDSG
Germany enforces EU data protection law through two overlapping instruments. The GDPR (Datenschutz-Grundverordnung, DSGVO) is directly applicable EU law providing the baseline framework. The BDSG (Bundesdatenschutzgesetz 2018) is the German national implementation act that fills in GDPR opening clauses and adds German-specific provisions.
- GDPR/DSGVO: directly applicable in all EU member states since 25 May 2018
- BDSG 2018: German implementation; adjusts GDPR opening clauses for employment, health, and public interest processing
- 16 state (Länder) data protection acts apply to state and municipal authorities
- Supervisory authorities: each Bundesland has an independent DPA (Landesdatenschutzbehörde) for companies established there; the federal BfDI (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit) supervises federal public bodies as well as telecommunications and postal service providers
- Penalties: up to €20M or 4% of global annual turnover under GDPR Article 83(5)
When a Data Protection Officer (DSB) Is Mandatory
Germany has one of the strictest DPO thresholds in the EU. Under BDSG §38 (implementing GDPR Art. 37), a data protection officer (Datenschutzbeauftragter, DSB) is mandatory when:
| Trigger | Threshold | Legal Basis |
|---|---|---|
| Automated processing of personal data | At least 20 persons regularly engaged in it (head count, not employees) | BDSG §38(1) sentence 1 |
| Processing subject to a DPIA (GDPR Art. 35), commercial processing for transfer or anonymised transfer, or for market or opinion research | Regardless of the number of persons | BDSG §38(1) sentence 2 |
| Core activity is regular and systematic monitoring of data subjects | Core activity, on a large scale | GDPR Art. 37(1)(b) |
| Core activity is processing of special-category data (Art. 9) or criminal-conviction data (Art. 10) | Core activity, on a large scale | GDPR Art. 37(1)(c) |
| Public authority or body (except courts acting in their judicial capacity) | Always mandatory | GDPR Art. 37(1)(a) |
The BDSG §38 threshold is 20 persons; the figure of 10 that still circulates is the pre-2019 threshold, raised by the second EU data protection adaptation act in 2019. It is a head count of persons regularly engaged in automated processing of personal data, not a count of employees or full-time equivalents: part-time staff, trainees, contractors and freelancers who regularly work with personal data all count. A startup with 8 employees and 25 contractors who regularly access user data exceeds the threshold. Below 20 persons a DSB is still required where the processing needs a DPIA under Art. 35, or where the company commercially processes personal data for transfer, anonymised transfer, or market or opinion research (BDSG §38(1) sentence 2). The duty can be met with an external DSB; in either case the DSB's contact details must be published and reported to the supervisory authority (GDPR Art. 37(7)).
Breach Notification — 72-Hour Rule
Under GDPR Article 33, a personal data breach must be reported to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after the controller becomes aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The 72-hour clock starts when the organisation becomes aware, that is, once it has a reasonable degree of certainty that a security incident has compromised personal data, not when the investigation is complete. A notification made after 72 hours must state the reasons for the delay, and the required information may be provided in phases (Art. 33(4)) if it is not all available at once.
- Notification to supervisory authority: within 72 hours of awareness (GDPR Art. 33)
- Notification to affected individuals: without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34); not required if the data was rendered unintelligible, e.g. by encryption with a key that was not compromised (Art. 34(3)(a))
- Breach records: every breach, including those not notified, must be documented internally with its facts, effects and remedial action under GDPR Art. 33(5), so the supervisory authority can verify compliance
- Processor obligations: processors must notify the controller without undue delay (Art. 33(2))
- Key German DPAs: BayLDA (Bavaria), LfDI Baden-Württemberg, LDA Brandenburg, LDI NRW, HmbBfDI (Hamburg)
EU AI Act and Future Compliance Obligations
The EU AI Act entered into force on 1 August 2024 with a phased implementation timeline. German companies that provide or deploy AI systems in the high-risk categories of Annex III face the corresponding obligations from 2 August 2026 (high-risk systems embedded in Annex I regulated products from 2 August 2027).
- EU AI Act: applies to AI systems placed on market or put into service in EU
- High-risk AI systems (Annex III): e.g. HR screening and recruitment, creditworthiness assessment, biometric identification, critical infrastructure; providers must run a full conformity assessment and deployers must operate the system as instructed, keep logs and ensure human oversight
- Prohibited AI practices: banned from 2 February 2025 (social scoring, manipulative techniques, and real-time remote biometric identification in publicly accessible spaces for law enforcement, subject to narrow exceptions)
- General-purpose AI models: technical documentation, transparency and copyright obligations from 2 August 2025
- Penalties: up to €35M or 7% of global annual turnover for prohibited practices
GDPR Compliance for German Businesses
- Appoint a DSB (if required): mandatory from day one if at least 20 persons are regularly engaged in automated processing of personal data, or if another BDSG §38 or GDPR Art. 37 trigger applies
- Map your data flows: create Records of Processing Activities (ROPA) under Art. 30 GDPR
- Implement TOMs: technical and organisational security measures under Art. 32 GDPR (encryption, access controls, logging, backup and recovery, regular testing)
- Publish a privacy policy: website Datenschutzerklärung plus genuine opt-in consent for non-essential cookies and tracking
- Set up breach response: a documented process that can assess a breach and reach the competent supervisory authority (LDA/LfDI) within 72 hours of awareness for notifiable breaches
Frequently Asked Questions
Does GDPR apply to all German companies?
Yes. The GDPR applies to every organisation established in Germany, regardless of size, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in Germany (Art. 3). Smaller companies have lighter documentation obligations, such as the limited Art. 30(5) exemption from the RoPA for companies with fewer than 250 employees, but the core principles, data subject rights and security duties apply universally.
When is a data protection officer (DSB) mandatory in Germany?
Under BDSG §38(1), a DSB is mandatory when at least 20 persons are regularly engaged in automated processing of personal data. The threshold is a head count of persons with regular access, so employees, contractors and freelancers all count, not just employees. Independently of head count, a DSB is required if the company carries out processing subject to a DPIA, or commercially processes personal data for transfer, anonymised transfer, or market or opinion research (BDSG §38(1) sentence 2), and under GDPR Art. 37(1) for public bodies and for controllers whose core activities involve large-scale regular and systematic monitoring or large-scale processing of special-category or criminal-conviction data.
What is the deadline for reporting a data breach in Germany?
Under GDPR Article 33, a personal data breach must be reported to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; a later notification must explain the delay. No notification is needed if the breach is unlikely to result in a risk to the rights and freedoms of natural persons, but every breach must still be documented internally (Art. 33(5)). The 72-hour clock starts when the organisation becomes aware, not when the investigation is complete. Affected individuals must be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Art. 34).
What are the GDPR fines for German companies?
GDPR fines can reach €20 million or 4% of global annual turnover, whichever is higher, for the most serious violations under Article 83(5). German supervisory authorities have issued significant fines: the Hamburg DPA fined a fashion retailer €35.3 million in 2020 for unlawfully recording and using details of employees' private lives, and the LfDI Baden-Württemberg fined a health insurer €1.24 million in 2020 for using customer data for advertising without valid consent.
Does the EU AI Act apply to German companies in 2026?
Yes. The EU AI Act entered into force on 1 August 2024. Prohibited AI practices (social scoring, manipulative techniques, real-time remote biometric identification in public spaces for law enforcement subject to narrow exceptions) have been banned since 2 February 2025. Obligations for high-risk AI systems listed in Annex III apply from 2 August 2026, and for high-risk systems embedded in Annex I regulated products from 2 August 2027. German companies providing or deploying AI in HR, credit scoring, or critical infrastructure should classify their systems and assess their obligations now.
Which German supervisory authority (DPA) is responsible for my company?
Germany has 16 state-level data protection authorities (Landesdatenschutzbehörden) plus the federal BfDI, which is competent for federal public bodies and for telecommunications and postal companies. For private companies, competence follows the state in which the company (or its main establishment) is located: for example, LfDI Baden-Württemberg for Stuttgart companies, the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) for private-sector companies in Bavaria (the BayLfD supervises Bavarian public bodies), and the HmbBfDI for companies whose German headquarters is in Hamburg. For processing that crosses EU borders, the authority of the main establishment acts as lead supervisory authority under the one-stop-shop mechanism (Art. 56).
What is a data processing agreement (DPA) and when is it required in Germany?
An Auftragsverarbeitungsvertrag (AVV), the German term for a data processing agreement (also abbreviated DPA, not to be confused with a data protection authority), is required under GDPR Article 28 whenever you engage a processor that handles personal data on your behalf. This includes cloud providers (AWS, Google Cloud, Microsoft Azure), payroll processors, email marketing tools, CRM vendors, and recruitment software. Most large providers offer a standard AVV within their service terms; the controller must check that it contains the content mandated by Art. 28(3): processing only on documented instructions, confidentiality obligations, Art. 32 security measures, prior approval of sub-processors, assistance with data subject requests and breach notification, deletion or return of the data at the end of the contract, and audit rights. The AVV must be in writing, including electronic form, before processing begins, and any transfer outside the EU/EEA additionally needs a Chapter V transfer mechanism such as the standard contractual clauses or the EU-US Data Privacy Framework.
What is the Beschäftigtendatenschutz and what does it require?
Beschäftigtendatenschutz (employee data protection) is addressed by BDSG §26, which allows employers to process employee data only where necessary for the employment relationship. Since the CJEU's 2023 judgment on the parallel Hessian provision (C-34/21), §26(1) BDSG is widely read as no longer a self-standing legal basis, so employers should ground processing directly in GDPR Art. 6 (typically Art. 6(1)(b) or (f)); the necessity test is unchanged in practice. It covers recruitment data, payroll, time recording, and performance data. Covert monitoring is permitted only under narrow conditions, such as a documented concrete suspicion of a criminal offence and a proportionate measure (BDSG §26(1) sentence 2); general covert surveillance of staff is unlawful. Works councils (Betriebsrat) have co-determination rights over technical systems capable of monitoring employee behaviour or performance under BetrVG §87(1) No. 6, which covers most logging, monitoring and analytics tooling.
Does Germany require cookie consent banners?
Yes. §25 of the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG), the renamed TTDSG since May 2024, requires prior informed consent before information is stored on or read from a user's device unless that is strictly necessary to provide a service the user has requested; this covers cookies, local storage, fingerprinting scripts and tracking pixels alike. Following the CJEU's Planet49 judgment, the Federal Court of Justice (BGH) held in 2020 that pre-ticked boxes and implied consent by continued browsing are invalid, and supervisory authorities such as ULD Schleswig-Holstein enforce the same line. In practice this means a consent management platform (CMP) with a genuine opt-in: nothing non-essential is set or loaded before the user actively agrees, refusing must be as easy as accepting, and consent must be as easy to withdraw as to give (GDPR Art. 7(3)).
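The part of this rule that is most often implemented wrongly is the ordering: tags fire first and the banner asks afterwards. The following is an added example, not code from the original page or from any CMP vendor, showing consent-gated loading with a default of "nothing allowed", explicit-only parsing of the stored record, one-call withdrawal, and activation of scripts that are embedded inert and only turned live after opt-in. The storage key, the category names and the `data-consent`/`data-src` attribute convention are this example's own assumptions.

```javascript
// Added example: consent-gated loading of non-essential scripts.
// Assumed names (not from the page): CONSENT_KEY, the category list,
// and the data-consent / data-src attribute convention.
const CONSENT_KEY = "cookie_consent_v1";
const CATEGORIES = ["analytics", "marketing"]; // non-essential categories

// Default state: no decision, nothing non-essential allowed (no pre-ticked boxes).
function defaultConsent() {
  return { version: 1, decided: false, granted: {}, at: null };
}

// Parse a stored record defensively. Only an explicit boolean `true` per
// category counts as consent; anything malformed or foreign degrades to
// "no consent" rather than to "allowed".
function parseConsent(raw) {
  if (!raw) return defaultConsent();
  try {
    const rec = JSON.parse(raw);
    if (!rec || rec.version !== 1 || typeof rec.granted !== "object" || rec.granted === null) {
      return defaultConsent();
    }
    const granted = {};
    for (const c of CATEGORIES) granted[c] = rec.granted[c] === true;
    return { version: 1, decided: rec.decided === true, granted, at: rec.at ?? null };
  } catch {
    return defaultConsent();
  }
}

// Record an explicit user choice. `choices` lists only the categories the
// user actively ticked; everything else is recorded as refused.
function recordChoice(choices, now = Date.now()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices.includes(c);
  return { version: 1, decided: true, granted, at: now };
}

// Withdrawal must be as easy as granting (Art. 7(3)): one call refuses all.
function withdrawAll(now = Date.now()) {
  return recordChoice([], now);
}

function isAllowed(consent, category) {
  return consent.decided === true && consent.granted[category] === true;
}

// Decide which deferred scripts may run. Scripts are {category, src}
// descriptors; "essential" ones need no consent (strictly necessary).
function scriptsToActivate(consent, scripts) {
  return scripts.filter(s => s.category === "essential" || isAllowed(consent, s.category));
}

// Browser glue. Deferred scripts are embedded inert as
//   <script type="text/plain" data-consent="analytics" data-src="https://..."></script>
// so the browser never fetches them; after opt-in they are swapped for real
// <script> elements. Returns the number of scripts activated.
function activateInDocument(consent, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!isAllowed(consent, el.dataset.consent)) continue;
    const live = doc.createElement("script");
    live.src = el.dataset.src;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}

// Typical page flow: read the stored record, activate what is already
// consented, and otherwise show the banner (banner UI not shown here).
function bootstrap(storage = typeof localStorage !== "undefined" ? localStorage : null) {
  const consent = parseConsent(storage ? storage.getItem(CONSENT_KEY) : null);
  activateInDocument(consent);
  return consent;
}
```

The banner handler calls `recordChoice` with the ticked categories, persists `JSON.stringify(...)` under `CONSENT_KEY`, and then calls `activateInDocument`; a "withdraw" link calls `withdrawAll`, persists it, and reloads so nothing already running keeps its access. Because the deferred tags carry `type="text/plain"`, a bug in the banner fails closed: the scripts stay inert rather than firing before consent.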
What are the record-keeping obligations under GDPR for a German GmbH?
Under GDPR Article 30, any company with 250 or more employees must maintain a Verzeichnis von Verarbeitungstätigkeiten (Records of Processing Activities, RoPA). Companies with fewer than 250 employees must also maintain one if processing is not occasional, involves special-category or criminal-conviction data, or is likely to result in a risk to data subjects (Art. 30(5)); because almost every company processes employee and customer data on an ongoing basis, the exemption rarely applies in practice. For each processing activity the RoPA must list the controller's and DSB's contact details, the purposes, the categories of data subjects and of personal data, the recipients, any third-country transfers and their safeguards, the envisaged retention periods, and a general description of the technical and organisational measures. The RoPA must be kept in writing, including electronic form, and produced to the supervisory authority on request.
Need professional help?
Goldblum und Partner AG — licensed German Rechtsanwälte in Düsseldorf since 2007.
Licensed Rechtsanwälte and Steuerberater in Düsseldorf; a free 30-minute consultation is offered without commitment.