
Data Protection in Germany — GDPR, BDSG, and DSGVO Compliance Guide

Germany enforces the GDPR via the BDSG. A DSB is mandatory when 20+ persons process data. 72-hour breach notification, Art. 30 records, SCCs for international transfers, fines up to €20M or 4% of turnover.

2026

Legal Framework: DSGVO + BDSG 2018

Germany's data protection framework rests on two overlapping instruments. The EU General Data Protection Regulation (DSGVO) has been directly applicable since 25 May 2018. The Bundesdatenschutzgesetz (BDSG 2018) implements the GDPR's national opening clauses and adds German-specific rules for employment data, health, journalism, and research. Private-sector supervisory authority is exercised by the Landesdatenschutzbehörde (LfDI/LDA/BayLDA) of the Bundesland where the company is established. The federal BfDI supervises federal agencies and certain telecoms — not most private businesses. Fines reach €20M or 4% of global annual turnover under DSGVO Art. 83(5).

  • DSGVO: directly applicable EU law since 25 May 2018 — all 99 articles in force
  • BDSG 2018: implements GDPR opening clauses; adds German employment and health data rules
  • Private-sector supervisory authority: 16 state DPAs (LfDI/LDA/BayLDA) by Bundesland of establishment
  • Federal BfDI: supervises federal agencies and telecoms under TKG — not private companies
  • Penalties: up to €20M or 4% of global turnover under DSGVO Art. 83(5)

Mandatory Data Protection Officer (Datenschutzbeauftragter, DSB)

Under BDSG §38(1), a Datenschutzbeauftragter (DSB) is mandatory when 20 or more persons are regularly involved in automated processing of personal data. This threshold counts all persons with regular access — employees, contractors, and on-site service providers. The DSB must be appointed in writing and the supervisory authority notified under DSGVO Art. 37(7). The DSB must have expert knowledge of data protection law (Art. 37(5)) and may be an internal employee or an external service provider. The DSB cannot be dismissed or penalised for performing their duties under Art. 38(3).

Trigger for mandatory DSB             | Threshold                      | Legal basis
--------------------------------------|--------------------------------|----------------------
Automated personal data processing    | ≥20 persons regularly involved | BDSG §38(1)
Large-scale special-category data     | Any scale                      | DSGVO Art. 37(1)(c)
DSFA/DPIA required                    | Any scale                      | DSGVO Art. 37(1)(c)
Public authority or body              | Always                         | DSGVO Art. 37(1)(a)
Systematic monitoring of individuals  | Any scale (large-scale)        | DSGVO Art. 37(1)(b)

The BDSG §38 threshold of 20 persons refers to persons involved in processing — not the company headcount. A 10-employee startup with 12 contractors regularly accessing customer databases exceeds the threshold and must appoint a DSB.

Records of Processing Activities — Verarbeitungsverzeichnis (Art. 30)

Under DSGVO Art. 30, controllers with ≥250 employees must maintain a Verzeichnis von Verarbeitungstätigkeiten (VVT). Importantly, smaller companies must also maintain a VVT if processing is not occasional, involves special-category data (Art. 9), or poses risks to data subjects — meaning almost all commercial companies are required to maintain one. The VVT must document for each processing activity: the controller's contact and DSB, purposes of processing, data categories, recipients, international transfers, retention periods, and technical and organisational security measures (TOMs). The VVT must be provided to the supervisory authority on request.

  • Mandatory for controllers with ≥250 employees under Art. 30(1)
  • Also required for smaller companies if processing is regular, involves special-category data, or poses risk (Art. 30(5))
  • Must document: purpose, data categories, recipients, retention periods, international transfer safeguards, TOMs
  • Processors must maintain a separate Art. 30(2) record covering all processing categories on behalf of controllers
  • VVT must be in writing (electronic acceptable) and updated whenever processing activities change

Data Breach Notification — 72-Hour Rule (DSGVO Art. 33)

Under DSGVO Art. 33, a personal data breach must be reported to the competent supervisory authority within 72 hours of the controller becoming aware of it. The clock starts the moment the controller first becomes aware — not when investigation is complete. The notification must contain: a description of the breach; categories and approximate number of affected data subjects and records; the DSB's contact details; likely consequences; and measures taken. Notification to individuals under Art. 34 is required if there is high risk to their rights and freedoms. All breaches must be documented internally under Art. 33(5) even if not notified externally.

