German Company FormationDüsseldorf, Germany

HomeGuidesStarting an Online Business in Germany: Legal Requirements, Benefits and Strategies

Business Guide

Starting an Online Business in Germany: Legal Requirements, Benefits and Strategies

Legal guide to starting an online business in Germany covering Impressumspflicht, DSGVO, TTDSG, Widerrufsrecht, VAT OSS, VerpackG, and payment processing.

Stefan Keller
2026
8 min read

Impressumspflicht: Mandatory Legal Notice for German Websites

Every commercial German website must display an Impressum (legal notice) under §5 TMG. It must be accessible within two clicks from any page and include the operator's full name, postal address, email, phone, and — for GmbHs — the Handelsregisternummer and Geschäftsführer. Non-compliance triggers Abmahnungen (formal cease-and-desist letters) from competitors — a widespread enforcement mechanism in Germany. Abmahnung damages typically reach €1,000–€2,500 per violation plus legal fees.

  • §5 TMG: Impressum mandatory for all commercial German websites
  • Must be reachable within two clicks from any page — typically footer link
  • Required fields: name, address, email, phone, VAT ID, company register number
  • GmbH: must also list Handelsregisternummer, Registergericht, and Geschäftsführer
  • Missing Impressum: Abmahnung risk with damages €1,000–€2,500 per violation

warning

DSGVO Cookie Consent: TTDSG §25 and TCF 2.2

Cookie consent in Germany is governed by §25 TTDSG, implementing the EU ePrivacy Directive. Non-essential cookies (analytics, advertising, social plugins) require active opt-in before setting. Pre-ticked boxes and consent via vague language are non-compliant under the BGH Planet49 ruling (2019). The IAB Transparency and Consent Framework (TCF 2.2) is the standard for programmatic advertising consent. German data protection authorities (DSBs) actively audit and fine non-compliant cookie implementations.

  • §25 TTDSG: opt-in required for all non-essential cookies — no pre-ticked boxes
  • BGH Planet49 (2019): explicit, active consent required — confirmed by German courts
  • TCF 2.2: IAB standard for advertising consent — required for Google AdSense / DFP
  • CMPs: OneTrust, Cookiebot, Usercentrics — widely used in Germany
  • DSB fines for non-compliant cookie banners: up to €50,000 per violation

Datenschutzerklärung: Privacy Policy Under GDPR Art. 13

Every German online business must publish a Datenschutzerklärung satisfying Art. 13 GDPR. It must disclose the legal basis for each processing activity, categories of data collected, retention periods, third-party recipients, and data subject rights (access, erasure, portability). Generic templates carry high risk — policies must reflect actual data flows. A Datenschutzbeauftragter (Data Protection Officer) is mandatory under Art. 37 GDPR for businesses processing sensitive data at scale or with 20+ employees in systematic data processing.

  • Art. 13 GDPR: privacy policy must state legal basis, retention periods, third parties
  • Must list every tool used: Google Analytics, Meta Pixel, HubSpot, etc.
  • Data subject rights: access (Art. 15), erasure (Art. 17), portability (Art. 20)
  • Datenschutzbeauftragter required for systematic large-scale processing (Art. 37)
  • GDPR penalties: up to €20 million or 4% of global annual turnover

Widerrufsrecht: 14-Day Return Right for B2C Online Sales

German B2C e-commerce is subject to the Widerrufsrecht (right of withdrawal) under §312g BGB. Consumers have 14 days to withdraw from any distance purchase without giving a reason. The period starts when goods are received or withdrawal instructions are communicated. Merchants must provide the statutory Muster-Widerrufsformular — failure extends the period to 12 months and 14 days. Return shipping costs can be passed to the consumer by a clear contractual provision under §357(6) BGB.

  • §312g BGB: 14-day withdrawal right for all B2C distance purchases
  • Period starts: goods delivery or, for services, conclusion of contract
  • Muster-Widerrufsformular required — omission extends period to 12 months + 14 days
  • Return shipping: can be passed to consumer under §357(6) BGB if stated in T&Cs
  • Exceptions: custom-made goods, opened sealed software, perishables, hygiene items

Payment Processing: No ZAG Licence for Merchants

German online merchants using PSPs (Payment Service Providers) such as Stripe, PayPal, Klarna, or Mollie do not require their own ZAG licence. The PSP holds the BaFin-supervised payment institution licence; the merchant simply integrates the checkout. Merchants must ensure: clear pricing without hidden fees (§312a BGB), PSD2-compliant 3D Secure for card payments, and GDPR-compliant data sharing with processors. Stripe and PayPal are the most widely used PSPs for German online businesses.

