
Germany
Data Protection
Introduction
German data protection law is primarily governed by the European Union’s General Data Protection Regulation (GDPR). Applicable since 25 May 2018, the GDPR establishes a uniform framework for the processing of personal data throughout the EU and ensures consistent protection for natural persons.
Where permitted by opening clauses, the GDPR is implemented and supplemented by the German Federal Data Protection Act (Bundesdatenschutzgesetz (BDSG)) — which became applicable on the same day as the GDPR — and sector-specific local laws.
1. What national laws regulate the collection, use and disclosure of personal data?
The legal framework for data protection in Germany consists of EU and local laws that establish comprehensive rules for the handling of personal data:
- The GDPR forms the core of data protection law across the EU, harmonising rules for the processing of personal data and granting extensive rights to individuals.
- The BDSG supplements the GDPR by utilising its opening clauses to provide national-specific provisions. It regulates areas such as employee data protection and the powers of supervisory authorities, ensuring the application of GDPR aligns with German legal and administrative structures.
- The sector-specific Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG)) governs the processing of personal data in telecommunications and online services, addressing issues such as consent for cookies and electronic communications.
- Each of Germany’s 16 federal states has its own data protection laws (Landesdatenschutzgesetz (LDSG)), which apply to state-level authorities and public bodies. These laws align with the GDPR but reflect regional administrative requirements.
- In addition, there are sector-specific data protection laws and regulations, for example for social service providers and hospitals.
Together, these laws create a robust and multi-layered data protection framework, ensuring compliance with EU standards while addressing national and sector-specific needs.
2. To whom do the laws apply?
The GDPR primarily addresses (joint or independent) controllers and processors.
“Controller” is a body (natural or legal person, public authority, agency, etc.) that determines the purposes and (essential) means of processing personal data — either alone or jointly with others (Article 4(7) GDPR). “Joint controllers” must define their respective responsibilities in an agreement, the substance of which shall be made transparent (Article 26(2) GDPR).
“Processor” is a body that “processes personal data on behalf of the controller” (Article 4(8) GDPR) and must therefore follow the controller’s instructions.
However, the GDPR does not apply where the data processing is carried out by a natural person “in the course of a purely personal or household activity” (Article 2(2)(c) GDPR, “household exemption”).
3. What is the territorial scope of the law?
The GDPR applies to the processing of personal data by controllers or processors:
- established in the EU, regardless of whether the processing takes place in the EU or not (Article 3(1) GDPR);
- located outside the EU when offering goods or services to data subjects in the EU (Article 3(2)(a) GDPR); and
- engaged in monitoring the behaviour of EU data subjects within the EU (Article 3(2)(b) GDPR).
“Establishment” refers to the effective and real exercise of an activity through stable arrangements, irrespective of the legal form (e.g., branch, subsidiary). “Monitoring” includes activities such as internet tracking and profiling for the purpose of decision-making or predictive analysis.
4. What acts and operations relating to personal data are regulated?
The GDPR applies to the (partially) automated or non-automated processing of personal data that is (or is intended to be) part of a filing system (Article 2(1) GDPR). To the same extent, the BDSG applies to processing by private bodies. For public bodies, the BDSG applies to all (types of) data processing.
“Processing” of personal data covers a wide range of operations, such as collection, recording, organisation, storage, adaptation, retrieval, use, disclosure by transmission or otherwise making available, combination, restriction, erasure or destruction (Article 4(2) GDPR). The Court of Justice of the European Union (CJEU) interprets the term broadly, considering even oral disclosure to be processing under the GDPR (C-740/22, paragraph 32).
5. What personal data does the law regulate?
Article 4(1) GDPR defines “personal data” as any information relating to an identified or identifiable natural person. The CJEU interprets the term broadly: a person is identifiable if additional information exists that is reasonably likely to be used to identify them, even if that additional information is not all held by the same party.
If data cannot be linked to an identifiable person, it is anonymous (or anonymised). Such data does not fall within the scope of the GDPR.
On that basis, according to the CJEU and the German Federal Court of Justice (BGH), email addresses, dynamic IP addresses, cookies, photos and video images (for example) can be classified as personal data. The BGH also, in principle, considers the content of a person’s correspondence with a third party, as well as between third parties and other recipients about that person, as personal data (BGH, 15 June 2021 – VI ZR 576/19).
6. Are any types of personal data subject to a higher level of protection under the law?
Article 9(1) GDPR lists special categories of personal data that are subject to special protection because they are, by their nature, particularly sensitive in relation to fundamental rights and freedoms. This includes personal data concerning:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data for the purpose of uniquely identifying a natural person;
- health; or
- sex life or sexual orientation.
In principle, the processing of these categories of sensitive data is prohibited. Article 9(2) GDPR provides exceptions to this rule, for example, a data subject’s explicit consent or the protection of vital interests of a natural person. In addition, lawful processing of sensitive data must also be based on a legal basis under Article 6(1) GDPR (see Question 7, below).
The CJEU defines sensitive data under Article 9(1) GDPR broadly. For “health data”, it is sufficient if the data can be used to draw indirect conclusions about the state of health, for example, by intellectually combining ordered medication, the therapeutic indication of that medication and factors that identify the natural person (C‑21/23, paragraph 84).
Finally, in addition to the GDPR, the TDDDG also lays down specific data protection rules for providers of public telecommunications and digital services when processing certain types of personal data, such as inventory data, usage data and message content. Contents and further details of telecommunications, in particular the fact that someone is or was involved in a telecommunications process, are subject to telecommunications secrecy.
7. What requirements must be fulfilled in order to process personal data?
The processing of personal data is lawful if it complies with the data processing principles (Article 5 GDPR) and is based on one of the following legal bases (Article 6(1) GDPR):
- consent of the data subject;
- necessity to conclude or perform a contract;
- necessity to comply with legal obligations;
- necessity to protect a natural person’s vital interests;
- necessity to perform a task carried out in the public interest or in the exercise of official authority; and
- necessity to pursue the legitimate interests of the controller or a third party, unless overridden by the data subject’s interests or fundamental rights, in particular where the data subject is a child.
Reliance on consent as a lawful legal basis requires that it has been given freely, is specific, informed and unambiguous, and given by a clear affirmative action (e.g., ticking a box). Pre-ticked boxes, silence, or inactivity do not constitute consent. Consent can be withdrawn at any time without detriment. The controller must prove that consent was given and inform the data subject of their right to withdraw.
Where an information society service is offered directly to a child, the consent of a child under the age of 16 is valid only if it is given or authorised by the holder of parental responsibility (Article 8(1) GDPR); Germany has not used the opening clause to lower this age.
In the employment context, it is usually doubtful whether consent has been given voluntarily. The employee’s dependence and individual circumstances are crucial in this regard. Legal or economic advantages or concurrent interests indicate that consent has been given freely (section 26(2) BDSG).
The voluntary nature of the consent is also unclear in “pay or consent” cases. The European Data Protection Board (EDPB) considers that for large online platforms, consent is invalid if the user “only” has the choice between a paid and a “free” option linked to behavioural advertising. By contrast, a German court has ruled that the “consent or pay” model constitutes effective consent (Regensburg District Court, 15 April 2024, 75 O 1040/23).
For reliance on contractual necessity, the processing must be indispensable to achieve a purpose that constitutes the main subject of the contractual performance. This purpose must not be able to be achieved without the relevant processing (C-252/21, paragraph 98).
Processing may rely on legitimate interests of the controller or a third party unless overridden by the data subject’s interests or rights. Legitimate interest can be any interest recognised by the legal system, provided that it is worthy of protection and objectively justifiable (German Federal Administrative Court, 27 March 2019, 6 C 2/18). Any processing based on legitimate interests must be “strictly necessary” to achieve the intended interests. The controller must conduct a case-by-case balance of interests, considering the data subject’s reasonable expectations.
The processing of sensitive personal data (see Question 6, above) is prohibited unless one of the exceptions under Article 9(2) GDPR is met, such as explicit consent or the protection of the vital interests of a natural person where the data subject is physically or legally incapable of giving consent. Even if one of the exceptions of Article 9(2) GDPR applies, the legal basis requirement of Article 6 GDPR must still be satisfied.
There are additional German exemptions (Article 9(4) GDPR), including section 22 BDSG for the processing of sensitive data in the context of healthcare, social services or national security. Under certain conditions, section 27 BDSG permits the processing of sensitive data for scientific, historical or statistical purposes.
8. What obligations apply when processing personal data?
When processing personal data, controllers are obliged to:
- Comply with processing principles such as lawfulness, transparency, purpose limitation, data minimisation, storage limitation and confidentiality (Article 5(1) GDPR). Controllers are responsible for demonstrating compliance in this regard (Article 5(2) GDPR).
- Provide data subjects with information about the processing to ensure transparency, including the processing purposes, legal basis, recipients and data subject rights (Articles 13 and 14 GDPR). All information must be clear, concise and easily accessible (Article 12(1) GDPR).
- Implement appropriate technical and organisational measures to protect personal data against risks such as loss, alteration or unauthorised access (Article 32(1) GDPR), including pseudonymisation, encryption and regular security testing. Such measures must be implemented by design and by default (Article 25 GDPR).
- Maintain a record of all processing activities (Article 30(1) GDPR).
- Conduct a data protection impact assessment (DPIA) where processing is likely to result in a high risk (Article 35 GDPR) and consult the supervisory authority beforehand where the DPIA indicates that the processing would result in a high risk in the absence of mitigating measures (Article 36 GDPR).
- Enter into a data processing agreement with any processor used (Article 28(1), (3) GDPR).
- In case of a personal data breach, notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms (Article 33(1) GDPR); if the breach is likely to result in a high risk, also notify the affected individuals, unless measures such as encryption have rendered the data unintelligible to unauthorised persons or the risk has otherwise been mitigated (Article 34(1), (3) GDPR).
When processing personal data on behalf of a controller, processors are obliged to process the personal data only in accordance with the instructions of the controller and to comply with the data processing agreement, including providing for technical and organisational measures (Article 28(3) GDPR).
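The pseudonymisation and encryption measures named above are only listed in the text. The following Python script is an added example, not part of this page or of any authority's guidance, illustrating the difference that matters in practice: a keyed pseudonym (HMAC with a key stored separately from the data) is the measure Article 4(5) GDPR describes, whereas an unkeyed hash of a low-entropy identifier such as an IPv4 address is trivially reversible by enumeration and therefore yields neither anonymous nor properly pseudonymised data. The log records, the key and the network range are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

# Constructed sample log records containing identifiers the page classes
# as personal data (dynamic IPv4 address, email address). Not real data.
SAMPLE_RECORDS = [
    {"ts": "2025-01-10T08:00:00Z", "ip": "203.0.113.17", "email": "alice@example.com"},
    {"ts": "2025-01-10T08:00:05Z", "ip": "203.0.113.18", "email": "bob@example.com"},
    {"ts": "2025-01-10T08:01:00Z", "ip": "203.0.113.17", "email": "alice@example.com"},
]


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256 of an identifier.

    Often mistaken for anonymisation. For a small input space (all IPv4
    addresses are only 2**32 values) anyone can rebuild the mapping by
    hashing every candidate, so the output still relates to an
    identifiable person.
    """
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier.

    Without the key the output cannot be mapped back by enumeration. The
    key is the 'additional information' of Article 4(5) GDPR and must be
    kept separately from the pseudonymised data (for example in a KMS),
    with access limited to the re-identification process.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records: list, key: bytes) -> list:
    """Replace direct identifiers in log records with keyed pseudonyms.

    The same input always yields the same pseudonym, so events from one
    user remain correlatable for security monitoring while the raw
    identifier is absent from the analysis store.
    """
    return [
        {
            "ts": r["ts"],
            "ip": pseudonymise(r["ip"], key),
            "email": pseudonymise(r["email"], key),
        }
        for r in records
    ]


def reverse_hash_ipv4(target_hex: str, network: str) -> Optional[str]:
    """Dictionary attack on an unkeyed hash of an IPv4 address.

    Enumerates every host address in `network` and compares SHA-256
    digests. Limited to one prefix so the example runs instantly; the
    full IPv4 space is equally feasible offline on commodity hardware.
    """
    for addr in ipaddress.ip_network(network).hosts():
        if plain_hash(str(addr)) == target_hex:
            return str(addr)
    return None


def demo() -> dict:
    """Run both variants over the sample records and report the outcome."""
    key = secrets.token_bytes(32)  # per-deployment secret; constructed here
    pseudo = pseudonymise_records(SAMPLE_RECORDS, key)

    weak = plain_hash(SAMPLE_RECORDS[0]["ip"])
    recovered = reverse_hash_ipv4(weak, "203.0.113.0/24")

    # The same enumeration against the keyed pseudonym fails: the attacker
    # can only compute unkeyed digests and does not hold the key.
    not_recovered = reverse_hash_ipv4(pseudo[0]["ip"], "203.0.113.0/24")

    return {
        "unkeyed_hash_recovered_ip": recovered,
        "keyed_pseudonym_recovered_ip": not_recovered,
        "same_user_linkable": pseudo[0]["ip"] == pseudo[2]["ip"],
        "different_users_distinct": pseudo[0]["ip"] != pseudo[1]["ip"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The organisational half of the measure is the key handling: if the HMAC key sits in the same database or backup as the pseudonymised records, a breach of that store exposes re-identifiable data, which bears directly on the Article 34 assessment of whether affected individuals must be notified.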
9. What rights does the data subject have in relation to personal data?
Data subjects have comprehensive rights under the GDPR to ensure transparency and maintain control over their personal data. Specifically, data subjects may:
- Request detailed information on the processing of their personal data, including purposes of processing, recipients, and sources (right of access, Article 15 GDPR).
- Demand the correction of inaccurate or incomplete personal data within a reasonable time (right to rectification, Article 16 GDPR).
- Request the deletion of their data under specific conditions set out in Article 17(1) GDPR, most notably when it is no longer necessary for the initial processing purpose or if consent is withdrawn (right to erasure, Article 17 GDPR).
- Request the data processing to be restricted under certain conditions (right to restriction of processing, Article 18 GDPR).
- Receive their personal data in a transferable format (right to data portability, Article 20 GDPR).
- Object to data processing when the processing is based on legitimate interests or the performance of a task in the public interest (right to object, Article 21 GDPR).
- Object to any data processing for direct marketing purposes without restrictions. The controller must clearly inform data subjects of this right and effectively handle objections through all communication channels (Article 21(2) to (4) GDPR).
- Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them (Article 22 GDPR).
The GDPR allows Member States to restrict the rights of data subjects (Articles 23, 85(2) and 89(2) GDPR); the German legislator has provided for such restrictions in sections 27 et seq. BDSG:
- For research, statistical or archiving purposes, sections 27(2), 28(2)-(4) BDSG apply: the rights under Articles 15, 16, 18, 21 GDPR may be restricted.
- In the case of conflicting confidentiality interests, in particular in the event of overriding legitimate interests of a third party, section 29(1) BDSG limits Articles 14 and 15 GDPR: this applies especially to persons bound by professional secrecy, so that a lawyer does not have to inform a data subject about the collection and processing of data that has come to their knowledge in the course of a client relationship.
In the case of direct collection, the obligation to provide information (Article 13 GDPR) may be restricted under section 32(1) No. 4 BDSG to ensure the proper exercise and defence of rights.
For the same reason, the obligation to provide information in the case of collection by third parties (Article 14 GDPR) may be restricted pursuant to section 33(1) No. 2 BDSG. Similarly, a restriction can be made here if data from civil law contracts is processed and this serves to prevent criminal offences. This may be important for compliance with regulations in commercial transactions, such as fraud prevention. In these cases, however, the interests of the data subject must not take precedence.
Section 35 BDSG restricts the right to erasure (Article 17 GDPR) where, in the case of non-automated processing, erasure would involve disproportionately high effort; and, in all other cases, where the data subject has a legitimate interest in the data not being erased or where statutory or contractual retention obligations apply. In these situations, the processing is restricted instead of the data being erased.
10. What rules regulate the sending of commercial or direct marketing communications?
Sending of direct marketing communications and the related processing of personal data are governed by both the German Unfair Competition Act (UWG) and the GDPR.
While section 7 UWG imposes consent requirements on direct marketing depending on the communication channel, from a data protection perspective direct marketing may also be based on legitimate interests (Article 6(1)(f) GDPR). However, the German Data Protection Conference (Datenschutzkonferenz, DSK) considers that the UWG and GDPR (consent) requirements must be aligned. On this basis, the following requirements and legal bases apply:
- Postal marketing can regularly be based on legitimate interests (Article 6(1)(f) GDPR) as a lawful legal basis.
- Direct marketing calls to consumers (B2C) require the consumer’s prior express consent (section 7(2) No. 1 UWG, Article 6(1)(a) GDPR). For direct marketing calls to other market participants (B2B), presumed consent (section 7(2) No. 1 UWG) is sufficient. Such calls can be based on legitimate interests (Article 6(1)(f) GDPR) if there is a specific reason for the call that aligns with the interests of the business called.
- Direct marketing emails — both B2B and B2C — require the recipient’s consent (section 7(2) No. 2 UWG, Article 6(1)(a) GDPR). However, direct marketing emails can exceptionally be sent without consent to existing customers to advertise goods or services similar to those previously purchased, provided that the customer has not objected despite being informed of his/her rights (section 7(3) UWG).
Where consent is necessary, it requires that the type of intended advertising and the advertised products or services are specified. The double opt-in procedure is required for electronic consent in order to verify the declaration of intent of the data subject. Saving an IP address is not sufficient to prove consent. Consent must be fully verifiable, including with regard to its wording (BGH, judgment of 10 February 2011, Az. I ZR 164/09).
11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?
There are no restrictions on the transfer of personal data from Germany to other countries in the EU or the European Economic Area (EEA).
For data transfers to a third country outside the EU/EEA, a level of protection that is “essentially equivalent” to that guaranteed by the GDPR must be ensured.
For countries for which the EU Commission has issued an adequacy decision (Article 45 GDPR), no additional safeguards are required. These include, for example, Switzerland, the UK and Japan. The EU Commission provides a list of the adopted adequacy decisions on its website (see https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).
If there is no adequacy decision for a third country, transfers must rely on appropriate safeguards (Article 46 GDPR), including:
- standard contractual clauses (SCCs) adopted by the EU Commission, which require no authorisation by a supervisory authority if they are used without modification;
- binding corporate rules (BCRs) approved by a supervisory authority, applicable to intra-group data transfers within multinational groups;
- ad hoc contractual clauses authorised by the competent supervisory authority; and
- approved codes of conduct (Article 40 GDPR) or certification mechanisms (Article 42 GDPR), combined with binding and enforceable commitments of the recipient.
Third country transfers may also be based on the derogations for specific situations listed exhaustively in Article 49 GDPR, such as explicit consent, contract performance, and necessity for the establishment, exercise or defence of legal claims.
The transfer mechanism most commonly used in practice is SCCs. When using SCCs, the data exporter must carry out a transfer impact assessment (TIA) that assesses the laws and practices in the third country. Further, additional safeguards may need to be implemented.
Data transfers to the U.S. can be based on the EU-US Data Privacy Framework adopted by the EU Commission. Under the adequacy decision, personal data from the EU can be transferred to certified U.S. companies without further appropriate safeguards or additional measures needed. The U.S. Department of Commerce publishes a list of U.S. companies that have been voluntarily certified under the framework (see www.dataprivacyframework.gov/s/participant-search).
12. What are the investigatory and enforcement powers of the regulator?
In Germany, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the Data Protection Authorities of the federal states ("State DPAs") are supervisory authorities (see a list of German DPAs at www.datenschutzkonferenz-online.de/datenschutzaufsichtsbehoerden.html).
The BfDI oversees federal institutions and telecommunications and postal services, while the State DPAs are, among other things, competent for private companies within their respective states. Both levels of authority possess the powers outlined in Article 58 GDPR, including investigatory, corrective, and enforcement powers, in particular to:
- order the controller or processor to provide any information required for the performance of their tasks;
- conduct investigations in the form of data protection audits;
- issue warnings or order controllers or processors to bring processing operations into compliance with the GDPR;
- impose temporary or definitive limitations, including a ban on processing;
- impose administrative fines; and
- order the suspension of data flows to a recipient in a third country or to an international organisation.
In practice, the key activities of the BfDI and State DPAs include ordering data controllers to bring processing into compliance with the GDPR (Article 58(2)(d) GDPR), and conducting data protection audits (Article 58(1)(b) GDPR). Complaints from individuals are a frequent trigger for investigations, which may lead to binding orders or fines as per the GDPR and BDSG.
13. What are the sanctions and remedies for non-compliance with data protection laws?
Non-compliance with data protection laws can lead to various sanctions and remedies, including administrative fines, criminal penalties, and private legal remedies.
Administrative fines
Supervisory authorities may impose fines under Article 83 GDPR of up to EUR 20 million or, in the case of an undertaking, 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5) GDPR). A lower tier of up to EUR 10 million or 2% of worldwide annual turnover applies to, among others, breaches of the controller and processor obligations in Articles 25 to 39 GDPR, which include the security obligations of Article 32 GDPR (Article 83(4)(a) GDPR).
Member States may impose additional penalties under Article 84 GDPR. In Germany, for example, section 43 BDSG allows fines of up to EUR 50,000 for mishandling consumer information requests.
Criminal offences
Under Article 84 GDPR and section 42(1) BDSG, deliberately transferring or otherwise making accessible, on a commercial basis and without authorisation, the non-public personal data of a large number of persons can lead to up to three years’ imprisonment or a fine.
Processing non-public personal data without authorisation, or obtaining it by fraud, in return for payment or with the intent to enrich oneself or another or to harm another person, can result in up to two years’ imprisonment or a fine (section 42(2) BDSG).
Private remedies and enforcement
Individuals have the right to lodge complaints with supervisory authorities (Article 77 GDPR) and claim damages for violations (Article 82 GDPR), covering both material and non-material damages.
Recent CJEU rulings clarify that loss of control over personal data can qualify as non-material damage, even without data actually being misused.
In a landmark decision, the BGH recently upheld claims for non-material damages under Article 82 GDPR in cases such as unauthorised scraping of public social media profiles, affirming that brief loss of data control can be considered as non-material damage under the GDPR (18 November 2024, Az. VI ZR 10/24). However, the BGH has assessed the amount of damages as rather low.
These measures collectively ensure accountability and offer redress for breaches of data protection laws.