  • 72-hour clock starts on awareness of breach — not on completion of investigation (Art. 33 DSGVO)
  • Individual notification (Art. 34): required if breach likely causes high risk to rights and freedoms
  • Internal breach register: all breaches must be documented under Art. 33(5) regardless of risk level
  • Processor obligation: notify controller without undue delay under Art. 33(2) — contractual SLA typically 24–48 h
  • Competent DPA: determined by Bundesland of establishment — e.g. LfDI BW for Stuttgart, BayLDA for Bavaria

Legal Bases for Processing — DSGVO Art. 6

Every processing activity must rest on a legal basis under DSGVO Art. 6. The choice of basis is not a free selection — it must correspond to the actual purpose. Consent (Art. 6(1)(a)) is frequently misused in the employment context: German courts (BAG) hold that employee consent is generally not freely given due to the power imbalance. Legitimate interests (Art. 6(1)(f)) is widely used by private companies for direct marketing and fraud prevention, subject to a documented balancing test. BDSG §26 provides a specific basis for processing employee data necessary for the employment relationship.

Legal basis            | Art. 6 ref.   | Key use cases
-----------------------|---------------|------------------------------------------------------------------------------
Consent                | Art. 6(1)(a)  | Marketing opt-ins, optional cookies — must be freely given, specific, unambiguous
Contractual necessity  | Art. 6(1)(b)  | Processing necessary to perform a contract with the data subject
Legal obligation       | Art. 6(1)(c)  | Tax reporting (AO), payroll (SGB), AML (GwG)
Vital interests        | Art. 6(1)(d)  | Medical emergencies — very narrow scope
Public task            | Art. 6(1)(e)  | Public authorities only
Legitimate interests   | Art. 6(1)(f)  | Fraud prevention, network security, direct marketing — requires balancing test

International Data Transfers — SCCs and EU-US Data Privacy Framework

Transferring personal data from Germany to countries outside the EEA requires a transfer mechanism under DSGVO Chapter V. Following the Schrems II judgment (CJEU, July 2020) which invalidated the EU-US Privacy Shield, Standard Contractual Clauses (SCCs — June 2021 edition) became the primary tool. The EU-US Data Privacy Framework (DPF) adequacy decision (July 2023) provides an alternative for transfers to DPF-certified US companies. SCCs must be accompanied by a Transfer Impact Assessment (TIA). Germany's DPAs have actively enforced US-transfer restrictions against Google Analytics and Facebook-based services.

  • SCCs (Standard Contractual Clauses): June 2021 EC decision — modular format for controller-controller and controller-processor
  • EU-US Data Privacy Framework: adequacy decision July 2023 — only for transfers to DPF-certified US organisations
  • Transfer Impact Assessment (TIA): required alongside SCCs to assess destination country law
  • Germany DPA enforcement: LfDI BW and BayLDA have ruled against Google Analytics on transfer grounds
  • Binding Corporate Rules (BCR): available for intra-group transfers within multinationals — lead DPA approval required

Cookie Consent and the TDDDG

Prior informed consent is required for non-essential cookies and tracking technologies under the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG, replacing TTDSG in 2024). The BGH Planet49 judgment (2020, confirming CJEU C-673/17) established that cookie consent must be a genuine opt-in — pre-ticked boxes, implied consent, and consent walls are invalid under German law. Strictly necessary cookies do not require consent. A properly implemented Consent Management Platform (CMP) with genuine two-tier opt-in is required. Consent records must be retained to demonstrate compliance under DSGVO Art. 7(1).

German DPAs and competitors actively enforce cookie consent rules. A non-compliant banner can result in DPA fines and, for commercial sites, an Abmahnung under UWG. Use a certified CMP (IAB TCF 2.2 or comparable) with genuine opt-in architecture — implied consent is invalid.

GDPR Fines — German DPA Enforcement

DSGVO Art. 83(5) provides fines up to €20 million or 4% of global annual turnover for violations of core principles, data subject rights, and international transfer rules. Art. 83(4) provides fines up to €10 million or 2% for processor obligations and breach notification violations. German DPAs have issued notable fines: H&M €35.3M (HmbBfDI, 2020) for covert employee monitoring; Deutsche Wohnen SE €14.5M (Berlin DPA, 2019) for unlawful retention of tenant data; Vodafone Germany €9.55M (BfDI, 2021) for inadequate technical security. In addition, Art. 82 entitles affected individuals to claim material and non-material damages.