  • ZAG licence not required — BaFin supervises the PSP, not the merchant
  • Popular PSPs in Germany: Stripe, PayPal, Klarna, Mollie, Heidelpay
  • PSD2 / SCA: 3D Secure 2.0 mandatory for card payments above €30
  • SEPA Direct Debit: popular for subscription billing — requires SEPA mandate
  • §312a BGB: no surcharge permitted for standard payment methods

VAT and the OSS Procedure for Cross-Border EU Sales

German online sellers must account for VAT in each EU buyer's country once EU-wide B2C turnover exceeds €10,000/year. The One Stop Shop (OSS) procedure via BZSt under §3a UStG allows all cross-border B2C VAT to be reported and paid in a single quarterly return filed in Germany — eliminating the need to register for VAT in each EU country. OSS registration is free. For digital services (SaaS, downloads), OSS is mandatory from the first euro regardless of turnover threshold.

  • EU distance selling threshold: €10,000/year — below this, German VAT applies
  • OSS registration at BZSt — free, online via BOP portal (bop.bzst.de)
  • OSS return: quarterly, per-country VAT rates applied to B2C sales
  • Digital services: no threshold — OSS required from first euro of EU sale
  • B2B sales: use reverse charge under Art. 196 EU VAT Directive — OSS not applicable

Verpackungsgesetz: LUCID Registration for Online Sellers

Every online seller who ships packaged goods to German consumers — including shipping materials (boxes, tape, bubble wrap) — must register in the LUCID packaging register under §9 VerpackG and contract with a dual system (e.g. Der Grüne Punkt, Landbell). Registration is free and mandatory before the first shipment. Operating without LUCID registration is an Ordnungswidrigkeit subject to fines up to €200,000 and a Verkaufsverbot issued by the ZSVR (Zentrale Stelle Verpackungsregister).

  • §9 VerpackG: LUCID registration mandatory before first shipment to German consumers
  • Applies to all packaging: product, outer cartons, and shipping materials
  • Dual system contracts: Der Grüne Punkt, Landbell, Interseroh — annual licence fees
  • Typical annual fees: €50–€500/year depending on packaging weight declared
  • ZSVR can issue Verkaufsverbot for non-registered sellers — actively enforced

warning

German E-Commerce Platform Options: Shopware and Others

Shopware, founded in Schöppingen in 2000, powers over 100,000 German online shops and leads the mid-market open-source segment. It includes native German tax logic, DSGVO-compliant consent tools, and Klarna/PayPal integrations out of the box. WooCommerce is the most common choice for small shops. Shopify requires additional plugins for full German legal compliance. Many German merchants use Trusted Shops or IT-Recht Kanzlei subscription services for legally maintained AGB (standard terms) and legal page content.

  • Shopware: German-built, open-source, 100,000+ shops, strong compliance toolkit
  • WooCommerce: widely used for small German shops — add German compliance plugins
  • Shopify: requires Shopify DE legal plugin and Trusted Shops for compliance
  • Trusted Shops / IT-Recht Kanzlei: subscription AGB and legal page maintenance
  • Shopware 6: cloud and self-hosted, REST API, native OSS VAT module

Domain Registration and DSGVO-Compliant Hosting

German .de domains are registered via DENIC and cost approximately €12/year through accredited registrars (IONOS, Strato, Hetzner). A .de domain strengthens local SEO and user trust. DSGVO-compliant hosting requires EU-located servers to avoid third-country transfer obligations under GDPR Art. 44–49. Popular compliant providers include Hetzner (Nuremberg/Falkenstein) and IONOS. US-hosted infrastructure requires Standard Contractual Clauses (SCCs) and a data processing agreement under Art. 28 GDPR.

  • DENIC .de domain: ~€12/year via IONOS, Strato, Namecheap, or Hetzner
  • Hetzner Cloud (Germany): DSGVO-compliant, cost-effective, popular in EU
  • IONOS / Strato: German-owned with full DSGVO data processing agreements
  • US-hosted: requires SCCs under GDPR Art. 46 and Art. 28 DPA
  • German servers: no third-country transfer — simplest DSGVO compliance path

Marketplace Liability Under §19 MStV

Online marketplaces in Germany are subject to §19 MStV disclosure obligations — they must identify each seller, provide illegal-content reporting mechanisms, and ensure seller traceability. The EU Digital Services Act (DSA), enforceable since February 2024, adds mandatory terms transparency, annual risk assessments for large platforms, and algorithmic recommendation disclosure. The Bundesnetzagentur serves as Germany's Digital Services Coordinator and leads DSA enforcement nationally.

  • §19 MStV: marketplaces must disclose seller identities and handle complaints
  • DSA mandatory from 17 Feb 2024 for all EU-active platforms
  • DSA requirements: terms transparency, illegal content reporting, algorithm disclosure
  • Bundesnetzagentur: Germany's Digital Services Coordinator (DSA enforcement)
  • Produkthaftungsgesetz: marketplace operator liable if seller is untraceable

Frequently Asked Questions

Is an Impressum legally required for German websites?

