GERMANY - Data Protection and GDPR Review

Pre-Computer Era

Even before the computer era, Germany had laws aimed at protecting individual privacy, particularly from government intrusion. These values were incorporated into the Basic Law for the Federal Republic of Germany in 1949.

Hessian Data Protection Act (1970)

The Hessian Data Protection Act was enacted in 1970 in the state of Hesse. It was the first data protection law in the world, and it was created in response to the growing use of automated data processing.

Federal Data Protection Act (BDSG) (1977)

The Bundesdatenschutzgesetz (BDSG) or Federal Data Protection Act came into force in 1977. The act laid down the legal framework for the protection of personal data processed by public authorities and private bodies. It included the right to information, correction, and deletion of data.

Amendments and Adaptations

Germany's BDSG underwent various amendments and adaptations throughout the 1980s and 1990s. Changes were made to keep up with technological advances, international obligations, and European Union directives, including the 1995 EU Data Protection Directive.

Telemedia Act (2007)

In 2007, Germany adopted the Telemedia Act, which added further layers of data protection for online services. The act stipulated the principles of data minimization and purpose limitation for data processed by internet service providers.

General Data Protection Regulation (GDPR) (2018)

The EU General Data Protection Regulation (GDPR), which came into effect in May 2018, brought substantial changes to data protection laws across the European Union, including Germany. The GDPR set forth strict guidelines for the handling of personal data, granting individuals greater control over their information. Germany adapted its national laws to be in line with the GDPR.

Further Development

Since the implementation of the GDPR, Germany has continued to refine its data protection framework. Updates and additions have aimed at maintaining the balance between technological innovation and the fundamental rights of individuals.

Germany has been a leader in the field of data protection, reflecting deep-seated cultural values regarding individual privacy. From the early legislation in Hesse to the comprehensive framework under the GDPR, the country has continuously evolved its laws to meet the challenges posed by technological advancements. The balance between individual rights, governmental interests, and business needs remains an ongoing concern in the complex and ever-changing landscape of data protection in Germany.

German Federal Data Protection Act (BDSG) and GDPR

Germany's existing Federal Data Protection Act (BDSG) was revised to align with GDPR. The new BDSG (BDSG-new) complements and specifies the GDPR in areas where member states are allowed to implement their own regulations.

Key Principles

a. Lawfulness, Fairness, and Transparency

Personal data must be processed lawfully, fairly, and in a transparent manner.

b. Purpose Limitation

Data must be collected for specified, explicit, and legitimate purposes.

c. Data Minimization

Data collected must be relevant and limited to what is necessary for the purposes for which it is processed.

d. Accuracy

Personal data must be accurate and, where necessary, kept up to date.

e. Storage Limitation

Data must be kept in a form that permits identification of data subjects for no longer than is necessary.

f. Integrity and Confidentiality

Data must be processed in a way that ensures its security.

Individual Rights under GDPR

These include:

  • Right to Access: Individuals have the right to access their personal data.

  • Right to Rectification: The right to correct data if inaccurate or incomplete.

  • Right to Erasure: Often known as the ‘right to be forgotten.’

  • Right to Restrict Processing: Individuals have the right to block or restrict the processing of their data.

  • Right to Data Portability: The right to have the data sent to a different organization.

  • Right to Object: The right to object to processing in certain circumstances.

Data Protection Officers (DPOs)

Under GDPR, organizations must appoint a DPO if they engage in large-scale processing of certain types of data. In Germany, even small businesses may require a DPO under certain circumstances.

Consent

Clear consent must be obtained for processing personal data, and individuals must be informed of how the data will be used. In Germany, this must align with both GDPR and BDSG-new.

Data Breaches

Organizations must notify the appropriate supervisory authority (in Germany, this is the Federal Commissioner for Data Protection and Freedom of Information) within 72 hours of discovering a breach.

Transfers Outside the EU

Data transfers outside the EU are subject to strict conditions, and German authorities enforce these rigorously.

Fines

Fines for non-compliance with GDPR can reach up to €20 million or 4% of the annual global turnover, whichever is higher.

German Specificities

Some areas of BDSG-new provide specific national regulation, such as the processing of employee data, video surveillance, scoring and credit checks.

Compliance with GDPR in Germany requires a thorough understanding of both the European regulation and the specific national implementation under BDSG-new. Ongoing commitment to data protection is essential, as regulations continue to evolve. Consulting with legal experts who specialize in German and EU data protection laws is often advisable to ensure full compliance.