  • Max fine under Art. 83(5): €20M or 4% of global annual turnover — for core principle violations
  • Max fine under Art. 83(4): €10M or 2% — for processor obligations and breach notification
  • H&M €35.3M (HmbBfDI, 2020): covert employee monitoring at Nuremberg site
  • Deutsche Wohnen €14.5M (Berlin DPA, 2019): tenant data retained in non-deletable archive
  • Individual damages: data subjects may claim material and non-material compensation under Art. 82 DSGVO

Employee Data Protection — Beschäftigtendatenschutz (BDSG §26)

Employee personal data may be processed under BDSG §26 only if necessary to establish, carry out, or terminate the employment relationship. Covert monitoring is generally prohibited; open monitoring (time-recording, CCTV, GPS) requires a legal basis under §26 and, where a Betriebsrat exists, a co-determination agreement under BetrVG §87(1) No.6. Employee consent is valid only if freely given — German courts are sceptical due to the inherent employment power imbalance (BAG 11.12.2014). Applicant data should be retained no longer than 6 months after rejection, in line with AGG §15(4) and DSGVO Art. 5(1)(e).

  • BDSG §26: legal basis for processing data necessary for the employment relationship
  • Employee consent: valid only if freely given — BAG scrutinises inherent power imbalance
  • Covert monitoring: prohibited — BetrVG §87 No.6 co-determination required for open monitoring systems
  • Time-recording: mandatory under ECJ Stechuhr ruling (C-55/18, 2019) — ArbZG amendment pending
  • Applicant data: retain maximum 6 months after rejection (AGG §15(4) limitation period)

Data Processing Agreements — Auftragsverarbeitungsvertrag (AVV)

A written Auftragsverarbeitungsvertrag (AVV) — also called a DPA — is required under DSGVO Art. 28 before any processor handles personal data on behalf of the controller. This includes cloud providers (AWS, Google Cloud, Azure), payroll services, email platforms, CRM systems, analytics tools, and recruitment software. The AVV must contain the mandatory clauses of Art. 28(3). The controller bears full liability under DSGVO Art. 82 if the processor processes without or outside the AVV. German DPAs have fined controllers for failing to have AVVs in place with major cloud providers.

  • AVV required under Art. 28 for every processor arrangement — cloud, SaaS, payroll, analytics, CRM, email
  • AVV must cover: subject matter, duration, nature and purpose of processing, Art. 28(3) mandatory clauses
  • Sub-processor authorisation: general written authorisation permissible if controller can object to specific sub-processors
  • Controller bears full Art. 82 liability if processor processes outside the AVV
  • DSFA/DPIA required under Art. 35 for high-risk processing — e.g. AI systems, biometrics, large-scale monitoring

Process Overview

GDPR Compliance for German Businesses

  1. Appoint DPO (if required) — Day 1: mandatory if 20 or more persons are regularly involved in automated processing of personal data
  2. Map Your Data Flows: create Records of Processing Activities (ROPA) under Art. 30 GDPR
  3. Implement TOMs: technical and organisational security measures (encryption, access controls)
  4. Publish Privacy Policy: website Datenschutzerklärung + cookie consent banner required
  5. Set Up Breach Response — 72-hour rule: 72-hour reporting to the supervisory authority (LDA/LfDI) for notifiable breaches

Frequently Asked Questions

Does the DSGVO apply to all German companies?

Yes. The DSGVO applies to all organisations established in Germany processing personal data, regardless of size. Companies with fewer than 250 employees have lighter VVT obligations under Art. 30(5), but core obligations — lawful basis, data subject rights, security, breach notification — apply universally from the first employee and first customer.

When is a Datenschutzbeauftragter (DSB) mandatory in Germany?

Under BDSG §38(1), a DSB is mandatory when 20 or more persons are regularly involved in automated processing of personal data. This counts all persons with regular access — employees, contractors, and on-site service providers — not just the headcount. It is also mandatory for organisations whose core activities involve large-scale special-category processing or systematic monitoring of individuals.

What is the 72-hour breach notification rule?

Under DSGVO Art. 33, a personal data breach must be notified to the competent Landesdatenschutzbehörde within 72 hours of the controller first becoming aware of it. The notification must describe the breach, affected data categories, approximate number of data subjects, likely consequences, and remedial measures. All breaches — including low-risk ones not requiring individual notification — must be documented internally under Art. 33(5).