§5 TMG requires every commercial German website to have an Impressum within two clicks. It must include name, address, email, phone, and for companies the Handelsregisternummer and Geschäftsführer. Missing Impressum triggers Abmahnungen — damages €1,000–€2,500 plus costs.

Does Germany require cookie consent opt-in?

Yes. §25 TTDSG requires active opt-in before setting non-essential cookies. Pre-ticked boxes and implied consent are non-compliant under the BGH Planet49 ruling (2019). A compliant CMP (Usercentrics, Cookiebot, or OneTrust) is required for any site using analytics or advertising cookies.

What is the Widerrufsrecht for online shoppers?

§312g BGB grants B2C consumers a 14-day right to return any distance purchase without reason. Merchants must provide the Muster-Widerrufsformular — omitting it extends the return window to 12 months plus 14 days. Custom-made goods, opened software, and hygiene items are excepted.

Do I need a ZAG licence to accept online payments in Germany?

No. Merchants using licensed PSPs (Stripe, PayPal, Klarna, Mollie) do not need a BaFin licence under ZAG. The PSP holds the authorisation. Merchants must ensure PSD2 3D Secure 2.0 is active for card transactions above €30 and comply with GDPR data-sharing rules.

What is the OSS VAT procedure for German e-commerce?

OSS (One Stop Shop) lets German sellers report and pay all EU B2C VAT via one quarterly return with BZSt. Required when EU-wide B2C turnover exceeds €10,000/year. Digital services have no threshold. Registration is free at bop.bzst.de. B2B sales use reverse charge instead.

What is LUCID and who must register?

LUCID is Germany's packaging register (VerpackG §9). Every seller shipping packaged goods to German consumers must register and contract with a dual system (Grüner Punkt, Landbell) before first shipment. Non-registration: fines up to €200,000 and a sales ban. Free at lucid.verpackungsregister.org.

What e-commerce platform should I use for a German online shop?

Shopware is the leading German-built platform (100,000+ shops) with native tax logic, DSGVO tools, and OSS VAT support. WooCommerce suits small shops with compliance plugins. Shopify requires the DE legal plugin and Trusted Shops integration to meet German legal requirements.

Does my German website need a GDPR privacy policy?

Yes. Art. 13 GDPR requires a Datenschutzerklärung covering legal basis, data categories, retention periods, third-party recipients, and data subject rights for every tool used. Generic templates are high-risk — the policy must reflect actual data flows including all analytics and CRM tools.

Should I use German hosting for DSGVO compliance?

German or EU-based hosting (Hetzner, IONOS) avoids third-country transfer obligations under GDPR Art. 44–49. US hosting (AWS, GCP) is permitted but requires Standard Contractual Clauses and an Art. 28 data processing agreement, adding compliance overhead.

How much does a .de domain cost?

Approximately €12/year via DENIC-accredited registrars (IONOS, Strato, Hetzner). The .de extension is preferred by German consumers and improves local SEO trust signals in Google.de results. DENIC, not ICANN, administers the .de namespace.

What are the DSA obligations for German online marketplaces?

The EU Digital Services Act (enforceable from 17 Feb 2024) requires marketplaces to identify sellers, provide illegal-content reporting, disclose algorithms, and conduct annual risk assessments. The Bundesnetzagentur is Germany's DSA enforcement authority.

Can I sell digital products without German VAT registration?

Below €10,000 EU-wide B2C turnover, German VAT applies to all EU sales. Above this, OSS registration is required. Digital services have no threshold — OSS applies from the first euro for German-based sellers. B2B sales use reverse charge; no OSS needed.

What is an Abmahnung and how can I avoid one?

An Abmahnung is a formal cease-and-desist demanding correction of a legal violation — missing Impressum, non-compliant AGB, or cookie consent issues. It demands an Unterlassungserklärung plus €500–€2,500 reimbursement. IT-Recht Kanzlei or Trusted Shops subscriptions prevent the most common triggers.

Do I need standard terms (AGB) for my German online shop?

AGB are not mandatory but practically essential — without them, statutory rules on liability and returns apply, often unfavourably. AGB must comply with §305 BGB and include the Widerrufsbelehrung. Trusted Shops and IT-Recht Kanzlei offer subscription-based AGB maintenance.

What is the Verpackungsgesetz dual system licence fee?

Annual fees depend on declared packaging weight and material. Small sellers typically pay €50–€200/year to operators like Der Grüne Punkt or Landbell. Underdeclaration is an administrative offence — accurate annual tonnage reports are mandatory under §7 VerpackG.

Need professional help?

Licensed German Rechtsanwälte in Düsseldorf since 2007.

Free Consultation
+49 176 26888856info@germancompanyformation.com

Work with the firm that knows Germany.

Licensed Rechtsanwälte and Steuerberater in Düsseldorf. Free 30-minute consultation, no commitment.

Book Free Consultation