Which German DPA is responsible for my company?

The competent supervisory authority is the Landesdatenschutzbehörde of the Bundesland where your company has its main German establishment: e.g. LfDI Baden-Württemberg for Stuttgart, BayLDA for Bavaria, HmbBfDI for Hamburg. The federal BfDI supervises federal public authorities and certain telecoms providers — not private-sector companies.

What is the Verarbeitungsverzeichnis and who must maintain one?

The Verarbeitungsverzeichnis (VVT) is the Records of Processing Activities required under DSGVO Art. 30. Controllers with ≥250 employees must always maintain one. Smaller controllers must also do so if processing is regular, involves special-category data, or poses risks. In practice, nearly every commercial company must maintain a VVT covering purposes, data categories, recipients, retention periods, transfer safeguards, and TOMs.

What is required for valid cookie consent in Germany?

Under TDDDG and DSGVO Art. 7, cookie consent must be freely given, specific, informed, and an unambiguous opt-in. Pre-ticked boxes, implied consent, and consent walls are invalid under German law (BGH Planet49, 2020). Strictly necessary cookies do not require consent. A certified CMP with genuine opt-in architecture is required for all non-essential tracking and analytics.

What are the maximum GDPR fines in Germany?

Under DSGVO Art. 83(5), the most serious violations carry fines up to €20M or 4% of global annual turnover. German DPAs have used these powers: H&M €35.3M for covert employee monitoring (HmbBfDI, 2020); Deutsche Wohnen €14.5M for unlawful data retention (Berlin DPA, 2019). Data subjects may additionally claim damages under Art. 82.

What mechanism is needed to transfer personal data to the USA?

The main options are Standard Contractual Clauses (SCCs, June 2021 version) accompanied by a Transfer Impact Assessment, or the EU-US Data Privacy Framework for transfers to DPF-certified US companies (adequacy decision July 2023). The old Privacy Shield is invalid. German DPAs have been particularly active enforcing US-transfer restrictions against Google Analytics and Meta-based services.

What is an Auftragsverarbeitungsvertrag (AVV) and when is it required?

An AVV (DSGVO Art. 28 data processing agreement) is required before any external processor accesses personal data on the controller's behalf — cloud providers, payroll services, email platforms, CRM systems, analytics tools, and recruitment software. The AVV must contain the mandatory Art. 28(3) clauses. Processing without an AVV is itself a DSGVO violation subject to fines.

What are the rules on processing employee data under BDSG §26?

BDSG §26 permits processing employee data only where necessary for the employment relationship. Covert monitoring is prohibited. Open monitoring (time-recording, CCTV, GPS on company vehicles) requires a §26 legal basis and — where a Betriebsrat exists — a Betriebsvereinbarung under BetrVG §87(1) No.6. Employee consent is valid only if freely given; German courts are sceptical given the inherent power imbalance.

Is a Data Protection Impact Assessment (DSFA) required?

Under DSGVO Art. 35, a DSFA is mandatory before high-risk processing — including systematic profiling, large-scale special-category data, and systematic monitoring of public areas. German DPAs publish mandatory DSFA lists. If residual risk remains high after the assessment, prior consultation with the supervisory authority under Art. 36 is required before processing commences.

How does the EU AI Act interact with DSGVO compliance for German companies?

The EU AI Act (in force 1 August 2024) adds separate obligations for AI deployers. High-risk AI systems in HR, credit scoring, and critical infrastructure require conformity assessments and registration in the EU AI database from August 2026. German companies must also conduct a DSFA under DSGVO Art. 22 for automated decision-making systems that significantly affect individuals.

How long must personal data be retained under DSGVO?

DSGVO Art. 5(1)(e) requires data to be kept no longer than necessary. German law adds specifics: payroll and accounting records 10 years (AO §147); business correspondence 6 years (HGB §257); applicant data generally no more than 6 months after rejection (AGG §15(4) limitation period). All retention decisions must be documented in the VVT with a legal justification.

Can a German GmbH appoint an external DSB?

Yes. DSGVO Art. 37(6) expressly permits appointment of an external Datenschutzbeauftragter — typically a specialist law firm or consultancy. The external DSB fulfils all DPO obligations. They must be formally appointed in writing, notified to the supervisory authority, and accessible to employees and data subjects. External DSBs are common among SMEs as they combine expertise with cost efficiency.
